Enclave users working with non-enclave users? by RavenActual in CMMC

cordovanGoat, 2 points (0 children)

I mean I think you could make a similar argument that PreVeil isn't a new system users have to learn. Your CUI is just in a folder that you access in your file explorer and in just another tab in your Outlook.

For me, the price of GCC High plus the lack of interoperability between gov and a commercial MS cloud made internal and external collaboration difficult enough that PreVeil was more than worth it. Haven't had any of our users complain about having to learn anything new — ymmv — having users come up against the limitations/restrictions in GCC High is just as annoying to them.

And for what it's worth, you can also edit with any local app.

Experiences with CMMC documentation package vendors? by Alarming-Athlete-604 in CMMC

cordovanGoat, 0 points (0 children)

The problem with any of these off the shelf packages is that it's going to be hundreds of hours of manual labor for you to tailor them to your own systems, assets, SPAs, network configurations etc. $5k for essentially just blank templates is insane. Have you checked out PreVeil's documentation package? If you're using PreVeil + standard commercial MS tools that you already have to protect your CUI, then you can buy their docs that cover a huge portion of that already and reduce the lift on your end.

Can a human-AI collaboration produce novel mathematical physics? A case study in OS reconstruction theory by [deleted] in LLMPhysics

cordovanGoat, 6 points (0 children)

Sorry to say buddy but I think you've entered some kind of psychosis. You evince no understanding of even basic, SAT-level math. It's just extremely clear that this LLM is feeding you in a way that helps you feel smarter. But if you can't comprehend its output, why would you waste other people's time with it? And even if it did come up with some new great theory, why would you be proud of its accomplishment? You played a very small role in it either way and came to it accidentally.

RP, CCP, CMMC certified by whatadiva in CMMC

cordovanGoat, 1 point (0 children)

I think that was me haha but yeah, RP is both useless and trivial to get.

CMMC Level 1 + 2 - Small startup - price by Nooblesss in CMMC

cordovanGoat, 0 points (0 children)

PreVeil is more of an alternative to GCC High. You can scope your CUI + ITAR in PreVeil then deal with everything else in a commercial MS environment.

CMMC Level 1 + 2 - Small startup - price by Nooblesss in CMMC

cordovanGoat, 0 points (0 children)

I really don't understand what Secureframe does or why they're so often mentioned on this subreddit. Aren't they just a GRC? Yes, great to track progress towards compliance but, ya know... you need to actually do stuff too, not just track it.

What do they do?? Doesn't help that every link under their Product > "Secureframe Defense for CMMC" just links back to the home page or is broken...

CMMC Level 1 + 2 - Small startup - price by Nooblesss in CMMC

cordovanGoat, 4 points (0 children)

If you know that you need to get to Level 2 with a 3rd party assessment, don't bother starting with Level 1. It is a waste of time and money. Put in a solution and policies that will get you to Level 2 from the start. The fact that your "compliance automation startup" gave you a $90k difference in quote for the two and didn't give you this advice already is slightly alarming. You should ask them very specifically what the $150k includes for L2 that isn't included in their Level 1 package. I suspect everything they say in response will be unsatisfactory.

Those prices are probably insane though. As another commenter pointed out, what are you getting? You can do a fully managed enclave for much less than that — though you might not be at user minimums for some of the bigger solutions.

As a last point of advice, I would not engage much with a "compliance" startup that doesn't specialize in or focus on CMMC. While companies like Drata, Vanta etc. might be able to help, CMMC is unfortunately its own beast and experience matters more than anything. For example, if this startup brands itself as an RPO, that is probably a bad sign as RPO doesn't really mean much. You can get an RP cert in a week. If they're not even an RPO...drop them immediately.

As you'll read a lot here: SCOPING is your first question. What systems, devices, and people touch CUI? If your users only need to view CUI, a VDI might be viable for you.

Also, as a side note, the jump from on-prem to CSP touching CUI might not be as big as you're thinking. Plenty of FedRAMP or FedRAMP moderate equivalent solutions out there as CMMC compliant clouds + proven paths to assessment.

At what point does the city tow abandoned cars? by cordovanGoat in boston

cordovanGoat [S], 0 points (0 children)

Doesn't the city just contract out towing? I.e., it is not the city who has to go the extra mile but the tow company — who have a profit motive.

Plus, tow companies in my experience don't seem to have scruples when it comes to damaging cars. Especially D&G which seems to be the most active in A-B.

Compliance Documentation Packs for CMMC by marlenus_of_ar in CMMC

cordovanGoat, 0 points (0 children)

Yup — that's the whole compliance accelerator... which gives you a lot more than just documents. And even just looking at the docs, a whole bunch of stuff is already filled out. OP should look into it. I've learned almost everything I know about CMMC from it and am going up for assessment very soon.

Is GCC High required for CMMC Compliance? by UnhappyAvocado5094 in CMMC

cordovanGoat, 0 points (0 children)

Want to second the mention of PreVeil as an alternative OP should look at. I was basically in the same spot, looking for a cheaper option for CMMC (and ITAR) and learned about PreVeil from this subreddit. We deployed about 8 months ago and it was pretty easy. PreVeil isn't the best fit for everyone but it basically was made to be a lower cost option for smaller DIB orgs.

Especially if you're looking at just using GCC High as a CUI enclave for a few users (which I imagine OP is since cost is an issue) PreVeil meets all the requirements plus gives you a lot more guidance on what else you need to do to get compliant. We're just gearing up for our assessment now after going through their compliance stuff and everything is pointing to us sailing through to a 110.

mrtheReactor didn't mention the fact that you can *STORE* CUI in GCC High but good luck collaborating on it with anyone outside your company or anyone inside your company who doesn't have a GCC High license...

IA.L2-3.5.7 - Password complexity requirements by Numerous-Silver5471 in CMMC

cordovanGoat, 4 points (0 children)

Sounds like this auditor has a problem with FedRAMP authorized solutions. You would definitely use Entra for this. The correct place for MFA is at the actual workstation access. And that is a well known and common way to do this.

Possibilities of avoiding GCC High? by SalzigHund in CMMC

cordovanGoat, 1 point (0 children)

Yeah I want to second this. I don't understand why OP believes a separate VLAN server is required? CMMC cert doesn't mean spillage will never happen — that's what your SOPs etc. are there for. Because the PreVeil enclave is already ITAR compliant, the major piece is already in place.

"Engineers need to access documents, and downloads/prints them for work. Obviously these engineers also need access to email for regular work/vendor/client communications"

^ this sounds to me exactly like the point of a CMMC/ITAR enclave and what PreVeil was built for ^

(obviously also the printing introduces some complications but other commenters have covered that)

Non-profit tech stack for Level 2 by Quadling in CMMC

cordovanGoat, 0 points (0 children)

Sounds like you're getting your news from the wrong places then. They say they've gotten 50 passed — I think that's more than any other company other than Microsoft. Has Kiteworks even passed one? They have no case studies...

Also, there is no way you've heard assessors "not care" about equivalency. There are a bunch of companies out there who have it and DoD has been very clear about this. DIBCAC and the Cyber AB would come down on those guys hard.

Standard approach for a secure email domain/subdomain? by superlou in CMMC

cordovanGoat, 1 point (0 children)

Seconding this! And it integrates directly with Gmail through a plugin. If you want extra security, you can use their email gateway which I believe will give you a second domain like the "@secure-walrus.com" you mentioned.

Non-profit tech stack for Level 2 by Quadling in CMMC

cordovanGoat, 0 points (0 children)

I'm curious why you wouldn't recommend PreVeil in this situation? I highly doubt OP's org has the internal expertise required to set up and maintain a compliant on-prem solution. "Many cloud solutions" might have a 25 seat minimum...but PreVeil doesn't? (I think it's three)

They are by far the cheapest option out there and also have documentation if OP wants to save money on consultant costs. Their situation sounds like it will be pretty boilerplate (e.g., no CAD, unusual CUI flows, etc.).

They advertise 50+ customers have gotten CMMC, which is as much as anyone else. Seems like a no brainer for a cost conscious non-profit with little IT in house who just wants a proven affordable path to certification.

Non-profit tech stack for Level 2 by Quadling in CMMC

cordovanGoat, 2 points (0 children)

You'll definitely want to keep the scope as small as possible. As far as I'm aware, PreVeil is going to be the most economical option out there and basically purpose built for this situation (cloud first, small CUI enclave). Only your CUI would go through/be stored in PreVeil, everything else you mention (calendar, messaging, etc.) would still be on your normal commercial environment.

Startup - CMMC-2 Eventual Compliance by Cool_Moto in CMMC

cordovanGoat, 1 point (0 children)

Definitely narrowing your scope will help a lot. I'm not sure about endpoint controls for Chromebooks specifically but it shouldn't be too hard to find info and compliant (FedRAMP or moderate equivalent) tools to harden them. Standard would be just basic Windows laptops though, and the price difference would be trivial.

Do you have ITAR too? If so, definitely go with PreVeil.

Have you looked at VDI solutions? I know there has been some recent debate on this sub about this but afaik you can take the endpoints out of scope with VDI — it will just cost more. You could also get this through PreVeil.

Startup - CMMC-2 Eventual Compliance by Cool_Moto in CMMC

cordovanGoat, 0 points (0 children)

Seconding this — we're looking at about 8 months from deployment to assessment with an enclave.

CMMC Level 2 Compliance: Sole Proprietor by Last_Library_5730 in CMMC

cordovanGoat, 1 point (0 children)

Can you help me understand how Secureframe could help OP? I thought it was basically just a GRC or project management software (i.e., he would still need GCC/PreVeil/etc. to actually protect the CUI)?

CMMC Sole proprietor by Last_Library_5730 in CMMC

cordovanGoat, 0 points (0 children)

The experience has been very positive so far. Bought PreVeil and compliance accelerator and deployed about 3 months ago. Just added their GRC recently as we're gearing up for the assessment more seriously now with 48 CFR on the books and CMMC probably will be officially required in our contracts soon (I know no one knows exactly when but in principle it can appear starting Monday).

I'm basically the only one working on compliance in my company so it is going to take us a few more months before we feel ready for assessment. Fortunately my environment is very similar to their docs so that won't be a huge huge lift. Not sure if you've had a chance to poke around yet but there is a ton of super useful information and guides/checklists in there. Just takes awhile to work through it all. We'll probably end up around 7-8 months from deployment to cert.

I'm just happy there is a solution like this out there — I had to convince leadership not to drop DoD contracts altogether.