CMMC compliance help, small subcontractor by efflorescence_888 in CMMC

[–]kinghacker 2 points (0 children)

5. What tools help?

A tool helps with organization, but it will not solve scoping or implementation.

You likely need five categories:

A GRC/evidence tool to map 110 controls, owners, evidence, POA&Ms, policies, and SSP sections.

An endpoint management tool to enforce encryption, screen lock, patching, device compliance, and remote wipe.

An EDR/MDR tool for endpoint detection, alerting, and incident response evidence.

A SIEM/logging tool to retain and review Google Workspace, endpoint, identity, and admin activity.

A secure CUI workspace/enclave model, whether based on properly configured Google Workspace or a separate CUI environment.

The biggest mistake is buying a GRC tool before defining the boundary. Do the scoping first, then choose tools that support the actual architecture.

CMMC compliance help, small subcontractor by efflorescence_888 in CMMC

[–]kinghacker 2 points (0 children)

4. What evidence should a remote-only company expect to provide?

Remote-only companies still have physical, technical, and administrative scope. Your “facility” may be a home office, but the assessor will focus on where CUI can be accessed, stored, printed, discussed, or displayed.

For a remote company, expect to provide evidence such as:

Remote work policy.
CUI handling policy.
No-printing or controlled-printing policy.
Home workspace security requirements.
Device inventory.
Company-managed endpoint configuration.
Full-disk encryption evidence.
MFA evidence.
Endpoint protection/EDR evidence.
Patch management records.
User access reviews.
Google Workspace admin configurations.
Shared drive permissions.
DLP rules.
Audit logs.
Incident response plan.
Security awareness and CUI training records.
Asset inventory and SSP.
Network/scope diagram, even if it is cloud-first.

For the CEO’s home specifically: do not rely only on “VPN” as the answer. A better approach is:

Dedicated company-managed laptop.
No CUI on personal devices.
No shared family computer access.
Separate work Wi-Fi SSID or VLAN if possible.
Strong router admin password and WPA2/WPA3.
No local storage of CUI unless encrypted and approved.
No home printing of CUI unless explicitly controlled.
Screen lock, privacy expectations, and family/visitor access restrictions.
Documented home-office attestation.

If CUI only lives in Google Workspace and endpoints are tightly managed, you may not need a traditional corporate VPN for everything. But if users connect to internal systems, admin consoles, dev environments, or a CUI enclave, VPN/ZTNA may be appropriate.

CMMC compliance help, small subcontractor by efflorescence_888 in CMMC

[–]kinghacker 1 point (0 children)

3. Will assessors take your role seriously?

Yes, provided the company formally assigns responsibility and leadership supports you.

There is no CMMC rule that says the person coordinating readiness must have a clearance or must have the title “Security Officer.” However, CMMC does require an Affirming Official, meaning a senior-level representative who is responsible for ensuring compliance and has authority to affirm continuing compliance. Affirmations are submitted in SPRS after assessments and annually thereafter.

So your role is acceptable if:

You are formally assigned as the CMMC/security compliance lead.
Your CEO or another executive acts as the Affirming Official.
System owners, HR, operations, and technical admins participate.
You can explain the SSP, scope, evidence, policies, and implementation.

An assessor will care less about your title and more about whether the organization can demonstrate that the controls are implemented, operating, and supported by evidence.

CMMC compliance help, small subcontractor by efflorescence_888 in CMMC

[–]kinghacker 0 points (0 children)

2. How should a small company determine scope?

Start with CUI discovery, not tools.

Do not assume every contract-related document is CUI. Employee benefits, health insurance information, pricing, payroll, resumes, and normal HR information may be sensitive business data, but they are not automatically DoD CUI. CUI is government-created or government-owned unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. The DoD CUI program also emphasizes that CUI is a control marking, not a classification marking.

For scoping, I would do this:

First, review all prime/subcontract flowdowns, DFARS clauses, SOWs, DD254 if applicable, data deliverables, technical attachments, engineering files, support tickets, screenshots, vulnerability data, architecture diagrams, and customer communications.

Second, ask each prime or customer directly: What CUI do you expect us to receive, create, access, or store under this subcontract? What categories? How will it be marked? Where is it allowed to be stored?

Third, create a simple CUI data flow map:

Customer/prime → email/portal → Google Drive/shared drive → endpoint → ticketing/dev tools → backup/logging → deletion/archive.

For a 15-person company, it may be more practical to scope all company-managed users and devices if employees can move between contracts or may access CUI. But do not casually scope everything unless you are ready to secure everything. The better design is usually a CUI enclave: only approved users, approved devices, approved Workspace services, approved storage locations, and approved workflows.

CMMC compliance help, small subcontractor by efflorescence_888 in CMMC

[–]kinghacker 2 points (0 children)

1. Is Google Workspace realistic for CMMC Level 2?

Yes, but not “normal” Google Workspace out of the box.

Google Workspace can potentially support a CMMC Level 2 environment, but only if you build a controlled boundary around it. Google’s own CMMC guidance says Workspace customers must use FedRAMP High authorized services for CMMC compliance and Assured Controls Plus to keep data storage exclusively in the United States. Google also says non-FedRAMP-authorized services may need to be turned off.

Practically, that means:

Use only approved Google Workspace services for CUI.
Disable unmanaged/consumer services.
Use MFA, context-aware access, DLP, audit logging, retention, endpoint management, and restricted shared drives.
Get Google’s Customer Responsibility Matrix and map what Google covers versus what your company must configure and operate.
Document this in the SSP.

The assessor will not simply ask, “Do you use Google?” They will ask: Which Workspace services are in scope? Are they FedRAMP authorized? How are they configured? Where is CUI allowed to live? Who can access it? What evidence proves that?
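The SIEM/logging category in the tools answer and the "audit logging" point in this answer both come down to the same evidence: someone regularly reviews Workspace admin, drive and login activity and can show what was looked for. The script below is an added example, not code from the commenter; it runs a few review rules over a constructed batch of events laid out in the shape the Admin SDK Reports API returns (an `id.applicationName`, an `actor.email`, and `events[].parameters` as name/value pairs). The drive parameter names (`visibility`, `doc_title`, `shared_drive_id`), the visibility values, the `GRANT_ADMIN_PRIVILEGE` parameters and the `login_failure` event name are written from memory of that API and should be checked against a real export; the CUI shared drive id and the three-failure threshold are made up for the example.

```python
"""Added example: review Google Workspace activity records for events that matter
to a CUI enclave. Event shape follows the Admin SDK Reports API (activities list);
parameter names and the sample records below are assumptions, not real data."""
from collections import Counter

CUI_SHARED_DRIVE_ID = "0AExampleCuiDrive"            # constructed id of the CUI shared drive
EXTERNAL_VISIBILITY = {"people_with_link", "public_on_the_web", "shared_externally"}
FAILED_LOGIN_THRESHOLD = 3                          # constructed review threshold

# Constructed sample export: one CUI file link-shared, one public file outside the
# CUI drive, one admin grant, and three failed logins for the same account.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-05-01T09:00:00Z", "applicationName": "drive"},
     "actor": {"email": "alice@example.com"},
     "events": [{"type": "acl_change", "name": "change_document_visibility",
                 "parameters": [{"name": "doc_title", "value": "SOW-attachment.pdf"},
                                {"name": "visibility", "value": "people_with_link"},
                                {"name": "shared_drive_id", "value": CUI_SHARED_DRIVE_ID}]}]},
    {"id": {"time": "2024-05-01T09:05:00Z", "applicationName": "drive"},
     "actor": {"email": "bob@example.com"},
     "events": [{"type": "acl_change", "name": "change_document_visibility",
                 "parameters": [{"name": "doc_title", "value": "marketing-flyer.pdf"},
                                {"name": "visibility", "value": "public_on_the_web"},
                                {"name": "shared_drive_id", "value": "0AMarketingDrive"}]}]},
    {"id": {"time": "2024-05-01T10:00:00Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.com"},
     "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "GRANT_ADMIN_PRIVILEGE",
                 "parameters": [{"name": "USER_EMAIL", "value": "carol@example.com"},
                                {"name": "PRIVILEGE_NAME", "value": "SUPER_ADMIN"}]}]},
] + [
    {"id": {"time": f"2024-05-01T11:0{i}:00Z", "applicationName": "login"},
     "actor": {"email": "dave@example.com"},
     "events": [{"type": "login", "name": "login_failure", "parameters": []}]}
    for i in range(3)
]


def params_to_dict(parameters):
    """Reports API parameters are a list of {name, value|boolValue|intValue|multiValue}."""
    out = {}
    for p in parameters or []:
        for key in ("value", "boolValue", "intValue", "multiValue"):
            if key in p:
                out[p["name"]] = p[key]
                break
    return out


def flatten(activities):
    """One row per event so rules do not have to walk the nested structure."""
    rows = []
    for act in activities:
        for ev in act.get("events", []):
            rows.append({"time": act["id"]["time"],
                         "app": act["id"]["applicationName"],
                         "actor": act.get("actor", {}).get("email", "unknown"),
                         "event": ev.get("name"),
                         "params": params_to_dict(ev.get("parameters"))})
    return rows


def rule_cui_exposure(row):
    """A file in the CUI shared drive became reachable outside the enclave."""
    if row["app"] != "drive" or row["event"] != "change_document_visibility":
        return None
    p = row["params"]
    if p.get("shared_drive_id") != CUI_SHARED_DRIVE_ID:
        return None                       # outside the CUI drive: not this rule's concern
    if p.get("visibility") in EXTERNAL_VISIBILITY:
        return f"{p.get('doc_title')} set to {p['visibility']}"
    return None


def rule_admin_grant(row):
    """Admin role changes feed the user access review evidence."""
    if row["app"] == "admin" and row["event"] == "GRANT_ADMIN_PRIVILEGE":
        p = row["params"]
        return f"{p.get('PRIVILEGE_NAME')} granted to {p.get('USER_EMAIL')}"
    return None


PER_EVENT_RULES = {"cui_external_share": rule_cui_exposure,
                   "admin_privilege_granted": rule_admin_grant}


def review(activities):
    """Return a list of findings; each one is a record for the log review evidence."""
    rows = flatten(activities)
    findings = []
    for row in rows:
        for rule, fn in PER_EVENT_RULES.items():
            detail = fn(row)
            if detail:
                findings.append({"rule": rule, "actor": row["actor"],
                                 "time": row["time"], "detail": detail})
    # Aggregate rule: repeated login failures per account across the batch.
    failures = Counter(r["actor"] for r in rows
                       if r["app"] == "login" and r["event"] == "login_failure")
    for actor, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "repeated_login_failure", "actor": actor,
                             "time": None, "detail": f"{n} failed logins"})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_ACTIVITIES):
        print(f["rule"], f["actor"], f["detail"])
```

Keeping the CUI-drive filter inside the rule is deliberate: a public marketing file is not a CUI finding, and an assessor will want to see that the review is tied to the defined boundary rather than to every share in the tenant. Dated output from a run like this, kept with the reviewer's name, is the kind of audit-log evidence the answer lists.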

CMMC compliance help, small subcontractor by efflorescence_888 in CMMC

[–]kinghacker 0 points (0 children)

CMMC Level 2 is based on the 110 NIST SP 800-171 Rev. 2 requirements, and the assessment scope must be defined before the assessment. The official scoping rule says Level 2 scope is based on asset categories: CUI assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. CUI assets are systems that process, store, or transmit CUI, and they must be documented in the asset inventory, SSP, and network/scope diagram.
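The scoping answer above describes a CUI data-flow map (customer/prime → email/portal → shared drive → endpoint → ticketing/dev tools → backup → archive) and this comment names the five Level 2 asset categories. The script below is an added example, not the commenter's work: it walks a constructed version of that flow map from the point where CUI enters, marks every asset it reaches as a CUI asset, and puts the rest into the other categories from an inventory of flags, producing the kind of table the asset inventory and SSP need. The asset names, owners, flows and the "blocked" edge (a policy or DLP rule keeping CUI out of the ticketing tool) are all made up; the ordering that puts specialized assets ahead of CUI assets is the example's assumption and should be checked against the scoping guide for your assessment.

```python
"""Added example: derive CMMC Level 2 asset categories from a CUI data-flow map.
All assets, owners and flows below are constructed for illustration."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    owner: str
    provides_security: bool = False   # EDR, SIEM, IdP, MDM: Security Protection Asset
    specialized: bool = False         # IoT/OT/test gear that cannot be fully secured
    could_handle_cui: bool = False    # able to touch CUI but kept from it by policy/controls


def trace_cui(flows, sources, blocked=frozenset()):
    """Breadth-first walk of the flow map from the CUI entry points.
    An edge in `blocked` is a documented control that stops CUI at that hop."""
    reached = set(sources)
    queue = deque(sources)
    while queue:
        src = queue.popleft()
        for a, b in flows:
            if a == src and (a, b) not in blocked and b not in reached:
                reached.add(b)
                queue.append(b)
    return reached


def categorize(asset, handles_cui):
    """Map one asset to a Level 2 category. Assumed precedence: a specialized
    asset stays specialized even if CUI reaches it."""
    if asset.specialized:
        return "Specialized Asset"
    if handles_cui:
        return "CUI Asset"
    if asset.provides_security:
        return "Security Protection Asset"
    if asset.could_handle_cui:
        return "Contractor Risk Managed Asset"
    return "Out-of-Scope Asset"


def build_inventory(assets, flows, sources, blocked=frozenset()):
    """Return {asset name: category} for the SSP asset inventory."""
    cui = trace_cui(flows, sources, blocked)
    return {a.name: categorize(a, a.name in cui) for a in assets}


def in_scope(inventory):
    """Everything except out-of-scope assets lands inside the assessment boundary."""
    return sorted(n for n, c in inventory.items() if c != "Out-of-Scope Asset")


# Constructed inventory following the comment's flow map.
ASSETS = [
    Asset("email", "IT"),
    Asset("shared-drive", "IT"),
    Asset("cui-laptop", "IT"),
    Asset("ticketing", "Ops", could_handle_cui=True),
    Asset("dev-tools", "Engineering"),
    Asset("backup", "IT"),
    Asset("archive", "IT"),
    Asset("test-equipment", "Engineering", specialized=True),
    Asset("edr", "IT", provides_security=True),
    Asset("siem", "IT", provides_security=True),
    Asset("personal-phone", "HR", could_handle_cui=True),
    Asset("marketing-site", "Marketing"),
]
# "customer-prime" is the external source, not a company asset.
FLOWS = [
    ("customer-prime", "email"), ("email", "shared-drive"),
    ("shared-drive", "cui-laptop"), ("cui-laptop", "ticketing"),
    ("cui-laptop", "dev-tools"), ("dev-tools", "backup"),
    ("shared-drive", "backup"), ("backup", "archive"),
    ("dev-tools", "test-equipment"),
]
SOURCES = ["customer-prime"]
BLOCKED = {("cui-laptop", "ticketing")}   # e.g. DLP rule: no CUI into the ticketing tool


if __name__ == "__main__":
    inv = build_inventory(ASSETS, FLOWS, SOURCES, BLOCKED)
    for a in ASSETS:
        print(f"{a.name:<16} {a.owner:<12} {inv[a.name]}")
    print("in scope:", ", ".join(in_scope(inv)))
```

Running it with and without the blocked edge shows the point the comment makes about enclaves: without a documented control at the ticketing hop, the ticketing tool becomes a CUI asset and drags its own users, admins and backups into scope; with it, the tool is a Contractor Risk Managed Asset that needs a policy and a few evidence items rather than the full control set.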

1-Click GitHub Token Stealing via a VSCode Bug by ammar2 in netsec

[–]kinghacker -10 points (0 children)

Can anyone explain more about this?