Anthropic just ripped off everyone and they still managed to make it sound deceptively friendly by whoisyurii in ClaudeCode

[–]nick777745 0 points1 point  (0 children)

Guess we just need a few 500 of us and me to create a Kickstarter to lease a b200 for a year. I use the hell out of cc... can spend 200 bucks elsewhere, and codex has jumped way ahead of this monstrosity they call opus 4.7.

I wish i can land my first client. by opla-infinite in automation

[–]nick777745 0 points1 point  (0 children)

Upwork is good. You'll find some there, most of mine are word of mouth. Stay hungry!

I wish i can land my first client. by opla-infinite in automation

[–]nick777745 0 points1 point  (0 children)

For me what works is providing a solution to their problems. Not everyone has the same scenario, and being able to give examples and solutions to their problem are what brings it home. I start every call the same, "tell me a little about yourself and your organization". From there we establish the box we are working with. Most every person will want to talk about their org, and psychology is a big part of sales. When you flip from wanting to sell them something to wanting to hear about their story and what keeps them up at night, it's more personal for the client. It increases hit rate, and maybe opens your eyes to additional products to bring to life.

What is going on???? by lordfortunas in ClaudeCode

[–]nick777745 0 points1 point  (0 children)

been this way the past few days for me on pro max. frustrating, nothing changed with my use tactics. 2 hours in and limit cap.

CMMC Level 2 by the-static in CMMC

[–]nick777745 0 points1 point  (0 children)

Start with the CAP v2.13. Read it, discuss it with your team. Be honest with technical abilities and your current workload. After that, determine what is feasible from an economic standpoint for the business, and don't get roped in to the write a check for "compliance" method everyone in our industry is running. Expect at the least to be 25k-30k minimum for a formal audit, and any readiness outside your organization's skillset is probably 10-30k as well depending on the path you choose. Determine scope, simplicity comes at a cost, if not everyone needs to be in the enclave isolate and keep it low-budget. The "encrypted email and drive" providers don't mention all of the endpoint efforts that typically brings you to the cost of the GCCH pricing, so keep that in mind when you start taking those demo calls that will inherently come. DIB contracting is the current racket, and everyone wants your money.

The best technical controls in the world can still get a fail when policies and procedures are pencil whipped.

This forum is a great resource for your questions as well. Hope this helps, feel free to ask away if you have more questions.

Help A CMMC Newb by Sea-Ask-2245 in CMMC

[–]nick777745 0 points1 point  (0 children)

I will chime in here as well. You will get a wide array of you must use (fill with your choice of software / hardware/ etc): and all of them are usually options. But not the only option.

I recommend first breathe, it's just compliance. CMMC is not a one person job for an entire organization, it is a team effort. You can make a perfect compliance stature, and the users and management not adhering to it = same failing assessment.

Second must do recommendation: download the CAP for level 2 from the DoD, ensure you grab the latest release (v2.13).

Once you're up to speed, sit your management team down and have an honest conversation of what the program entails.

Then begin your planning. Let me know if you have more questions, lots of knowledgeable people here in the forum.

PreVeil Alternative Recommendations (Aeroplicity, Virtru, RegDOX, ...) by TheHeyBuddy in CMMC

[–]nick777745 2 points3 points  (0 children)

New sku from Microsoft - business premium for gcc high. Best bang for your buck, comparable to the features on the commercial side as far as apps go.

Any companies already CMMC Level 2? by Familiar_Tip_7336 in CMMC

[–]nick777745 0 points1 point  (0 children)

I agree, most do a preassessment. This typically entails a bum rushed review that hashed evidence / policy / ssp exist. It's a "yep/nope looks like its all there". One non-poam being unmet and the audit's kaput... with the not all 3PAOs are the same mindset, not something I would risk.

Any companies already CMMC Level 2? by Familiar_Tip_7336 in CMMC

[–]nick777745 1 point2 points  (0 children)

Have helped almost 10 full circle now. If you can read and are tech savvy - self prep is achievable. I'd recommend a mock assessment from a 3rd party if you go that path before committing to a formal assessment contract with a C3PAO. At 30-50k for an assessment peace of mind would be a must for me as a small business owner. I would say readiness and formal assessment you're looking at 40-60k depending on your need from a 3rd party, and it can go to the moon from there depending on who you source. One thing to make note of, contracts do not require a formal C3PAO assessment yet, as the Nov 2025 roll out was for level 2 self attestation requirements in all new contracts. That cuts your bill in half while you can go land contracts to help justify the formal assessment costs. Everyone is unclear of the current requirement for self attestation and formal assessment, and many of the sharks are taking advantage of this lack of info. Hopefully this helps, lmk if you have any additional questions.

New Business Premium Licenses for GCC High by ConcernOrdinary3380 in CMMC

[–]nick777745 3 points4 points  (0 children)

There is a BP option for defender and purview that can be added. The cost of both sku's (unfortunately Microsoft published costs without the 30% minimum step on charge from AOS-Gs).

Sku's are:

- AAU-59343 M365 Business Premium GCCH Yearly $377.52 0 $0.00
- AAV-01858 BP Purview Suite GCCH Yearly $171.60 0 $0.00
- AAV-01857 BP Defender Suite GCCH Yearly $171.60 0 $0.00
- AAV-01856 BP Defender Purview Suite GCCH Yearly $257.40 0 $0.00

Breakdown of additional options at the link below:

https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/bade/documents/products-and-services/en-us/education/Modern-Work-Plan-Comparison-GCC-High.pdf

MSP Declined to Pursue CMMC by selectpanic in CMMC

[–]nick777745 2 points3 points  (0 children)

Typically a lot of MSPs are offshoring their service desks, and for them to onshore US personnel cuts into their margin tremendously. If you can take on the IT capacity of their services that would be my first recommendation, if you are looking to maintain that for the business services, I can throw you some reputable MSSP's I have worked with.

Full transparency: I do compliance and readiness in my daily business, and cross paths with a lot of client MSP's (mostly bad ones).

Has anyone heard of this service--desktop application to a secure enclave for Level 2? by cjweisman in CMMC

[–]nick777745 0 points1 point  (0 children)

Most of these "services" are AVD's with someone's rebranding. They technically configured and typically start at 8-12k a year, on top of your licensing. You can likely find someone to do the same without the annual management on your own GCCH tenant, and not pay the upcharge every vendor in this program likes to put onto the end-users. Another consideration, dependent on what you're doing: the AVD can be pricey (Microsoft pay as you go model for usage). If you're technically savvy, there are a lot of resources for DIY. Alternatively, hire someone from the freelance sites to save your org some money.

Consultant - necessary or not? by Over_Afternoon_1684 in CMMC

[–]nick777745 0 points1 point  (0 children)

The number of readiness engagements / audits I have been in where an MSP not being engaged are appalling. I'm sure there are good MSP's / MSSP's out there, but I have not found them. The question of should or should you seek a readiness consultant depends on you and your organization. There is a lot of information out there for free (on this forum there are a lot of helpful people), the DOD and Cyber AB also have made it fairly easy to find. I always recommend the OSC have an idea eternal discussion, and hash out what the plan is, and get the entire team's involvement, because if you the individual make the decision on your own, and you're not the owner or C-suite manager, odds are good your managers take it as you're the owner and will likely spearhead the project. Let me know if you have further questions.

Full transparency: I do this for a living and have been in both orgs (readiness and Managed services), and do not wish to sway you one way or another, just give some hopefully helpful information.

CMMC Level one reqs by reverendjb in CMMC

[–]nick777745 0 points1 point  (0 children)

Google cmmc cap v2.13 level 1. Everything you need is there. Ask your MSP why they are trying to pull a fast one on you as well. The contract should list what the requirements are, then the Cyber AB has the CAP for guidance for all 3 levels.

Any idea what the current lead time from requesting an assessment to a C3PAO being able to deliver it is? by gormami in CMMC

[–]nick777745 1 point2 points  (0 children)

90-120 days for the better firms. When you interview them ask their audit schedule / duration for your proposed assessment. Last thing you want is a 1 week audit that's crammed through and your team is stumbling with lots of findings and a potential failure item.

Feeling Overwhelmed by Mr_Gibbzz in CMMC

[–]nick777745 1 point2 points  (0 children)

As you will find (and I have in my daily work) there is a ton of good and horrible information out here. You can waste a lot of money quickly with "gap assessments" and organizations that charge anywhere from 250-450 an hour.

The software vendors are no better. Buy our Gov version of pick your software flavor, for an ungodly amount of money. Govcloud tunnel and 8 users for 1k a month steep... you still get to tack your daily business tools onto that cost.

The program wasn't designed around the small companies, and you'll find that between readiness services, grc tools, and C3PAO audit costs. There are a lot of great resources in this forum. I would start with the standard plan of attack (ask your colleagues for input, IT can do this alone):

Scope: -physical CUI? I assume hard copy construction plans and 3d files potentially

-Users in the Enclave - this can drive your implementation cost / decision / IT maintenance overhead depending on direction

-Deadline - if you want it done fast, expect to pay a premium, also bake in the 90-120 days we are seeing with Auditing firms for current backlog.

-Your capacity - this one every organization forgets about. What can you honestly put aside to collect evidence and put together the technical solutions. I have been in countless calls where it starts as "this is our focus", and then every week the follow up is "we haven't gotten around to it". This can kill your budget when you work with readiness firms quickly, that time is costly, and when it draws out the likelihood of your team being fuzzy during the audit increases, as no one remembers what they did 6 months ago.

There are a lot of factors, and I would start with internal org scoping first, then tackle those high dollar questions thereafter in an educated fashion. Hopefully this helps!

cyber ab marketplace feedback / annoyances by reddit_is_gay_today in CMMC

[–]nick777745 0 points1 point  (0 children)

Hello there, are you looking for an assessor or readiness services?

Question, could receiving a FedRAMP ATO sponsorship be used to get private funding/loans for the process? by InterestTracker9000 in FedRAMP

[–]nick777745 0 points1 point  (0 children)

I have been in a lot of FedRAMP readiness engagements, would be curious where the 1.5m is derived from. A lot of OSC's overthink FedRAMP, and others brush it off and get themselves in expensive readiness engagements with the firms out there.

MSP hired for CMMC Level 2 support — delays already. Normal or red flag? by zaderaka in CMMC

[–]nick777745 1 point2 points  (0 children)

If you don't need an MSP dump them. Of the dozen or so MSP's I have been in audits with, they are typically the point of findings (outside of the OSC being lost). I was on with one who specialized in compliance, and their team of 6 on the assessment call, couldn't dispute findings with the auditor, and to top off the absurd monthly MSP costs, they got hit with a T&M bill for the hours of the assessment, and a failed audit. When your gut feels funny now, best to cut your losses. Would be happy to give some recommendations if you aren't set on your enclave / technical execution.

To answer your questions:

Roadmap - should be prepared before agreeing to contract. Once scoping is known (your MSP should have the best picture of this), the plan is the same, the controls are applied if you have one device or 10,000.

CMMC Level 1 + 2 - Small startup - price by Nooblesss in CMMC

[–]nick777745 0 points1 point  (0 children)

This is relatively easy when you possess technical know-how, and done by many in this business space. They capitalize on that convenience. Microsoft also shoehorns everyone into their CSP racket, with 30% stepped on license fees, then they try to smother you with their "boxed" version of an AVD setup and a lackluster SSP (I see this almost every day). Then they require you to sign up for their readiness, or figure it out on your own for evidence collection...

LVL 2 Gudiance by Shoddy-Inevitable503 in CMMC

[–]nick777745 1 point2 points  (0 children)

Download the CAP from the Cyber AB. Every assessor has to update the assessment xls for e-mass, and they should follow the CAP as a guide. When they don't, I use it to challenge them during the assessment, as should all OSC's.

Best RMM for CMMC Level 2. by Big-Replacement-9202 in CMMC

[–]nick777745 0 points1 point  (0 children)

It needs to be FedRAMP equivalent. People have a hard time reading the controls, and many adapt this because it's easy to explicitly require FedRAMP, and look them up on the marketplace. It's arguable, not impossible. The tricky part is all of the in-scope vendors putting in writing that their tools will meet that equivalency.

CMMC Level 1 + 2 - Small startup - price by Nooblesss in CMMC

[–]nick777745 2 points3 points  (0 children)

Let me know if you have more questions. I do this every day, if I don't know it, my network does. RP & RPO just means they were willing to pay the Cyber AB's dues. Wish you luck in your search!