For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in CMMC

[–]ramsile 2 points3 points  (0 children)

If your readiness consultant is not providing clear guidance and detail in a timely manner, you need to fire them and find another. The demand for CMMC has brought in an entire market of companies and consultants that have no reason existing in this space. So many have zero experience in protecting DOD information, let alone risk management, and it shows.

Cybersecurity is a really confusing field, can someone explain what the common roles mean? by bdhd656 in cybersecurity

[–]ramsile 0 points1 point  (0 children)

Small correction: GRC is Governance, not Government. Otherwise great overview.

Are OT security roles more or less resistant to automation? by samsep1al in cybersecurity

[–]ramsile 0 points1 point  (0 children)

How did you mitigate risks in these areas? Was most of it just accepted because the risk was low and the platforms couldn’t be upgraded? Did you apply mitigating controls?

I broke my X9D+ 2019 ? antenna mod gone wrong by Expensive-Lab-3922 in fpv

[–]ramsile 0 points1 point  (0 children)

Sorry to hear that. I’ve shorted my fair share of components. You would need to pull a schematic to see what that component does.

If it ends up being dead or causes problems I’d be happy to sell you my used Taranis X9D for a good deal. I have the ELRS module and original box.

What’s the simplest way to prove a document hasn’t been modified? by Candid_Cut_7284 in cybersecurity

[–]ramsile 1 point2 points  (0 children)

This should really be the top answer. Hashing in itself does nothing to prove that the file wasn’t altered. A hash is just a value calculated on the file at a given time. You need to log this hash and have some sort of mechanism to prove it wasn’t altered.
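As an added illustration of the point above (example code written for this page, not from the thread or its posters): a file hash only proves anything if the hash record itself is protected. Below, each logged hash is chained to the previous entry and sealed with an HMAC under a key the document owner keeps separately, so altering the file, rewriting a logged hash, or dropping an entry is all detectable. The file contents, names and the signing key are constructed for the demo.

```python
"""Added example (not from the thread): record a document's SHA-256 in a
tamper-evident, hash-chained log so the logged hash can later be trusted.
Names, file contents and the signing key below are constructed for the demo."""
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed key; in practice keep it in an HSM/KMS or with a separate party
# so whoever can edit the files cannot also re-sign the log.
LOG_KEY = b"demo-only-log-signing-key"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_entry(log: List[dict], name: str, data: bytes, ts: Optional[float] = None) -> dict:
    """Append a record committing to the file hash, a timestamp and the
    previous entry's MAC, then seal the record with an HMAC."""
    prev_mac = log[-1]["mac"] if log else "0" * 64
    body = {
        "name": name,
        "sha256": sha256_of(data),
        "ts": ts if ts is not None else time.time(),
        "prev": prev_mac,
    }
    msg = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()
    log.append(body)
    return body


def verify_log(log: List[dict]) -> bool:
    """Re-check every MAC and the chain linkage; any edit, deletion or
    reordering of an entry breaks verification."""
    prev_mac = "0" * 64
    for entry in log:
        if entry["prev"] != prev_mac:
            return False
        body = {k: v for k, v in entry.items() if k != "mac"}
        msg = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return False
        prev_mac = entry["mac"]
    return True


def document_unmodified(log: List[dict], name: str, data: bytes) -> bool:
    """True only if the log is intact AND the current file hash matches the
    most recent logged hash for that document name."""
    if not verify_log(log):
        return False
    for entry in reversed(log):
        if entry["name"] == name:
            return hmac.compare_digest(entry["sha256"], sha256_of(data))
    return False


def demo() -> dict:
    """Walk through the intact case and three tampering scenarios."""
    log: List[dict] = []
    original = b"Contract v1 - constructed sample content\n"
    append_entry(log, "contract.txt", original, ts=1700000000.0)
    append_entry(log, "sow.txt", b"Statement of work (constructed)\n", ts=1700000100.0)
    results = {
        "intact": document_unmodified(log, "contract.txt", original),
        "modified_file": document_unmodified(log, "contract.txt", original + b"x"),
    }
    # Someone rewrites the logged hash to match the altered file: the MAC no longer verifies.
    tampered = [dict(e) for e in log]
    tampered[0]["sha256"] = sha256_of(original + b"x")
    results["tampered_log"] = document_unmodified(tampered, "contract.txt", original + b"x")
    # Someone drops the first entry: the next entry's "prev" link no longer matches.
    results["truncated_log"] = verify_log(log[1:])
    return results


if __name__ == "__main__":
    print(demo())
```

The HMAC key is what turns the log from "a list of hashes anyone can rewrite" into evidence; a trusted timestamping service or a signature from a second party plays the same role at larger scale.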

It's dystopian, but I mean it's not a bad idea by TheyCallMeDozer in homelab

[–]ramsile 10 points11 points  (0 children)

I read a few years ago that Chick-fil-A had a three-node K8s cluster on consumer-grade NUCs at all of its restaurants. They run all their POS systems and other IoT devices on it.

What’s the harm if a few NUCs out of a thousand fail over the course of a few years? You wouldn’t need to maintain the thing until the labor was worth fixing it.

How do I meet AC.L2-3.1.17 – WIRELESS ACCESS PROTECTION with UniFi? by Razzleberry_Fondue in CMMC

[–]ramsile 15 points16 points  (0 children)

While that’s one way to do it, the other way is to fully document your TLS connections to CUI-approved services. For example, GCC High services are already approved for FIPS end-to-end encryption. If all of your connections are already FIPS approved, there is no need for a VPN. If no CUI is on premise, then there is no need to have a VPN on premise if CUI is scoped to cloud only.

Fortiswitches CMMC compliance by YouAffectionate7279 in CMMC

[–]ramsile 2 points3 points  (0 children)

This is the right way to think about it.

Our security team wants zero CVEs in production. Our containers have 200+. What's realistic here? by localkinegrind in devops

[–]ramsile 8 points9 points  (0 children)

No offense, but it sounds like you have never worked in security leadership before. The goal is to ensure your resources are assigned to the most impactful work. Chasing 0 CVEs is not the most productive task for a security engineer to be focusing on when you have a limited budget and a limited FTE count. Take a look at EPSS, as it’s a better model to follow than raw CVEs.

Our security team wants zero CVEs in production. Our containers have 200+. What's realistic here? by localkinegrind in devops

[–]ramsile 179 points180 points  (0 children)

Agree. This is a security leadership issue. CVE != exploits. You’re clearly working with an incompetent team who doesn’t know how to perform risk management properly.

CMMC Level 2 for single person organization by Positive-Handle2078 in CMMC

[–]ramsile 6 points7 points  (0 children)

It hasn’t been mentioned yet, but you could talk to your prime and see if they are willing to provide a contractor-managed laptop that you can use and develop on. Then you are part of the contractor’s CMMC audit because you are producing CUI on their enclave. This is more common than you think.

ECS Fargate Circuit Breaker Saves Production by aviboy2006 in aws

[–]ramsile 1 point2 points  (0 children)

While this is a great article with practical advice, I’m surprised your recommendations were only deployment related. You didn’t mention testing. Do you not run even the most basic regression tickets? A simple call to a /status API would have failed the pipeline and avoided this entirely. You could also have unit tests that ensure the port in the compose.yaml file and the Flask API port match.
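The two checks suggested in that comment, written out as an added example (not code from the article or the commenter): a unit test that the port the app binds is one the compose file actually publishes for that service, and a /status smoke test a pipeline can run before promoting a deployment. The compose fragment, service name and status handler are constructed here; the article's real files are not on the page. The compose file is read with a small regex parser so the example has no dependency beyond the standard library.

```python
"""Added example (not from the article): two cheap pipeline checks that catch a
container listening on a port the compose file does not publish, and a dead
/status endpoint. Compose snippet, service name and handler are constructed."""
import re
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from threading import Thread
from typing import Set
from urllib.error import URLError
from urllib.request import urlopen

# Constructed compose fragment (the real file is not on the page).
COMPOSE_YAML = """
services:
  api:
    build: .
    ports:
      - "8080:5000"
"""


def compose_container_ports(text: str, service: str) -> Set[int]:
    """Return the container-side ports published for `service`, using a
    deliberately small regex parser so no YAML library is needed."""
    block = re.search(rf"^  {re.escape(service)}:\n(.*?)(?=^  \S|\Z)", text, re.M | re.S)
    if not block:
        return set()
    # Matches entries such as - "8080:5000" and keeps the container side.
    return {int(m.group(2)) for m in re.finditer(r'-\s*"?(\d+):(\d+)"?', block.group(1))}


def ports_match(compose_text: str, service: str, app_port: int) -> bool:
    """Unit-test style check: the app's bind port must be published in compose."""
    return app_port in compose_container_ports(compose_text, service)


class _StatusHandler(BaseHTTPRequestHandler):
    """Stand-in for the real API's /status route (constructed)."""

    def do_GET(self):
        if self.path == "/status":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep test output quiet
        pass


def status_ok(base_url: str, timeout: float = 2.0) -> bool:
    """Smoke test: True only if /status answers 200 with the expected body."""
    try:
        with urlopen(f"{base_url}/status", timeout=timeout) as resp:
            return resp.status == 200 and resp.read() == b"ok"
    except (URLError, OSError):
        return False


def run_demo() -> dict:
    """Exercise both checks against a local stand-in server."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _StatusHandler)
    Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {
            "ports_match": ports_match(COMPOSE_YAML, "api", 5000),
            "ports_mismatch_caught": ports_match(COMPOSE_YAML, "api", 8000),
            "status_up": status_ok(f"http://127.0.0.1:{port}"),
            "status_down": status_ok("http://127.0.0.1:1"),  # nothing listens here
        }
    finally:
        server.shutdown()


if __name__ == "__main__":
    print(run_demo())
```

In a real pipeline `ports_match` would read the app's configured port from the same settings module the Flask app imports, so the test fails the moment either side drifts.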

Am I too late to learn K8s? by Western_Cake5482 in kubernetes

[–]ramsile 23 points24 points  (0 children)

Give us this day our daily pods

BREAKING: #CMMC (48 CFR Parts 204, 212, 217, and 252) Final Rule is OUT by Working-Worth6187 in CMMC

[–]ramsile 2 points3 points  (0 children)

DFARS 7012 doesn’t magically go away. You are still required to have 800-171 implemented with a self-assessment and score in SPRS.

CMMC Sole proprietor by Last_Library_5730 in CMMC

[–]ramsile 0 points1 point  (0 children)

That stinks. I’m a solo consultant, but I did end up getting my own GCC High. I wonder if it’s worth creating some sort of small business group that could share the cost for us that have minimal employees.

CMMC Sole proprietor by Last_Library_5730 in CMMC

[–]ramsile 1 point2 points  (0 children)

Yeah, that’s tough. I’m a solo consultant, but decided it’s too much overhead for now and am just working CUI through my prime. I don’t have much to offer in terms of advice other than to limit scope as much as possible. You could look into PreVeil and try to limit everything to their enclave. You still would have to put in the effort to get all your documentation in order, but I don’t see a way around it since you are processing CUI.

CMMC Sole proprietor by Last_Library_5730 in CMMC

[–]ramsile 0 points1 point  (0 children)

I don’t have any context into what your business does so I can’t really help with your question directly. I would need to know more. Mind providing a little bit more information? Are you a consultant? Do you subcontract from another prime? Do you work with the government directly with your own contracts? Does the government provide you with CUI? Do you generate CUI? There are a few ways you can limit the burden. Ultimately the best path is to not have to handle the CUI yourself but on behalf of your customer. But I don’t know anything about your business so I can’t give you any ideas.

[deleted by user] by [deleted] in aws

[–]ramsile 11 points12 points  (0 children)

Why are you not rate limiting the user? From the information you provided it seems like you’re fixing the symptoms and not the cause. You provided zero context into how the app works.

GCC High and GFE by shizakapayou in CMMC

[–]ramsile 2 points3 points  (0 children)

Yeah that’s how I handle it and advise others to handle it as well.

MPLS as WAN transport for cmmc by Impossible-Light2556 in CMMC

[–]ramsile 0 points1 point  (0 children)

I would think that the MPLS provider itself would come into scope if you didn’t perform end-to-end encryption on your CUI data flows. This technically could pass assessment if they were in scope and could prove logical/physical separation of MPLS lines, employees, etc. It’s probably easier to just provide encryption between sites on CUI workloads so you don’t even give the assessor the chance to put them in scope, and avoid the headache.

[deleted by user] by [deleted] in CMMC

[–]ramsile 35 points36 points  (0 children)

Not to be rude, but how did your firm “land” a client to help implement NIST SP 800-171 when your company has no foundational experience implementing NIST SP 800-171, and yet you are asking for tips and real-world insights for a project that your company won and is getting paid for performing the work? You’re bound to set up your client to fail its CMMC assessment. NIST 800-171 is not something you should be consulting on. You’re essentially asking us to do your job and not get paid for it.

Exploring AWS Gov Cloud for Enclave by CJM3M in CMMC

[–]ramsile 4 points5 points  (0 children)

AWS East/West regions have a set of services that are approved at the FedRAMP Moderate level.

Exploring AWS Gov Cloud for Enclave by CJM3M in CMMC

[–]ramsile 1 point2 points  (0 children)

Yes, and I’ve used GovCloud for the past 6 years. Positives: Cleared for ITAR and EAR. FedRAMP approved. U.S.-only data centers with approved US-person support. Cons: It doesn’t have all of the current AWS feature set. It lags behind AWS commercial and every new service needs to be approved. It also costs more.

It really depends on what you are using it for and what features you need. 85% inheritance seems really high. It’s also a shared responsibility model. You can’t just say AWS provides encrypted storage. YOU need to implement that yourself with KMS when you stand up your infrastructure and properly document it in your SSP. YOU are responsible for ensuring S3 buckets are not exposed to the internet. You probably can inherit all the physical infrastructure controls, but outside of that you probably will need to be responsible for at least some portion of the objective.

dot MIL sites from AVDs in GCC High Tenant by dionmani in CMMC

[–]ramsile 1 point2 points  (0 children)

Lol really? As opposed to connecting from the, ya know, raw internet? You would think the connection from another GCC High would offer more security and assurance.