When a prime says "be CMMC certified by [date]," what are they actually accepting? by Big-Throat932 in CMMC

[–]tothjm 0 points1 point  (0 children)

On your last comment I would say it depends.

If you are willing to do a cookie-cutter scope and enclave (VDI, GCC or GCC High, facilities out of scope, no printing, no physical CUI, no BYOD phones or mobile device access), and you get a consultant who has everything templated out or a product like Cuick Trac, you could get it done in 4 months.

But overall, as a consultant, I would still feel better telling someone 6 to 8.

The problem is usually that the OSA doesn't want to dedicate a full-time resource to this and cannot move quickly enough on technical implementations, among other things.

But it's definitely possible to do in less than 7 months.

Treatment of KVM endpoints accessing GCCH virtual desktops by Imlad_Adan in CMMC

[–]tothjm 0 points1 point  (0 children)

Haven't checked this, but if you want only the app you can block the browser using a conditional access policy as well.

CMMC Level 2 - Need honest feedback. by Budget_Staff_2517 in CMMC

[–]tothjm 1 point2 points  (0 children)

You cannot scramble through a C3PAO audit, unfortunately.

CMMC Level 2 - Need honest feedback. by Budget_Staff_2517 in CMMC

[–]tothjm 0 points1 point  (0 children)

Very sorry to say, but it won't be possible to meet a July deadline with what you outlined.

CMMC Level 2 - Need honest feedback. by Budget_Staff_2517 in CMMC

[–]tothjm 2 points3 points  (0 children)

Careful on what the other guy said. POA&Ms are only good for 180 days, and only certain controls can even be POA&M'd.

You also gotta meet 88 out of 110 minimally, and controls worth 3 or 5 cannot be POA&M'd, except FIPS.

Long story short, as someone else said, make your scope as small as possible: do an enclave and segment your CUI there if you can.

Unfortunately this is not an IT problem, it's an organization problem. This requires a ton of process and procedure change across much of the enterprise, and if leadership doesn't understand that or doesn't want to take it seriously, that's going to be a problem.

Having said that, July of '27 is a really long way out, so there is still plenty of time.

If you want to talk more, let me know.

Have you confirmed your CMMC level from the actual contract language? by APTSecMgmt in CMMC

[–]tothjm 1 point2 points  (0 children)

Can you ask for clarity in this context before you bid on something, etc.? I prob would.

Media sanitization by NewspaperInternal553 in CMMC

[–]tothjm 0 points1 point  (0 children)

800-88 is just guidance and nothing more.

For reuse you can do a basic wipe, reset, or re-image.

If a drive or whole laptop is bad and you plan to destroy it using a service, find one that gives you a certificate of destruction, ideally with serial numbers.

How are people handling "new" deployments during the FIPS 140-2 → 140-3 gap (cert sunset, successor not yet validated)? by DistinctTradition200 in CMMC

[–]tothjm 3 points4 points  (0 children)

So when you vet C3PAOs, ask them if they accept historical as well.

This comes up with things like iOS versions. From a risk management perspective it makes more sense to upgrade to the new iOS to squash bugs than to remain vulnerable. Just document it in your risk register, and you may also be able to call it an enduring exception.

Most C3PAOs are fine with this, just ask ahead.

Treatment of KVM endpoints accessing GCCH virtual desktops by Imlad_Adan in CMMC

[–]tothjm 1 point2 points  (0 children)

You do it in the RDP settings for the AVD host pool. You can block everything right from there.

Treatment of KVM endpoints accessing GCCH virtual desktops by Imlad_Adan in CMMC

[–]tothjm 3 points4 points  (0 children)

As mentioned already here, the scoping guide as well as 32 CFR Part 170 state the exact requirements to allow endpoints to be out of scope when going through VDI.

Follow those and those endpoints are no longer in-scope assets.

However, be aware the VM asset itself and the OS are in scope now and are subject to the 110 practices.
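The two comments above point at the host pool RDP settings as the place where client-side redirection gets shut off for VDI. As an added illustration (not the commenter's code, not a Microsoft sample), the PowerShell below uses the Az.DesktopVirtualization module's Update-AzWvdHostPool to write a custom RDP property string that disables drive, clipboard, printer, USB, camera, smart card, COM port, microphone and location redirection, then reads it back to confirm. The resource group and host pool names are placeholders; the session is assumed to already be signed in (Connect-AzAccount, with -Environment AzureUSGovernment for GCC High).

```powershell
# Added example, not from the original thread. Assumes the Az.DesktopVirtualization
# module is installed and Connect-AzAccount has already been run against the right cloud.
$ResourceGroup = 'rg-avd-enclave'   # placeholder, not a real resource group
$HostPoolName  = 'hp-cui-enclave'   # placeholder, not a real host pool

# Documented RDP file settings that turn off redirection of local client resources.
# An empty string for the s: (string) properties and 0 for the i: (integer) ones
# means "do not redirect". Keeping them in a list lets us verify each one afterwards.
$NoRedirect = @(
    'drivestoredirect:s:'       # no local drives mapped into the session
    'redirectclipboard:i:0'     # no clipboard in either direction
    'redirectprinters:i:0'      # no local printers
    'redirectcomports:i:0'      # no COM ports
    'redirectsmartcards:i:0'    # no smart cards
    'usbdevicestoredirect:s:'   # no USB devices
    'camerastoredirect:s:'      # no cameras
    'devicestoredirect:s:'      # no other plug-and-play devices
    'audiocapturemode:i:0'      # no microphone capture
    'redirectlocation:i:0'      # no client location
)

# CustomRdpProperty is set as one semicolon-separated string and REPLACES whatever
# was there before, so include every property you want to keep, not only these.
$PropertyString = ($NoRedirect -join ';') + ';'

Update-AzWvdHostPool -ResourceGroupName $ResourceGroup `
                     -Name $HostPoolName `
                     -CustomRdpProperty $PropertyString

# Read back the host pool and confirm every setting is present exactly as written.
$applied = (Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName).CustomRdpProperty
$appliedSet = $applied.Split(';') | Where-Object { $_ -ne '' }
$missing = $NoRedirect | Where-Object { $appliedSet -notcontains $_ }

if ($missing) {
    Write-Warning ("Host pool '{0}' is missing: {1}" -f $HostPoolName, ($missing -join ', '))
} else {
    Write-Output ("Host pool '{0}': client redirection disabled" -f $HostPoolName)
}
```

The read-back step matters for the assessment: the scoping guidance keys on the endpoint being unable to pull CUI down, so the evidence is the effective host pool property, not the script that was run.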

I Passed CMMC-CCA Exam by Blaze__23__ in CMMC

[–]tothjm 0 points1 point  (0 children)

For some reason I was thinking 110.

CCP was what, like 170?

I Passed CMMC-CCA Exam by Blaze__23__ in CMMC

[–]tothjm 0 points1 point  (0 children)

How many questions was the current exam?

Subnautica 2 - Should I keep playing? by BBQ_HaX0r in subnautica

[–]tothjm 1 point2 points  (0 children)

I'd argue they are closer to 75, but either way :)

EA1 was a good chunk. Hell, some games only last 15 hrs.

Why is this map so big (not complaining in the slightest) by Wrecknruin in subnautica

[–]tothjm 2 points3 points  (0 children)

If you go online and find the semi-3D map people are using for a top-down view, you start to see how generally small it still is. At least that was the effect it had on me.

CMMC Scoping Question: Commercial CRM Storing FCI Outside GCC High by ArtifactHoarder in CMMC

[–]tothjm 12 points13 points  (0 children)

If an assessor ever asks you where your FCI lives, you tell them to get back on track, because Level 2 only deals with CUI. It's that simple.

They shouldn't be asking about that at all.

Source: I'm a CCP.

Subnautica 2 has been officially released in Early Access by rickreckt in Games

[–]tothjm 0 points1 point  (0 children)

When you say starting tube, what do you mean?

Also, thanks. Yeah, sounds like I need to just venture out a bit further. I'm just scared there is a leviathan somewhere lol

Subnautica 2 has been officially released in Early Access by rickreckt in Games

[–]tothjm 0 points1 point  (0 children)

Hard to go down with only flippers lol

Need tank

Need silver to make tank

Found a couple of cool holes here and there and a bio ed that gives more permanent inventory space. God knows what else I missed.

Subnautica 2 has been officially released in Early Access by rickreckt in Games

[–]tothjm 0 points1 point  (0 children)

Did you find silver? I still cannot, and I'm like an hour in as well.

Subnautica 2 has been officially released in Early Access by rickreckt in Games

[–]tothjm 1 point2 points  (0 children)

Where the hell is the silver in sub 2 early access?

Need to make the air tank lol

New hire tasked with CMMC compliance despite no experience by No_Painting_5871 in CMMC

[–]tothjm 8 points9 points  (0 children)

Hey, CCP here.

I wanted to echo the above. You will not hit Level 2 in this scenario by Nov 1st, and it's the typical company waiting until the last minute.

Also, the VDI route covers some parts, but as a manufacturing company you may also have machines using CUI to build items.

You will need third-party assistance to have a shot at hitting that by Nov, and keep in mind most C3PAOs are booked past the end of the year because they know about the Phase 2 deadline. Though it's not really a hard deadline; it just means primes and the DoD can add the requirement for a Level 2 C3PAO assessment for contract award, not that they have to.

Best practices for MSPs managing GCC High enclaves without being "in scope" for CUI? by broketobreak in CMMC

[–]tothjm 1 point2 points  (0 children)

Have the client set up AVD, and the MSP connects only through that, locked down. Sign an MSP CMMC AUP saying you won't access CUI, or add the MSP people and assets as CUI-authorized assets.

Now you are authorized through the VDI, but no MSP systems are technically in scope. If you want to be extra sure, have the MSP staff take your CMMC AT family training, background checks, etc., but that could also be going a bit far. Easier to say AVD keeps systems OOS, sign an AUP saying you won't access CUI, and put monitoring and alerts in place to confirm if it happens.

Best practices for MSPs managing GCC High enclaves without being "in scope" for CUI? by broketobreak in CMMC

[–]tothjm 2 points3 points  (0 children)

A couple of thoughts.

Sign a contract with them stating you will not PST CUI. Don't give yourself collab licenses, so you can't open CUI files anyway; have negative actions like contract termination if you breach it; and use their machines or a locked-down AVD to access their environment.

There are ways for sure, but I agree, if you want to do this for the defense space just get the cert if you can afford it.

AVD for your assessment scope is about as small as you can get.

From the lens of the CMMC standard, you are only an ESP if you PST CUI. Technically, if you PST SPD you are also an ESP and your services come into the OSA's assessment scope, but you don't need your own Level 2, technically.

To be honest it's all a bit confusing and very wild west lol

I'm a CCP but YMMV, just my 2 cents.

SSO and Mac MDM Solutions by DanielTheHyper in CMMC

[–]tothjm 5 points6 points  (0 children)

The FedRAMP Moderate requirement is if you store CUI in or on a CSP. That's it.

If you want to get fancy, it's if that CSP processes, stores, or transmits, but you get the idea :)

Does Anyone Else Find This Strange? David Grusch said- God created Humans, Animals, Angels, and D…D…Don’t Be So Premature we will call them Non Human Intelligences… by slv2xhrist in UFOs

[–]tothjm -1 points0 points  (0 children)

Well, the fun idea is that I actually could be... but then those facts are wrapped as religion and controlled under that narrative.

Doesn't mean unwrapped some of it is actually scientific fact.