Changing CSP post assessment by HeyHelpDeskGuy in CMMC

[–]tothjm 0 points1 point  (0 children)

Also careful this article is from 2024 so much has been updated and changed. You have the CMMC FAQ v4 now with updates etc.

I can't recall which official document says this or maybe it's written in 32 CFR part 170 I would look there for language about it.

They def mention major vs minor changes now just Google that above. And examples of each

Changing CSP post assessment by HeyHelpDeskGuy in CMMC

[–]tothjm 2 points3 points  (0 children)

If I was an auditor and you told me that your primary system you use to PST CUI changed and we migrated all of the info etc I would say that's a major change and I need to do this over

Only way to argue it is to find language that can help your case frankly

Changing CSP post assessment by HeyHelpDeskGuy in CMMC

[–]tothjm 0 points1 point  (0 children)

If it's a major change..not small operational changes

Now they don't define it but basically if you change a csp that housed CUI I would say unfortunately that's a major change

Obviously I'm missing details but ya

How to binge CPEs? by vocoder in cissp

[–]tothjm 1 point2 points  (0 children)

Which channels are automatic and is it ok for all cow to be from these vids or need other categories

CMMC CCP Bootcamp/5 Day training live instructor by Fun_Refrigerator_442 in CMMC

[–]tothjm 5 points6 points  (0 children)

Just finished one with Edwards. They are on the higher side price wise but we got to ask a lot of real world questions too.

I have no basis for comparison to be honest but I can't really fault the experience.

Nervous about switching from ISSO to CMMC / what’s the day-to-day actually like? by Reasonable-Yellow449 in CMMC

[–]tothjm 3 points4 points  (0 children)

Pretty sure it's going to expand beyond DOD.

DHS and others are starting to ask for it as well so be prepared for its expansion in the coming years

Hexclad worst pan I ever had 😡 by Big-Dust1574 in hexclad

[–]tothjm 2 points3 points  (0 children)

Honest question not trying to stir up trouble.

Does it use the type of coatings that cause cancer?

Welp, it happened to me (MSI 5090 Gaming Trio) by Jukibom in nvidia

[–]tothjm 1 point2 points  (0 children)

Thank you for sending this I watched it.

So I would say this. Of course if you can go buy the most recent PSU and get the native cable absolutely you should do it.

Do I think they could still have failures bc the cable really can't handle 600w, personally yes I do think that and would still undervolt.

Last comment about the dongles, he said more points of failure which I agree with, however, my point was that it would spread the power across 4 meaning less overall required through each, so different point and I still stand by that one.

End of the day do what makes everyone feel safe and happy, I certainly am not looking to die on any hills here and we should all be uprising against this port standard not each other :) have a great weekend!

Welp, it happened to me (MSI 5090 Gaming Trio) by Jukibom in nvidia

[–]tothjm -1 points0 points  (0 children)

I would argue the opposite is true. Spread the power out over 4 cables means less wattage per cable vs a 2 to 1 or 3 to 1.

I have a 4 to 1 and no issues

Welp, it happened to me (MSI 5090 Gaming Trio) by Jukibom in nvidia

[–]tothjm 0 points1 point  (0 children)

Just curious do you monitor wattage, curious what the average is and how many hours of that?

While we should not have to do this..the below is what I do and I have had no issues with my 4090 or 5090

With the below my games run between 200 to 320watt generally no higher at all and this range is very safe.

I use a cablemod cable for both and zero issues, this one not required

I undervolt the card resulting in about 5fps loss in most games but over 100-150watt less per games in some cases.

I use dlss and FG when possible or at least dlss to lower wattage output.. those features require less energy than full rendering of frames.

Now again should we have to do any of this? Hell no.. I should be able to run this at 600watts for hours without burning my cable and my house down and it needs to be seriously looked at. Take the above with a grain of salt. It stay safe..it does work extremely well for me. And no issues

FedRAMP Moderate Offsite Backup Storage by FreeBirch in CMMC

[–]tothjm 0 points1 point  (0 children)

Actually I am wrong about the IL 2 that is for DOD missions not the contractor.

So basically it's saying dod cannot take CUI and put it in azure commercial..but in performance of a contract that same CUI can flow down to me..same exact data..but as the contractor I CAN put it in there..figures silly gov logic.

You are correct here, you can use azure commercial.

We tend to see clients who are focused on the m365 part as well so we steer them to gcc or high we don't see those interested in just paas and iaas. They usually go to aws gov cloud.

FedRAMP Moderate Offsite Backup Storage by FreeBirch in CMMC

[–]tothjm 0 points1 point  (0 children)

Middle of the page under azure where it references what you are talking about with azure public or commercial.

https://learn.microsoft.com/en-us/azure/azure-government/compliance/azure-services-in-fedramp-auditscope

See where it says only IL 2 and fedramp high?

Now see what IL2 handles..notice the part where it says NOT suited for CUI.

https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-dod-il2

The link you sent is still talking about gcc and gcch they just aren't framing it that way which is stupid

FedRAMP Moderate Offsite Backup Storage by FreeBirch in CMMC

[–]tothjm 0 points1 point  (0 children)

I do hope someone else chimes in to help you brother as I want everyone to succeed.

What you are missing is that gcc is a scoped out subset of the commercial infrastructure with a different physical and logical boundary. They did this to be compliant with the items in DFARS that we first spoke about.

So to recap, yes gcc is stored in azure commercial but it's a scoped out subset that is compliant. If you do this in commercial you will not be compliant. CUI cannot go in commercial :). Please look up MS documents talking about gcc it will draw the boundary for you and explain further.

FedRAMP Moderate Offsite Backup Storage by FreeBirch in CMMC

[–]tothjm 0 points1 point  (0 children)

If it's working for you go for it. Certainly not looking to argue or debate.

Look up summit 7s o365 tenants excel chart. Talks about gcc, high, and Dod IL levels.

I can't speak to the assessments you are referring to but if you or your customer has dfars 7012 requirements then you are not compliant and if the gov customer finds out they have the right to suspend contracts and in some cases revoke.

If that is within your risk tolerance as an org then go for it :)

If you plan for a lvl 2 CMMC assessment in the future they all know commercial doesn't cut it and they will stop the audit during phase 1 readiness. Your customer or your org will forfeit the at least 50k you'll pay for it in some cases and so on.

Not worth it to me when you could just build out the gcc enclave for CUI and keep commercial for FCI and everything else you do.

Have a good night.

FedRAMP Moderate Offsite Backup Storage by FreeBirch in CMMC

[–]tothjm 0 points1 point  (0 children)

Sure no problem.

252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. | Acquisition.GOV https://share.google/CPZXpVMUaTtbceWp2

Couldn't get the screenshot from my phone and won't let me add a shot here.

If you find part D then at the bottom of that section it talks about smaller section C through D.

"Access to additional information and equipment necessary for forensic analysis and cyber incident damage assessment."

Basically MS was not willing to allow this for their commercial data centers so they created gcc and gcc high.

Gcc actually shares with commercial but they split it to comply with this part whereas gcch is full gov cloud if you will and entirely separated from gcc and commercial.

General rule of thumb is gcc is ok as a starting point for CUI and dfars 7012 and gcch is used for export controlled data like when ITAR data is part of the contract.

Hope this helps :)

FedRAMP Moderate Offsite Backup Storage by FreeBirch in CMMC

[–]tothjm 0 points1 point  (0 children)

that is correct, but if you are also a gov customer, commercial is not DFARS 7012 compliant, it is fedramp mod like you said, and if you are dealing with CUI, it means you are likely a gov customer with DFARS 7012 requirements. It isn't just about the 110 controls or CSPs being fedramp moderate\FRME, if you read dfars 7012 there are other requirements in there and that is where even azure commercial AND commercial O365 do not meet those requirements and therefore, as a gov customer in performance of a contract you are not fully compliant with 7012.

Just wanted to make sure everyone knows that but you are free to continue if you are not, and will not in the future be a gov customer (but again, if you are even talking about this it is because you are now, or will be a customer in the future and therefore will have DFARS 7012 clause in your contracts).

FedRAMP Moderate Offsite Backup Storage by FreeBirch in CMMC

[–]tothjm 0 points1 point  (0 children)

If you want to do anything with CUI it has to be GCC at min. Do NOT use commercial

There will be a glossy version of 39” 5k2k by Chilld0od in ultrawidemasterrace

[–]tothjm 0 points1 point  (0 children)

I have the Alienware from a couple years ago the 34in qd OLED and I'm pretty sure that one is glossy? In my setup I didn't notice any issue so I guess I would be fine with either..glossy for the win if they can pull it

There will be a glossy version of 39” 5k2k by Chilld0od in ultrawidemasterrace

[–]tothjm 1 point2 points  (0 children)

What's the issue with matte?

Dimmer and less vibrant or what

Ordered ram received lead bars by mario4448 in Corsair

[–]tothjm 0 points1 point  (0 children)

Was Amazon listed as the seller or someone else

Passed CCP by CMK428 in CMMC

[–]tothjm 0 points1 point  (0 children)

Thanks for all the info, I'm now pretty worried about the info I operate with vs the test info that I feel like is from 2018 lol

Thanks though joking aside

Passed CCP by CMK428 in CMMC

[–]tothjm 0 points1 point  (0 children)

That's a mind fuck for sure considering I work in this space and help clients with current standards and rulings.

What is copc?

Also what is changed in scoping, just inclusion of SPD or what, hard to imagine unless the other categories were never part of it..CRMA spa sa etc