u/JustanITperson

▲ 11 r/CMMC

We had our DIBCAC DCMA audit. Unfortunately, we got an automatic -203 because one of our SPAs was not FedRAMP. They also ignored the CMMC scope and did the entire company. I do understand that yes, under NIST 800-171 cloud assets that can process CUI must be FedRAMP approved. But this whole time we were operating under the assumption that we must be CMMC compliant. I know the easy fix in this case is to just use a FedRAMP approved security asset, which we are going to do. Our SPRS score was based on our CMMC scope. And then at the end the auditors said "you'll do great with CMMC!" Were we supposed to be following 800-171 as a stand-alone and CMMC L2? Was this a stupid mistake on our end?

reddit.com
u/JustanITperson — 21 days ago