r/CMMC

▲ 7 r/CMMC

Veteran transitioning into CMMC space

Trying to figure out if there's actually a place for me in this space or if I'm wasting my time.

Background: Air Force vet, 4.5 years, mostly admin and logistics. Got out, did a compliance coordination gig at a VA medical center, relocated to Tampa and now I'm trying to pivot into something that actually uses what I know.

I have my SDVOSB and 8(a) certs through my own business and I've been studying 800-171 and CMMC 2.0 for a few months. I'm not chasing CCA, I know I don't have the technical background for assessor work and I'm not gonna fake it.

What I keep wondering is whether there's real demand for someone who's good at the documentation and coordination side. SSP support, evidence organization, GRC platform work, POA&M tracking. Not the engineering layer, the operational layer that keeps everything moving.

Do contractors actually hire for that specifically, or does it always get bundled into a technical role? Just want an honest read from people who are actually in it.

reddit.com
u/Illustrious-Ad4940 — 12 hours ago
▲ 7 r/CMMC

PreVeil Alternative Recommendations (Aeroplicity, Virtru, RegDOX, ...)

Dear CMMCers,

I'm seeking input on companies/platforms based on your experiences with them. I have scoured this subreddit and I have read a lot of good things about PreVeil; we plan to meet with them this week.

We are most attracted to PreVeil at this point mainly for the combination of:

  • price point
  • case studies
  • detailed SRM
  • number of NIST 800-171 controls addressed
  • plus affordable compliance prep support via Compliance Accelerator.

But for the sake of presenting ownership with more than just one option, I'm trying to find others that are comparable, e.g. Aeroplicity, Virtru, RegDOX, or others you might recommend. It just seems that none of them hit the sweet spot PreVeil does as described above.

For context: We are in Aerospace and Defense, going for Level 2 compliance, most likely needing C3PAO assessment. I'm the CMMC project manager for my company, new to CMMC and IT, working alongside an MSP that handles IT for us but who has limited experience with CMMC. We are a small machine shop that will have about 20 people handling CUI and about 20 PCs in scope, plus the need to print CUI and transport it via USB from PC to shop machines (specialized assets).

We will likely:

  1. engage an RPO to help with scoping
  2. implement the platform (e.g. PreVeil)
  3. after we've made progress on policies/procedures/updated SSP/etc. we'll have the RPO check our work and provide remediation guidance

Appreciate your input!

u/TheHeyBuddy — 1 day ago
▲ 5 r/CMMC

Breaking in as a CCP

Coming in with no IT experience. I have 10 years as an FS auditor working in public accounting, leading audit, review and compliance engagements front to end, and I want to get into CMMC. Obtained my Security+ cert back in December, and I'm taking my ATP course now. Is it realistic to try to break in as a CCP, or should I quit now?

▲ 9 r/CMMC+1 crossposts

can Zscaler replace a physical firewall (IPSec VPN, NAT, VLANs)?

Hey all,

I know this has been discussed before, but curious if anything has improved on the Zscaler side and if anyone is running this in production today.

We are exploring whether Zscaler (ZIA/ZPA) can replace our physical firewall.

Our requirements:

  • A few IPSec VPN tunnels with contractors
  • NAT (inbound/outbound)
  • VLAN segmentation internally
  • General firewalling

Goal is to eliminate the on-prem firewall if possible.

I understand Zscaler is more cloud proxy / zero trust, so not sure if it can fully cover traditional firewall roles.

Questions:

  • Can it realistically replace a firewall in this setup?
  • How are you handling IPSec, NAT, and VLANs?
  • Are you still running a firewall alongside it?

Appreciate any real-world feedback :)

▲ 57 r/CMMC

CMMC Burnout

I’ve been so burnt out at work lately with CMMC.

It feels like nothing actually gets done:

  • Can’t remove software because “user X really likes it”
  • “We should be doing this” → “let’s see what company Y is doing first”
  • “GCC High is too expensive” → so we go another direction
  • Then someone talks to a contractor and now it’s “we need GCC High or we won’t pass”
  • “Can we still use our favorite vendor?” → no → “maybe we can work around it”
  • “Maybe we should pause CMMC” → next breath: “can we be ready by November?”

It honestly feels like we want the certification, but don’t want to make the changes required to actually get there.

Meanwhile I’m the one expected to build everything, document everything, and somehow make it all pass an audit.

u/FishermanLogical262 — 2 days ago
▲ 2 r/CMMC

Anyone use Wyse Management Suite in the cloud?

Since it’s virtual it may be off the radar for CUI, but I was curious if anyone runs Dell WMS in a GCC High environment? Or something similar to keep things as secure as possible.

u/4728jj — 1 day ago
▲ 2 r/CMMC

Hybrid Enclaves

We are looking to build an enclave that has hybrid connectivity to our on prem compute and data collection systems in labs.

My question isn’t about the controls. I am curious if any of the managed enclaves like Summit 7 or SecureFrame have options for connecting back to on prem. We have GPUs and need them for CUI research and we know they are heavily constrained on GCCH. Being able to cut down on our responsibilities to get started is obviously very appealing.

u/BabarTheKing — 2 days ago
▲ 13 r/CMMC

We are just a small commercial painting contractor looking at CMMC

We have been in business for 50 years. 5 office staff and 30-40 field employees. Over the past few years we started working directly with SpaceX, and this has led to work with quite a few other aerospace companies. We do everything from painting a basic wall, to painting parts going into space, painting large/complicated steel tooling parts and structures, epoxy, 1K degree paint, etc. etc.

Anyways, last week an aerospace company contact reached out to me asking what level CMMC we were. I told him we were unfamiliar with this. Last night I was talking with an electrical contractor who does aerospace work, and he asked me the same question.

He said they're in the process of getting level 2, and they're in it about $40K so far.

My question: Is CMMC something a company of our size pursues?

I've been reading the posts in this sub, and reading through the recommended links and education. We're just a small (but established) painting contractor. We do get sent blueprints, drawings, and documents for RFPs from aerospace companies, so I imagine that would be applicable and put us in a niche pool of painting contractors.

u/wutchamafuckit — 4 days ago
▲ 22 r/CMMC+1 crossposts

The more I read about CMMC, the more I think small companies are stuck on the wrong problem

I’ve been spending time reading posts here and trying to understand CMMC from a small business point of view.

The more I read, the more it feels like a lot of companies won’t fail because cybersecurity is insanely advanced.

They’ll fail because of stuff like:

  • not knowing what actually applies to them
  • unclear scope
  • missing documentation
  • no evidence ready
  • not knowing what to fix first
  • waiting too long to start

That feels less like a security problem and more like a clarity problem.

For those who’ve gone through it, what actually made it hard for you?

The controls themselves, or everything around them?

u/2021start — 4 days ago
▲ 11 r/CMMC

ERP

If your ERP system contains bill of materials (BOM) derived from CUI basic and/or CUI specified programs, would that automatically render the ERP in scope or are there ways to get around that?

u/Next_Ad4505 — 5 days ago
▲ 2 r/CMMC

Travelling with CUI info?

Hi, I may be working at a company where a CUI certificate may be required. Has anyone who has been involved in projects with CUI info ever tried traveling to China, Russia, or the Middle East and had issues?

The projects seem interesting but I’m concerned on whether it would impact my ability to travel.

Of course, I would not be traveling with that info with me.

u/Calm-Cycle-9334 — 4 days ago
▲ 3 r/CMMC

Proxmox Deployment in CUI Environment

Looking to set up a Proxmox server, and it doesn't look like it has the FIPS accreditation needed for CMMC requirements. There are a few other gaps, but we think we have solid mitigations/configurations to get around them, so FIPS is really the last roadblock to saving on VMware pricing.

Does anyone have experience with using Proxmox and getting around this issue? I've looked at a cryptography binary solution from wolfSSL to make Proxmox compliant, but I'm not sure of the labor and/or licensing they charge.

u/dalaylana — 5 days ago
▲ 32 r/CMMC

Is it just me or is the CMMC Level 2 prep becoming a total money pit for small contractors?

We have been looking at the requirements for the CMMC Level 2 assessment and honestly it feels like every time we solve one control, three more pop up that require some expensive new tool or a specialized consultant. I am all for security, but the overhead for a small firm to actually prove they are compliant is starting to feel like a full-time job in itself.

Are you guys actually trying to do this all in-house, or have you just given up and handed the keys to a managed service provider? I am trying to figure out where the line is between we can handle this and we are just going to mess this up and lose our eligibility. If you went with an outside team, was it actually worth the cost or did you still end up doing half the documentation work yourself anyway?

u/Ella_Monroe_ — 7 days ago
▲ 4 r/CMMC

MSPs and RMM Solutions

Howdy all.

We are a mid-sized MSP and have been using ScreenConnect for RMM for the last 10+ years, and the fact that they refuse to bring it to FIPS compliance is killing us. So much so that, with 20+ CMMC projects going on now, we have to explore other options.

That said, what are other MSPs doing for RMM in regards to CMMC 2 that can't move to a new platform right away?

Many thanks

u/EbbOld3109 — 5 days ago
▲ 1 r/CMMC

Built a CMMC compliance tool - looking for contractor feedback

Hey everyone,

I work as a software engineer, and through my graduate studies in cybersecurity policy and my day-to-day work I kept seeing the same pain points for small DoD contractors: understanding what each control actually requires, calculating SPRS correctly, and generating documentation that holds up under scrutiny.

So I built a tool to solve this. Learned a ton along the way about where contractors actually get stuck in the self assessment process.

Happy to share what I found or answer any questions about NIST 800-171 and SPRS scoring. Also genuinely looking for feedback from anyone who has been through a real CMMC assessment recently.

u/razec00123 — 4 days ago
▲ 2 r/CMMC

IA.L2-3.5.3b Control

All users in the domain utilize MFA. I have one local account (admin) on each laptop that does not have MFA. I use this as a break-glass account. The control did not pass during the mock assessment. Can you use break-glass accounts with an associated risk acceptance letter?

u/Traditional-Ad634 — 6 days ago
▲ 9 r/CMMC

What are people's thoughts on the 800-171 Microsoft Purview Compliance Assessment

In the past couple of months I've become the sole IT guy at a small engineering firm, and my boss's prime contractor is requiring Level 2 CMMC for continued work. I previously did electromechanical assembly for him, but I'm in school for networking. Right now we're just a three-man operation, including me.

So far I've been utilizing the official NIST publications and assessment documents such as this https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171Ar3.pdf to guide my approach to bringing us into compliance.

I've recently found out about the Purview compliance assessment and I've been finding it incredibly helpful. I was just wondering what you professionals think about a small business using this as evidence for an audit along with the rest of my documentation?

Any other helpful insights y'all might have is greatly appreciated <3

u/No_Cup2938 — 6 days ago
▲ 3 r/CMMC

Fully Remote Plus CMMC Lvl 2 PE Controls?

I'm curious to hear how fully remote companies (ones with no physical office anywhere), have addressed the physical controls? In this scenario, do the PE controls switch over to Not Applicable?

If they still apply, what exactly does that look like in practice and during an assessment?

u/SeeYouEyeScout — 4 days ago
▲ 1 r/CMMC+1 crossposts

FortiGate 70F and CMMC Level 2, anyone want to help me get ready?

We purchased a FortiGate firewall to pass the CMMC Level 2 assessment, but it is my first time using one. I have Cisco certs going back 20 years, but our consultant recommended a FortiGate next-gen firewall. I want to pay someone to help me set up the firewall correctly instead of trying to figure it out myself. I have been taking the classes from Fortinet but would rather just pay for help. The firewall is running in FIPS 140-2 mode and working currently, but I need help with stuff like VPN, locking down VLANs, ZTNA and EMS.

Need someone in the USA and US citizen, hopefully with CMMC knowledge and of course Fortigate knowledge.

u/EntertainerNo4174 — 5 days ago
▲ 0 r/CMMC

Feedback on the CMMC Assessment Handbook by Douglas Landoll

Hi fellow CMMCers,

For those of you who have read Landoll's book (updated Oct 2025 version, or older versions) during your compliance efforts, I'm wondering if you have any feedback on the quality of the information included.

My first impression is that he did a good job referencing the official CFR and NIST texts, DFARS clauses, etc., and including the specific objectives for each control, but since I haven't read the whole book or all of the official texts (yet) I can't tell for sure. I'd like to use it as my primary resource/reference for rules and guidelines surrounding CMMC and objectives within each control, but if I am going to do that I want to make sure it's solid information.

To provide some context, I am new to CMMC and was hired by my company to manage the move towards compliance. We are a machine shop that handles CUI and will need level 2 certification, most likely with a C3PAO assessment.

After I started meeting with GCC High/GovCloud vendors I started realizing that if I want to truly compare these companies apples-to-apples I will need to understand exactly how their services work to help move my company towards compliance.

As a lot of you know, salespeople from different GovCloud/RPO companies tend to tell a story of what we will need that may not line up exactly with the truth of the CMMC rules or what my company actually needs. Thus started my deep dive into the official texts, which are lengthy and technical.

Any feedback on the CMMC Assessment Handbook would be greatly appreciated!

If nobody has actually compared the official DoD/NIST texts to Landoll's handbook, then I will do it and post a follow-up here. This subreddit has been very helpful to me and I would be happy to contribute some value!

Keep calm and CMMC on.

u/TheHeyBuddy — 5 days ago