Conversations from LinkedIn


This page is an index of great LinkedIn discussions and posts about CMMC and 800-171. It will be updated over time with new topics.

If you don’t have a LinkedIn account, you will still be able to see some comments, but not all. I highly recommend being signed in to LinkedIn for full effect.

Discussions with comments from the DoD, Carnegie Mellon University | Software Engineering Institute, the CMMC Accreditation Body, and other authorities are given priority in this index.

If you would like to recommend a great LinkedIn discussion for this page, please let us know at or comment below.

Non-technical CMMC discussions (Contractors and National Security)

Let’s not build a ten dollar fence around a one dollar horse! On cybersecurity costs for small businesses.

SPRS self assessment required for non-CUI contracts?

What’s next for CMMC? (Robert Metzger, Deborah Rodin, Eleanor Ross)

CMMC and operational technology systems (manufacturing)

Disruption to DoD’s supply chain if CMMC moves forward on pace

CMMC creates fertile ground for bid protests (Robert Metzger, Katie Arrington)

Sensitive Data (CUI, FCI, etc.)

Are DIB aggregated security information (such as SSPs) considered CUI?
DNI tries to abort Controlled Unclassified Information policy

If a contract requires CMMC ML3, can FCI for that contract be held in a CMMC ML1 information system? (Poll shows 60/40 split)

CMMC Process Maturity discussions

CMMC compliance can’t be met by simply buying technical tools

CMMC Technical discussions (about specific practices)

AC.1.001 on how most companies fail the device objective

AC.2.005 on Privacy and Security Notices

IA.2.081 – password storage and one-way hashing

RM.2.142 – vulnerability scanning, requirement for credentialed scans?

Clouds – can you encrypt your CUI in a non-FedRAMP cloud and still pass?

SC.3.183 – where does “deny traffic by default, allow by exception” apply?

Should endpoints that access VDI be in scope?

Are phone conversations in-scope?

FedRAMP reciprocity with CMMC and POA&Ms (Ted Dziekanowski)

CMMC Professionals (C3PAOs, Certified Assessors, Registered Practitioners, etc.)

CMMC assessors are required to complete a Tier-3 (non-clearance) Suitability Determination

Review of CMMC Assessment Guide for Level 3, version 1.10

ISO 17020

More on ISO 17020

How much will ISO 17020 cost? Reddit and Vince Scott

C3PAOs need to use FedRAMP High clouds (if they use clouds)

Assessment Procedures

Depth and thoroughness of assessment? CMMC references 171 Appendix D

DFARS 252.204-7012, 7019, 7020, 7021

Interview with Regan Edens about DFARS, FedRAMP, and AB authority. Additional discussion about FedRAMP cloud requirements.

DFARS, CUI, and the Catch-22

Cloud requirements

Technology and Security Products

Do I need Office 365 GCC High for CMMC Level 3? (Andy Sauer)

One thought on “Conversations from LinkedIn”

  1. Bradley Fell says:

    I’m an Associate of ISC2 and a cybersecurity vendor for MSPs and small businesses. I would like to become a CMMC auditor, but I see you have this requirement for a college degree; why is this?
    Will my ISC2 designation suffice?
