CMMC Burnout

Posted by MrJoeMe@reddit | sysadmin | View on Reddit | 2 comments

I am currently assisting 6 small-mid (15-40 employees) manufacturing clients with CMMC level 2 among the normal day to day IT functions. We have partnered with a couple different CMMC specialists that are certified and working themselves to C3pao. I've been in countless meetings, going over all the controls and assisting with securing the IT infrastructure. Those who are doing the same know many of the controls are what I'd consider "office management" type stuff which as IT, I have no control or say over. But that isn't the cause of my burn out. I can't take the US gov continuously changing policies and procedures with CMMC. It feels like blind leading the blind. I've been told one thing in a meeting, to be told something entirely different later. We have a 3rd group we are trying now to help clients with CMMC. I also don't understand how they expect companies with 5 office workers that wear multiple hats already, and 10-30 machinists comply with CMMC. I've also talked with several ISO auditors, what a joke that is too. Say do this and that, but no one does, even the big boys.

2 Comments

[-]

TXWayne@reddit

So CMMC L2 is at the most basic level compliance with NIST 800-171 which if these companies are currently handling CUI they should have already been compliant with for several years. CMMC is not changing any policies or procedures, CMMC is the third party assessment of the organization's compliance with NIST 800-171. Do these small companies currently have contracts with the DFARS 7012 clause and receive CUI? If they do not then there is no requirement to be compliant with NIST 800-171 and thus CMMC L2. The requirements for 800-171 have been static for some time but 171r3 is out in draft so that will be changing soon.

badlybane@reddit

Yea don't look at the CMMC focus on the NIST 800-171 side of things. the Biggest problem is one person is a talking to x 3rd party wanting money to get your contract for making you CMMC compliant. The other person is talking to another 3rd party wanting your contract for making you CMMC compliant. Since, all Security compliance is relatively "best effort" any one can say IMO this doesn't meat xyz criteria because we feel xyc about it. The truth is as long as you are checking the box off and can prove you can check the box off. You checked the box off. This also usually stems from Guy one or two not understanding what information meets certain criteria and if it requires a certain level. IE if you transaction only include a hash pointing to information in a protected 3rd party that is storing the information and the 3rd party is the one providing it to the end user via api etc. That's not the same as having the information in your systems. Thus you end up with 3rd parties purposely muddying the waters in an attempt to get a very lucrative contract where they just will provide you a boiler plate template document saying you checked the boxes and making very little if any real changes.

Reply to Post

2 Comments