CMMC Intelligence Database
Last Updated: 2026-03-14
Scope: CMMC 2.0 Level 2 assessments: real-world intel, templates, vendors, per-control notes
Status: Active (nightly updates running)
Quick Reference: Key Takeaways
- Documentation is 70% of the work: technical controls matter, but policy/procedure backing is what assessors verify
- Start with CUI flow: know where it comes from, where it goes, and where it is processed before anything else
- Scope tightly: small enclaves (3-6 users) are assessable in weeks vs months
- GCC High inheritance is your biggest lever: 30-40% of controls fully inherited; use Appendix J
- Pre-submit evidence to your C3PAO: dramatically cuts assessment time
- Prepare your people, not just your systems: assessors interview staff
Files
Reddit Research
- r/CMMC Summary: aggregated findings from ~65 Reddit threads, Jan-Mar 2026
- Megathread Notes: deep-read of the high-value "We Passed" megathread + linked posts
By Control Domain
| File | Domain | Richness |
|---|---|---|
| AC.md | Access Control | ●●● session termination, scoping, evidence tips |
| AT.md | Awareness & Training | ● stub |
| AU.md | Audit & Accountability | ●● SIEM options, DoD ODPs |
| CM.md | Configuration Management | ●●● app execution policy, baselines, firewall |
| IA.md | Identification & Authentication | ●●● password complexity, MFA, FedRAMP password managers |
| IR.md | Incident Response | ● basic notes |
| MA.md | Maintenance | ● remote maintenance notes |
| MP.md | Media Protection | ●● sanitization, BitLocker |
| PE.md | Physical Protection | ● stub |
| PS.md | Personnel Security | ● stub |
| RA.md | Risk Assessment | ●● POA&M, GRC tools |
| CA.md | Security Assessment | ●●● SSP, mock assessments, SPRS |
| SC.md | System & Communications Protection | ●●● split tunneling, CUI email, FIPS |
| SI.md | System & Information Integrity | ●● EDR, patch management, continuous monitoring |
| SR.md | Supply Chain Risk Management | ●● MSP in-scope, CAGE codes, false SPRS |
Vendors
- good.md: 15+ named vendors with source URLs and what they're good for
- avoid.md: red flags, warning signs, named vendors with issues
Templates
Lessons Learned
Assessment Cost Ranges (2025-2026)
| Org Size | Architecture | Total Range |
|---|---|---|
| <10 users, cloud enclave | GCC H or PreVeil | $20K-$40K |
| 20-30 users, cloud | GCC H | $30K-$50K |
| SMB any size, consulting only | Cloud | $45K-$80K |
| Enterprise hybrid | 500+ endpoints | $100K+ |
| C3PAO assessment alone | Any | $30K+ minimum |
- Kieri Solutions: most recommended, technically rigorous, fair; 4 confirmed passes as of 2026-03-12
- Sentar: 2 confirmed passes in research
- Reef Systems: small/women-owned, engineering experience
- StrategicIT Solutions: confirmed pass with PreVeil + commercial M365
Vendors to Avoid
- Drata: AI hallucinations reported
- Any vendor claiming CMMC in "days/weeks"
- Any vendor charging for L1 AND L2 separately
Research Gaps (To Fill)
- PE domain (Physical Protection): needs dedicated thread research
- PS domain (Personnel Security): needs dedicated thread research
- AT domain (Awareness & Training): training requirements, CUI-specific training
- More DIBCAC assessment experience (vs C3PAO)
- Manufacturing/OT environments (Solidworks, PDM enclaves are active threads)
- r/CMMC historical posts pre-2025 (paginated back to 2026-02 in this pass)
Changelog
2026-03-12: Nightly Update Pass
- reddit/r-cmmc-summary.md: added 2026-03-12 date header with 11 new posts summarized
- lessons-learned.md: added "New Lessons (2026-03-12)" section with 9 new entries
- by-control/AU.md: added AU.3.3.6 assessor ruling on CLI-based on-demand reporting
- by-control/CM.md: added baseline build detail from confirmed pass (Win 11 25H2, per-device-type, AI-assisted)
- by-control/CA.md: added SSP format confirmed working example; first-submission pass rate (<30%)
- vendors/good.md: added 4th confirmed Kieri Solutions pass (76 upvotes, 40-person DC company)
- Key intel: ISACA taking over CCA/CCP exams April 1st; Appendix J via email only; MSP W-2 claim = false
2026-03-13: Nightly Update Pass
- reddit/r-cmmc-summary.md: added 2026-03-13 section with 5 new posts: L1 MSP misinformation, C3PAO lead times, enclave/non-enclave collaboration, "Feeling Overwhelmed" construction thread
- lessons-learned.md: added C3PAO lead time intel (8-12 weeks), L1 misinformation warning, organizational vs IT problem framing, cross-tenant collaboration tips, solo IT cost estimate ($100k/100 employees)
- vendors/good.md: added 3 recently certified orgs (SAP NS2, NCAB Group USA, FGS LLC) + 2 GRC platforms (Secureframe AI, Exostar)
- Key intel: <800 certified nationwide as of Jan 2026; L1 = 15 controls NOT 110; GCC High cross-tenant guest access supported
2026-03-14: Nightly Update Pass
- reddit/r-cmmc-summary.md: added 2026-03-14 section with 7 new posts: LogMeIn RMM scope question, CM software review checklist, L1 MSP misinformation (confirmed), C3PAO lead times, "Feeling Overwhelmed" construction solo IT, enclave/non-enclave collaboration, CCP career advice
- lessons-learned.md: added LogMeIn RMM SPA classification (confirmed pass), solo IT construction resources, CM software review checklist need
- vendors/good.md: added S3 AeroDefense (new C3PAO), Prescient Security (new C3PAO), Compass MSP framework resource
- Key intel: LogMeIn can pass as SPA if locked down (file transfer/screenshot/copy-paste disabled); MSPs still giving wrong L1 info; C3PAO lead times 8-12 weeks; solo IT budget $100k/100 employees