Megathread: "We Passed Our CMMC Assessment and Here's What We Learned"
Source: https://old.reddit.com/r/CMMC/comments/1owyb9a/we_passed_our_cmmc_assessment_and_heres_what_we/
Date: 2025-11-14 (ongoing)
Score: 90 | Comments: 47+
This is the r/CMMC community's official megathread collecting passed-assessment experiences.
Key Community Advice (from thread creator medicaustik)
- If you found this community, you're probably taking it seriously enough
- It's okay to name your C3PAO, tools, and consultants; doing so is encouraged
- Share environment details (org size, scope, architecture)
- Assessor variability is real: "it depends on your assessor" is frustrating but true
Passed Assessment Reports (Firsthand)
Case 1: Good4Next3years (January 2026)
- Org Size: 40+ users
- Scope: Enclave (3 assets, 3 users)
- Architecture: Full Cloud
- Cloud: M365 Commercial (Azure, Entra ID, Azure Arc, Purview, Intune) + PreVeil (AWS GovCloud) for CUI storage/transfer
- C3PAO: StrategicIT Solutions (https://strategicit-solutions.com/cmmc-certification-services/)
- Result: PASS (110/110, cert received Jan 2026, SPRS confirmed)
- Key takeaway: PreVeil + M365 Commercial can work together. CUI goes through PreVeil; everything else is commercial M365.
Case 2: mcb1971 (assessment week of January 12, 2026)
- Org Size: 26 employees, enclave of 3 CUI users
- Architecture: 100% cloud
- Cloud: M365 GCC High, AvePoint Government Services for backups
- Result: PASS (110/110, no negative findings)
- Key lessons:
- Documentation is make-or-break. Clear written policies/procedures for EVERY control, even single-sentence statements
- Separate policy/procedure docs per domain (14 domains): easier than one monolithic doc
- C3PAO requested ~80 optional evidence artifacts ahead of time, which cut assessment time by ~2/3 (Access Control: planned 2 hours, took 45 minutes)
- Prep both documentation AND people
- Source: https://old.reddit.com/r/CMMC/comments/1owyb9a/
Case 3: LoanSuspicious9284
- Org Size: 296 users, ~342 endpoints
- Scope: Enterprise
- Architecture: Cloud mostly (M365 + AWS)
- Consultant: Accusights (https://www.accusights.com/en/cmmc-compliance/), $10,000 total including consultations + full mock
- C3PAO: Redspin
- Result: PASS (3 months A-Z)
- Warning about Drata (used previously): "crazy AI hallucinations and too expensive, wouldn't recommend"
Case 4: Sea_Nail_4626
- Org Size: 23 users
- Scope: Enclave, 6 users
- Architecture: Cloud
- Cloud: PreVeil for CUI send/receive + Microsoft Business Premium (Intune MDM, Defender, BitLocker, Authenticator for MFA)
- C3PAO: Sentar
- Result: PASS
- Notable: Passed with Business Premium (NOT GCC High); community noted this is unusual, "nearly everyone insists it can only be done with GCCH"
- Timeline: 6 months start to finish, 1 FTE split time ops/IT + consultant for docs
Case 5: lotsofxeons (MSP)
- Org Size: 25 users, 50 devices (client)
- Scope: Enterprise including specialized test equipment
- Architecture: Hybrid, mostly cloud
- Cloud: M365 GCC High
- C3PAO: Reef Systems
- Result: PASS
- MSP team: 1 CCA on staff, 2 technical people assigned to client
- Key advice:
- Know where CUI comes from, goes to, and where it's processed
- Scope all assets based on that flow; don't say "everything is in scope"
- Apply controls to scoped assets
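The flow-first scoping that lotsofxeons describes above can be made mechanical. The script below is an added example, not code from the thread or from any vendor: the asset inventory and flows are a constructed, hypothetical small contractor (all names are made up), CUI is followed outward from the point where it enters the environment, and each asset is placed in one of the CMMC Level 2 scoping categories (CUI Asset, Specialized Asset, Security Protection Asset, Out of Scope). Contractor Risk Managed Assets are a policy judgement and are not derived here.

```python
"""Derive CMMC Level 2 scope from the CUI data flow.

Added example, not from the r/CMMC thread. The inventory and flows below are
constructed for a hypothetical small contractor. Scope is computed by following
the flows that carry CUI outward from the point where CUI enters; an asset that
never sits on a CUI flow stays out of scope unless it provides a security
function for an in-scope asset.
"""
from collections import deque

# Constructed inventory (hypothetical names). "kind" only matters for
# specialized assets (test equipment, OT), which the CMMC scoping guide treats
# as their own category. "protects" lists assets an item provides a security
# function for (MDM, EDR, SIEM and the like).
ASSETS = {
    "preveil-mailbox": {"kind": "saas"},
    "eng-laptop-01":   {"kind": "endpoint"},
    "eng-laptop-02":   {"kind": "endpoint"},
    "test-rig-cnc":    {"kind": "specialized"},
    "hr-laptop":       {"kind": "endpoint"},
    "marketing-site":  {"kind": "saas"},
    "intune":          {"kind": "saas", "protects": ["eng-laptop-01", "eng-laptop-02", "hr-laptop"]},
    "sentinel":        {"kind": "saas", "protects": ["eng-laptop-01", "eng-laptop-02"]},
    "hr-payroll-app":  {"kind": "saas"},
}

# Constructed flows: (source, destination, carries_cui). "prime" is the external
# prime contractor that sends CUI; it is the entry point, not an asset we own.
FLOWS = [
    ("prime", "preveil-mailbox", True),
    ("preveil-mailbox", "eng-laptop-01", True),
    ("preveil-mailbox", "eng-laptop-02", True),
    ("eng-laptop-01", "test-rig-cnc", True),      # drawings pushed to test equipment
    ("eng-laptop-02", "marketing-site", False),   # same laptop edits the public site; no CUI
    ("hr-laptop", "hr-payroll-app", False),
]

CUI_ASSET = "CUI Asset"
SPECIALIZED = "Specialized Asset"
SPA = "Security Protection Asset"
OUT = "Out of Scope"


def cui_assets(flows, entry_points):
    """Breadth-first walk along CUI-carrying flows from the entry points; return the assets reached."""
    adjacent = {}
    for src, dst, carries in flows:
        if carries:
            adjacent.setdefault(src, []).append(dst)
    reached, queue = set(), deque(entry_points)
    while queue:
        node = queue.popleft()
        for nxt in adjacent.get(node, []):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached


def scope(assets, flows, entry_points):
    """Return {asset: (category, reason)} suitable for the SSP asset inventory."""
    on_cui_path = cui_assets(flows, entry_points)
    result = {}
    for name, info in assets.items():
        if name in on_cui_path:
            if info.get("kind") == "specialized":
                result[name] = (SPECIALIZED, "on a CUI flow; document in SSP, inventory and network diagram")
            else:
                result[name] = (CUI_ASSET, "on a CUI flow; all requirements apply")
            continue
        protected = [a for a in info.get("protects", []) if a in on_cui_path]
        if protected:
            result[name] = (SPA, "provides a security function for " + ", ".join(protected))
        else:
            result[name] = (OUT, "no CUI flow and no security function for in-scope assets")
    return result


if __name__ == "__main__":
    for asset, (category, reason) in scope(ASSETS, FLOWS, ["prime"]).items():
        print(f"{asset:18} {category:26} {reason}")
```

Note what the non-CUI edge does: eng-laptop-02 is a CUI asset, but the marketing site it also touches stays out of scope because that flow is marked as carrying no CUI. That is the difference between scoping from flow and saying "everything is in scope"; the price is that the flow list has to be honest, which is exactly what the SSP and the assessor will probe.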
Case 6: MindlessStable3772 (link to separate post)
- Org Size: 800 users / 550 devices
- Scope: Enterprise
- Architecture: Hybrid
- Cloud: M365 GCC High
- C3PAO: Sentar
- IT Team: 8 IT / 4 Compliance
- Result: PASS
- Details: https://old.reddit.com/r/CMMC/comments/1ova7nt/
GRC Tool Discussion (from thread)
- Excel is completely viable for small orgs β "I am being serious" (jawillia2, score 6)
- Evidence locker = simple folder tree: one folder per domain, one subfolder per control
- Adobe Acrobat Pro: can convert entire folder tree to single PDF for easy sharing
- Drata, RegScale, Hyperproof mentioned as options with API syncing
- Drata: Warned against (AI hallucinations per LoanSuspicious9284)
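The folder-tree evidence locker described above is easy to generate and, more usefully, easy to audit for gaps before the C3PAO asks for artifacts. The script below is an added example, not code from the thread: it lays out one folder per NIST SP 800-171 Rev 2 family and one subfolder per requirement (the family names and per-family counts are the Rev 2 figures, which sum to the 110 Level 2 requirements; the folder names themselves are my own choice), then reports which requirement folders still contain no file. The sample artifact it files is constructed.

```python
"""CMMC evidence locker: one folder per NIST SP 800-171 family, one subfolder per requirement.

Added example, not from the r/CMMC thread. Builds the tree, then reports the
requirements whose folder holds no evidence yet.
"""
from pathlib import Path
import tempfile

# NIST SP 800-171 Rev 2 families as (family number, folder name, requirement count).
# Requirement IDs are 3.<family>.<n>; the counts sum to 110. Folder names are my own.
FAMILIES = [
    (1, "AC-Access-Control", 22),
    (2, "AT-Awareness-Training", 3),
    (3, "AU-Audit-Accountability", 9),
    (4, "CM-Configuration-Management", 9),
    (5, "IA-Identification-Authentication", 11),
    (6, "IR-Incident-Response", 3),
    (7, "MA-Maintenance", 6),
    (8, "MP-Media-Protection", 9),
    (9, "PS-Personnel-Security", 2),
    (10, "PE-Physical-Protection", 6),
    (11, "RA-Risk-Assessment", 3),
    (12, "CA-Security-Assessment", 4),
    (13, "SC-System-Communications-Protection", 16),
    (14, "SI-System-Information-Integrity", 7),
]


def requirement_ids():
    """Yield (family_folder, requirement_id) for all 110 requirements, e.g. ("AC-Access-Control", "3.1.1")."""
    for num, folder, count in FAMILIES:
        for i in range(1, count + 1):
            yield folder, f"3.{num}.{i}"


def build_locker(root):
    """Create <root>/<family>/<requirement>/ for every requirement; return how many were created."""
    root = Path(root)
    created = 0
    for folder, req in requirement_ids():
        (root / folder / req).mkdir(parents=True, exist_ok=True)
        created += 1
    return created


def coverage(root):
    """Return ({family_folder: (covered, total)}, [uncovered requirement ids]).

    A requirement counts as covered when its folder (or any subfolder) holds at
    least one file: policy, procedure, screenshot, export. Empty folders are the
    gaps to close before the assessment.
    """
    root = Path(root)
    per_family, missing = {}, []
    for folder, req in requirement_ids():
        has_evidence = any(p.is_file() for p in (root / folder / req).rglob("*"))
        covered, total = per_family.get(folder, (0, 0))
        per_family[folder] = (covered + int(has_evidence), total + 1)
        if not has_evidence:
            missing.append(req)
    return per_family, missing


def demo():
    """Build a locker in a temporary directory, file one constructed artifact, return the numbers."""
    with tempfile.TemporaryDirectory() as tmp:
        created = build_locker(tmp)
        # Constructed sample artifact: an MFA policy statement filed under IA 3.5.3.
        artifact = Path(tmp) / "IA-Identification-Authentication" / "3.5.3" / "mfa-policy.md"
        artifact.write_text("MFA is required for privileged accounts and for all network access.\n")
        per_family, missing = coverage(tmp)
        return {
            "created": created,
            "covered": sum(c for c, _ in per_family.values()),
            "total": sum(t for _, t in per_family.values()),
            "missing": missing,
        }


if __name__ == "__main__":
    r = demo()
    print(f"{r['covered']}/{r['total']} requirements have evidence; first gaps: {r['missing'][:5]}")
```

Run the coverage report against the real locker (not the temporary one) as a recurring check; a requirement with an empty folder is one the assessor will have to ask about on the day, which is the time the pre-shared artifacts are meant to save.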
Linked High-Value Thread: "Just Passed CMMC Level 2" (1,000 employee org)
Source: https://old.reddit.com/r/CMMC/comments/1ova7nt/just_passed_our_cmmc_level_2_certification/
Score: 40
- 10+ offices, ~1,000 employees
- GCC High + on-prem (500+ Windows and Linux endpoints)
- Internal IT team
- Outsourced SIEM with Shared Responsibility Matrix
- Tools: Bookstack (docs/GRC) and osTicket (ticketing)
- Post mentions no POA&M items
- Community comments: Linux management and privileged account separation were key concerns
Linked High-Value Post: "CMMC Audit: We Passed. Here's What Happened." (Kieri Solutions)
Source: https://old.reddit.com/r/CMMC/comments/1rpitjk/
Score: 75 | Date: 2026-03-09
- ~40 person company, DC area
- Was Mac shop on Google Workspace/Slack β migrated to Windows 11 + GCC High
- 4-person internal team with heavy exec involvement
- C3PAO: Kieri Solutions
- Result: PASS (110/110)
Key Findings:
- Google Workspace: "There was no way possible for us to be compliant... just putting more and more bandaids on"
- Started on AWS WorkSpaces VDI, then moved to physical hardware (better UX and a cleaner CUI boundary to enforce)
- Migration vendor (unnamed) was a disaster: hardening controls not implemented, Google Shared Drives missed in the SharePoint migration
- Microsoft GCC High inheritance is your best friend: 30-40% of controls fully inherited from Microsoft, and a significant portion partially inherited
- Resources to live in:
- Microsoft Appendix J (what's inherited)
- Microsoft CMMC Implementation Guide (how to implement what you don't get free)
- Also get Appendix J for Azure
- SSP format: One big Word doc, ~100 pages, every control listed
- Inherited: describe the inheritance, flag as inherited, include specific Microsoft control reference
- Kieri accepted this format with no complaints
- Lessons:
- You are what's in your SSP β define boundaries and scope from day one
- Know your firewall posture before the audit (default-deny inbound and outbound, allow by exception)
- Get baselines sorted early (took 1 full week to build baseline doc)
- Provide evidence in advance to cut assessment time
- Assessor variability: Had 2 different assessors for different control families β some hard, some easy
- Microsoft Sentinel: Mentioned as part of stack
"We Passed Our Level 2 Assessment" β Small Cloud-Native Shop
Source: https://old.reddit.com/r/CMMC/comments/1qq8prg/
Score: 81 | Date: 2026-01-29
- <30 employees, 100% cloud, GCC High
- Lots of export-controlled CUI
- Worked ~18 months on documentation, training, and control evidence
- Shared evidence before the assessment; the assessment itself took only 3 days plus 1 hour on day 4
- Assessors said "best prepared organization they've ever audited"
- 110/110, no negative findings
- Key insight from Navyauditor2 (commenter): Create an evidence locker, populate for each assessment objective before the assessment
Notable Quotes on Assessment Process
"Documentation will make or break you." - mcb1971
"You are what's in your SSP. You define your own boundaries and scope. Take that seriously from day one." - VP of Engineering, Kieri client
"Start with flow. YOU MUST KNOW WHERE THE CUI COMES FROM, GOES TO, AND WHERE IT'S PROCESSED." - lotsofxeons (MSP with 2 passed assessments)
"The info that is out there is genuinely more confusing than CMMC actually is." - lotsofxeons
"Microsoft GCC High inheritance is your single biggest lever." - Kieri client
"Skip any mock/gap from a consultant, get the mock assessment from your C3PAO. Way better." - lotsofxeons
"Assessor variability is real... what someone else experienced is not exactly what you'll get." - Kieri client
"The biggest headache is not one single control but that almost everything you do has to be backed by a policy or procedure that people need to learn and follow like a bible." - Adminvb292929 (12 assessments witnessed)