r/CMMC Subreddit Research Summary

Research Date: 2026-03-11
Data Range: Posts from Jan 2026 – Mar 2026 (plus the Nov 2025 megathread)
Posts Reviewed: ~65 threads with >5 upvotes or >10 comments from pages 1-2 of subreddit


Top Themes from the Community

1. The Documentation Problem is Bigger Than the Technical Problem

2. Scope Your CUI Flow First — Everything Else Follows

3. Microsoft GCC High is the Most Common Stack

5. Assessor Variability is a Real Frustration

6. MSP Responsibility is Unclear for Many


Key Posts by Category

Assessment Experiences (Passed)

| Date | Title | Score | Link |
| --- | --- | --- | --- |
| 2026-03-09 | CMMC Audit – We Passed. Here's What Happened (Kieri) | 77 | https://old.reddit.com/r/CMMC/comments/1rpitjk/ |
| 2026-01-29 | We passed our Level 2 assessment (110/110 small cloud org) | 82 | https://old.reddit.com/r/CMMC/comments/1qq8prg/ |
| 2025-11-14 | Megathread: "We Passed Our CMMC Assessment" | 90 | https://old.reddit.com/r/CMMC/comments/1owyb9a/ |
| 2025 | Just passed our CMMC Level 2 certification (1,000 emp) | 40 | https://old.reddit.com/r/CMMC/comments/1ova7nt/ |

Cost Intelligence

| Date | Title | Score | Link |
| --- | --- | --- | --- |
| 2026-02-09 | CMMC Level 1+2 small startup price ($210K quote discussion) | 9 | https://old.reddit.com/r/CMMC/comments/1r0jmsx/ |
| 2026-01-13 | CMMC L2 consulting cost check | 13 | https://old.reddit.com/r/CMMC/comments/1qbn2zz/ |
| 2026-01-28 | SMB Cost shock | 11 | https://old.reddit.com/r/CMMC/comments/1qpmn3k/ |

Control-Specific

| Date | Title | Domain | Link |
| --- | --- | --- | --- |
| 2026-03-04 | AC.L2-3.1.11 Session Termination | AC | https://old.reddit.com/r/CMMC/comments/1rkubyj/ |
| 2026-02-18 | L2 3.4.7 Ports/Protocols/Services | CM | https://old.reddit.com/r/CMMC/comments/1r8ganf/ |
| 2026-01-08 | CM.L2-3.4.8 Application Execution Policy | CM | https://old.reddit.com/r/CMMC/comments/1q7drdu/ |
| 2026-01-07 | IA.L2-3.5.7 Password complexity | IA | https://old.reddit.com/r/CMMC/comments/1q6h6xt/ |
| 2026-01-16 | NIST SP 800-171 Rev.3 AU - DoD ODP | AU | https://old.reddit.com/r/CMMC/comments/1qegxhh/ |

Documentation Packages (Community Reviews)

| Date | Title | Score | Link |
| --- | --- | --- | --- |
| 2026-03-05 | Experiences with CMMC documentation package vendors? | 5 | https://old.reddit.com/r/CMMC/comments/1rls675/ |
| 2026-02-02 | Compliance Documentation Packs for CMMC | 9 | https://old.reddit.com/r/CMMC/comments/1qtqpjz/ |
| 2026-02-11 | Free SSP Builder web app (Leguy42) | 20 | https://old.reddit.com/r/CMMC/comments/1r1taab/ |

Vendor / C3PAO Questions

| Date | Title | Score | Link |
| --- | --- | --- | --- |
| 2025 | Recommendations on C3PAO | 4 | https://old.reddit.com/r/CMMC/comments/1j0hfa2/ |
| 2024 | Recommendations on CMMC Consultants | 3 | https://old.reddit.com/r/CMMC/comments/1cmplvx/ |

GRC Tools Discussion


2026-03-14 Posts (7 new threads)

LogMeIn RMM Scope Question (6 upvotes, 6 comments)

Change Management - New Software Review (4 upvotes, 6 comments)

CMMC Level 1 Requirements - MSP Misinformation (3 upvotes, 26 comments)

C3PAO Lead Times (3 upvotes, 18 comments)

Feeling Overwhelmed - Solo IT Construction Company (18 upvotes, 32 comments)

Enclave Users Working with Non-Enclave Users (3 upvotes, 9 comments)

CCP Career Advice (3 upvotes, 14 comments)


Common Mistakes Summary (from community across all posts)

  1. No leadership buy-in (fatal — compliance will fail)
  2. Scoping everything as in-scope (wrong and expensive)
  3. Not knowing CUI flow before starting
  4. Technical without documentation (will fail assessment)
  5. Relying on cheap consultants who don't verify their own work
  6. Not preparing people (employees who interact with assessors)
  7. Delaying documentation until technical is "done"
  8. Not having a firewall block-all policy before the audit
  9. Using commercial tools (Google Workspace, personal email) for CUI
  10. Assuming Microsoft inheritance = done (still must document your side)


Update: 2026-03-12

High-Signal Posts (Last 48h)

1. "CMMC Audit – We Passed. Here's What Happened." — 76 upvotes, 28 comments
   Source: https://old.reddit.com/r/CMMC/comments/1rpitjk/
   - 40-person DC company, Mac/Google Workspace shop → Windows 11 GCC High enclave
   - C3PAO: Kieri Solutions (4th community-confirmed pass). 110/110 score.
   - Timeline: 5 months to build from scratch (December online → March assessment)
   - SSP: ~100-page Word document, one doc for all 110 controls
   - Hired unnamed vendor for migration; disaster — hardening controls NOT implemented, SharePoint migration missed Google Shared Drives entirely. DO NOT assume vendor is verifying their own work.
   - Inheritance: ~30-40% full inherits from GCC High; remainder are partial (still document your side)
   - To get Appendix J: email O365FedRAMP@microsoft.com (M365) or AzFedDoc@microsoft.com (Azure)
   - Sentinel: nail data connectors, retention, and users/groups — built-in packs have gaps, used Claude + KQL for custom alerts
   - BYOD MAM: C3PAO reviewed MAM config specifically, flagged items — not a checkbox
   - Physical assessment: Kieri came on-site, ~2-hour visit. Dedicated printer locked in server rack.
   - Separate comment from Redspin client: Redspin will do on-site if you have physical CUI or allow printing
   - Baseline doc: per-device-type sections (PCs, iPhones, Macs), Windows 11 25H2 as minimum. Used Claude + PowerShell output to build it faster.
   - Tools used: SnipeIT (asset management), JIRA Service Desk (IT tickets), Intune, Conditional Access
   - SSP implementation statements can double as work instructions if written thoroughly

2. "Feeling Overwhelmed" — 16 upvotes, 31 comments
   Source: https://old.reddit.com/r/CMMC/comments/1rqbl58/
   - Construction company, 220 employees, 30-50% DoD, solo IT person
   - Scored -23 on 800-171 self-assessment; community advice: scope to the ~80 DoD workers, use MSSP
   - Pattern: management ignores it until GC emails start arriving, then panic
   - Community recommends: cloud enclave (GCC H or PreVeil), MSSP for monitoring

3. "Retooling the business for CMMC" — 10 upvotes, 11 comments
   Source: https://old.reddit.com/r/CMMC/comments/1rpyx99/
   - Key insight from CMMC consultant: many small GovCon firms operate at 8% margins; absorbing compliance costs for themselves AND pass-through subs is business-breaking
   - "The IT controls are the least important conversation for a lot of small contractors"
   - LPTA environment means they can't price compliance into bids

4. "What actually makes an evidence package pass on first submission?" — 7 upvotes, 18 comments
   Source: https://old.reddit.com/r/CMMC/comments/1rnu0yr/
   - Community reports first-submission pass rate may be under 30%
   - Folder/naming structure matters: clear per-control folders, not one dumped ZIP
   - Controls that look fine on paper but fail: AU controls (log on-demand reports), AC session controls, IR evidence

5. "CMMC Exam Cancellation" — BREAKING
   Source: https://old.reddit.com/r/CMMC/comments/1rmxurd/
   - Measure Learning cancelled CCA exam slots early (before originally announced date)
   - ISACA taking over CCA/CCP exams April 1st; PSI will administer
   - CCP delta exam: $100 fee required to get CCP badge on CyberAB after passing
   - Advice: if you can sit before April 1 with PSI/Measure Learning, do it; or wait for ISACA version

6. "cyber ab marketplace feedback" — 7 upvotes
   Source: https://old.reddit.com/r/CMMC/comments/1rp00fh/
   - CyberAB Marketplace has serious data quality issues: C3PAO search returns companies without C3PAO, SCF 3PAO mixed in, individual CCA credentials pointing to other orgs
   - Contact: cyberab.org/contact-us (slow response), no direct email known
   - Practical: verify C3PAO status directly with the firm before engaging

7. "Enclave users working with non-enclave users?" — 4 upvotes
   Source: https://old.reddit.com/r/CMMC/comments/1rr2t5w/
   - 100-user org moving 10-15 CUI users to GCC High enclave
   - Challenge: keeping single domain for Teams identity while segregating CUI
   - Community notes: external domain collaboration with GCC High is possible but requires specific config; CUI users on separate identity is cleanest

8. "Terraform Enterprise and FIPS" — 2 upvotes
   Source: https://old.reddit.com/r/CMMC/comments/1rpwy58/
   - GCCH + AWS GovCloud environment using Terraform
   - If Terraform doesn't handle/store/process CUI, FIPS compliance not required
   - Community consensus: tools that touch the boundary (infrastructure that controls CUI access) are in scope; build tools that only deploy and don't touch runtime data can be excluded

9. "CUI required online tools" — 7 upvotes, 12 comments
   Source: https://old.reddit.com/r/CMMC/comments/1rmtvi2/
   - Tools from consultant recommendations for small company:
     - Kaseya Vulscan → NIST 3.11.2 (vulnerability scanning)
     - Rocket Cyber → SIEM for audit controls 3.3.1–3.3.9, 3.4.2, 3.10.6, 3.14.7
     - Sophos MDR stack → EDR/AV for 3.14.2–3.14.5
     - Sophos VPN → SC domain
   - Community note: don't over-engineer; many of these are covered by GCC H + Sentinel

10. "Continuous Monitoring MSP status" — 3 upvotes, 17 comments
    Source: https://old.reddit.com/r/CMMC/comments/1rmq8is/
    - MSP claiming ISSM engineer must be W-2 employee for CMMC compliance — COMMUNITY SAYS FALSE
    - MSP can provide monitoring as a third-party service; no W-2 requirement in NIST 800-171 or CMMC regs
    - MSP is likely trying to expand engagement; find a new MSP if they insist

11. "Using CLI for logging Reports" — AU.3.3.6
    Source: https://old.reddit.com/r/CMMC/comments/1rpexgm/
    - Assessor told client: "Manual CLI commands is not a systemic capability. On-demand implies a ready-to-use reporting function, not manual forensic reconstruction."
    - Implication: Need actual SIEM dashboard/report capability, not ad-hoc CLI grepping
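As an added illustration of the AU.3.3.6 point in item 11 (and the custom-alert remark in item 1), the Python below is not from any of the linked posts or from the assessor quoted; it is example code written for this summary. It contrasts ad-hoc grepping with a named, parameterized report function that takes a time window and filters, and adds the kind of threshold rule a custom alert would encode. The log lines, field names, user names, hosts and thresholds are all constructed for the example.

```python
"""Added example: on-demand audit report and a simple alert rule over
structured audit events. Sample data, field names and thresholds are
constructed for illustration; nothing here comes from the linked posts."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: one JSON record per line (not real data).
SAMPLE_LOG = """\
{"ts":"2026-03-10T08:01:12","user":"alice","event":"logon","result":"success","host":"ws-01"}
{"ts":"2026-03-10T08:02:40","user":"bob","event":"logon","result":"failure","host":"ws-02"}
{"ts":"2026-03-10T08:02:55","user":"bob","event":"logon","result":"failure","host":"ws-02"}
{"ts":"2026-03-10T08:03:10","user":"bob","event":"logon","result":"failure","host":"ws-02"}
{"ts":"2026-03-10T08:03:30","user":"bob","event":"logon","result":"success","host":"ws-02"}
{"ts":"2026-03-10T09:15:00","user":"alice","event":"file_access","result":"success","host":"fs-01","object":"cui/drawings/drawing-017.pdf"}
{"ts":"2026-03-10T17:45:00","user":"alice","event":"logoff","result":"success","host":"ws-01"}
{"ts":"2026-03-11T02:10:00","user":"svc-backup","event":"file_access","result":"success","host":"fs-01","object":"cui/"}
"""


def parse_events(text):
    """Parse newline-delimited JSON audit records; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def audit_report(events, start, end, user=None, event=None):
    """Ready-to-use report: a time window (ISO strings, end exclusive) plus
    optional user/event filters, returning counts and the matching records."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    selected = [
        e for e in events
        if t0 <= e["ts"] < t1
        and (user is None or e["user"] == user)
        and (event is None or e["event"] == event)
    ]
    tally = Counter((e["user"], e["event"], e["result"]) for e in selected)
    return {
        "window": [start, end],
        "filters": {"user": user, "event": event},
        "count": len(selected),
        "by_user_event_result": {
            f"{u}/{ev}/{r}": n for (u, ev, r), n in sorted(tally.items())
        },
        "records": selected,
    }


def failed_logon_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert rule: `threshold` failed logons by one user inside `window`.
    Fires once per burst and resets, so a single burst yields one alert."""
    alerts = []
    recent = defaultdict(list)
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["event"] != "logon" or e["result"] != "failure":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # age out failures outside the window
            q.pop(0)
        if len(q) >= threshold:
            alerts.append({"user": e["user"], "host": e["host"],
                           "count": len(q), "last_seen": e["ts"].isoformat()})
            q.clear()
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    day = audit_report(evs, "2026-03-10", "2026-03-11")
    print(json.dumps(day["by_user_event_result"], indent=2))
    cui = audit_report(evs, "2026-03-10", "2026-03-12", event="file_access")
    print(f"CUI file accesses in window: {cui['count']}")
    print(json.dumps(failed_logon_alerts(evs), indent=2))
```

In a real assessment the capability would be a saved SIEM report, workbook or scheduled query; the script only makes the conceptual distinction concrete. `audit_report` is a named function with defined inputs that anyone on the team can run the same way each time, which is what "ready-to-use" means, whereas composing a new pipeline of commands when an assessor asks is the "manual forensic reconstruction" the quoted assessor rejected.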


2026-03-13 — Nightly Update

New Posts Captured

| Post ID | Title | Score | Key Intel |
| --- | --- | --- | --- |
| 1rrtptn | CMMC Level one reqs | 2 up, 22 comments | MSP misinformation confirmed: MSP claimed L1 requires all 110 controls (wrong). Community confirmed L1 = 15 controls only. Official L1 Assessment Guide: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf |
| 1rrp19k | C3PAO lead time inquiry | 2 up, 13 comments | Current lead times: 8-12 weeks is most common across C3PAOs. Some booking into early summer. "Better firms" at 90-120 days. Ask about audit schedule/duration when interviewing. |
| 1rr2t5w | Enclave users with non-enclave users | 4 up, 8 comments | Cross-tenant collaboration: GCC High supports inbound/outbound guest access with commercial tenants. Two-tenant sovereign ground approach. Don't need both PreVeil AND GCC High. |
| 1rqbl58 | Feeling Overwhelmed (construction) | 18 up, 32 comments | Solo IT, 220 employees. Community consensus: "CMMC is an organizational problem disguised as an IT problem." Cost estimate: ~$100k per 100 employees. Get exec buy-in first. Scope to 80 CUI-touching employees, not all 220. |
| 1rpyx99 | Retooling the business for CMMC | 12 up, 15 comments | Business transformation focus |

Key Takeaways from 2026-03-13

  1. L1 Misinformation is Common: MSPs may claim L1 requires 110 controls. This is FALSE. L1 = 15 controls only. Point MSPs to official DoD Assessment Guide L1 v2.

  2. C3PAO Lead Times: 8-12 weeks is standard right now. As Nov 2026 Phase 2 deadline approaches, expect this to grow. Book early.

  3. CMMC is NOT an IT Problem: Multiple comments in "Feeling Overwhelmed" thread emphasized this. It requires organizational change, exec buy-in, and involvement from HR, Finance, Operations — not just IT.

  4. Construction/Manufacturing Specifics: Drawings marked CUI must be tracked through entire organization including subcontractors. Physical protections for buildings where CUI is stored.

  5. Cost Estimation: Community-suggested rough math: $100k per 100 employees. Varies by architecture and scope.

Sources (2026-03-13)


2026-03-14 — Nightly Update Pass


2026-03-15 — Nightly Update Pass

New Posts Captured

| Post ID | Title | Score | Key Intel |
| --- | --- | --- | --- |
| 1ruiamk | Does anyone read the CRM? | 2 up, 10 comments | CRM Review Essential: Assessors (C3PAO, DIBCAC) do require review of the Cloud Responsibility Matrix (CRM) to understand shared/inherited controls. Misinformation from Microsoft reps and some MSPs downplays this. Actionable: Request CRM from O365FedRamp@microsoft.com. Ensure FedRAMP approved cloud environment. |
| 1rub61h | Implementation of FIPS Cryptography | 8 up, 17 comments | CMMC 3.13.11 (FIPS): Debate on FIPS mode scoping. Assessors suggesting removing encryption (if not primary protection for CUI) to achieve compliance, which is counter-intuitive. Questions on enabling FIPS mode broadly vs. scoping. |
| 1rtwmh3 | Senior Leader Looking to Transition to CCA or LCCA Role | 1 up, 6 comments | Career Advice: Insights for professionals looking to transition into CMMC roles (CCP, CCA, LCCA). Discussion on market viability. |
| 1rsnzyg | Will LogMeIn (RMM) Pass CMMC? | 4 up, 10 comments | LogMeIn RMM Scope: If features like file transfer, screenshotting, copy/paste are disabled and strong policies are in place, LogMeIn can potentially be classified as a Security Protection Asset (SPA) and pass. Otherwise, as a CSP, it requires FedRAMP Moderate+. |
| 1rsmdhz | Change management - new software review | 4 up, 6 comments | CM Controls: Request for guidelines/checklists for reviewing new software before production to meet change management requirements. |

Key Takeaways from 2026-03-15

  1. CRM Scrutiny: Despite vendor claims, CRMs are critical assessment documents. Companies must proactively obtain and understand their CSP's CRM, mapping it to their controls, especially for inherited responsibilities.
  2. FIPS Implementation Nuance (3.13.11): The interpretation of FIPS-validated cryptography for CUI remains a point of contention, with some assessors giving counter-intuitive advice regarding removing encryption. Proper scoping and understanding primary protection mechanisms are key.
  3. RMM Tools and SPA Classification: For tools like LogMeIn RMM, strict configuration (disabling sensitive features) and clear policies are essential to classify them as a Security Protection Asset (SPA) rather than a full CSP requiring FedRAMP.
  4. Continuous Change Management: The need for robust new software review processes highlights an ongoing challenge in Configuration Management (CM) for CMMC compliance.

Sources (2026-03-15)