Community Guidelines: Read This Before You Post
This community works because its members share openly, ask honest questions, and help each other solve real problems. To keep it that way, there are some clear boundaries everyone needs to understand and respect.
What You CAN Share
General questions about CMMC requirements, processes, and strategies. Example: "We are trying to decide between VLAN-based segmentation and a separate physical network for our CUI enclave. What have others done at our size?"
Lessons learned from your compliance journey (what worked, what did not, what you would do differently). These are some of the most valuable posts in the community.
Questions about specific NIST SP 800-171 practices, control families, or implementation approaches. Example: "How are people handling the audit log retention requirement when storage costs are a concern?"
Experiences with C3PAOs, assessment preparation, evidence gathering, and the assessment process itself (without disclosing proprietary assessment findings).
Career questions about the CCA, CCP, and consulting paths.
Questions about tooling and technology: firewalls, SIEM platforms, MFA solutions, cloud environments (GCC High, AWS GovCloud), endpoint protection, and similar topics.
University and higher education-specific CMMC challenges (enclave design, faculty engagement, institutional governance).
What You CANNOT Share
This is critical. Read it carefully.
Do NOT post any Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), or any data that carries CUI markings. This community is hosted on Skool, which is a commercial platform. It is not a CUI-authorized environment. It is not encrypted to FIPS 140-2 standards. It is not within anyone's Assessment Boundary. Posting CUI here would be a compliance violation for you and potentially for your organization.
Do NOT post specific technical details about your organization's security architecture that could be exploited. You can say "we use a FortiGate firewall at our boundary." You should not post your firewall rule set, your network diagram with IP addresses, your vulnerability scan results, or your SSP contents. Your CISO will get mad. I will get mad. Turbulence will be the expected result. Discuss approaches and strategies in general terms. Keep the specifics inside your organization.
Do NOT post classified information of any kind. This should go without saying, but it needs to be said.
Do NOT post contract-specific details that identify your customer, your contract value, your specific deliverables, or your SPRS score. You can discuss your compliance journey in general terms ("we are a 50-person manufacturer working toward Level 2") without revealing details that could identify your specific contracts or customers.
Do NOT post screenshots of your SSP, your POA&M with specific findings, your C3PAO assessment report, or other assessment artifacts. These documents contain sensitive organizational information and, in some cases, may reference CUI categories or system details that should not be shared publicly.
A simple rule of thumb: if the information would be useful to someone trying to attack your organization's systems or identify gaps in your defenses, do not post it here.
Community Conduct
Be helpful. Be honest. Be respectful. Disagree constructively. We are practitioners helping practitioners, and professional disagreement about implementation approaches is healthy. Personal attacks are not.
No spam.
No self-promotion of your consulting services, products, or paid offerings. This community is not your lead generation channel. If someone asks for a recommendation and your service is genuinely relevant, you may mention it once, briefly, AS A REPLY, with full transparency that it is your own offering.
Unsolicited pitches, repeated promotion, and posts that exist primarily to drive traffic to your website or sales funnel will be removed, and repeat offenders will be removed from the community. This applies to everyone, including vendors, consultants, tool providers, and C3PAOs.
If you see a post that appears to contain CUI, sensitive technical details, or violates these guidelines, please flag it or message me directly. Protecting each other is part of what a security-focused community does.
These guidelines exist to keep this space valuable and safe for everyone. I enforce them consistently and without exceptions or apologies.
-- JD Ussery
CMMC Readiness Vault
skool.com/cmmc-readiness-vault