Workshop Cohort FAQs
- What is a process acting on behalf of an authorized user?
- What does it mean to sanitize FCI/CUI, and how do I do it?
- What is device authentication in CMMC?
- How do I perform and report my CMMC Level 1 self-assessment?
- How do I perform and report my NIST 800-171/CMMC Level 2 self-assessment (SPRS) score?
- Is there a difference between FAR 52.204-21 and CMMC Level 1?
- How do I know if CMMC is not applicable to me?
- What is the difference between CMMC and FedRAMP?
- What is an enclave?
- I use a VPN, am I good?
- What are the consequences for failure to comply?
What is a process acting on behalf of an authorized user?
Check out our blog on this topic: https://www.totem.tech/processes-acting-on-behalf-of-authorized-users/.
What does it mean to sanitize FCI/CUI, and how do I do it?
Check out our blog on this topic: https://www.totem.tech/cui-sanitization-and-destruction-requirements-for-cmmc/.
What is device authentication in CMMC?
Check out our blog on this topic: https://www.totem.tech/device-authentication-cmmc/.
How do I perform and report my CMMC Level 1 self-assessment?
Check out our blog on this topic: https://www.totem.tech/cmmc-level-1-self-assessment-reporting/.
How do I perform and report my NIST 800-171/CMMC Level 2 self-assessment (SPRS) score?
Check out our blog on this topic: https://www.totem.tech/how-to-generate-and-report-your-dod-self-assessment-score/.
Is there a difference between FAR 52.204-21 and CMMC Level 1?
Check out our blog on this topic: https://www.totem.tech/cmmc-level-1/.
How do I know if CMMC is not applicable to me?
Check out our blog on this topic: https://www.totem.tech/when-is-cmmc-not-applicable/.
What is the difference between CMMC and FedRAMP?
Check out our blog on this topic: https://www.totem.tech/what-the-heck-is-the-difference-between-fedramp-and-cmmc/.
What is an enclave?
If you've been browsing around for solutions to help with CMMC compliance, you may have encountered vendors pitching you their "enclave". An enclave is essentially an isolated network segment, cloud environment, or other area that is intentionally designed for handling federal government information, such as Controlled Unclassified Information (CUI). For instance, a company may choose to isolate their CUI flow to a dedicated network segment and implement strict access controls to prevent CUI from spilling outside of that segment. This allows them to only have to implement NIST 800-171 within that enclave. Or, a company may choose to subscribe to a cloud CUI enclave operated by an external service provider and inherit many of the NIST 800-171 requirements. Enclave services can provide nice time savings for companies needing to comply with CMMC quickly, but they may not always be a good fit for their operational needs and are often very expensive. Be very careful when evaluating enclave providers, especially those using cloud services, ensuring that they have undergone appropriate FedRAMP authorization if CUI is going to be handled within that cloud environment.
Check out this blog on the topic: What the heck is a CMMC enclave?
I use a VPN, am I good?
Bottom line: NO. Commercial Virtual Private Networks (VPNs), like NordVPN, VPNpro, CyberGhost, Express VPN, etc. are simply an encrypted tunnel through the Internet that mask your workstation's IP address and make it look like your workstation is physically somewhere else. None of the features of any of these commercial VPNs fully satisfy any of the NIST 800-171 assessment objectives.
A corporate-controlled VPN on the other hand may satisfy some of the assessment objectives, but it depends on the purpose of the VPN, how it is setup and managed by your organization, the encryption protocols used, and so on. But simply turning on a VPN is not even necessarily a best security practice, let alone a practice that conforms to the FAR/DFARS/CMMC requirements.
What are the consequences for failing to comply?
Below is list of organizations the DoJ has fined for cybersecurity False Claims Act (FCA) violations:
| Organization | Number of Employees | Date | Settlement / Fine | Key Violation & CUI Context | Information Source |
| LOGZONE, Inc. | <30 | June 2026 | $507,144 | Falsely certified NIST SP 800-171 compliance by self-attesting a perfect score of 110 in the DoD Supplier Performance Risk System (SPRS). A subsequent Defense Contract Audit Agency (DCAA) assessment revealed their actual score was -170. | https://www.justice.gov/opa/pr/alabama-defense-contractor-agrees-pay-507144-resolve-false-claims-act-liability-relating |
| Aero Turbine Inc. (ATI) & Gallant Capital Partners | <100 | July 2025 | $1,750,000 | Failed to implement mandatory NIST SP 800-171 security controls on an Air Force contract. Crucially leaked CUI by providing technical files to an unauthorized software firm based in Egypt. Private equity owner held jointly liable. | https://www.justice.gov/opa/pr/california-defense-contractor-and-private-equity-firm-agree-pay-175m-resolve-false-claims |
| Illumina, Inc. | 9000+ | July 2025 | $9,800,000 | Sold genomic sequencing systems to federal agencies while falsely representing that the underlying software adhered to required government data security and cybersecurity standards. | https://www.justice.gov/opa/pr/illumina-inc-pay-98m-resolve-false-claims-act-allegations-arising-cybersecurity |
| MORSECORP, Inc. | <150 | March 2025 | $4,600,000 | Submitted inaccurate basic assessment scores to the SPRS database regarding CUI security controls. Continued to leave the false scores uncorrected after a third-party gap analysis explicitly proved they only met 22% of required NIST controls. | https://www.justice.gov/opa/pr/defense-contractor-morsecorp-inc-agrees-pay-46-million-settle-cybersecurity-fraud |
| Swiss Automation, Inc. | <300 | March 2025 | $421,234 | Precision machining subcontractor failed to safeguard ITAR-controlled technical blueprints and military drawings (CUI), resulting in unauthorized access by foreign nationals. | https://www.justice.gov/opa/pr/illinois-precision-machining-company-agrees-pay-421234-resolve-alleged-false-claims-act |
| Pennsylvania State University | 35,000+ | October 2024 | $1,514,355 | Settled False Claims Act whistleblower allegations that it failed to implement required NIST SP 800-171 cybersecurity controls on contracts performed for the Department of Defense (DoD) and NASA between 2018 and 2023. | https://www.justice.gov/usao-edpa/pr/penn-state-agrees-pay-125-million-resolve-false-claims-act-allegations-relating-non |
| Raytheon Company | 185,000+ | Post-2021 | $8,400,000 | Resolved liability under the False Claims Act for failing to implement mandatory cybersecurity controls and maintain secure systems as required by multiple federal contracts. | https://www.justice.gov/opa/pr/raytheon-companies-and-nightwing-group-pay-84m-resolve-false-claims-act-allegations-relating |
| Comprehensive Health Services LLC (CHS) | 2000+ | March 2022 | $930,000 | Failed to store confidential medical records on a secure, firewalled server required by State Department and DoD contracts, instead hosting them on an unencrypted internal drive accessible to unauthorized staff. | https://www.justice.gov/archives/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical |
