Workshop Cohort FAQs

What is a process acting on behalf of an authorized user?

Check out our blog on this topic: https://www.totem.tech/processes-acting-on-behalf-of-authorized-users/


 

What does it mean to sanitize FCI/CUI, and how do I do it?

Check out our blog on this topic: https://www.totem.tech/cui-sanitization-and-destruction-requirements-for-cmmc/


 

What is device authentication in CMMC?

Check out our blog on this topic: https://www.totem.tech/device-authentication-cmmc/


 

How do I perform and report my CMMC Level 1 self-assessment?

Check out our blog on this topic: https://www.totem.tech/cmmc-level-1-self-assessment-reporting/


 

How do I perform and report my NIST 800-171/CMMC Level 2 self-assessment (SPRS) score?

Check out our blog on this topic: https://www.totem.tech/how-to-generate-and-report-your-dod-self-assessment-score/


 

Is there a difference between FAR 52.204-21 and CMMC Level 1?

Check out our blog on this topic: https://www.totem.tech/cmmc-level-1/


 

How do I know if CMMC is not applicable to me?

Check out our blog on this topic: https://www.totem.tech/when-is-cmmc-not-applicable/


 

What is the difference between CMMC and FedRAMP?

Check out our blog on this topic: https://www.totem.tech/what-the-heck-is-the-difference-between-fedramp-and-cmmc/


 

What is an enclave?

If you've been browsing around for solutions to help with CMMC compliance, you may have encountered vendors pitching you their "enclave". An enclave is essentially an isolated network segment, cloud environment, or other area that is intentionally designed for handling federal government information, such as Controlled Unclassified Information (CUI). For instance, a company may choose to isolate their CUI flow to a dedicated network segment and implement strict access controls to prevent CUI from spilling outside of that segment. This allows them to only have to implement NIST 800-171 within that enclave. Or, a company may choose to subscribe to a cloud CUI enclave operated by an external service provider and inherit many of the NIST 800-171 requirements. Enclave services can provide nice time savings for companies needing to comply with CMMC quickly, but they may not always be a good fit for their operational needs and are often very expensive. Be very careful when evaluating enclave providers, especially those using cloud services, ensuring that they have undergone appropriate FedRAMP authorization if CUI is going to be handled within that cloud environment.

Check out this blog on the topic: What the heck is a CMMC enclave? 


 

I use a VPN, am I good?

Bottom line: NO.  Commercial Virtual Private Networks (VPNs), like NordVPN, VPNpro, CyberGhost, Express VPN, etc. are simply an encrypted tunnel through the Internet that mask your workstation's IP address and make it look like your workstation is physically somewhere else.  None of the features of any of these commercial VPNs fully satisfy any of the NIST 800-171 assessment objectives.  

A corporate-controlled VPN on the other hand may satisfy some of the assessment objectives, but it depends on the purpose of the VPN, how it is setup and managed by your organization, the encryption protocols used, and so on.  But simply turning on a VPN is not even necessarily a best security practice, let alone a practice that conforms to the FAR/DFARS/CMMC requirements. 


 

What are the consequences for failing to comply? 

Below is list of organizations the DoJ has fined for cybersecurity False Claims Act (FCA) violations:

Organization Number of Employees Date Settlement / Fine Key Violation & CUI Context Information Source
LOGZONE, Inc. <30 June 2026 $507,144 Falsely certified NIST SP 800-171 compliance by self-attesting a perfect score of 110 in the DoD Supplier Performance Risk System (SPRS). A subsequent Defense Contract Audit Agency (DCAA) assessment revealed their actual score was -170. https://www.justice.gov/opa/pr/alabama-defense-contractor-agrees-pay-507144-resolve-false-claims-act-liability-relating
Aero Turbine Inc. (ATI) & Gallant Capital Partners <100 July 2025 $1,750,000 Failed to implement mandatory NIST SP 800-171 security controls on an Air Force contract. Crucially leaked CUI by providing technical files to an unauthorized software firm based in Egypt. Private equity owner held jointly liable. https://www.justice.gov/opa/pr/california-defense-contractor-and-private-equity-firm-agree-pay-175m-resolve-false-claims
Illumina, Inc. 9000+ July 2025 $9,800,000 Sold genomic sequencing systems to federal agencies while falsely representing that the underlying software adhered to required government data security and cybersecurity standards. https://www.justice.gov/opa/pr/illumina-inc-pay-98m-resolve-false-claims-act-allegations-arising-cybersecurity
MORSECORP, Inc. <150 March 2025 $4,600,000 Submitted inaccurate basic assessment scores to the SPRS database regarding CUI security controls. Continued to leave the false scores uncorrected after a third-party gap analysis explicitly proved they only met 22% of required NIST controls. https://www.justice.gov/opa/pr/defense-contractor-morsecorp-inc-agrees-pay-46-million-settle-cybersecurity-fraud
Swiss Automation, Inc. <300 March 2025 $421,234 Precision machining subcontractor failed to safeguard ITAR-controlled technical blueprints and military drawings (CUI), resulting in unauthorized access by foreign nationals. https://www.justice.gov/opa/pr/illinois-precision-machining-company-agrees-pay-421234-resolve-alleged-false-claims-act
Pennsylvania State University 35,000+ October 2024 $1,514,355 Settled False Claims Act whistleblower allegations that it failed to implement required NIST SP 800-171 cybersecurity controls on contracts performed for the Department of Defense (DoD) and NASA between 2018 and 2023. https://www.justice.gov/usao-edpa/pr/penn-state-agrees-pay-125-million-resolve-false-claims-act-allegations-relating-non
Raytheon Company 185,000+ Post-2021 $8,400,000 Resolved liability under the False Claims Act for failing to implement mandatory cybersecurity controls and maintain secure systems as required by multiple federal contracts. https://www.justice.gov/opa/pr/raytheon-companies-and-nightwing-group-pay-84m-resolve-false-claims-act-allegations-relating
Comprehensive Health Services LLC (CHS) 2000+ March 2022 $930,000 Failed to store confidential medical records on a secure, firewalled server required by State Department and DoD contracts, instead hosting them on an unencrypted internal drive accessible to unauthorized staff. https://www.justice.gov/archives/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical