We are in the process of replacing multiple end-of-life applications. We are currently attempting to identify an application that offers feature parity for our old application; however it has not been easy. That puts us in a bind. What would a CMMC assessor say if they view the application and we tell him it will be retired in 2023? What are our options? – OVERWHELMED



First, I empathize on the search to find a replacement business application at any level. It is never easy because one may discover themselves at the crossroads of any number of situations or scenarios, including finding out that one may have legacy information systems or hardware that is incompatible with the new application.

To the question at hand – We are missing some contextualization, however, for the purposes of discussion, let us assume that:

  • The application in question still in use today.
  • The application in question is processing, storing and/or transmitting Controlled Unclassified Information (CUI).
  • The application in question is connected to your organization’s network via WiFi or Ethernet.
  • The assessor walks in today and assesses your organization today.

Assuming the above, the application would be in scope of a CMMC assessment because the application is still being used as part of your business processes and is still processing, storing and/or transmitting Controlled Unclassified Information (CUI).

Without knowing the full extent of one’s organization and operations, my only real recommendation would be to retain a firm who could help understand your organization better and gain a better understanding as to how to move forward in an affordable way.

However, given that there are multiple applications in play, there may be some CMMC scope creep. It would make good fiscal policy to retain cybersecurity professionals so that one can develop proper business requirements and help define what is or is not in scope.

Have a question for our CMMC Experts? Ask away.