Qualified Capacity · The Desk


Discipline answers for DIB practitioners extending their quality systems to protect information. Intake and archive.

How the Desk works

Questions arrive here. Answers publish within seven days, in the order they can be drafted with care. Five founding inquiries are in the archive at launch. Be one of the first practitioners whose live question shapes the corpus.

The Archive

Five entries published in the archive.

Live practitioner questions are reviewed before they enter the public corpus.

Five founding inquiries, drawn from the practitioner conversations that shaped the book. Published as the founding archive on 30 April 2026. Distinguished from live practitioner submissions by the provenance note at the foot of each entry.

  1. Founding · Inquiry 01

    Does my AS9100 corrective-action system count as CMMC incident response?

    The corrective-action discipline your quality manager already runs against nonconformity — containment, root-cause analysis, corrective action, verification — can be extended into the incident-response discipline NIST 800-171 expects for information-security incidents. What extends. What the C3PAO will still ask for.

    Quality Manager · NIST 800-171 IR family · AS9100 clause 10.2
  2. Founding · Inquiry 02

    Which of the fourteen control families does my AS9100 QMS already cover?

    Most mature shops start from a map of 4 Greens, 7 Ambers, and 3 Reds. The map is your starting position, and your QMS is usually much further along than you think. The families where operating discipline already exists. The families where cyber implementation must be added to that discipline. The families where genuinely new technical capability is required.

    Shop Owner · All 14 families · Chapter 7 diagnostic
  3. Founding · Inquiry 03

    How do I flow NIST 800-171 to my sub-tier suppliers through my existing AS9100 supplier management?

    DFARS 252.204-7012(m) flows the requirement. AS9100 clause 8.4 already governs the discipline — supplier qualification, flowdowns, monitoring, audits. The infrastructure to carry the information-protection requirement is already live in your quality system. Where it extends. Where the prime is watching.

    Supply Chain Director · DFARS 252.204-7012(m) · AS9100 clause 8.4
  4. Founding · Inquiry 04

    Legacy CNC controllers that cannot do multi-factor authentication — what is the path forward under IA.L2-3.5.3?

    Legacy CNC controllers do not automatically require capital replacement, but they do require disciplined CMMC scoping. First determine which 32 CFR 170.19 asset category the controller falls into (Out-of-Scope Asset, CUI Asset, Contractor Risk Managed Asset, or Specialized Asset) and whether it sits inside a protected enclave. If the machine cannot run MFA natively, the path is usually architectural: isolate the controller on its own network segment, enforce MFA at the access layer in front of it rather than on the controller itself, document the asset treatment in the SSP and asset inventory, and manage the equipment through risk-based shop-floor controls.

    IT Resource · CMMC scoping · Specialized Assets · IA.L2-3.5.3
  5. Founding · Inquiry 05

    If an operator prints a CUI drawing, does every workstation on the shop floor fall in scope?

    The physical-digital boundary is the scoping question most shops have never been shown how to draw. Where the CUI Asset boundary begins. Where Contractor Risk Managed Assets start. Where Media Protection governs printed output. How a disciplined scope decision reduces the assessment surface without reducing the protection.

    Quality Manager · Scoping · Physical-digital boundary · Media Protection

Browse the full archive →

The Desk welcomes questions about control-family scoping, clause-interpretation discipline, QMS-integration decisions, compensating-control paths, POA&M architecture, and the scoping decisions that govern where CUI lives in your shop. Ask the discipline question in front of you. One question per submission. Your answer is drafted, sanitized, cited, and published to the archive within seven days — or you receive a direct reply explaining why the question falls outside what the Desk can answer.

Submit practice questions only. Frame the discipline question in general terms. The Desk answers questions about the control families, the clauses, and the decisions practitioners face — not about your specific contract, environment, or incident.

Do not include

  • Your prime, your customer, your specific contract number, or your supplier relationships
  • Data, drawings, contract text, or other artifacts from your FCI or CUI environment
  • Trade-secret or proprietary information, including content marked proprietary under a prime's confidentiality clause or a supplier master agreement
  • Personally identifying information — employee names, third-party names, or details that identify specific individuals
  • Classified information — classified contracts are handled under NISPOM and DD Form 254, not CMMC; the Desk is not a venue for classified questions in any form
  • Your SPRS score, POA&M entries, SSP section references, or assessment screenshots
  • Network architectures, IP addresses, system topologies, or proprietary implementations you have built
  • Named vendor-plus-gap pairings — e.g. “our [vendor] firewall is missing [specific control]”
  • Assessor names, assessment dates, or descriptions of specific security incidents you have experienced

Ask in the abstract instead

Raw · do not submit “We run [vendor] firewalls and our CISO just said we are missing SC.L2-3.13.6 on our [named prime] contract.”
Abstract · do submit “A Tier-2 shop runs next-generation firewalls at the network boundary. How does SC.L2-3.13.6 apply to egress filtering for CUI-handling workstations?”
Raw · do not submit “Our 12 [vendor model] CNCs do not support MFA and our prime assessor just failed us on IA.L2-3.5.3.”
Abstract · do submit “A shop has legacy CNC controllers that do not support modern authentication. How should the controllers be scoped under 32 CFR 170.19, and when should the shop use Specialized Asset treatment with MFA enforced at the access layer?”

If the question cannot be asked without the specifics, take it to your RPO or C3PAO rather than here. The Desk is where the discipline questions live; your RPO and C3PAO are where your specific situation gets adjudicated.

How the Desk handles your submission

Every submission is treated as untrusted until reviewed. Submissions are screened before they enter the Desk workflow. If a submission appears to contain CUI, FCI, classified information, export-controlled technical data, trade-secret information, personally identifying information, contract-specific detail, supplier-specific detail, network detail, incident detail, assessment detail, POA&M detail, SSP excerpts, screenshots, or proprietary implementation detail, the Desk may reject the submission, discard the prohibited content, or ask the submitter to restate the question in general terms. Only sanitized discipline questions and answers are retained for the public archive.

The Desk is not a substitute for assessor, counsel, or C3PAO judgment. For your specific situation, adjudicate with your RPO, C3PAO, or counsel.

Submitting a question

Question · Describe the discipline question: control family, clause reference, scoping situation. If the question needs context, give it in general terms per the guidance above. If it does not, keep it tight.

Role · Quality manager, shop owner, supply-chain director, IT resource, plant manager, or other. Kept for context and generalized before publication.

Contact · Used for one purpose: returning your answer. Not added to any list. Not shared.

Your submission is used only to review and answer the discipline question. Published entries never identify the asker, shop, customer, prime, supplier relationship, contract, system, incident, implementation, or assessment posture. Do not submit CUI, FCI, classified information, screenshots, contract text, network diagrams, vendor configurations, POA&M entries, SSP excerpts, assessment notes, or proprietary details.

Submission handled per our Privacy Policy →

Every Desk answer, founding inquiry and future live response alike, passes through the four-point sanitization template before publication. The five founding inquiries set the standard the Desk maintains going forward.

One · Asker

The asker is generalized.

Role and shop profile are preserved. Any detail that would identify a specific individual or organization is removed before the entry goes on the archive.

Two · Question

The question is tightened to its discipline.

Incidental sensitive details are stripped. What remains is the discipline question the practitioner actually brought to the Desk.

Three · Answer

Discipline guidance, not a determination.

Answers live at the discipline level. They are not conformance determinations. They are not regulatory interpretation. The line between guidance and assessor judgment is drawn explicitly in each entry.

Four · Citation

Authority is named.

Every answer cites NIST SP 800-171 Rev 2, DFARS 252.204-7012, 32 CFR Part 170, or the applicable AS9100 clause, and closes with direction to an RPO, C3PAO, or counsel for situation-specific determinations.

Boundary

The Desk is not a substitute for assessor, counsel, or C3PAO judgment. It is where the discipline questions of the shop floor get sanitized, cited answers that help practitioners see the shape of the problem. For your specific situation, take the shape to your RPO, your C3PAO, or your counsel, and have it adjudicated there.

If it’s not qualified, it’s not capacity.™