Qualified Capacity · The Desk

The Archive

Sanitized practitioner questions. Cited discipline answers. The searchable record of how DIB shops turn quality-system discipline into enduring information protection.

5Published
answers
5Founding
inquiries
0Live practitioner
answers

Archive Posture

The founding inquiries were published as the initial Desk archive on 30 April 2026. Future entries will be live practitioner questions, sanitized before publication and distinguished by their submission and publication metadata.

Find an Answer

Answers

5 answers shown

No archive answers match that search. Clear the filters or search by clause, role, asset type, or discipline question.

  1. Founding Inquiry 05 · Published 30 April 2026

    If an operator prints a CUI drawing, does every workstation on the shop floor fall in scope?

    Printed CUI on the shop floor does not automatically pull every nearby PC into scope. Classify systems by actual data path and protect the printed media.

    Quality ManagerMedia ProtectionPhysical-Digital Boundary32 CFR 170.19
  2. Founding Inquiry 04 · Published 30 April 2026

    Legacy CNC controllers that cannot do multi-factor authentication — what is the path forward under IA.L2-3.5.3?

    Legacy CNC controllers do not automatically require replacement. The first move is CMMC asset categorization, followed by isolation and MFA at the access layer where needed.

    IT ResourceCMMC ScopingSpecialized AssetsIA.L2-3.5.3
  3. Founding Inquiry 03 · Published 30 April 2026

    How do I flow NIST 800-171 to my sub-tier suppliers through my existing AS9100 supplier management?

    DFARS keeps the clause legally intact; AS9100 8.4 becomes the operating carrier for supplier classification, flowdown, monitoring, and corrective action.

    Supply Chain DirectorSupplier FlowdownDFARS 252.204-7012(m)AS9100 8.4
  4. Founding Inquiry 02 · Published 30 April 2026

    Which of the fourteen control families does my AS9100 QMS already cover?

    A mature AS9100 QMS gives operating leverage across the 14 families, but the right starting map is 4 Greens, 7 Ambers, and 3 Reds — not automatic CMMC coverage.

    Shop OwnerQMS Mapping14 FamiliesSSP Mapping
  5. Founding Inquiry 01 · Published 30 April 2026

    Does my AS9100 corrective-action system count as CMMC incident response?

    AS9100 CAPA can be extended into the incident-response discipline NIST 800-171 expects, but it does not automatically satisfy CMMC incident response.

    Quality ManagerIncident ResponseNIST 800-171 3.6AS9100 10.2

Have a discipline question?

Submit it to The Desk in abstract form. No CUI. No FCI. No proprietary details. Just the discipline question.

Submit a Question
Return to The Desk

If it’s not qualified, it’s not capacity.™