CMMC intelligence,
no billable hours.
Practical guides written by compliance specialists. Everything you need to understand the framework before you engage anyone.
FIPS 140 "Validated" vs "Compliant" for CMMC
Control 3.13.11, the FIPS-validated cryptography requirement, is one of the most common reasons companies fail CMMC assessments. Here's what the distinction between "validated" and "compliant" actually means, and how to get it right.
CMMC Attestation Risk: When "We're Compliant" Turns Into False Claims Exposure
Every SPRS upload is a legal representation to the federal government. Under the False Claims Act, misrepresenting cybersecurity compliance is fraud — and your own IT staff can be the ones to report it.
The COTS Trap in CMMC
One of the most persistent myths in the defense supply chain: "We use commercial applications, so we're exempt from CMMC." It sounds reasonable. It is wrong — and misreading this line is one of the most consequential scoping errors a contractor can make.
CMMC Level 2 Assessment Scope Explained
Before you can implement a single CMMC control, you have to answer one question: what, exactly, are you protecting? The answer determines whether your CMMC certification costs $50,000 or $500,000.
CMMC Remote Work: When Work-From-Home Devices Become In Scope
Remote work is one of the most underestimated scoping risks in CMMC. Most contractors assume that because CUI lives in the cloud, employees' home environments are automatically out of scope. They are not.
How to Write a CMMC SSP
If there is one document that determines whether a CMMC assessment moves efficiently or stalls on day one, it is the System Security Plan. Assessors treat it as the authoritative map tying your scope, assets, controls, and evidence together.
CMMC POA&Ms: What Can Be Deferred, the 180-Day Closeout Rule, and Conditional Status
Under DFARS 252.204-7021, a POA&M identifies tasks to be accomplished, details resources required, milestones, and scheduled completion dates. In CMMC, the rules governing what can be deferred — and for how long — are stricter than most contractors expect.
CMMC Physical Security Requirements: Visitor Logs, Escort Rules, and Walkthrough Evidence
Physical security surprises contractors more than any other CMMC domain. Organizations spend months on network architecture and SSP documentation — and then an assessor watches a delivery driver walk unescorted through the facility.
CMMC Assessment Explained: How Assessors Evaluate Evidence Using Examine, Interview, and Test
Under NIST SP 800-171A, a C3PAO assessor does not evaluate a control as a single pass/fail question. They evaluate a set of granular assessment objectives — and each one must independently meet the standard.
CMMC Level 1 vs Level 2: Self-Assessment, C3PAO Assessments, and What Triggers Each Level
CMMC Level 1 and Level 2 reflect two fundamentally different risk environments. Level 1 covers organizations handling Federal Contract Information — basic, non-public contract data. Level 2 covers organizations handling CUI.
FCI vs CUI for CMMC: Identification, Markings, and What to Do When It's Unclear
Two regulatory frameworks govern how the DoD handles non-public information in the defense supply chain, and they carry entirely different compliance obligations. Misidentifying one for the other changes your entire scope.
CMMC Enclaves Explained: How to Reduce Level 2 Scope with Segmentation and Containment
A CMMC enclave is a scope-reduction architecture that uses physical and logical separation techniques to contain CUI within a tightly defined assessment boundary — keeping the rest of the corporate environment out of scope.
CMMC and MSPs/External Service Providers: Scope, Shared Responsibility, and Evidence
The DoD CIO scoping guidance defines two terms that every contractor relying on external IT must understand. An External Service Provider (ESP) is any organization providing services to you that may affect the confidentiality of your CUI.
Security Protection Data (SPD) in CMMC: Why Logs and Monitoring Tools Expand Your Level 2 Scope
Your SIEM, your firewall logs, your vulnerability scan results, and the MSP managing them: none of these sit quietly outside your CMMC assessment boundary. The data these tools generate is categorized in the DoD scoping guidance as Security Protection Data, and the assets that store or process it become assessable.
Adequate vs Sufficient Evidence in CMMC: How to Prove Controls Without Document Dumping
Assessors make findings at the assessment objective level — one Not Met objective can fail the entire control practice. And assessors use judgment to determine when adequate and sufficient evidence has been presented to close an objective.
CMMC Readiness Review: What to Finish Before Hiring a C3PAO (and What Delays Assessments)
Under the Cyber AB CAP, the assessment process opens with a pre-assessment phase that includes a Certification Assessment Readiness Review. The lead assessor evaluates whether the organization has stable, documented controls before the formal assessment begins.
The CMMC Assessment Process (CAP): Phases, Outputs, and What Happens in Each Step
Sequence is not incidental in the CAP; it is mandatory. A C3PAO cannot move to Phase 2 without completing the Phase 1 readiness review. Conditional CMMC status cannot be issued without a qualifying score and without open POA&M items on requirements that cannot be deferred.
CMMC Reporting Systems: eMASS vs SPRS — What Gets Submitted Where, and Why It Matters
The two systems serve different audiences and carry different data. Contractors post to SPRS. C3PAOs submit to eMASS. Confusing the two — or assuming that a C3PAO assessment means uploading your SSP — is a critical compliance error.
CMMC Evidence Retention: Hashing, Signatures, and How to Prove What Was True on Assessment Day
A CMMC assessment is a point-in-time determination — and that determination must be defensible for six years after the CMMC Status Date. The mechanism that makes it defensible without exposing proprietary security artifacts is cryptographic hashing.
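The following is an added example, not code from the page or any CMMC tool: a minimal evidence manifest built from SHA-256 hashes of assessment-day artifacts, signed as a unit, and checked later without the artifacts themselves ever leaving the contractor. The artifact bytes, file names, the `build_manifest`/`verify_artifact` function names and the HMAC key are all constructed for illustration; HMAC-SHA256 stands in for whatever signing or timestamping mechanism you actually use, since a key only the contractor holds proves nothing to a third party by itself.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts (not real CUI or real configs): filename -> bytes.
SAMPLE_ARTIFACTS = {
    "ssp-v3.pdf": b"%PDF-1.7 System Security Plan excerpt (constructed sample)",
    "fw-ruleset-2025-01-15.cfg": b"allow tcp 10.10.20.0/24 -> 10.10.30.5:443\ndeny any any\n",
    "siem-review-log-week03.csv": b"2025-01-13,analyst1,reviewed,0 findings\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, status_date: str) -> dict:
    """Record name, size and SHA-256 of each artifact.

    Only the digest and length are stored, so the manifest can be shared
    (or kept in the assessment record) without disclosing the artifact itself.
    """
    entries = {
        name: {"sha256": sha256_hex(data), "bytes": len(data)}
        for name, data in sorted(artifacts.items())
    }
    return {"cmmc_status_date": status_date, "hash_alg": "sha256", "artifacts": entries}


def canonical_json(obj) -> bytes:
    # Sorted keys and fixed separators: the same manifest always serialises to
    # the same bytes, which is what makes a signature over it meaningful.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest (assumed stand-in for a real signature)."""
    return hmac.new(key, canonical_json(manifest), hashlib.sha256).hexdigest()


def verify_manifest_signature(manifest: dict, signature: str, key: bytes) -> bool:
    """True only if the manifest is byte-for-byte what was signed."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_artifact(manifest: dict, name: str, data: bytes) -> bool:
    """Six years later: does the artifact we still hold match what was recorded?"""
    entry = manifest["artifacts"].get(name)
    if entry is None:
        return False
    return entry["bytes"] == len(data) and hmac.compare_digest(entry["sha256"], sha256_hex(data))


def manifest_leaks_content(manifest: dict, artifacts: dict) -> bool:
    """Sanity check that no artifact bytes ended up inside the manifest."""
    blob = canonical_json(manifest)
    return any(data in blob for data in artifacts.values())


if __name__ == "__main__":
    key = b"demo-signing-key"  # placeholder; real deployments use a proper signing key
    manifest = build_manifest(SAMPLE_ARTIFACTS, "2025-02-01")
    signature = sign_manifest(manifest, key)
    print(canonical_json(manifest).decode())
    print("signature:", signature)
    print("all artifacts verify:", all(verify_artifact(manifest, n, d) for n, d in SAMPLE_ARTIFACTS.items()))
```

Regenerating the manifest from today's files and comparing it against the signed copy is the whole retention check: a changed firewall rule set or an edited SSP produces a different digest and fails `verify_artifact`, while a manifest edited to match the new file fails `verify_manifest_signature`. The manifest is safe to hand over because it carries digests and sizes only; the artifact contents stay under the contractor's control.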
CMMC Conflicts of Interest: What Assessors Cannot Do (and How Companies Avoid Violations)
The separation between consulting and assessing is not a procedural preference; it is a structural requirement of the CMMC ecosystem enforced by the Cyber AB through its Code of Professional Conduct (CoPC). Its foundation is the impartiality requirement of ISO/IEC 17020, the standard C3PAOs are accredited against.
CMMC Scoring Explained: Met vs Not Met, Assessment Objectives, and Why One Gap Fails the Requirement
There is no curve. There is no "mostly compliant" outcome. Each of the 110 CMMC Level 2 control practices is decomposed into discrete assessment objectives — 320 in total — and each one is independently scored Met or Not Met.
GCC High vs Microsoft 365 Commercial for CMMC
Microsoft 365 Commercial cannot satisfy DFARS 7012 or support a defensible CMMC Level 2 assessment for CUI. Here is what GCC High changes — and when Commercial, GCC, or an enclave is the right architecture decision.
Preventing CUI Spill Into the Wrong Cloud Tenant
A CUI spill into a non-compliant cloud tenant is one of the fastest ways to fail a CMMC assessment. Here is how spills happen in practice — through email, sync clients, guest sharing, and shadow IT — and the enforceable controls that actually stop them.
How to Migrate to GCC High Without Expanding Scope by Accident
GCC High migrations are compliance projects, not IT projects. Every misstep — coexistence periods, duplicate repositories, legacy connectors left running — can drag new systems into your CMMC assessment boundary.
CMMC Backups: When Backup Repositories, Replicas, and Recovery Media Become In Scope
Backups that contain CUI are not outside your CMMC assessment boundary. Backup servers, repositories, immutable storage, offsite copies, tape, and the admin accounts that manage them are all assessable.
Offsite Backup Storage for CUI: FedRAMP, Encryption, and Boundary Logic
Moving CUI backups offsite does not move them out of scope. Whether the target is a cloud bucket, a colocation rack, or a managed backup provider, the compliance obligations travel with the data.
Do You Actually Need a SIEM for CMMC Level 2?
NIST SP 800-171 does not require a SIEM by name. But it requires audit log collection, review, correlation, alerting, and incident response — and the question is whether your environment can satisfy those requirements without one.
Audit Logging for CMMC: What to Collect, How Long to Keep It, and How to Show It
CMMC Level 2 requires audit logs from every in-scope system: generated, retained, protected, reviewed, correlated, and producible on demand. Here is what to log, how long to keep it, and how to prove to an assessor that your log review process is real.
Vulnerability Scanning for CMMC: Authenticated Scans, Exceptions, and Remediation Evidence
CMMC Level 2 requires vulnerability scanning of in-scope systems — but the controls demand far more than running a monthly Nessus report. Authenticated scans, documented exceptions, patch SLAs, and remediation evidence are what assessors actually evaluate.
Patch Management for CMMC: What "Timely" Actually Looks Like in Practice
NIST SP 800-171 requires timely flaw remediation, but "timely" is organization-defined, and "we patch monthly" is not a patch management program. Here is what severity-based SLAs, emergency patching, and repeatable evidence actually look like for CMMC Level 2.
MFA for CMMC: Which Logins Need It, Which Accounts Need More, and Where Companies Get It Wrong
NIST SP 800-171 requires multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts, and the assessment objectives go further than most contractors expect. Here is which logins need MFA, which accounts warrant phishing-resistant factors, and the common gaps assessors find.
Shared Responsibility in CMMC: What Your MSP, MSSP, and Internal Team Each Must Prove
When a CMMC assessment evaluates a control, the assessor does not care which party is responsible — they care whether the control is implemented and evidenced. Shared responsibility models fail when nobody can prove who owns what.
Choosing CMMC Consultants and C3PAOs: Red Flags, Conflicts, and Proposal Review
Hiring the wrong CMMC consultant costs more than the engagement fee — it costs time, produces unusable artifacts, and can disqualify your assessor. Here is how to evaluate proposals, spot red flags, and sequence your advisory and assessment partners correctly.
CMMC Cost Planning: What Actually Drives Budget Up or Down
Most defense contractors misbudget CMMC because they treat it as a single line item instead of a multi-year program with scope-dependent variables. Here is what actually drives cost — cloud architecture, endpoint count, provider relationships, and remediation depth.
Policy vs Procedure vs Evidence in CMMC
Assessors evaluate three distinct layers of documentation — policy, procedure, and evidence — and score them independently. A well-written policy with no corresponding procedure is an aspiration. A procedure with no supporting evidence is a claim.
NIST SP 800-171 Rev. 2 vs Rev. 3 for CMMC: What Contractors Should Use Right Now
CMMC Level 2 assessments are conducted against NIST SP 800-171 Revision 2 — not Revision 3. But Rev. 3 exists, contractors are reading it, and the confusion is producing premature rewrites, wasted budget, and conflicting advice. Here is what governs today.