Henry Toll
CMMC Compliance Specialist
11 articles
Adequate vs Sufficient Evidence in CMMC: How to Prove Controls Without Document Dumping
Assessors make findings at the assessment objective level — one Not Met objective fails the entire requirement. Whether the evidence presented is adequate and sufficient to close an objective is a judgment the assessor makes, which is why more documents do not mean more proof.
CMMC Readiness Review: What to Finish Before Hiring a C3PAO (and What Delays Assessments)
Under the Cyber AB CAP, the assessment process opens with a pre-assessment phase that includes a Certification Assessment Readiness Review. The lead assessor evaluates whether the organization has stable, documented controls before the formal assessment begins.
The CMMC Assessment Process (CAP): Phases, Outputs, and What Happens in Each Step
Sequence is not incidental in the CAP — it is jurisdictional. A C3PAO cannot move to Phase 2 without completing the Phase 1 readiness review. An interim certificate cannot be issued without a qualifying score and the absence of open high-risk POA&Ms.
CMMC Reporting Systems: eMASS vs SPRS — What Gets Submitted Where, and Why It Matters
The two systems serve different audiences and carry different data. Contractors post to SPRS. C3PAOs submit to eMASS. Confusing the two — or assuming that a C3PAO assessment means uploading your SSP — is a critical compliance error.
CMMC Evidence Retention: Hashing, Signatures, and How to Prove What Was True on Assessment Day
A CMMC assessment is a point-in-time determination — and that determination must be defensible for six years after the CMMC Status Date. The mechanism that makes it defensible without exposing proprietary security artifacts is cryptographic hashing.
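To make the hashing idea concrete, here is an added example (my own, not code from the article or its author) that builds a SHA-256 manifest over a set of evidence artifacts, derives one manifest-level digest that can be signed or timestamped, and later checks the artifacts against that manifest. The artifact names and contents are constructed sample data, and the manifest layout is an assumption for illustration, not a CMMC or Cyber AB format.

```python
"""Added example: hash an evidence bundle into a manifest, derive a single
digest to sign or timestamp, and verify the bundle later. Only the manifest
digest needs to leave the organisation; the artifacts themselves stay private.
File names, contents and the manifest format are all constructed for
illustration and are not a CMMC specification."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict[str, bytes], status_date: str) -> dict:
    """Map each artifact path to its SHA-256. Paths are sorted so the same
    bundle always produces the same manifest regardless of input order."""
    entries = {path: sha256_hex(content) for path, content in sorted(artifacts.items())}
    return {"status_date": status_date, "algorithm": "sha256", "artifacts": entries}


def manifest_digest(manifest: dict) -> str:
    """Hash the manifest's canonical JSON (sorted keys, fixed separators).
    This one value is what you sign, timestamp, or hand to a third party."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify(artifacts: dict[str, bytes], manifest: dict) -> dict[str, str]:
    """Return path -> problem for every artifact that is missing, modified, or
    absent from the manifest. An empty dict means the bundle is byte-identical
    to what the manifest recorded."""
    problems: dict[str, str] = {}
    expected = manifest["artifacts"]
    for path, digest in expected.items():
        if path not in artifacts:
            problems[path] = "missing"
        elif sha256_hex(artifacts[path]) != digest:
            problems[path] = "modified"
    for path in artifacts:
        if path not in expected:
            problems[path] = "not in manifest"
    return problems


# Constructed sample evidence bundle (hypothetical names and contents).
EVIDENCE = {
    "ac-2/user-list-2025-01-15.csv": b"user,role\nalice,admin\nbob,user\n",
    "ia-5/password-policy.txt": b"min length 14; MFA required\n",
}

if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, "2025-01-15")
    print(json.dumps(manifest, indent=2))
    print("manifest digest:", manifest_digest(manifest))
    # Simulate a later edit to one artifact and show the verifier catching it.
    tampered = dict(EVIDENCE)
    tampered["ia-5/password-policy.txt"] = b"min length 8\n"
    print("verify original:", verify(EVIDENCE, manifest))
    print("verify tampered:", verify(tampered, manifest))
```

Keep the manifest and its digest under the same retention clock as the assessment record; re-running `verify` on the archived bundle is how you show, years later, that nothing changed after the status date, while the digest alone is what you can share without exposing the artifacts.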
CMMC Conflicts of Interest: What Assessors Cannot Do (and How Companies Avoid Violations)
The separation between consulting and assessing is not a procedural preference — it is a structural requirement of the CMMC ecosystem enforced by the Cyber AB through the CoPC. Its foundation is the ISO/IEC 17020 impartiality standard.
CMMC Scoring Explained: Met vs Not Met, Assessment Objectives, and Why One Gap Fails the Requirement
There is no curve. There is no "mostly compliant" outcome. Each of the 110 CMMC Level 2 control practices is decomposed into discrete assessment objectives — 320 in total — and each one is independently scored Met or Not Met.
Choosing CMMC Consultants and C3PAOs: Red Flags, Conflicts, and Proposal Review
Hiring the wrong CMMC consultant costs more than the engagement fee — it costs time, produces unusable artifacts, and can disqualify your assessor. Here is how to evaluate proposals, spot red flags, and sequence your advisory and assessment partners correctly.
CMMC Cost Planning: What Actually Drives Budget Up or Down
Most defense contractors misbudget CMMC because they treat it as a single line item instead of a multi-year program with scope-dependent variables. Here is what actually drives cost — cloud architecture, endpoint count, provider relationships, and remediation depth.
Policy vs Procedure vs Evidence in CMMC
Assessors evaluate three distinct layers of documentation — policy, procedure, and evidence — and score them independently. A well-written policy with no corresponding procedure is an aspiration. A procedure with no supporting evidence is a claim.
NIST SP 800-171 Rev. 2 vs Rev. 3 for CMMC: What Contractors Should Use Right Now
CMMC Level 2 assessments are conducted against NIST SP 800-171 Revision 2 — not Revision 3. But Rev. 3 exists, contractors are reading it, and the confusion is producing premature rewrites, wasted budget, and conflicting advice. Here is what governs today.