Nikolai Spine

CMMC Compliance Specialist

Specializes in NIST 800-171 control implementation, assessment preparation, and evidence architecture for defense contractors pursuing CMMC Level 2 certification.

12 articles published

Encryption · Feb 2025

FIPS 140-2 vs 140-3: Validated vs Compliant Guide for CMMC

Learn why 'FIPS compliant' encryption fails CMMC assessments. Discover how to find your CMVP certificate number and the difference between validated vs. compliant modules for NIST SP 800-171 control 3.13.11.

Tolerance · 5 min read
Legal Risk · Feb 2025

False Claims Act Risks for CMMC: SPRS Scores, Self-Attestation, and Qui Tam Exposure

Every SPRS score upload under DFARS 252.204-7019 is a legal representation to the federal government. Learn how the False Claims Act applies to CMMC self-assessments and what the Aerojet Rocketdyne case means for your attestation.

Tolerance · 6 min read

What Is the COTS Exemption for CMMC? DFARS 252.204-7021 Explained

A COTS (Commercially Available Off-the-Shelf) item is exempt from CMMC under DFARS 252.204-7021, but only if sold without modification under FAR 2.101. Learn the legal test and where 'commercial' stops meaning 'exempt.'

Tolerance · 6 min read

CMMC Level 2 Scoping Guide: The 5 Asset Categories and How to Reduce Your Boundary

Master CMMC Level 2 scoping under 32 CFR Part 170. Learn how to categorize CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets to shrink your assessment boundary and reduce compliance costs.

Tolerance · 7 min read
Remote Work · Feb 2025

Is Home Office in Scope for CMMC? Remote Work Scoping Rules Explained

Remote work is one of the most underestimated CMMC scoping risks. Learn when work-from-home devices enter your assessment boundary, how MDM and VDI affect scope under NIST SP 800-171, and how to document remote access in your SSP.

Tolerance · 7 min read

How to Write a CMMC System Security Plan (SSP): Step-by-Step Guide

Step-by-step guide to writing a CMMC System Security Plan (SSP). Learn how to map all 320 NIST SP 800-171A assessment objectives to verifiable evidence and prepare your SSP for a C3PAO audit.

Tolerance · 8 min read
POA&M · Mar 2025

CMMC POA&M Rules: The 180-Day Closeout, 88/110 Score Threshold, and Conditional Status

Understand the CMMC 180-day POA&M closeout rule under DFARS 252.204-7021. Learn which 1-point and 3-point controls are eligible for deferral, the minimum 88/110 SPRS score threshold, and how Conditional CMMC Status works.

Tolerance · 7 min read

GCC High vs Microsoft 365 Commercial: Which Do You Need for CMMC Level 2?

Microsoft 365 Commercial cannot satisfy DFARS 252.204-7012 or support a defensible CMMC Level 2 assessment for CUI. Learn when GCC High is required, when GCC or a CUI enclave is sufficient, and how FedRAMP Moderate authorization fits in.

Tolerance · 17 min read

How to Prevent CUI Spill Into the Wrong Cloud Tenant for CMMC

A CUI spill into a non-compliant cloud tenant fails CMMC assessments and triggers DFARS 252.204-7012 incident reporting. Learn how spills happen through email, sync clients, and shadow IT, and the enforceable DLP and conditional access controls that stop them.

Tolerance · 17 min read

How to Migrate to GCC High Without Expanding Your CMMC Assessment Scope

GCC High migrations are compliance projects, not IT projects. Learn how coexistence periods, duplicate repositories, and legacy connectors drag new systems into your CMMC boundary, and how to plan a scope-neutral migration.

Tolerance · 18 min read

Are Backups in Scope for CMMC? Repositories, Replicas, and Recovery Media Rules

Backups containing CUI are fully in scope for CMMC Level 2 assessment. Backup servers, immutable repositories, offsite replicas, tape, and their admin accounts are all assessable under NIST SP 800-171. Learn how to scope and evidence your backup architecture.

Tolerance · 16 min read

Offsite Backup Storage for CUI: FedRAMP Requirements and CMMC Boundary Logic

Moving CUI backups offsite does not move them out of CMMC scope. Learn when offsite backup targets require FedRAMP Moderate authorization, how FIPS 140-validated encryption at rest applies, and where the assessment boundary follows the data.

Tolerance · 10 min read