Nicholas Spine
CMMC Compliance Specialist
12 articles
FIPS 140 "Validated" vs "Compliant" for CMMC
Control 3.13.11 is the number one reason companies fail CMMC assessments. Here's what the distinction between "validated" and "compliant" actually means — and how to get it right.
CMMC Attestation Risk: When "We're Compliant" Turns Into False Claims Exposure
Every SPRS upload is a legal representation to the federal government. Under the False Claims Act, misrepresenting cybersecurity compliance is fraud — and your own IT staff can be the ones to report it.
The COTS Trap in CMMC
One of the most persistent myths in the defense supply chain: "We use commercial applications, so we're exempt from CMMC." It sounds reasonable. It is wrong — and misreading this line is one of the most consequential scoping errors a contractor can make.
CMMC Level 2 Assessment Scope Explained
Before you can implement a single CMMC control, you have to answer one question: what, exactly, are you protecting? The answer determines whether your CMMC certification costs $50,000 or $500,000.
CMMC Remote Work: When Work-From-Home Devices Become In Scope
Remote work is one of the most underestimated scoping risks in CMMC. Most contractors assume that because CUI lives in the cloud, employees' home environments are automatically out of scope. They are not.
How to Write a CMMC SSP
If there is one document that determines whether a CMMC assessment moves efficiently or stalls on day one, it is the System Security Plan. Assessors treat it as the authoritative map tying your scope, assets, controls, and evidence together.
CMMC POA&Ms: What Can Be Deferred, the 180-Day Closeout Rule, and Conditional Status
Under DFARS 252.204-7021, a POA&M identifies tasks to be accomplished, details resources required, milestones, and scheduled completion dates. In CMMC, the rules governing what can be deferred — and for how long — are stricter than most contractors expect.
GCC High vs Microsoft 365 Commercial for CMMC
Microsoft 365 Commercial cannot satisfy DFARS 7012 or support a defensible CMMC Level 2 assessment for CUI. Here is what GCC High changes — and when Commercial, GCC, or an enclave is the right architecture decision.
Preventing CUI Spill Into the Wrong Cloud Tenant
A CUI spill into a non-compliant cloud tenant is one of the fastest ways to fail a CMMC assessment. Here is how spills happen in practice — through email, sync clients, guest sharing, and shadow IT — and the enforceable controls that actually stop them.
How to Migrate to GCC High Without Expanding Scope by Accident
GCC High migrations are compliance projects, not IT projects. Every misstep — coexistence periods, duplicate repositories, legacy connectors left running — can drag new systems into your CMMC assessment boundary.
CMMC Backups: When Backup Repositories, Replicas, and Recovery Media Become In Scope
Backups that contain CUI are not outside your CMMC assessment boundary. Backup servers, repositories, immutable storage, offsite copies, tape, and the admin accounts that manage them are all assessable.
Offsite Backup Storage for CUI: FedRAMP, Encryption, and Boundary Logic
Moving CUI backups offsite does not move them out of scope. Whether the target is a cloud bucket, a colocation rack, or a managed backup provider, the compliance obligations travel with the data.