Sam Sporidis
CMMC Compliance Specialist
13 articles
CMMC Physical Security Requirements: Visitor Logs, Escort Rules, and Walkthrough Evidence
Physical security surprises contractors more than any other CMMC domain. Organizations spend months on network architecture and SSP documentation — and then an assessor watches a delivery driver walk unescorted through the facility.
CMMC Assessment Explained: How Assessors Evaluate Evidence Using Examine, Interview, and Test
Under NIST SP 800-171A, a C3PAO assessor does not evaluate a control as a single pass/fail question. They evaluate a set of granular assessment objectives — and each one must independently meet the standard.
CMMC Level 1 vs Level 2: Self-Assessment, C3PAO Assessments, and What Triggers Each Level
CMMC Level 1 and Level 2 reflect two fundamentally different risk environments. Level 1 covers organizations handling Federal Contract Information — basic, non-public contract data. Level 2 covers organizations handling CUI.
FCI vs CUI for CMMC: Identification, Markings, and What to Do When It's Unclear
FCI and CUI are two categories of non-public information in the defense supply chain, defined under different regulations and carrying entirely different compliance obligations. Mistaking one for the other changes your entire scope.
CMMC Enclaves Explained: How to Reduce Level 2 Scope with Segmentation and Containment
A CMMC enclave is a scope-reduction architecture that uses physical and logical separation techniques to contain CUI within a tightly defined assessment boundary — keeping the rest of the corporate environment out of scope.
CMMC and MSPs/External Service Providers: Scope, Shared Responsibility, and Evidence
The DoD CIO scoping guidance defines two terms that every contractor relying on external IT must understand. An External Service Provider (ESP) is any organization providing services to you that may affect the confidentiality of your CUI.
Security Protection Data (SPD) in CMMC: Why Logs and Monitoring Tools Expand Your Level 2 Scope
Your SIEM, your firewall logs, your vulnerability scan results, and the MSP managing them — none of these sit quietly outside your CMMC assessment boundary. The data these tools generate and store is Security Protection Data, and the assets that hold it are in scope.
Do You Actually Need a SIEM for CMMC Level 2?
NIST SP 800-171 does not require a SIEM by name. But it requires audit log collection, review, correlation, alerting, and incident response — and the question is whether your environment can satisfy those requirements without one.
Audit Logging for CMMC: What to Collect, How Long to Keep It, and How to Show It
CMMC Level 2 requires audit logs from every in-scope system — collected, centralized, retained, reviewed, and producible on demand. Here is what to log, how long to keep it, and how to prove to an assessor that your log review process is real.
Vulnerability Scanning for CMMC: Authenticated Scans, Exceptions, and Remediation Evidence
CMMC Level 2 requires vulnerability scanning of in-scope systems — but the controls demand far more than running a monthly Nessus report. Authenticated scans, documented exceptions, patch SLAs, and remediation evidence are what assessors actually evaluate.
Patch Management for CMMC: What "Timely" Actually Looks Like in Practice
NIST SP 800-171 requires timely flaw remediation — but 'timely' is organization-defined, and 'we patch monthly' is not a patch management program. Here is what severity-based SLAs, emergency patching, and repeatable evidence actually look like for CMMC Level 2.
MFA for CMMC: Which Logins Need It, Which Accounts Need More, and Where Companies Get It Wrong
NIST SP 800-171 requires multi-factor authentication for network access to every account and for local access to privileged accounts, and the assessment objectives go further than most contractors expect. Here is which logins need MFA, which need phishing-resistant factors, and the common gaps assessors find.
Shared Responsibility in CMMC: What Your MSP, MSSP, and Internal Team Each Must Prove
When a CMMC assessment evaluates a control, the assessor does not care which party is responsible — they care whether the control is implemented and evidenced. Shared responsibility models fail when nobody can prove who owns what.