The $0 CMMC Level 2 Compliance Fallacy

Government representatives have stated that complying with CMMC 2.0 Level 2 shouldn’t cost contractors or the government anything, because contractors have been attesting to the government that they are doing these things for years. This article explores why this is correct only for a small minority (17 out of 110) of the controls in CMMC 2.0 Level 2.

When is CUI not CUI?

Imagine the following scenario: As part of Project Road Runner, a new initiative, the United States Army, a portion of the Department of Defense (“DoD”), wants to purchase three dozen anvils. The anvils must meet specific size, strength, and weight requirements. DoD has already performed a search and is not able to find a COTS …

On NIST SP 800-171, NFO Controls and Policies, Procedures, and Plans

With CMMC 2.0, DoD removed process maturity as an assessed requirement. Some commentators are suggesting that NIST 800-171’s “NFO” controls inherently require policies. We explore the requirement in this article.

Analysis of CMMC 2.0

Former members of the CMMC-AB board of directors James Goepel, Mark Berman, and Ben Tchoubineh authored a letter to the President that analyzes why CMMC 2.0 is inconsistent with the President’s recent Executive Order and is harmful to our national security.

CMMC and the Cybersecurity Executive Order

The Executive Order issued May 12, 2021 on Improving the Nation’s Cybersecurity casts some clouds over the CMMC program. This article provides short-term guidance for defense contractors.

Updated CMMC Maturity Level 1 Gap Analysis Tool Available

Our CMMC Maturity Level 1 Gap Analysis tool has been updated to include fields for recording Objective Evidence. Objective Evidence is information that demonstrates that your organization has adequately adopted a specific CMMC practice. The Objective Evidence is presented to the CMMC Certified Assessor or Assessment Team during assessment.