White Papers & Publications

Practitioner research on CMMC compliance for defense contractors and their legal counsel.

New Control Analysis & Defensible Implementation

Identifying Unauthorized Use: The Policy Half of CMMC SI.L2-3.14.7

NIST SP 800-171A splits SI.L2-3.14.7 into two distinct assessment objectives: authorized use is defined, and unauthorized use is identified. Most CMMC implementations address only the second, treating 3.14.7 as a monitoring control and investing in SIEM, DLP, and CASB coverage without producing the policy artifact that gives detection its reference point. This paper proposes the authorization-first reading of the control as the more defensible interpretation, walks through the six elements of the authorization baseline (acceptable use policy, role-based access expectations, approved application inventory, approved data movement patterns, approved remote access conditions, and approved third-party and ESP interactions), explains how each element maps to related AC, CM, PS, and MP controls the contractor already documents, and carries a worked example through a fictional ten-person CNC machine shop to show what defensible implementation looks like in practice. The paper also addresses the distinction between access control and authorized use, the asymmetric risk borne by contractors whose implementations address only objective [b], and the forward compatibility of the authorization baseline through the Revision 2 to Revision 3 transition.

Post-Certification & Strategic Impact

After the Starting Line: What Post-November 2026 Looks Like for the Defense Industrial Base

Most CMMC content focuses on how to prepare for the Phase 2 deadline. This paper addresses a different question: what happens after it arrives. It examines the structural consequences of the certification divide across the defense industrial base, including contract recompetition disruption, supply chain restructuring and subtier supplier contraction, the affirming official's sustained personal liability under 32 CFR 170.22, False Claims Act exposure from annual SPRS affirmations, the rolling wave of conditional certification lapses through 2028, workforce consolidation among certified firms, and the regulatory divergence created by GSA's adoption of NIST SP 800-171 Revision 3. The paper also addresses the dual capacity constraint created by fewer than 100 C3PAOs and fewer than 250 credentialed RPAs serving a population of 80,000 organizations, and draws on the author's direct experience in Y2K code remediation for the financial services industry to contrast proactive mobilization with the wait-and-see posture observed across the current defense industrial base.

Contract Eligibility & Supplier Screening

No Certification, No Contract: A Practical Guide to CMMC Eligibility for Defense Subcontractor Executives

Under current DoD contracting rules, a company that does not hold the required CMMC certification at the time of award is not eligible to receive the contract. This paper decodes the specific contract instruments that enforce that condition: the DFARS 252.204-7021 flow-down clause, the DFARS 252.204-7025 solicitation provision, the Supplier Enablement Inquiry, and the structured compliance questionnaire. It includes a 10-question sample questionnaire reflecting what prime contractors are currently sending to subcontractors, an analysis of what each question reveals about readiness posture, and the SPRS delta advisory on when to pause forward compliance assertions and engage counsel before proceeding to a C3PAO assessment.

Subcontractor Certification & Flowdown

Can You Subcontract Without CMMC Certification? What the Phased Rollout Actually Means for Defense Subcontractors

The answer depends on when the subcontract is awarded, what information flows down from the prime, and which phase of the CMMC rollout applies at the time of award. This paper walks through the DFARS 252.204-7021 flowdown mechanics, explains how 32 CFR 170.23 determines which CMMC level applies to a given subcontractor, distinguishes the Phase 1 self-assessment default from the Phase 2 mandatory C3PAO certification requirement beginning November 2026, addresses the conditional certification pathway and its 180-day remediation window, examines how prime contractors are already filtering suppliers by CMMC readiness ahead of the formal mandate, and covers the False Claims Act enforcement precedents that apply when subcontractors misrepresent compliance posture in SPRS.

Gap Analysis & Assessment Readiness

CMMC Phase 1 Realities: Addressing the Technical Documentation and Scoping Gaps Identified by the GAO

The GAO's March 2026 report found that DoD has not assessed the external factors that could prevent CMMC from meeting its goals. Industry data confirms the scale of the problem: only 1% of contractors report full readiness, the median SPRS score is 60 against a required 110, and 25% of companies seeking certification have experienced failed pre-assessments. This paper examines the two correctable deficiencies driving these outcomes, incomplete System Security Plans and poorly defined asset scoping, and addresses why GRC tools do not produce compliant SSPs, why CMMC is not an IT project, and how False Claims Act enforcement is accelerating against contractors whose recorded claims and verified results do not align.

Ecosystem & Certification Strategy

Navigating the CMMC Ecosystem: The Straight Facts for the Management Executive

A comprehensive structural guide to the CMMC 2.0 ecosystem for executives responsible for contract eligibility and corporate compliance. This paper maps the governing structure, credentialed roles, and regulatory separation between enablement and assessment. It covers CMMC level determination, the four-phase enforcement timeline, subcontractor flowdown requirements, the economics of certification, a practical 12 to 18 month certification sequence, C3PAO assessment capacity constraints, the full assessment process including the Limited Practice Deficiency Correction Program, SPRS score integrity and False Claims Act exposure, the certification lifecycle, and a prioritized risk framework for executive decision-making.

Supply Chain & ESP Compliance

The MSP/ESP Paradox: When Your Managed Service Provider Becomes Your Compliance Problem

Most defense contractors assume their managed service provider operates outside the CMMC assessment boundary. Under 32 CFR Part 170, that assumption is incorrect. This paper examines how MSP tools and hosted platforms create External Service Provider classification, why Security Protection Data brings provider infrastructure into scope even when CUI is not directly processed, the FedRAMP Moderate equivalency requirements that apply to cloud services including GRC platforms, and the False Claims Act exposure that attaches when ESP deficiencies undermine the accuracy of SPRS affirmations.

Scoping & Implementation

The Secure Area Strategy: CUI Scope Reduction for Defense Aerospace Manufacturers

For defense aerospace manufacturers operating production environments where full network-level CMMC compliance would require securing the entire enterprise, the Secure Area strategy offers an alternative. This white paper presents it as a practical scoping approach that reduces the compliance boundary to what can be defended without disrupting manufacturing operations.

Authentication & Access Control

Multifactor Authentication for the CMMC Environment: Controls, Conflicts, and Implementation Realities

CMMC Level 2 requires multifactor authentication for all network access to CUI-scoped systems, yet the implementation introduces conflicts with media protection, mobile device management, and audit logging controls that many contractors do not anticipate. This paper examines IA.L2-3.5.3 in the context of the full control set, evaluates FIDO2, PIV/CAC, hardware OTP, TOTP, push, and SMS authenticator options against both compliance and operational criteria, resolves the USB device class conflict between hardware authenticators and MP.L2-3.8.7 removable media restrictions, analyzes the personal device risk under AC.L2-3.1.18 and AC.L2-3.1.19, and includes a ready-to-adapt System Security Plan entry with the evidence types assessors will request. The paper also addresses POA&M limitations for MFA, FIPS 140 validated hardware keys, biometric fallback considerations for manufacturing environments, and key issuance and revocation lifecycle management.

Practitioner Verification & Due Diligence

Before You Hire a CMMC Consultant: A Contractor's Guide to Verifying CMMC Practitioner Credentials

The demand for CMMC consulting services is growing faster than the supply of credentialed practitioners, and that imbalance has created an environment where it is difficult for a contractor to distinguish between a qualified consultant and one who is not what they claim to be. This paper explains the credentialed roles within the CMMC ecosystem (RP, RPA, CCA, CCP, C3PAO), describes why the CyberAB created the Registered Practitioner credential specifically for consulting, identifies the CyberAB Marketplace as the single source of truth for credential verification, and summarizes the Code of Professional Conduct provisions on conflict of interest, scope of practice, and accuracy of representation. It addresses C3PAO consulting and referral arrangements, the three-year prohibition, disclosure requirements under the CoPC v2.0, and the DoD oversight authority under 32 CFR 170.8 that allows the Department of Defense to review and act on assessments conducted under improper circumstances. The paper provides six verification steps, eight red flags, and a description of what a credible engagement looks like. Every regulatory and policy claim is footnoted to the specific CFR section or CoPC provision that supports it.

Enforcement & Readiness

The Bottleneck: CMMC Assessment Capacity and What It Means for Your Timeline

With CMMC Phase 2 enforcement approaching in November 2026, the number of authorized C3PAOs cannot keep pace with the volume of contractors requiring assessment. This paper examines the capacity arithmetic, explains why remediation timelines of 12 to 18 months must be factored before scheduling an assessment, and makes the case for targeting conditional certification at 88 out of 110 as a deliberate strategic outcome.

Training & Workforce Readiness

Required Training Under CMMC Level 2: What Assessors Will Actually Evaluate

Most contractors assume that an annual security awareness course satisfies the Awareness and Training control family. It does not. CMMC Level 2 requires three distinct training obligations under AT.L2-3.2.1, 3.2.2, and 3.2.3, each with its own assessment objectives, content requirements, and evidence standards. This paper examines each control individually, addresses how training content differs between secure perimeter and workstation-centric environments, and provides a practical framework for building a program that satisfies all three.

Funding & Financial Planning

Need Funds for Your CMMC Program? Federal and State Grant Funding for CMMC Readiness in Defense Manufacturing

CMMC readiness costs are real, but they do not have to be absorbed entirely out of operating budget. This paper maps the federal and state funding architecture available to small and medium-sized manufacturers, including the NIST MEP National Network cost-share model, the OLDCC Defense Manufacturing Community Support Program, and state-level grant programs in Connecticut, New York, Massachusetts, and Georgia. It makes the case for treating CMMC implementation as a subsidized capital investment rather than a compliance expense, and walks through the sequencing required to secure grant approval before committing to a project.

Evidence & Artifact Management

CMMC Artifact Integrity: Hashing That Holds Up

Assessment artifacts are federal records the moment they contain or protect CUI. This document covers SHA-256 file hashing, the artifact lifecycle from creation through archival, TOCTOU and CWE-367 integrity risks, and a nine-step evidence repository workflow designed to ensure that the documentation you present to a C3PAO can withstand scrutiny.

Sample Documentation

Sample CMMC Level 2 SSP and POA&M Package

A complete fictional CMMC Level 2 documentation set built around "Cogswell Cogs, Inc." for educational purposes. Includes a System Security Plan iterated through multiple review cycles, a Plan of Action and Milestones, and supporting crosswalk materials. Intended as a reference for understanding the structure, depth, and specificity that assessment documentation requires.
