Practitioner insights on CMMC implementation, assessment preparation, and the compliance challenges defense contractors face right now.
.svg)
CMMC compliance is no longer just an IT issue. With Phase 2 hitting November 10, 2026, primes already enforcing flow-downs, and the False Claims Act creating real legal exposure, BD teams that ignore CMMC are putting their pipelines at risk.
.svg)
The most common source of assessment failure starts with scope. If you can't trace where CUI enters, moves through, and exits your environment, everything downstream is built on assumptions.
.svg)
Assessors evaluate policies, procedures, training programs, and whether your organization actually follows them. That is an organizational discipline, not a system configuration.
NAVFAC just posted a notice on SAM.gov: A/E/C firms on IDIQ contracts will need CMMC Level 2 by November 2026. If your firm designs or builds on military installations, the compliance clock is running.
Not every CMMC consultant has been on the assessor side of the table. Not every firm works at the control level. Here's how to tell the difference before you sign.
Most organizations can configure access permissions. Fewer can demonstrate to an assessor that those permissions are enforced consistently, reviewed periodically, and documented.
NIST 800-171 Rev 3 cut the control count from 110 to 97. Sounds simpler. But assessment objectives jumped from 320 to 510, and nearly half require net-new effort.
Conditional access policies are where CMMC access control requirements meet your Azure environment. Here's how to configure them so they satisfy both your assessor and your users.
Annual awareness videos check a box. They don't change how people handle CUI. Here's what a training program that satisfies assessors and actually works looks like.
Enclaves are a legitimate tool for narrowing your CMMC scope. But an enclave is infrastructure, not a compliance program. Here's what's still missing after the enclave is deployed.
Universities conducting DoD-funded research face a CMMC compliance challenge that looks nothing like what a defense contractor faces. Decentralized IT, shared infrastructure, and a culture built on open collaboration all work against controlled environments.
The most common questions in every initial conversation: how much will this cost and how long will it take? Here's an honest breakdown of what drives both numbers.
Registered Practitioner Organization
The Cyber AB
An independent firm focused exclusively on CMMC compliance for defense contractors and the DIB.