Notes from the compliance beat.

Working guides for small defense contractors navigating CMMC, NIST 800-171, DFARS, ITAR, and the platform decisions that follow.

34 posts
No. 034 07.03.26
External Hard Drive Encryption for CMMC and CUI

How to encrypt external drives in a way that protects CUI and survives a C3PAO assessment: method selection, BitLocker and macOS workflows, key recovery, and the evidence trail auditors expect.

cmmc, compliance, security
July 3, 2026, 21 min read
No. 033 06.27.26
Privileged Access Management for CMMC Level 2

How small defense contractors use PAM to control admin access to CUI systems: credential vaulting, session control, least privilege elevation, NIST 800-171 control mapping, and audit evidence.

cmmc, compliance, security
June 27, 2026, 19 min read
No. 032 06.20.26
Role-Based Access Control for CMMC Level 2

How defense contractors use RBAC to prove who can access CUI and why: role matrix design, NIST 800-171 control mapping, phased rollout, and the audit evidence assessors expect.

cmmc, compliance, security
June 20, 2026, 16 min read
No. 031 06.13.26
Supply Chain Risk Management for Small Defense Contractors

A practical SCRM approach for the DIB: rank suppliers by impact, apply lifecycle controls, meet NIST 800-171 and DFARS expectations, and keep evidence auditors can sample.

cmmc, compliance, small-business
June 13, 2026, 20 min read
No. 030 06.06.26
What Is Shoulder Surfing? Why It Still Matters for CUI

Shoulder surfing is a low-tech attack with high-stakes consequences for defense contractors. How visual exposure of CUI happens, why assessors care, and the controls that actually work.

cmmc, security, small-business
June 6, 2026, 14 min read
No. 029 05.30.26
Building a CMMC-Ready User Provisioning Workflow

How small defense contractors build a user provisioning workflow that survives CMMC Level 2 assessment: access policies, a practical RBAC matrix, lifecycle automation, and audit evidence.

cmmc, compliance, small-business
May 30, 2026, 20 min read
No. 028 05.23.26
ITAR Controlled Technical Data: A Program Manager's Handling Guide

ITAR controlled technical data changes who can see files, where they live, and how teams collaborate. How to classify, mark, authorize, and handle it.

cmmc, compliance, small-business
May 23, 2026, 16 min read
No. 027 05.16.26
Critical Infrastructure Protection (CIP) for Small Defense Contractors

Critical infrastructure protection now reaches small DIB contractors. What it means under CMMC and DFARS, and how to build it without enterprise spend.

cmmc, compliance, small-business, security
May 16, 2026, 19 min read
No. 026 05.09.26
Compliance Automation Tools for Defense Contractors: A Practical Guide

Compliance automation replaces spreadsheet evidence hunts with continuous monitoring. What these tools do, what they don't, and how to evaluate vendors.

cmmc, compliance, small-business
May 9, 2026, 12 min read
No. 025 05.02.26
What Is an SSP? The CMMC Level 2 System Security Plan, Explained

An SSP describes how a contractor protects CUI. What it must cover, how to build it from a template, and what makes it credible to a C3PAO.

cmmc, compliance, small-business
May 2, 2026, 18 min read
No. 024 04.27.26
PreVeil vs GCC High for CMMC: Which Is Right for You?

Comparing PreVeil and GCC High for CMMC compliance: cost, deployment, scope, and operational trade-offs for small defense contractors.

cmmc, compliance, email, small-business
April 27, 2026, 8 min read
No. 023 04.24.26
CMMC Compliance Solutions: GCC High vs Enclave for Small Contractors

How small defense contractors should compare CMMC compliance solutions. GCC High vs enclave architectures, total cost of ownership, and what to ask vendors.

cmmc, compliance, small-business
April 24, 2026, 17 min read
No. 022 04.22.26
What Is a POA&M? A Working Guide for CMMC Level 2 Contractors

A POA&M tracks the security gaps a contractor still needs to close. Here is how to structure one, what belongs on it, and the CMMC Level 2 limits on its use.

cmmc, compliance, small-business
April 22, 2026, 16 min read
No. 021 04.20.26
What Is DFARS? A Practical Guide for Small Defense Contractors

DFARS sets cybersecurity and CUI handling rules for DoD contractors. Here are the clauses that matter, how they overlap with NIST and CMMC, and what flowdown means.

cmmc, compliance, small-business
April 20, 2026, 14 min read
No. 020 04.19.26
CMMC Level 2 Access Control Policies: A Working Guide for Small Contractors

Access control is where many small defense contractors discover the gap between owning security tools and running an auditable security system. Here is how to build a policy that holds up.

cmmc, compliance, small-business, security
April 19, 2026, 18 min read
No. 019 04.16.26
What Is ITAR Compliance? A Guide for Small Defense Contractors

ITAR controls who can access defense data and where it lives. Here's how it works, how it overlaps with CMMC, and what small contractors need to do.

cmmc, compliance, small-business
April 16, 2026, 16 min read
No. 018 04.15.26
CMMC Level 2 Requirements: A Practical Guide for Small Defense Contractors

CMMC Level 2 covers 110 NIST 800-171 controls across 14 domains. Here is how small contractors should scope, implement, and prepare for a C3PAO assessment.

cmmc, compliance, small-business
April 15, 2026, 13 min read
No. 017 04.13.26
CMMC vs FedRAMP: How They Relate and Which One You Need

FedRAMP authorizes cloud services. CMMC certifies defense contractors. Here's how the two frameworks connect, when each applies, and what DFARS actually requires.

cmmc, compliance
April 13, 2026, 9 min read
No. 016 04.12.26
ITAR Requirements for Employees: Access Control for Small Defense Contractors

ITAR restricts access to defense technical data to authorized U.S. persons, even when the access happens inside the U.S. Here is how small contractors should structure employee access, onboarding, and remote work controls.

cmmc, compliance, small-business, security
April 12, 2026, 19 min read
No. 015 04.10.26
What Is FIPS Compliant? Validated vs Compliant for Defense Contractors

Most guidance on FIPS compliance treats it like a feature checkbox. For defense contractors, the real question is whether the cryptographic module is validated through a process an auditor can verify.

cmmc, compliance, security
April 10, 2026, 15 min read
No. 014 04.07.26
What Is Controlled Unclassified Information (CUI)?

CUI is the federal label for sensitive unclassified data. Here is what it is, how it is marked, and how defense contractors must protect it.

cmmc, compliance
April 7, 2026, 10 min read
No. 013 04.03.26
CMMC Compliance Assessment: What to Expect and How to Prepare

A CMMC compliance assessment verifies that your security controls meet DoD requirements. Here is what the audit involves, the three levels, and how to prepare.

cmmc, compliance
April 3, 2026, 10 min read
No. 012 03.31.26
How Safe Is Google Drive for CUI and Defense Contractors?

Google Drive is secure for commercial use, but the standard version is not compliant for CUI. Here is where it fails CMMC and NIST 800-171 requirements.

cmmc, compliance, security
March 31, 2026, 10 min read
No. 011 03.28.26
What Is NIST 800-171? Requirements Explained for Defense Contractors

NIST 800-171 defines the 110 security controls defense contractors must implement to protect CUI. Here is what it requires, who must comply, and how it connects to CMMC.

cmmc, compliance
March 28, 2026, 10 min read
No. 010 03.27.26
Active Directory Audit for CMMC and NIST 800-171

How to audit your Active Directory environment for CMMC Level 2 compliance. PowerShell scripts, NIST 800-171 control mapping, and a prioritized remediation framework.

cmmc, compliance, security
March 27, 2026, 8 min read
No. 009 03.27.26
What Does CMMC Stand For? A Defense Contractor's Guide

CMMC stands for Cybersecurity Maturity Model Certification. Here is what it means for defense contractors, what the levels require, and how to get started.

cmmc, compliance
March 27, 2026, 6 min read
No. 008 03.24.26
CMMC Email Pricing 2026: GCC High vs PreVeil vs Google (Real Costs)

What CMMC-compliant email actually costs a 15-person defense contractor in year 1 and year 3. Licensing, migration, hidden fees broken down by provider.

cmmc, email, compliance, small-business
March 24, 2026, 5 min read
No. 007 03.24.26
CMMC Level 2 Email Controls: What Your C3PAO Will Ask

The specific NIST 800-171 controls your C3PAO assessor will examine for your email system. Mapped to practices with what they expect to see for each one.

cmmc, email, compliance
March 24, 2026, 6 min read
No. 006 03.24.26
DFARS 72-Hour Cyber Incident Reporting: What It Means for Your Email System

DFARS 252.204-7012 requires contractors to report cyber incidents to the DoD within 72 hours of discovery, and to preserve and protect affected system images and logs for later DoD review. Most email systems are not configured to support this. Here is what the clause actually requires.

cmmc, compliance, email
March 24, 2026, 6 min read
No. 005 03.24.26
FedRAMP Moderate vs High for CMMC Email: Which Level You Need

DFARS 252.204-7012 requires any cloud service that stores, processes, or transmits CUI (email included) to meet the FedRAMP Moderate baseline or an equivalent. Here's which providers have it, which fail the bar, and why High isn't required for CMMC Level 2.

cmmc, compliance, email
March 24, 2026, 7 min read
No. 004 03.24.26
Moving from Office 365 to CMMC Compliant Email: Without the $200K Bill

You don't need GCC High to get compliant. Here's how to plan an email migration for CMMC Level 2 without rebuilding your entire Microsoft environment.

cmmc, email, compliance, small-business
March 24, 2026, 6 min read
No. 003 03.21.26
CMMC Compliant Email Providers in 2026: What Actually Meets the Requirements

Not every email provider that claims CMMC compliance actually meets the requirements. Here is what CMMC Level 2 demands from your email system and which providers deliver.

cmmc, email, compliance
March 21, 2026, 6 min read
No. 002 03.20.26
Encrypted CUI Is Still CUI: Why Encryption Alone Does Not Decontrol Your Data

Encrypting Controlled Unclassified Information does not remove its control designation. Here is what 32 CFR Part 2002 actually says and what it means for your CMMC compliance.

cmmc, compliance, email
March 20, 2026, 3 min read
No. 001 02.27.26
CMMC Compliant Email for Small Business: What You Actually Need

Most small defense contractors overpay for compliant email or use tools that don't meet the requirements. Here's what CMMC actually requires and how to evaluate your options.

cmmc, email, compliance, small-business
February 27, 2026, 2 min read