For DoD contractors, the difference between CMMC Level 2 and Level 3 is not incremental — it directly affects contract eligibility, audit scrutiny, and security program maturity. Level 2 applies to most contractors handling CUI and maps to NIST SP 800-171's 110 controls, assessed by a C3PAO. Level 3 adds controls from NIST SP 800-172, targets organizations supporting higher-risk defense programs, and requires a government-led assessment rather than a C3PAO assessment. This article explains the key differences across framework scope, threat focus, assessment type, and security maturity requirements.
DoD contractors handling CUI are required to submit a NIST SP 800-171 self-assessment score into the Supplier Performance Risk System (SPRS). That score is the foundation CMMC readiness is built on — and under the False Claims Act, knowingly submitting an inflated score is a legal liability. This article explains how SPRS scoring works (the 110-control assessment methodology, how points are calculated, how POAMs affect the score), how SPRS scores connect to CMMC assessment preparation, and the most common errors contractors make that inflate scores and create downstream compliance risk.
Controlled Unclassified Information — CUI — is the data category that triggers CMMC compliance obligations for DoD contractors. Define it too narrowly and you leave actual CUI unprotected. Define it too broadly and you expand your compliance boundary unnecessarily, multiplying certification cost and complexity. This article explains what CUI actually is under 32 CFR Part 2002, how to identify it in your environment, how scoping decisions affect your CMMC assessment boundary, common CUI identification mistakes that contractors make, and why accurate scoping is one of the highest-ROI steps in CMMC preparation.
DFARS — the Defense Federal Acquisition Regulation Supplement — is the regulatory framework governing cybersecurity obligations for DoD contractors. Most contractors know the name; fewer understand what each clause requires operationally and how they connect to CMMC. This article walks through the four DFARS cybersecurity clauses: 252.204-7012 (NIST SP 800-171 implementation and cyber incident reporting), 252.204-7019 (SPRS score submission), 252.204-7020 (DoD assessment rights), and 252.204-7021 (CMMC certification requirement) — what each requires, when each applies, and the consequences of non-compliance, including False Claims Act exposure.
NIST published the final SP 800-171 Revision 3 on May 14, 2024 — but a DoD Class Deviation issued two weeks earlier requires contractors subject to DFARS 252.204-7012 to continue complying with Revision 2. CMMC Level 2 assessments still use Rev 2. SPRS scores are still calculated against Rev 2. C3PAO assessors are not authorized to evaluate against Rev 3. This article explains what actually changed between Rev 2 and Rev 3 (organization, control families, new controls), why it doesn't affect current CMMC obligations, and what contractors should watch for as the framework evolves.
A mid-sized manufacturer migrated its ERP to Azure. Six months later, finance found three unused VM instances burning $4,000 per month, a developer had left a storage bucket publicly accessible, and no one had documented who approved the configuration change behind last quarter's two-hour outage. These aren't cloud platform failures — they're governance failures. This article covers what cloud governance actually controls (access, cost, security, compliance), how to build a governance framework across five domains, and the specific policies that prevent the cost sprawl, misconfiguration exposure, and compliance drift that affect most organizations within a year of cloud migration.
Twenty-nine percent of law firms have experienced a security breach, per the ABA's 2023 Legal Technology Survey — rising to 60% for firms of 500 or more attorneys. Password-related compromises are among the leading causes: credential theft, password reuse, and phishing attacks targeting attorney credentials don't require sophisticated exploitation. Law firms also face an ethical dimension — most state bar rules now treat inadequate security as a competence and confidentiality issue. This article covers the specific password security controls law firms need, why MFA alone isn't enough, and how to implement a credential management program that satisfies both bar requirements and client outside counsel guidelines.
The DoD's January 2025 FAR CUI Rule estimate puts three-year CMMC Level 2 compliance costs for a representative small business at approximately $487,970. Organizations with structured security programs already in place spend significantly less than those starting from scratch. This article identifies five specific strategies defense contractors can use to reduce compliance costs: scoping the CUI boundary accurately, leveraging existing security investments, using RPO-approved tools that map to multiple CMMC controls, phasing remediation by risk priority, and engaging a GRC partner early rather than discovering gaps during the C3PAO assessment.
CMMC compliance requires more than implementing controls — it requires working within a specific certification ecosystem. C3PAOs (Certified Third-Party Assessment Organizations) are the only organizations authorized to assess and certify Level 2 compliance. This article explains how the CMMC ecosystem is structured, what C3PAOs actually do during an assessment (evidence review, interviews, system testing), how to select and prepare for a C3PAO engagement, and the difference between a Registered Practitioner Organization that helps you prepare and the C3PAO that certifies you.
A Louisiana medical group received a $480,000 OCR settlement in 2023 — not because of a sophisticated attack, but because it had never conducted a security risk analysis and had no procedures to review system activity records. HIPAA compliance costs real money: security tools, annual risk assessments, workforce training, and documentation overhead. The question isn't whether to spend it — it's how to allocate it without leaving the gaps regulators find. This article breaks down where HIPAA compliance budget actually goes, what's mandatory versus optional, and how to build a defensible budget that holds up under OCR scrutiny.