SPA, ESP, CSP - What's the Difference, and Why it Matters
In practice, SPA/CSP/ESP split important hairs and are often confused. Each label has crucially specific connotations for CMMC assessments.

Vincent Scott
Apr 7 · 5 min read


Thoughts on CMMC Assessment Readiness
“Most companies think they’re ready. They are not. CMMC is brutal, and the sooner businesses accept that, the better chance they have of...

Vincent Scott
Mar 17 · 2 min read


How to Simplify the PIEE Recipe
According to the DoD, uploading a NIST self-assessment score is supposed to be as easy as an easy-bake pie. If you are a prime already...

Chloe Bernard
Jan 3 · 2 min read


CMMC and Contract Negotiation
CMMC is an enterprise challenge — not just an IT challenge...this blog focuses on efforts required to negotiate contract specificity and...

Milt Songy
Dec 19, 2024 · 5 min read


CMMC: Compliance Mt. Everest
I would assert that CMMC is by far the most challenging cybersecurity assessment methodology ever; the federal compliance Mt. Everest.

Vincent Scott
Dec 12, 2024 · 3 min read


When do I get the points?
Many companies today are working to update their SPRS score. The standard model for this is to conduct an assessment, assign a score,...

Vincent Scott
Nov 18, 2024 · 3 min read


What's an Evidence Locker, and why do I need one?
Well, the short answer is because you have to because they make you. Wait, evidence locker appears nowhere in the rule. You are making...

Chloe Bernard
Nov 4, 2024 · 4 min read


32 CFR 170 Final Rule: 10 Initial Impressions
I have completed my initial skim of the 470 pages of the 32CFR170 Final Rule. I think it's a huge improvement over the proposed version.

Vincent Scott
Oct 24, 2024 · 2 min read


What kind of training does a L2 CMMC require?
Cybersecurity Maturity Model Certification (CMMC) includes a list of controls that dictate training requirements for relevant employees:...

Shelby Scott
Oct 15, 2024 · 3 min read


Do I Need to Have a SIEM for CMMC?
The DoD is rolling out their new cybersecurity audit plan around NIST SP 800-171: Cybersecurity Maturity Model Certification, or CMMC....

Vincent Scott
Sep 26, 2024 · 3 min read


The Power of Definition
This ‘power’ allows organizations to define crucial variables for themselves as they document their information security architecture.

Shelby Scott
Aug 28, 2024 · 6 min read


10 Cybersecurity Tips for Small Business
Tip 1. You're not too small to be a target. I once had a person in a major corporation say to me, “We are a soap and diaper company. Who...

Vincent Scott
Aug 7, 2024 · 4 min read


The Challenge of CMMC Documentation
Ah, documentation. The most beloved part of every cybersecurity and IT professional's day. If only they could have more paperwork, then...

Vincent Scott
Jul 22, 2024 · 10 min read


Mini Blog: CTI in a Nutshell
Controlled Technical Information (CTI) is really at the heart of what DoD wants/needs to have protected as a part of many ongoing DoD...

Vincent Scott
Jul 10, 2024 · 2 min read


Understanding Microsoft Windows Copilot+ Recall
Microsoft's introduction of the Copilot+ Recall feature has sparked significant concern within the cybersecurity and compliance...

Nick Martin
Jun 10, 2024 · 6 min read


COOEY Kittens!
The CMMC ecosystem has experienced a major increase in activity in 2024. This ramp-up has seen us lean on a number of new analogies when...

Shelby Scott
May 24, 2024 · 4 min read


What is Periodic?
How often should our company review our compliance with the NIST SP 800-171 security requirements?
Jacob Scott
Apr 18, 2024 · 2 min read


DFARS FAQ and Contractor Noncompliance
On January 27th, 2017 the DoD published the “Networking and Penetration Reporting and Contracting for Cloud Services (DFARS Case...
Jacob Scott
Apr 4, 2024 · 3 min read


CMMC Myths
The origin story of Cybersecurity Maturity Model Certification (CMMC) goes back more than 20 years. Having roots in 32 CFR 2002, the...

Shelby Scott
Feb 26, 2024 · 8 min read


How to conduct a DoD Cyber Self-Assessment?
What the heck is this spurrrs thing people keep talking about? And why did my prime just ask us if we have one? The Supplier Performance...

Vincent Scott
Feb 5, 2024 · 7 min read