Temporary Deficiencies, Enduring Exceptions, and Operational Plans of Action: What are they and why do I care?
All three concepts are defined in the CMMC rule, and represent expansions and clarifications of short entries in NIST 800-171. They have not been discussed much in the professional public dialogue, and I suspect that this is because they clearly conflict with the “Bring the Hammer! No Mercy!” mentality that underlies the philosophical direction of these discussions of late. Although there is certainly legitimate cause for angst around implementation, swinging the pendulum
vincentscott6
Jan 7 · 7 min read


When Do I Get The Points? Understanding SPRS Scoring in 2026
Many companies in the Defense Industrial Base (DIB) are working to update their SPRS score. Traditionally, this has been a simple exercise: conduct a self-assessment, calculate the score, upload it to SPRS, and move on. For organizations preparing for CMMC compliance, however, the process looks different. SPRS Scoring as an Executive Metric: Most CMMC-bound organizations now use their SPRS score as a progress indicator, not a one-time submission. The pattern often looks like

Vincent Scott
Dec 8, 2025 · 2 min read


🎃 When the Agent Tried to Escape: A Halloween Tale of Rogue AI Logic
🧪 The Experiment Begins It started as a controlled late-night test of CrewAI and LangChain — a proof-of-concept for how autonomous AI agents could assist in applied research and compliance automation. Each agent was powered by a fine-tuned LLM, tailored for cybersecurity engineering. Each had explicit permission controls, sandboxed within a development container. The agents could think, plan, and execute tasks — but only within the rules I set. At least, that was the idea

Nick Martin
Oct 31, 2025 · 3 min read


The Challenge of Documentation: CMMC 2.0
A long-time requirement for any auditable process or standard has been documentation. It makes you wonder if early cave paintings quickly...

Vincent Scott
Jul 23, 2025 · 6 min read


When do I need CUI banners for CMMC?
In order to answer this question, let’s examine the regulatory security requirements that may drive the need for CUI banners. First, we...

Vincent Scott
Jul 10, 2025 · 5 min read


SPA, ESP, CSP - What's the Difference, and Why it Matters
In practice, SPA/CSP/ESP split important hairs and are often confused. Each label has crucially specific connotations for CMMC assessments.

Vincent Scott
Apr 7, 2025 · 5 min read


Thoughts on CMMC Assessment Readiness
“Most companies think they’re ready. They are not. CMMC is brutal, and the sooner businesses accept that, the better chance they have of...

Vincent Scott
Mar 17, 2025 · 2 min read


How to Simplify the PIEE Recipe
According to the DoD, uploading a NIST self-assessment score is supposed to be as easy as an easy-bake pie. If you are a prime already...

Chloe Bernard
Jan 3, 2025 · 2 min read


CMMC and Contract Negotiation
CMMC is an enterprise challenge — not just an IT challenge...this blog focuses on efforts required to negotiate contract specificity and...

Milt Songy
Dec 19, 2024 · 5 min read


CMMC: Compliance Mt. Everest
I would assert that CMMC is by far the most challenging cybersecurity assessment methodology ever; the federal compliance Mt. Everest.

Vincent Scott
Dec 12, 2024 · 3 min read


When do I get the points?
Many companies today are working to update their SPRS score. The standard model for this is to conduct an assessment, assign a score,...

Vincent Scott
Nov 18, 2024 · 3 min read


What's an Evidence Locker, and why do I need one?
Well, the short answer is because you have to because they make you. Wait, evidence locker appears nowhere in the rule. You are making...

Chloe Bernard
Nov 4, 2024 · 4 min read


32 CFR 170 Final Rule: 10 Initial Impressions
I have completed my initial skim of the 470 pages of the 32CFR170 Final Rule. I think it's a huge improvement over the proposed version.

Vincent Scott
Oct 24, 2024 · 2 min read


What kind of training does a L2 CMMC require?
Cybersecurity Maturity Model Certification (CMMC) includes a list of controls that dictate training requirements for relevant employees:...

Shelby Scott
Oct 15, 2024 · 3 min read


Do I Need to Have a SIEM for CMMC?
The DoD is rolling out their new cybersecurity audit plan around NIST SP 800-171: Cybersecurity Maturity Model Certification, or CMMC....

Vincent Scott
Sep 26, 2024 · 3 min read


The Power of Definition
This ‘power’ allows organizations to define crucial variables for themselves as they document their information security architecture.

Shelby Scott
Aug 28, 2024 · 6 min read


10 Cybersecurity Tips for Small Business
Tip 1. You're not too small to be a target. I once had a person in a major corporation say to me, “We are a soap and diaper company. Who...

Vincent Scott
Aug 7, 2024 · 4 min read


The Challenge of CMMC Documentation
Ah, documentation. The most beloved part of every cybersecurity and IT professional's day. If only they could have more paperwork, then...

Vincent Scott
Jul 22, 2024 · 10 min read


Mini Blog: CTI in a Nutshell
Controlled Technical Information (CTI) is really at the heart of what DoD wants/needs to have protected as a part of many ongoing DoD...

Vincent Scott
Jul 10, 2024 · 2 min read


Understanding Microsoft Windows Copilot+ Recall
Microsoft's introduction of the Copilot+ Recall feature has sparked significant concern within the cybersecurity and compliance...

Nick Martin
Jun 10, 2024 · 6 min read
