Posts

Engineering notes on CMMC, OSCAL, and why the GRC tooling you've seen isn't the GRC tooling you need.

CMMC Phase 2 Deadline: What DIB Contractors Must Do Before November 10, 2026

2026-04-30 · 13 min read · regulatory

Phase 2 is when DoD can require C3PAO third-party assessments in contracts. Self-attestation is no longer enough. What changes, who is affected, and the 12–18 month action plan every contractor needs.

CMMC Level 2 POA&M: Conditional Certification Guide

2026-04-30 · 11 min read · buyer guide

How to use a Plan of Action & Milestones to earn conditional CMMC Level 2 certification, which practices cannot be deferred, and how to close all gaps before the 180-day window expires.

FedRAMP Moderate Inheritance for CMMC Level 2: What You Can and Can't Inherit

2026-04-30 · 10 min read · architecture

What AWS GovCloud, Azure Government, and GCC High actually cover for CMMC L2 — and the controls you still own. How to document inheritance so it survives a C3PAO assessment.

The Complete CMMC Level 2 Assessment Checklist for 2026

2026-04-30 · 12 min read · buyer guide

All 110 CMMC Level 2 practices organized by domain with readiness tips. Use this structured checklist to prepare for your C3PAO assessment.

SPRS Score Explained: How to Calculate and Improve Your Score

2026-04-30 · 10 min read · buyer guide

What the SPRS score is, how it's calculated using the DoD Assessment Methodology, what a good score looks like, and which controls to prioritize for maximum point recovery.

Defining Your CUI Boundary: A Practical Guide for Contractors

2026-04-30 · 9 min read · architecture

The single most important decision in your CMMC journey. How to scope your authorization boundary, avoid common mistakes, and document it for assessors.

Evidence-as-Code: Why Machine-Readable Compliance is the Future

2026-04-30 · 8 min read · architecture

Screenshot evidence is fragile, undated, and unverifiable. Evidence-as-code produces signed, reproducible OSCAL artifacts that assessors can trace from claim to proof.

HIPAA Security Rule 2026 Changes: What Healthcare Organizations Need to Know

2026-04-30 · 9 min read · regulatory

The proposed HIPAA Security Rule update eliminates the addressable/required distinction, mandates encryption and MFA, and adds network segmentation requirements. Here's how to prepare.

The SSP is code. Stop treating it like a Word document.

2026-04-12 · 8 min read · architecture

Why we deliver System Security Plans as Goal Structuring Notation assurance cases, assembled from a signed pipeline. Every Solution node points at machine-verifiable evidence.

Why CMMC L2 breaks every general-purpose GRC platform.

2026-04-12 · 6 min read · buyer guide

Vanta, Drata, and Hyperproof are good at SOC 2 and ISO 27001. CMMC L2 is a different problem. The difference isn't controls — it's where the controls run and who owns the evidence.