Practitioner writing, not vendor copy.
The kind of technical detail that actually helps a team prepare for an assessment. No listicles, no sponsored content, no generic "best practices" posts. What we write we've done.
FedRAMP's 2026 incident communications overhaul: new reporting timeframes, the PAIN rating, and the July 4 deadline
On June 3, 2026 FedRAMP issued the initial outcome of RFC-0031 — the last major guidance change feeding its Consolidated Rules for 2026 — a rebuilt incident communications regime with class-based reporting timeframes as tight as 15 minutes, a renamed impact rating, an optional fast-path default, and the removal of direct CISA reporting. It becomes mandatory July 4, 2026 for new 20x authorizations and January 1, 2027 for Rev5. A practitioner's read on what changed and what to do now.
AI is coming to CMMC and DFARS: NDAA Section 1513, the June 2026 AI Executive Order, and what defense contractors should prepare for
Two formal signals dropped within two weeks of each other in mid-2026: NDAA FY26 Section 1513 requires DoD to deliver a CMMC-for-AI framework plan to Congress by June 16, 2026, and the June 2 AI Executive Order directs federal agencies to prepare federal and private-sector systems for advanced AI. The two together mark the first formal staging of AI/ML security obligations into DFARS and CMMC. This is the practitioner read on what's actually known, what's still speculative, and what defense contractors should be doing now.
FedRAMP Rev 5 control mapping: the new controls, the renumbered ones, and what each costs to implement
A practitioner's control-by-control map of the FedRAMP Rev 5 baseline three years in. The 24-ish net-new controls across PT, SR, and PM, the restructured enhancements in AC, AU, SC, IA, and the dollar and engineering cost of implementing each cluster — including what 3PAOs accept as evidence and which controls add ongoing burden vs one-time documentation work.
FedRAMP Rev 5 and DoD IL5 CSP SRG v1r3: the overlap, the delta, and parallel implementation
FedRAMP Rev 5 satisfies 70-80% of DoD IL5 v1r3, but the remaining 20-30% is concentrated in specific control families and drives the bulk of the work. A practitioner's breakdown of which Rev 5 controls map directly to IL5, where IL5 substantially diverges, and how to sequence parallel implementation so evidence and documentation serve both authorizations from a single source of truth.
FedRAMP Rev 5 SSP changes: retrofitting a Rev 4 System Security Plan, section by section
The FedRAMP Rev 5 System Security Plan is not a re-skin of the Rev 4 template — privacy moves into the main body, supply chain becomes a real section, continuous monitoring expectations harden, and every cross-reference needs revisiting. This is the section-by-section practitioner walkthrough of what changes in the document itself, where retrofits go wrong, and how long the work actually takes.
What 815 cleared-contractor security violations actually look like — and what causes them
GAO Report 26-107861 (April 2026) revealed that DCSA documented 815 security violations across 4,600+ contractor reviews in FY2025, plus 1,032 open security vulnerabilities. Data spills accounted for ~60%, improper classified storage 11.5%, unauthorized access 6.5%, physical losses 6.3%, improper transfers 5.6%. This article walks through what each category looks like in practice, what causes them, and the architectural choices that prevent each pattern.
DoD Zero Trust for defense contractors: the September 30, 2027 Target Level deadline and how it intersects with CMMC
DoD's Zero Trust Strategy sets a hard September 30, 2027 deadline for Defense Industrial Base contractors to achieve Target Level capabilities — 91 distinct outcomes across seven pillars (User, Device, Application, Data, Network, Automation, Visibility). Missing the deadline means contract ineligibility — no new awards, no option exercises, no extensions. This article unpacks the seven pillars, the 91 capability outcomes, where Zero Trust demands more than CMMC Level 2, and a sequencing plan that builds toward both simultaneously.
Your System Security Plan is too long, too short, or written for the wrong reader — what C3PAO and 3PAO assessors actually read
The System Security Plan is the foundational document for CMMC Level 2, FedRAMP Moderate, IL5, and most other federal-aligned compliance regimes. Most SSPs are written for compliance theater rather than for the assessor who has to evaluate them. This article walks through what assessors actually do with an SSP across three reads, what good control-implementation narratives look like (with a worked example), section-by-section length norms by framework, and the seven red flags assessors raise in real engagements.
CMMC Level 2: what it actually costs — engagement, tools, C3PAO assessment, and year 2
An honest breakdown of CMMC Level 2 cost in 2026: engagement fees ($150K–$500K), C3PAO assessment ($60K–$150K), GCC High and M365 licensing, tooling stack, and the year-2 operational costs most programs forget to budget. Covers three cost archetypes — platform-led, firm-led, Big 4 — and what drives CMMC cost up or down in practice.
What changed in compliance — Q2 2026 briefing: CMMC Phase 2, DOJ enforcement, ICD 705, FedRAMP 20x, and the DoD Zero Trust cliff
A practitioner briefing on the most consequential compliance-landscape changes heading into Q2 2026. Covers the CMMC Phase 2 cliff (November 10, 2026), the DOJ False Claims Act enforcement wave against defense contractors, the CSP SRG v1r3 update adding 170 new IL5 controls, the 2025 ICD 705 overhaul affecting SCIFs, FedRAMP 20x Phase 2 pilots, the DFARS 7019/7020 rewrite, NIST 800-171 Rev 3 organization-defined parameters, the expired ISO 27001:2013 certification baseline, GSA's new civilian-contractor CUI requirements, and DoD Zero Trust's September 30, 2027 Target Level deadline.
How defense primes actually evaluate CMMC-certified subcontractors — beyond the SPRS score
Defense primes (Lockheed Martin, Raytheon, General Dynamics, Northrop Grumman, BAE, Boeing Defense) evaluate subcontractor cyber posture through a specific sequence of checks that goes well beyond the SPRS score or a CMMC certificate. This article covers what Tier-1 prime procurement and supply-chain-risk teams actually look for, the questions subs don't expect, the red flags that disqualify vendors, and what to prepare before your first prime evaluation.
Why '30-day compliance' is a red flag, not a feature — and what real maturity actually takes
A growing number of compliance platforms advertise SOC 2, ISO 27001, or even CMMC in 30 days — sometimes 30 minutes. The claim is technically defensible only for point-in-time readiness snapshots, and enterprise and federal buyers read it as a signal of thin operational discipline. Here's what 30 days actually buys you, what buyers hear when they see the claim, and the honest minimum timelines for each major framework.
CMMC POA&M done right: what to include, anonymized examples, and what assessors accept
A POA&M is a required CMMC artifact but its format, granularity, and tone are not tightly specified. Done well it's a credibility-building document. Done poorly it signals program weakness. This article shows anonymized POA&M entries, walks through what assessors actually look for, and covers the specific rules around which findings can and cannot land on a POA&M for Level 2 certification.
CMMC self-assessment vs C3PAO: which path applies, and when it matters
CMMC Level 2 has two assessment paths — self-assessment and C3PAO third-party assessment. Which one applies is not a choice; it's determined by the CUI you handle and the contract's specific clauses. Here's how to figure out which path your program actually requires, and what each one looks like in practice.
FedRAMP Moderate realistic timeline: what 12 to 18 months actually looks like
A month-by-month breakdown of what first-time FedRAMP Moderate authorization actually takes — from sponsor selection through P-ATO or Agency ATO. Where CSPs underestimate scope, where timelines commonly slip, and how to sequence the program so it lands on the customer-driven deadline.
FedRAMP Rev 5 transition: the delta from Rev 4 and what breaks if you delay
FedRAMP migrated from NIST SP 800-53 Rev 4 to Rev 5 in 2023. The transition adds new control families, restructures existing ones, and raises the evidence bar on continuous monitoring. This article walks through what changed, how authorized CSPs are handling the migration, and what happens to authorizations that don't complete the transition.
Your first defense contract: the IT checklist for the 90 days after award
A venture-backed defense startup wins its first CUI-handling contract. What actually needs to be in place in the first 90 days — cloud tenant, identity, endpoints, policies, logging, CUI enclave, training, documentation. A practitioner's checklist, with the realistic sequencing.
Inside an IL5 assessment: the controls that burn CSPs first
A practitioner's look at where Cloud Service Providers actually lose time during DoD Impact Level 5 assessment. US-citizen operator verification, FIPS 140 boundaries, continuous monitoring maturity, insider threat integration, and the supply-chain and cryptographic depth that surprises first-time CSPs.
ISO 27001:2022 transition: what changed from 2013, and what to do if you missed the October 2025 deadline
ISO 27001:2022 replaced the 2013 edition with a restructured Annex A (114 controls consolidated into 93 across four themes), eleven new controls, and modernized clauses. The IAF transition deadline was October 31, 2025. This article walks through the delta, the transition audit process, and what organizations still on 2013 need to do now.
ISO 27001:2022 for cloud-native SaaS: designing an ISMS that fits the product
ISO 27001:2022 certification for cloud-native SaaS companies looks different from the textbook treatment. The standard was written for organizations with physical infrastructure, long-tenure employees, and formal document workflows — not for a Series B SaaS with a three-person security team and everything in Git. This article shows how we adapt the ISMS to fit the product.
SCIF vs SAPF: the difference, and why programs pick the wrong one
Sensitive Compartmented Information Facilities and Special Access Program Facilities look similar from the outside but accredit under different authorities and handle different information types. Picking the wrong variant — or conflating them — leads to rework that costs months. Here's the practitioner's read on which one you actually need.
CMMC Level 2 timeline: what 6 to 9 months actually looks like
A month-by-month breakdown of a realistic CMMC Level 2 engagement — from kickoff through C3PAO assessment. Includes which activities happen in parallel, which are sequential, where timelines most commonly slip, and how the CMMC Phase 2 November 2026 deadline changes the math.
Your first SCIF: a playbook for venture-backed defense startups
What a venture-backed defense startup needs to know before committing to its first SCIF or SAPF. Sponsor relationships, ICD 705 compliance, AO engagement, facility timelines, the three decisions that cost the most rework, and realistic expectations for a first-time accreditation program.
AWS GovCloud vs Azure GCC High: choosing the right cloud for a CMMC-ready defense startup
AWS GovCloud and Microsoft Azure GCC High are the two serious choices for a defense startup building CMMC-ready infrastructure. They are not interchangeable. This article walks through the decision framework — productivity tooling, licensing, personnel citizenship, cloud-native services, and the workload types where each excels.
SOC 2 vs ISO 27001: which to pursue first, when to pursue both
SOC 2 and ISO 27001 are the two most common commercial compliance frameworks, and most SaaS companies will eventually need both. The decision about which to tackle first — and whether to run them in sequence or in parallel — depends on your customer mix, geography, and existing controls. A practitioner's decision framework.
Vanta, Drata, and the limits of software-only SOC 2: when to bring in an architect
SOC 2 automation platforms like Vanta, Drata, and Secureframe handle 70% of straightforward engagements well. The other 30% — complex environments, multi-entity structures, international subsidiaries, unusual controls — need architectural judgment the platforms can't deliver. Here's how to tell which side of the line you're on.
CMMC Level 2: What assessors actually look for — and what they quietly ignore
A practitioner's read on the Level 2 assessment process. Which domains get drilled, the evidence that closes packages, the compensating controls assessors accept, and the five most common failure modes that sink otherwise-ready organizations.
SCIF and SAPF accreditation: a practitioner's sequencing playbook
How to sequence the design, construction, and accreditation of a Sensitive Compartmented Information Facility or Special Access Program Facility. Covers sponsor coordination, ICD 705 and CNSSI 1253 mapping, multi-enclave classified network integration, and the construction-accreditation handshake where most first-time builds stall.
Designing a CUI enclave: seven architectural mistakes that survive through implementation
The seven CUI enclave design mistakes we see on every first-time engagement. Each one is expensive to fix after build-out. All of them are avoidable at the architecture phase. Practitioner-level detail, not a checklist.
FedRAMP to DoD CC SRG IL4 and IL5: the upgrade path most CSPs underestimate
How to sequence FedRAMP Moderate → Impact Level 4 → Impact Level 5 authorizations so DoD work does not require rebuilding the authorization package twice. Covers DoD-specific controls, DISA PA, Agency vs JAB sponsorship, and where CSPs repeatedly underestimate the incremental scope.
SOC 2 Type II: evidence patterns that survive the observation window
What auditors actually look for during a SOC 2 Type II observation window — and the operational patterns that produce passable evidence as a byproduct rather than a reconstructive exercise in the final month. Covers access reviews, change management, incident response, and vendor oversight, with specific artifact templates.
DFARS 252.204-7012: the 72-hour reporting gap most contractors miss until their first incident
What the DFARS cyber incident clause actually requires, why the 72-hour clock starts earlier than most programs assume, and what an evidence-ready reporting response looks like. Including the specific DC3 path and the documentation set your incident response plan needs to pre-stage.