Latest insights.
DFARS 252.204-7012: history and current applicability
DFARS 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting" — has been in DoD contracts since 2015 and remains the underlying authority for CUI-han…
NIST SP 800-171: Rev. 2 vs Rev. 3
NIST published Revision 3 of SP 800-171 in May 2024. The CMMC Program rule (32 CFR Part 170) currently references Revision 2 as the underlying control catalog. Both documents are p…
The C3PAO ecosystem: who they are, where they are
Authorized CMMC Third Party Assessment Organizations (C3PAOs) conduct Level 2 certification assessments. The Cyber-AB maintains the authoritative marketplace listing of authorized …
CMMC phased rollout: Phase 1 through Phase 4
DoD has published a four-phase rollout schedule for CMMC, beginning when the DFARS implementation rule becomes effective and ramping over three years. The phase descriptions below …
CMMC 2.0 Final Rule: timeline and structure
The CMMC 2.0 Program rule (32 CFR Part 170) was published in the Federal Register in October 2024 and took effect in December 2024. The dates and document structure below are drawn…