Plain-English guides for the small DoD contractor doing this themselves. Every one is written by a working practitioner, not a marketing team — scope it down, document it right, pass for a fraction of the quotes you've been handed. Veteran-run, DIY, built for shops with 5, 15, or 50 people and no dedicated security staff.
New to all this? Start here. What CMMC is, why it exists, who needs it, the levels, and the timeline — no jargon, no fear-selling.
Read the guide →Level 1 protects FCI with 15 basic safeguards you self-assess. Level 2 protects CUI across all 110 controls. Here's how to tell which your contract requires.
Read the guide →The Audit & Accountability controls need real logging — not a filing cabinet of raw logs. The SMB-friendly SIEM a small shop can actually run.
Read the guide →Phishing training isn't optional — it's a control family. What the Awareness & Training requirements need, and how a small team runs a real program.
Read the guide →Offsite, immutable, encrypted copies that satisfy Media Protection and survive ransomware — the 3-2-1 rule, done right, for a small shop.
Read the guide →How SPF, DKIM, and DMARC stop attackers from impersonating your domain — the email-authentication layer behind the SC controls and phishing defense.
Read the guide →Stop hardening the whole company. Scope CUI into a small segmented enclave and shrink the assessment boundary — the single biggest cost lever a small shop has.
Read the guide →The real line items behind the $116k–$138k consultant quotes — and the DIY path that gets you 80% of the way there for a fraction of it. No hand-waving.
Read the guide →Firewalla, Protectli/pfSense, or UniFi — matched to your shop size, with the honest line on what a firewall does and doesn't do for FIPS.
Read the guide →The honest answer: usually not — if you scope CUI right and handle encryption with FIPS-validated software. What assessors actually require.
Read the guide →How phishing-resistant hardware keys satisfy the multifactor controls — a real setup walkthrough: buy, enroll, register a backup, enforce.
Read the guide →Encrypted, versioned, recoverable backups plus NIST 800-88 media sanitization — the Media Protection gear list for a small shop.
Read the guide →The chain a veteran has watched happen: a White House order becomes a NIST standard, a DFARS clause, a CMMC requirement — and finally the SSP on your desk.
Read the guide →The government went zero trust. You're not an agency — but its five pillars still land on your shop through CMMC. Each one, translated into what you actually do.
Read the guide →The June 2025 order rolled back some software-attestation mandates. But NIST 800-171, DFARS 7012, and CMMC are untouched — here's what actually moved.
Read the guide →Every cloud tool touching your CUI has to meet a FedRAMP bar. The difference between "Authorized" and "Moderate Equivalent" — and how to verify a vendor before you trust it.
Read the guide →The System Security Plan is the document your assessor lives in. What goes in it, what gets shops failed, and how to write yours without a template mill.
Read the guide →How the DoD scoring methodology deducts points, why one missed control can cost you five, and what a negative score signals to the prime evaluating your bid.
Read the guide →Level 1, Level 2 self-assessment, and Level 2 third-party certification — which one your contracts require, and the Nov 10, 2026 line that changes it.
Read the guide →Every control family needs a documented policy behind it. The full list, what each one has to say, and why the wording matters more than the length.
Read the guide →A Plan of Action & Milestones buys you time on open controls — but only if it's specific, dated, and credible. How to write one that doesn't sink you.
Read the guide →Whether you handle Federal Contract Information or Controlled Unclassified Information decides Level 1 vs Level 2. How to tell, and why it drives every cost.
Read the guide →