Insights

Blog

Newest-first writing from the practical and research lanes, with filters to narrow the feed by topic.

Highlighted Reading

Research Apr 26, 2026 Featured

Inside a CMMC Level 2 Journey: A Mid-Tier DIB Contractor Case Study

A composite case study of a 350-person defense subcontractor with 47 suppliers and 15 months to reach CMMC Level 2 — and the scope-discipline strategy that makes it possible.

CMMC
NIST
Risk Management
DIB
Supply Chain

Feed

Practical May 4, 2026

Change Healthcare and Business Associate Risk: What Healthcare Supply Chains Need to Prove

The Change Healthcare incident made business-associate cybersecurity a board-level healthcare risk. Contract language is not enough.

HIPAA
Healthcare
Supply Chain
Incident Response
Risk Management

Practical May 4, 2026

Healthcare Ransomware Control Priorities: The NIST 800-53 Families To Move First

A practical sequencing guide for healthcare ransomware resilience using NIST SP 800-53 control families.

Healthcare
Ransomware
NIST
Incident Response
Risk Management

Practical May 4, 2026

Why HIPAA Compliance Is Not Enough: A NIST Control Roadmap After Change Healthcare

The Change Healthcare breach shows why healthcare organizations need NIST control depth beyond the HIPAA Security Rule floor.

HIPAA
NIST
Healthcare
Risk Management
Ransomware

Practical May 4, 2026

NIST vs HITRUST, ISO 27001, COBIT, and CIS: Which Framework Fits Healthcare Compliance?

A practical comparison of the major security frameworks for healthcare organizations with HIPAA, SEC, privacy, and ransomware risk.

HIPAA
NIST
HITRUST
ISO 27001
Healthcare

Research May 4, 2026

Prioritized Controls for Compliance: A Healthcare Case Study of UnitedHealth Group

A full research paper applying NIST SP 800-66r2 and SP 800-53r5 to healthcare compliance after Change Healthcare.

HIPAA
NIST
Healthcare
Risk Management
Supply Chain

Practical Apr 26, 2026

The CIS Controls v8 IG1 → NIST SP 800-171 Crosswalk for DIB Contractors

If your program runs on CIS Controls v8 IG1, here is what that gets you against the 110 NIST SP 800-171 practices a C3PAO assesses — and where the gaps are.

CMMC
NIST
CIS Controls
Compliance
DIB

Research Apr 19, 2026

AI-Enabled Threats Against Defense Contractors: How ADSAI Is Changing the Attack Surface

How ADSAI tools are changing the attack surface for defense contractors: five threat vectors, the dual-use paradox, and a layered defense framework built on mission continuity.

Threat Intelligence
AI Security
Risk Management
Critical Infrastructure

Practical Apr 19, 2026 Featured

CMMC 2.0 Levels, Assessment Paths, and What Certification Actually Costs

A plain-language breakdown of CMMC 2.0's three levels, two assessment paths, POA&M rules, phase-in schedule, and the real cost numbers from DoD's regulatory impact analysis.

CMMC
Assessment
Compliance
DIB

Practical Apr 19, 2026

CMMC POA&M Rules: The 80 Percent Threshold, 5/3-Point Restriction, and 180-Day Window

How Plans of Action and Milestones work under the CMMC 2.0 final rule — the 80% implementation floor, which controls block conditional certification, and what happens at day 180.

CMMC
Compliance
DIB

Practical Apr 19, 2026

CUI vs FCI: What the Difference Means for Your DFARS and CMMC Obligations

CUI vs FCI explained — how each category determines your CMMC level, which DFARS clauses apply, and what scoping errors create the most compliance exposure.

CMMC
DFARS
Compliance
DIB

Practical Apr 19, 2026

DFARS 7012 Incident Reporting: What to Include in a 72-Hour Cyber Incident Report

What a DFARS 7012 cyber incident report must contain, when the 72-hour clock starts, what to preserve, and common reporting errors that create compliance exposure.

DFARS
Compliance
DIB

Practical Apr 19, 2026

The DFARS Clause Stack: What 7012, 7019, 7020, and 7021 Actually Require

What DFARS 7012, 7019, 7020, and 7021 actually require — incident reporting, SPRS scoring, DoD assessment authority, and CMMC award conditions for defense contractors.

CMMC
DFARS
Compliance
DIB

Research Apr 19, 2026 Featured

Federal Cybersecurity Law and the Defense Industrial Base: Fragmentation, Implementation Lag, and the Case for Reform

A practitioner analysis of how FISMA, DFARS, CMMC, CIRCIA, and sector-specific statutes interact — and where the current framework still breaks down.

CMMC
DFARS
FISMA
Policy
Supply Chain

Practical Apr 19, 2026

NIST SP 800-171 Revision 3 Is Published. Your CMMC Assessment Still Uses Revision 2.

CMMC 2.0 still references NIST SP 800-171 Rev 2, but NIST published Rev 3 in May 2024. Here is what the version gap means for your SSP, C3PAO assessment, and compliance roadmap.

CMMC
NIST
Compliance
DIB

Practical Apr 19, 2026

SPRS Scoring: How to Self-Score Your NIST SP 800-171 Assessment

How the DoD SPRS scoring methodology works, what the -203 to 110 scale means, and what common scoring mistakes cost contractors at award time.

CMMC
DFARS
Compliance
DIB

Blog

No posts match these filters

Highlighted Reading

Inside a CMMC Level 2 Journey: A Mid-Tier DIB Contractor Case Study

More Posts

Change Healthcare and Business Associate Risk: What Healthcare Supply Chains Need to Prove

Healthcare Ransomware Control Priorities: The NIST 800-53 Families To Move First

Why HIPAA Compliance Is Not Enough: A NIST Control Roadmap After Change Healthcare

NIST vs HITRUST, ISO 27001, COBIT, and CIS: Which Framework Fits Healthcare Compliance?

Prioritized Controls for Compliance: A Healthcare Case Study of UnitedHealth Group

The CIS Controls v8 IG1 → NIST SP 800-171 Crosswalk for DIB Contractors

AI-Enabled Threats Against Defense Contractors: How ADSAI Is Changing the Attack Surface

CMMC 2.0 Levels, Assessment Paths, and What Certification Actually Costs

CMMC POA&M Rules: The 80 Percent Threshold, 5/3-Point Restriction, and 180-Day Window

CUI vs FCI: What the Difference Means for Your DFARS and CMMC Obligations

DFARS 7012 Incident Reporting: What to Include in a 72-Hour Cyber Incident Report

The DFARS Clause Stack: What 7012, 7019, 7020, and 7021 Actually Require

Federal Cybersecurity Law and the Defense Industrial Base: Fragmentation, Implementation Lag, and the Case for Reform

NIST SP 800-171 Revision 3 Is Published. Your CMMC Assessment Still Uses Revision 2.

SPRS Scoring: How to Self-Score Your NIST SP 800-171 Assessment

Blog

Blog filters

No posts match these filters

Highlighted Reading

Inside a CMMC Level 2 Journey: A Mid-Tier DIB Contractor Case Study

More Posts

Change Healthcare and Business Associate Risk: What Healthcare Supply Chains Need to Prove

Healthcare Ransomware Control Priorities: The NIST 800-53 Families To Move First

Why HIPAA Compliance Is Not Enough: A NIST Control Roadmap After Change Healthcare

NIST vs HITRUST, ISO 27001, COBIT, and CIS: Which Framework Fits Healthcare Compliance?

Prioritized Controls for Compliance: A Healthcare Case Study of UnitedHealth Group

The CIS Controls v8 IG1 → NIST SP 800-171 Crosswalk for DIB Contractors

AI-Enabled Threats Against Defense Contractors: How ADSAI Is Changing the Attack Surface

CMMC 2.0 Levels, Assessment Paths, and What Certification Actually Costs

CMMC POA&M Rules: The 80 Percent Threshold, 5/3-Point Restriction, and 180-Day Window

CUI vs FCI: What the Difference Means for Your DFARS and CMMC Obligations

DFARS 7012 Incident Reporting: What to Include in a 72-Hour Cyber Incident Report

The DFARS Clause Stack: What 7012, 7019, 7020, and 7021 Actually Require

Federal Cybersecurity Law and the Defense Industrial Base: Fragmentation, Implementation Lag, and the Case for Reform

NIST SP 800-171 Revision 3 Is Published. Your CMMC Assessment Still Uses Revision 2.

SPRS Scoring: How to Self-Score Your NIST SP 800-171 Assessment