Insights

Practical CMMC, written by people who do the work.

No thought leadership fluff. No reposted vendor whitepapers. Technical articles, regulatory updates, and implementation guides drawn from real engagements — written for senior practitioners, defense contractors, and the people who'll actually have to sign the affirmation.

5 Long-form articles published, with three more in the pipeline

85 Minutes of reading covering scoping, SPRS, and funding economics

100% Drawn from real engagements with US defense contractors

Take the 5-min Readiness Assessor No signup · Browser only · Five minutes

Latest · Featured

May 13, 2026 · 24 min read For CEOs

You just heard about CMMC. The conversation before the certification.

A plain-English primer for the CEO who has just been told their business needs to do something about CMMC. What it is, why it's happening, the real penalties for getting it wrong — and the decision you have to make before the certification decision.

Read the article →

Deepak Pal Singh, Founder & Principal · CMMC Registered Practitioner

Five takeaways

**CMMC isn't new rules.** The 110 controls behind it (NIST SP 800-171) have been a contractual requirement since 2017 via DFARS 252.204-7012. CMMC is the verification of rules you were already supposed to be following.
**Three penalty layers, in order of immediacy:** contracts (no certification, no new DoD work), legal (False Claims Act exposure with treble damages), personal (the CEO or CFO who signs the annual affirmation has personal criminal exposure under 18 USC § 1001).
**The enforcement is real and recent.** The MORSE Corp $4.6M settlement (March 2025) and the Danielle Hillmer criminal indictment (December 2025) are not the ceiling. They're the floor. The DoJ recovered $52M+ across nine cybersecurity FCA cases in FY2025 alone.
**The stay-or-go decision is the real first decision** — and it's the conversation nobody else will have with you. It depends on six factors, and the maths is different for every business. Some contractors should certify. Some shouldn't.
**Honest paths through this exist.** The article ends with the first three decisions that matter and free resources you can use this week — no email required.

Earlier articles

May 12, 2026 · 18 min read CUI

How to identify CUI: A practical guide for defense contractors.

A plain-English 2026 guide to finding the Controlled Unclassified Information you handle — the four-step process, the five categories that matter, the recent DoJ enforcement that's raising the stakes, and what to do this week.

Read the article →

April 15, 2026 · 14 min read Enclaves

How CMMC enclaves cut your assessment scope by 60–70% — and where they fail.

Most defense contractors making this decision get it wrong, and pay $150,000 to $300,000 for it. Here's how enclaves actually work, where they fail at first contact with an assessor, and the four questions to answer before you build.

Wondering if an enclave fits your environment? Book a Discovery Call →

Read the article →

March 18, 2026 · 14 min read Scoring

What your SPRS score actually means in 2026.

Last year's enforcement record changed the cost of being wrong: $52 million across nine False Claims Act settlements, five of them filed by whistleblowers. The MORSECORP case turned a reported 104 into an actual −142 and a $4.6 million check. Here's how the score actually works, why most self-reported numbers are wrong, and what to do this week if yours is one of them.

Don't know your tier yet? Take the 5-minute Readiness Assessor →

Read the article →

February 11, 2026 · 15 min read Cost

Who actually pays for CMMC? The math by tier.

The most contested question in defense contracting isn't whether CMMC is fair. It's whether you can recover the cost. DoD, consultants, contractors — three voices on LinkedIn, all saying different things, all partially right. The honest answer depends on your tier and your contract mix. Here's what FAR Part 31 actually does, what state grants cover, why the federal tax credit isn't coming, and the math for the three contractor tiers that make up most of the affected market.

Want to talk through funding economics for your tier? Book a Discovery Call →

Read the article →

In the pipeline

Articles in progress.

Three articles drafted, working through final edits. Coverage moves down the journey toward implementation, pre-cert, and the post-cert questions most contractors don't think to ask until it's too late.

Implementation Implementation phasing: which controls to close first, and the dependency map most teams get wrong.
Post-cert FCA exposure for the person who signs the affirmation — what 2025 enforcement actually means.
Pre-cert The Customer Responsibility Matrix you don't yet have — and why your C3PAO will ask for it first.

You just heard about CMMC. The conversation before the certification.

How to identify CUI: A practical guide for defense contractors.

How CMMC enclaves cut your assessment scope by 60–70% — and where they fail.

What your SPRS score actually means in 2026.

Who actually pays for CMMC? The math by tier.

Articles in progress.

Get notified when each piece publishes.