Stop Fumbling Through Your CMMC Assessment

Practice-by-practice guidance for small defense contractors, written by someone who has actually been in the assessment room. Plain English. No vendor pitch. No "schedule a call."

Start Here Browse Practices
110
Practices Covered
14
NIST Families
Nov 2026
Phase 2 Deadline
~80K
Contractors Who Need This

The problem nobody talks about

You probably already have most of what you need to pass. The tools are there. The policies exist somewhere. Maybe your MSP handles half of it.

But when the assessor asks "how does your organization handle least privilege for administrative accounts?" can you answer that in two sentences? Can you point to exactly where your SSP defines it and show evidence it's happening?

That's where most small contractors fall apart. They have the controls. They just never practiced translating what they do into what the assessor needs to hear.

This site covers the hardest practices to explain, the ones where I've seen the most people stumble, with the kind of guidance you'd get from someone sitting next to you in the assessment room.

Browse by family

110 practices across 14 families. Pick a family to see every practice guide in it.

AC (22)
Access Control
Who gets in, what they can do, and how you prove it.
AT (3)
Awareness and Training
Security training and insider threat awareness.
AU (9)
Audit and Accountability
Logging, review, and who looked at what.
CM (9)
Configuration Management
Baselines, change control, and least functionality.
IA (11)
Identification and Authentication
MFA, passwords, and proving you are who you say.
IR (3)
Incident Response
Your plan, your test, and your tracking.
MA (6)
Maintenance
Remote maintenance, tools, and personnel controls.
MP (9)
Media Protection
USB drives, backups, sanitization, and CUI marking.
PS (2)
Personnel Security
Screening and what happens when someone leaves.
PE (6)
Physical Protection
Facility access, visitor logs, and home offices.
RA (3)
Risk Assessment
Vulnerability scanning and remediation timelines.
CA (4)
Security Assessment
POA&Ms, control monitoring, and your SSP.
SC (16)
System and Communications Protection
Encryption, boundaries, and network segmentation.
SI (7)
System and Information Integrity
AV/EDR, patching, and monitoring.

Recently updated

SI.L2-3.14.7 Identify Unauthorized Use SI.L2-3.14.6 Monitor Communications SI.L2-3.14.5 System and File Scanning SI.L2-3.14.4 Update Malicious Code Protection SI.L2-3.14.3 Security Alerts

Who writes this

This site is built by people who have spent years helping small defense contractors prepare for and survive Level 2 assessments. We've been in the room when the assessor asks to see your privileged accounts live and your SSP doesn't match what's on screen.

We don't sell MSSP services. Nobody pays us to recommend their product. The practice guides on this site are the actual product. This information should exist somewhere that isn't paywalled or buried in a 200-page PDF.

More about us

Don't know where to begin?

Two starting points depending on where you are.

Just found out I need CMMC I need a prep timeline