
Guides & Resources

Plain-English guides to CMMC and NIST SP 800-171 for small defense contractors — and the latest regulatory updates worth knowing. All free.

New · Flagship reference

The Control Implementation Library

Every NIST 800-171 requirement in plain English — what it means, what an assessor actually looks for, where teams trip up, and the evidence you need. The implementation guide the standard doesn't give you.

66 controls live · all 14 families · free, no signup

Guides

SPRS Scoring

How to Calculate Your SPRS Score (2026)

The scoring math in plain English — point weights, the −203 to +110 range, the SSP gate, and the gaps that cost most contractors the most.

System Security Plan

What Is an SSP — and How to Write One

The document that gates your CMMC assessment, explained: what it is, what goes in it, the POA&M, and how to produce one without a consultant.

CMMC Basics

NIST 800-171 vs CMMC: What Small Contractors Need to Know

How the two relate, the CMMC levels, self-assessment vs third-party (C3PAO), and exactly what your business has to do.

Quick Wins

The 5-Point SPRS Controls to Fix First

Not all 110 requirements are worth the same. The 5-point controls move your score the fastest — here's which heavy ones to fix first, in plain English, with the practical fix for each.

CMMC Level 2

CMMC Level 2 Self-Assessment: The Complete Guide

Self-assessment vs. third-party (C3PAO), and the step-by-step path through scoping, scoring, your SSP, POA&M rules, and the annual affirmation — in plain English.

Scoping

CMMC Asset Scoping: What's In Scope (and What's Not)

The five asset categories, how an enclave shrinks your scope, what becomes Not Applicable, and the VDI / GCC High question — the highest-leverage decision in your CMMC effort.

MFA · 3.5.3

Does a Microsoft PIN Count as MFA?

A plain PIN is single-factor; Windows Hello for Business qualifies. The difference that trips up small contractors — and the safe bar for the MFA control.

POA&M

What Is a POA&M — and the 180-Day Clock

How you handle the gaps you haven't closed — and the strict CMMC rules on what you can defer: the 88/110 minimum, 1-point-only, and the 180-day closeout.

Audit · 3.3

Audit Logging for CMMC: The 3.3 Family Made Simple

Along with access control, the most commonly failed area. What to log, retention, protecting logs, and actually reviewing them — the whole audit family in plain English.

Affirmation · FCA

The CMMC Annual Affirmation — What You're Signing

Your assessment isn't the finish line. Every year a senior official affirms continued compliance in SPRS — and a stale score now carries real False Claims Act risk.

Incident Response · 3.6

Incident Response — and the 72-Hour Rule

The 3.6 family in plain English, plus the DFARS 72-hour DoD reporting clock most small contractors don't know is ticking — and a workable IR plan.


More guides on the way — media protection, configuration management, and a growing per-control library.

Stop reading, start scoring

Both tools are free and run in your browser.

SPRS Calculator → SSP Generator →