Expert IT Leadership Blogs

With CMMC Phase 2 enforcement beginning November 10, 2026, contractors who have not yet moved CUI workloads into a FedRAMP-authorized environment are running out of time to do it deliberately.

The decisions made in the first few hours after a security incident determine most of what follows: how far the damage spreads, whether data is recoverable, what your legal exposure looks like, and whether your insurer pays out. This playbook covers what needs to happen in the first 72 hours: how to contain without destroying evidence, who to call and in what order, what your notification obligations actually are, and the mistakes that turn a manageable incident into a much worse one.

CMMC is no longer a future requirement. Phase 1 enforcement began November 2025. Phase 2, mandatory C3PAO third-party assessments, begins November 2026. This guide covers who needs certification, what each level requires, how assessment works, what it costs, and how to prepare without losing bids while you do it.

Cyber insurance underwriting is now a technical audit. Insurers verify controls with external scans, require evidence rather than attestations, and deny claims when forensic review finds gaps that were attested away.

Most defense contractors need CMMC Level 2 certification before competing for DoD contracts. Phase 1 has been live since November 10, 2025, and SPRS scores are required now. Phase 2, when C3PAO third-party assessments become mandatory, begins November 2026. For small contractors starting from scratch, 12 to 18 months is a realistic preparation timeline. This guide covers what CMMC actually requires, what the path costs, and where most organizations go wrong before they ever reach an assessment.

For DoD contractors, the difference between CMMC Level 2 and Level 3 is not incremental; it directly affects contract eligibility, audit scrutiny, and security program maturity. Level 2 applies to most contractors handling CUI and maps to NIST SP 800-171's 110 controls, assessed by a C3PAO. Level 3 adds controls from NIST SP 800-172, targets organizations supporting higher-risk defense programs, and requires a government-led assessment rather than a C3PAO assessment.

The HIPAA Security Rule requires two separate activities that organizations routinely conflate: a risk analysis under 45 CFR 164.308(a)(1)(ii)(A) that identifies and rates threats and vulnerabilities to ePHI, and risk management under 164.308(a)(1)(ii)(B) that implements controls to reduce those risks. OCR's enforcement initiative expanded in 2026 to target risk management failures, not just absent risk analyses. A third activity, the breach notification risk assessment under 164.402, is a separate incident-specific obligation.

DoD contractors handling CUI are required to submit a NIST SP 800-171 self-assessment score into the Supplier Performance Risk System (SPRS). That score is the foundation CMMC readiness is built on, and under the False Claims Act, knowingly submitting an inflated score is a legal liability.

HIPAA compliance is not a certification you earn and move on from; it is an ongoing operational requirement enforced more aggressively each year. OCR surpassed 50 enforcement actions in 2026, with risk analysis failures and missing Business Associate Agreements as the primary targets. The proposed 2026 Security Rule update eliminates the addressable safeguard flexibility most organizations rely on, making MFA, encryption at rest and in transit, annual penetration testing, and network segmentation mandatory. This guide covers who HIPAA applies to, what each rule requires, how to determine whether an incident is reportable, what the 2026 changes mean in practice, and how state laws in California, Texas, and New York add obligations beyond the federal baseline.

Controlled Unclassified Information (CUI) is the data category that triggers CMMC compliance obligations for DoD contractors. Define it too narrowly and you leave actual CUI unprotected. Define it too broadly and you expand your compliance boundary unnecessarily, multiplying certification cost and complexity.