Independence
Editorial coverage is independent of vendors and sponsors. Sponsors do not have editorial-approval rights over their own coverage or over coverage of competitors. The editorial team alone determines who is reviewed, what is said, and whether a provider receives an Editorial Pick designation.
Primary-source citation
Every regulatory claim is cited to a primary source — the CMMC Final Rule at 32 CFR Part 170, NIST SP 800-171 Rev. 3, NIST SP 800-172, the DFARS cybersecurity clauses, the Cyber AB's CMMC Assessment Process document, and authoritative DoD publications. Secondary sources are used for context but are not treated as the binding interpretation of the rule.
Review labels only when earned
"Reviewed by [Name, Credentials]" labels appear only on pages that have actually been reviewed by a named Subject Matter Advisor. On pages without that review, the honest label "Editorial research — not formally reviewed by a CMMC Subject Matter Advisor" appears in its place. We do not claim review where none has occurred. See Editorial Review Process.
What we will not claim
- We do not claim hands-on assessment, hands-on platform trial, or hands-on evaluation that did not occur.
- We do not invent author or advisor headshots, names, or credentials.
- We do not fabricate customer quotes, testimonials, or sample sizes ("We talked to 50 CISOs").
- We do not give legal, contractual, or compliance advice in the first person.
- We do not state specific certification timeline guarantees on behalf of providers.
- We do not display fake "As Seen In" press logos, fake DoD affiliation badges, or fake Cyber AB affiliation.
Sponsored content separation
Every provider verdict card carries an explicit badge: SPONSORED (paid placement, meets a minimum quality threshold) or EDITORIAL PICK (selected by the editorial team via methodology). Never both, never absent. Outbound sponsored links carry rel="sponsored noopener" and explicit "sponsored link · paid placement" microcopy. The full policy is in our Editorial & Advertising Policy.
Escalation of contested claims
Where a factual claim about regulatory requirements is contested — for example, where the application of POA&M eligibility to a specific control is genuinely uncertain under the Final Rule — we escalate to a Subject Matter Advisor for review before publication and mark the resulting passage as advisor-reviewed. When no advisor review has occurred, the contested-claim treatment is omitted and the regulatory text is presented with a pointer to the binding interpreter (contracting officer, Cyber AB, or qualified counsel).
Treatment of evolving regulation
CMMC is an actively evolving regulatory environment. We distinguish what the rule requires today (cited to the published version) from what has been proposed but not finalized. We do not present proposed-but-not-final regulatory states as binding.