The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
Methodology

How we research CMMC and evaluate providers

Primary-source citation, honest evaluation labels, and explicit separation of editorial content from sponsored placements — so you can see exactly how strong each claim is.

The Defense Compliance Report

Publisher policy page — maintained by The Defense Compliance Report. This page explains our editorial, privacy, advertising, or contact practices and is not CMMC, legal, contractual, cybersecurity, or compliance advice.

Research philosophy

The Defense Compliance Report covers a regulatory subject with real contractual stakes. Our research approach reflects that: every factual claim about CMMC requirements, assessment process, or DoD acquisition mechanics is sourced from a primary regulatory or authoritative document. Where the regulation is genuinely ambiguous, we say so and identify the binding interpreter (the contracting officer, the Cyber AB, or qualified counsel).

What we publish

The Defense Compliance Report currently publishes three types of content, each with a different depth label and different guarantees:

(a) Provider-category guidance

Pillar pages covering CMMC requirements, assessment types, cost structures, scoping rules, and provider categories. These pages are anchored to primary regulatory sources — 32 CFR Part 170, DFARS cybersecurity clauses, NIST SP 800-171 Rev. 2, Cyber AB Marketplace role definitions. They describe buyer-fit criteria by provider category; they do not name or rank individual providers. Coverage includes the CMMC level structure, DFARS acquisition clauses, SPRS scoring, CUI scoping, and the assessment lifecycle.

(b) Source-checked provider profiles

Public-source profiles of named CMMC providers that have public evidence of Cyber AB status or CMMC certification. Each profile carries all of the following, visible on the page:

Live source-checked provider profiles include pages in /cmmc-providers/ (OSIbeyond, Cenverity, Secureframe, and others) as well as named-provider review pages such as /ntiva-cmmc-review/, /exostar-cmmc-review/, and /kiteworks-cmmc-review/. Each carries a dated “what we verified” section and a compensation disclosure.

(c) The CMMC routing tool

The /find-my-path/ tool maps your CMMC level, FCI/CUI scope, current environment, and timeline to provider categories — not to named providers. It does not endorse, rank, or score specific firms. It does not accept CUI, classified information, or sensitive contract details. The routing logic is documented as plain crawlable text at /find-my-path/how-it-works/.

Primary-source citation protocol

Our primary sources include the CMMC Final Rule at 32 CFR Part 170, the NIST SP 800-171 Revision 2 and SP 800-172 publications, the DFARS cybersecurity clauses (252.204-7012, 7019, 7020, and 7021), the Cyber AB's CMMC Assessment Process (CAP) document, DoD CIO scoping and assessment guidance, and the SPRS user guide published by DoD. Material regulatory claims on the homepage and in deep-dive coverage are tied to primary-source citations, citation boxes, or links to official source material. Short explanatory passages may summarize those cited sources, but binding interpretations should always be verified against the official source. Where the canonical link is paywalled or login-walled, we link to the most public alternative.

Provider evaluation protocol

Our provider evaluation has five tiers, and we label every review with the tier that actually applied. The depth label is published on each provider profile — we do not generalize tiers across a publication.

Credential verification

For C3PAO, RPO, CCP, and CCA claims, we verify status against the Cyber AB Marketplace at the time of evaluation. Credential status, marketplace authorization, and provider offerings change over time. Readers should verify provider status directly in the Cyber AB Marketplace before engaging any provider — our verification reflects the state at evaluation, not today.

The CMMC Path Framework

The CMMC Path Framework is a named decision framework for CMMC buyers — a citable artifact you can reference in planning documents and internal briefings. It maps five inputs to a provider-category recommendation:

  1. Contract clause. Is DFARS 252.204-7021 present? If so, what level and status does it require — Level 1 (self), Level 2 (self-assessment), Level 2 (C3PAO), or Level 3 (DIBCAC)?
  2. FCI/CUI scope. What regulated data do you handle, where does it live, and which systems are in scope? (The boundary drawn here determines the size, cost, and complexity of the compliance effort.)
  3. Current environment. On-premises, commercial Microsoft 365, GCC, GCC High, or a cloud service provider — and does it meet FedRAMP Moderate equivalency for CUI handling?
  4. Current maturity.No SSP started → SSP in progress → SSP complete → NIST 800-171 self-assessment scored and posted to SPRS → under active POA&M remediation.
  5. Timeline. Phase 1 (current — Level 1 and Level 2 self-assessments required); Phase 2 (from November 2026 — C3PAO certifications in applicable solicitations). What is your contract deadline and how much lead time remains?

The framework outputs a provider-category recommendation — self-only / readiness RPO / CUI enclave / MSP + readiness / C3PAO only / combination — plus a checklist of questions to ask any provider in that category before engaging. The interactive routing tool at /find-my-path/ runs this framework in two minutes. The plain-text routing logic is at /find-my-path/how-it-works/, and the framework is summarized on the provider categories page.

DCR Quote Readiness Score (0–5)

The DCR Quote Readiness Score is a five-dimension score of the buyer's readiness to request and meaningfully compare quotes — not a score of any provider, not a compliance score, and not related to SPRS. One point per dimension:

  1. CMMC level confirmed. The contract clause has been read and the required level and assessment type are known — not assumed.
  2. CUI scope defined. The CUI boundary has been drawn: what data, which systems, which people. An SSP is started or in progress. (Quotes received before this step describe scope for a different problem than yours.)
  3. Assessment type confirmed. Self-assessment or C3PAO assessment — sourced from the DFARS provision (252.204-7025) in the solicitation, not guessed from the level alone.
  4. Provider category identified. You know which type you need — CUI enclave, readiness/RPO, MSP + readiness, GRC software, C3PAO, or a combination. Quotes in different categories are not comparable.
  5. Timeline anchored. The Phase deadline is known, the lead time from your current maturity to the required status has been calculated, and the engagement start date is set.

A score of 5 means you are ready to request comparable quotes and evaluate them fairly. A score below 3 typically means any quote you receive will be difficult to compare accurately — and budget estimates from that stage almost always require revision once scope is properly defined.

Award scoring rubric

When Editorial Pick designations and category-specific awards (BEST FOR…) are issued, they are made by the editorial team. No awards have been issued as of launch. The factors the editorial team weighs include: regulatory rigor and primary-source-anchored methodology; transparency of pricing and engagement structure; fit for the specified buyer profile; published independence posture; credential verification at time of evaluation; and the substantive quality of customer reference conversations where they were conducted. Awards are recompeted at each annual update, not carried over.

Sponsored and affiliate disclosure

The publication is supported in part by sponsored placements, affiliate referral fees, and lead-routing fees from matched providers. Sponsored content is labeled with the SPONSORED badge on every verdict card and with explicit "sponsored link · paid placement" microcopy on outbound CTAs. Affiliate and sponsored-link semantics are enforced via rel="sponsored noopener" on every outbound link. Full detail is documented in our Editorial & Advertising Policy.

Conflict-of-interest handling

When a sponsor is also a candidate for editorial evaluation in the same category, we either (a) include the sponsor in editorial review and explicitly disclose the sponsor relationship in the review, or (b) decline to editorially evaluate the sponsor in that category. We never silently award an Editorial Pick to a paying sponsor and we never apply both badges to the same card.

Reader corrections and provider submissions

Corrections are submitted via our corrections page and processed under the workflow documented there. Providers wishing to be considered for editorial evaluation can submit via our contact page under the "provider submission" inquiry type.

Update cadence

Pillar pages are reviewed when material regulatory changes occur and during scheduled editorial maintenance. Each substantive review updates the visible Last Reviewed date. Source-checked provider profiles are re-verified at least quarterly for Cyber AB Marketplace status, compensation relationship changes, and any material change in the provider's CMMC certification or product offering. The verification date on each profile reflects the most recent check, not the original publication date.