Research philosophy
The Defense Compliance Report covers a regulatory subject with real contractual stakes. Our research approach reflects that: every factual claim about CMMC requirements, assessment process, or DoD acquisition mechanics is sourced from a primary regulatory or authoritative document. Where the regulation is genuinely ambiguous, we say so and identify the binding interpreter (the contracting officer, the Cyber AB, or qualified counsel).
Primary-source citation protocol
Our primary sources include the CMMC Final Rule at 32 CFR Part 170, the NIST SP 800-171 Rev. 3 and SP 800-172 publications, the DFARS cybersecurity clauses (252.204-7012, 7019, 7020, and 7021), the Cyber AB's CMMC Assessment Process (CAP) document, DoD CIO scoping and assessment guidance, and the SPRS user guide published by DoD. Every regulatory claim on the homepage and in deep-dive coverage appears in a citation box with a monospace primary citation, a short plain-English summary, and a link to the official source. Where the canonical link is paywalled or login-walled, we link to the most public alternative.
Provider evaluation protocol
Our provider evaluation has four tiers, and we label every review with the tier that actually applied. The depth label is published on each provider verdict card — we do not generalize tiers across a publication.
- Documentation review. We read the vendor's public materials, regulatory positioning, methodology statements, and any published case studies.
- Documentation review + customer reference calls. We add structured conversations with current customer references the vendor provided, plus any independent references we can confirm.
- Documentation review + customer reference calls + hands-on platform trial. For GRC and CUI-handling platforms, we add a hands-on evaluation against a defined assessment scenario.
- Vendor briefing only. Used as the lowest-rigor tier and labeled as such. We do not publish Editorial Pick designations on the basis of a briefing alone.
Credential verification
For C3PAO, RPO, CCP, and CCA claims, we verify status against the Cyber AB Marketplace at the time of publication. Status changes over time; readers should reverify directly before engaging any provider.
Award scoring rubric
Editorial Pick designations and category-specific awards (BEST FOR…) are made by the editorial team. The factors we weigh include: regulatory rigor and primary-source-anchored methodology; transparency of pricing and engagement structure; fit for the specified buyer profile; published independence posture; credential verification; and the substantive quality of customer reference conversations where they were conducted. Awards are recompeted at each annual update, not carried over.
Sponsored and affiliate disclosure
The publication is supported in part by sponsored placements, affiliate referral fees, and lead-routing fees from matched providers. Sponsored content is labeled with the SPONSORED badge on every verdict card and with explicit "sponsored link · paid placement" microcopy on outbound CTAs. Affiliate and sponsored-link semantics are enforced via rel="sponsored noopener" on every outbound link. Full detail is documented in our Editorial & Advertising Policy.
Conflict-of-interest handling
When a sponsor is also a candidate for editorial evaluation in the same category, we either (a) include the sponsor in editorial review and explicitly disclose the sponsor relationship in the review, or (b) decline to editorially evaluate the sponsor in that category. We never silently award an Editorial Pick to a paying sponsor and we never apply both badges to the same card.
Reader corrections and provider submissions
Corrections are submitted via our corrections page and processed under the workflow documented there. Providers wishing to be considered for editorial evaluation can submit via our contact page under the "provider submission" inquiry type.
Update cadence
Pillar pages (the homepage CMMC guide, category deep dives, and guides cited by primary sources) are reviewed on a continuous basis as the regulatory environment changes, with a documented Last Reviewed date refreshed at each review. Vendor reviews are revisited annually or when material changes to vendor status or offering are reported.