The Attribution Gap: Who's Accountable When AI Agents Handle CUI?
AI agents are processing CUI in DIB environments today. CMMC was written before they existed. The attribution gap is the audit problem no one has closed.
Resources
Guides, analysis, and field notes on CMMC compliance and NIST 800-171 for defense contractors.
AI agents are processing CUI in DIB environments today. CMMC was written before they existed. The attribution gap is the audit problem no one has closed.
A practical operating system for RPOs that run both consulting and assessment practices, built around the three-year consultant rule in 32 CFR § 170.8(b)(17)(ii)(G) and CoPC v2.0 Article III.
Incumbents are repositioning toward AI without rebuilding underneath. Mid-tier vendors are adopting agentic as a category descriptor. The funding wave validates the category, not specific vendors. A four-question rubric for buyers who have to live with their choice across multiple regulatory cycles.
The May 2026 CISA contractor leak shows why your CMMC boundary includes your vendors. Phase 2 assessors will not accept the 'that is our vendor's problem' framing.
A practical, regulation-grounded guide to reading and applying CUI banner markings: control, category, and dissemination, in the order they appear.
Disclosure isn't a universal solvent for CMMC conflicts of interest. A practical guide to which conflicts disclosure resolves and which require stepping away, grounded in 32 CFR § 170.8(b)(17) and CoPC v2.0.
Phase 1 of the CMMC final rule began November 10, 2025. Six months in, the binding constraint turned out to be assessor capacity and evidence quality, not control implementation.
A working practitioner's filter for applying the Cyber AB CMMC Code of Professional Conduct v2.0 in live engagements, mapped to the eight guiding principles in force since 16 December 2024.
Level 1 scoping is one binary question applied to people, technology, facilities, and ESPs. Here's the methodology, the four categories, the common mistakes, and the pre-assessment work that determines everything downstream.
Your SSP describes a company that no longer exists. Drift is structural, not behavioral. Here's why discipline cannot fix it and what a living system of record actually is.
Zero Trust isn't a CMMC requirement, but the mapping changes how AC, IA, SC, and AU controls operate. Here's where ZTA accelerates evidence and where it creates new demands.
Incumbent GRC platforms are repositioning toward AI and adding frameworks without rebuilding the architecture underneath. That's a coherent strategy for cross-framework SMB. It's also where the ceiling holds for CMMC. Here's why, and what contractors should be testing for.
CMMC names five specialized asset categories with their own scoping rules. Here's what they are, where they appear, and how they're treated at L1, L2, and L3.
A walkthrough of the Customer Responsibility Matrix that survives a CMMC assessment, the four deployment patterns, the five control families that get disputed, and the boundary language that holds up.
Most contractors are told they need GCC High before anyone runs a CUI flow analysis. This guide walks the architectural decision that drives 2-4x licensing math.
A CUI enclave can cut your CMMC scope by 5-10x. Architecture patterns, boundary controls, scope-creep failure modes, and decision criteria for picking your enclave.
The questions practitioners ask about CMMC citations, acronyms, and role boundaries, answered with sourced citations to 32 CFR Part 170, FAR, DFARS, NIST 800-171, and the COPC.
CMMC has three distinct mechanisms for handling NOT MET requirements. Most practitioners conflate them. Here's what 32 CFR Part 170 actually says about timing, eligibility, and the difference between industry shorthand and regulatory terminology.
The most consistent finding in CMMC assessment retrospectives is not a controls gap. It is an evidence gap. The audit isn't about controls. It's about evidence the controls actually ran.
SOC 2 and CMMC serve different purposes, different standards bodies, and different legal consequences. Here's what your SOC 2 report doesn't cover.
The GAO identified external risks that could undermine CMMC implementation, including assessor capacity, contractor readiness, and ecosystem coordination challenges. Learn what the watchdog report means for your certification timeline and what the DoD is being told to fix.
GSA quietly released CUI protection requirements based on NIST 800-171 Rev 3, creating a parallel compliance standard alongside CMMC's Rev 2 baseline. Learn what this means for contractors who work with both DoD and civilian agencies.
Every CMMC vendor claims AI. Few explain what their AI actually does. Learn how to evaluate AI claims in compliance software, which automation genuinely helps, and what questions to ask before you buy.
Enterprise GRC platforms are rushing to add CMMC modules, but bolting compliance onto a SOC 2 engine doesn't produce assessment-ready output. Learn why CMMC-specific capabilities matter more than the feature list, and what to look for in a compliance platform.
Industry data suggests that fewer than 1% of defense industrial base contractors are ready for CMMC certification. Learn what's driving the readiness gap, why the numbers are worse than they look, and what it means for your compliance timeline and competitive position.
The CMMC compliance software market has 15+ vendors with different approaches. Learn what to look for, how to evaluate platforms vs point tools vs GRC suites, and what actually matters for assessment readiness.
Failing a CMMC assessment means no certification and no contract eligibility. Learn what happens after a failed assessment, what your options are, how much a second assessment costs, and how to prevent failure in the first place.
When your MSP is an in-scope ESP, you need documented control ownership for your CMMC assessment. Learn how to divide security responsibilities, build a customer responsibility matrix, and avoid the ambiguity that creates assessment findings.
MSPs face rising CMMC demand with limited capacity. Learn how advisors can help them scale readiness through automation, visibility, and smarter evidence control.
A POA&M documents your unmet CMMC requirements and your plan to close them. Learn what a POA&M must include, which requirements are POA&M-eligible, how the 180-day clock works, and how to manage POA&M closure for Level 2 certification.
NIST 800-171 Rev 3 is published but CMMC still references Rev 2. Learn the key differences between revisions, why the DoD hasn't adopted Rev 3 yet, and how to prepare without getting ahead of the requirement.
Advisors are feeling the CMMC crunch. See how Deep Fathom helps firms deliver readiness faster with one workspace that ends every action in proof.
Scoping errors cause more CMMC assessment failures than missing controls. This guide covers how to identify CUI, define your assessment boundary, categorize assets, reduce scope through segmentation, and avoid the mistakes that derail assessments.
There aren't enough authorized CMMC assessors for the number of contractors who need certification. Learn why the C3PAO capacity gap is a real scheduling risk, how it affects your certification timeline, and what to do about it.
CMMC applies to every tier of the defense supply chain. Subcontractors who handle CUI must hold the required certification level or their primes can't award them work. Learn what subs need to know about flow-down, scoping, and preparing for certification.
DFARS 252.204-7012 is the contract clause that requires defense contractors to implement NIST 800-171 and report cyber incidents. This guide explains what the clause requires, who it applies to, and how it connects to CMMC.
CMMC Level 2 equals full NIST 800-171 implementation. Learn the 110 controls that define readiness, the top evidence failures, and how Deep Fathom automates proof to keep compliance continuous.
If your MSP handles CUI or security protection data, they're in your CMMC assessment scope. Learn when your MSP qualifies as an ESP, what that means for your certification, and how to structure the relationship for assessment success.
RPOs, MSPs, and C3PAOs play different roles in CMMC compliance. Learn what each one does, how they relate to each other, which ones you need, and how to avoid common mistakes when building your compliance team.
Manufacturers face unique CMMC challenges: CNC machines on networks, CUI on shop floors, legacy equipment without modern encryption. How to scope and certify.
Learn six hidden CMMC traps and how Deep Fathom helps defense contractors escape them with guided, audit-ready compliance.
CMMC Level 2 certification costs range from $50,000 to $300,000+ depending on your starting point. This guide breaks down assessment fees, preparation costs, ongoing expenses, and where small contractors can save.
CMMC certification takes 6-18 months of preparation plus the assessment itself. Learn the realistic timeline for each phase, what drives delays, and how to accelerate your path to Level 2 certification.
The DoD confirmed CMMC Phase 1 enforcement begins in late 2025. Learn what the start date means for current contracts, which solicitations will include CMMC requirements first, and why the preparation window is shorter than most contractors think.
The DoD’s final DFARS rule makes CMMC a contractual reality: effective mid-November 2025 with a three-year phase-in that reshapes defense contracting.
Your SSP is the most important document in your CMMC assessment. This guide covers what to include, how to structure it, common mistakes that produce findings, and how to keep it current as your environment changes.
CMMC Level 2 offers two assessment paths, self-assessment and C3PAO certification. Learn which one your contracts require, how they differ in rigor and cost, and what each path means for contract eligibility.
Most contractors mis-score CMMC self-assessments, creating false confidence. See how Deep Fathom delivers audit-ready clarity, not illusions.
Small defense contractors make up 73% of the DIB but face the same CMMC requirements as large primes. This guide covers what small businesses need to know about costs, timelines, scope reduction, and how to get certified without an internal compliance team.
Primes demand proof, not promises. Learn how Deep Fathom equips subs with quick, auditable evidence to prove resilience and keep contracts.
CMMC and FedRAMP are both federal cybersecurity frameworks, but they serve different purposes and audiences. Learn how they relate and which one you need.
CMMC assessors aren’t swayed by binders or glossy PDFs... they want traceable, consistent proof. Deep Fathom helps contractors replace posturing with audit-ready documentation, evidence, and POA&Ms that hold up under real assessment.
CMMC creates a massive service opportunity for MSPs and RPOs. Learn how to build a CMMC compliance practice, what services to offer, how to structure engagements, and how to scale delivery without burning out your team.
Use this CMMC compliance checklist to prepare for your Level 2 assessment. Covers scoping, documentation, evidence collection, technical controls, personnel readiness, and C3PAO engagement.
CMMC Level 1 requires 15 security requirements across dozens of assessment objectives. Learn who needs it, the self-assessment process, costs, and pitfalls.
CMMC Level 1 isn’t a free pass— contractors must meet all 15 practices and prove readiness. Learn where small businesses go wrong, why primes demand evidence, and how Deep Fathom makes compliance clear, fast, and reliable.
Preparing for a CMMC assessment takes 6-18 months. This step-by-step guide covers scoping, documentation, evidence collection, C3PAO selection, and what to expect during your Level 2 certification assessment.
Generic compliance templates collapse under audit. Deep Fathom replaces guesswork with context—linking real systems, evidence, and controls to deliver documentation that actually holds up. Build credibility, not copy-paste compliance.
CMMC assessments verify implementation, not paperwork. Learn how C3PAOs examine, interview, and test, and how Agentic AI automates traceable proof that holds up under audit.
CMMC and NIST 800-171 are related but different. NIST defines 110 security controls. CMMC verifies you implemented them. Learn where they overlap, where they diverge, and what it means for your compliance program.
CMMC 2.0 requires defense contractors to prove cybersecurity compliance to keep DoD contracts. Learn the three levels, enforcement timeline, assessment costs, and how to prepare for certification.
DFARS 7019 and 7020 make self-assessments auditable. Learn how DIBCAC validates SPRS scores and how Deep Fathom’s Agentic AI closes the evidence gap with continuous, verifiable proof.