[{"data":1,"prerenderedAt":2811},["ShallowReactive",2],{"\u002Fglossary\u002Fmulti-factor-authentication":3,"\u002Fglossary\u002Fmulti-factor-authentication__related-terms":155,"explore-glossary-cmmc-\u002Fglossary\u002Fmulti-factor-authentication":162,"explore-topics-cmmc-\u002Fglossary\u002Fmulti-factor-authentication":972,"explore-hub-cmmc":1860,"explore-compare-vs-\u002Fglossary\u002Fmulti-factor-authentication":2370,"explore-compare-\u002Fglossary\u002Fmulti-factor-authentication":2536,"explore-blog-cmmc-\u002Fglossary\u002Fmulti-factor-authentication":2657,"explore-industry-cmmc":1362},{"id":4,"title":5,"body":6,"description":123,"extension":133,"lastUpdated":134,"meta":135,"navigation":136,"path":137,"relatedFrameworks":138,"relatedTerms":145,"seo":149,"slug":152,"stem":153,"term":13,"__hash__":154},"glossary\u002F8.glossary\u002Fmulti-factor-authentication.md","Multi Factor Authentication",{"type":7,"value":8,"toc":122},"minimark",[9,14,18,23,26,49,53,56,88,92,109,113],[10,11,13],"h2",{"id":12},"what-is-multi-factor-authentication","What is Multi-Factor Authentication?",[15,16,17],"p",{},"Multi-Factor Authentication (MFA) is a security mechanism that requires users to verify their identity using two or more independent factors before gaining access to a system or application. 
By combining multiple factors, MFA significantly reduces the risk of unauthorized access even if one factor (such as a password) is compromised.",[19,20,22],"h3",{"id":21},"what-are-the-authentication-factors-used-in-mfa","What are the authentication factors used in MFA?",[15,24,25],{},"MFA combines factors from at least two different categories; two factors of the same category (for example, a password plus a PIN) do not qualify:",[27,28,29,37,43],"ul",{},[30,31,32,36],"li",{},[33,34,35],"strong",{},"Something you know"," — passwords, PINs, security questions",[30,38,39,42],{},[33,40,41],{},"Something you have"," — mobile phones (SMS or authenticator apps), hardware tokens, FIDO2 security keys, smart cards",[30,44,45,48],{},[33,46,47],{},"Something you are"," — biometrics such as fingerprints, facial recognition, or iris scans",[19,50,52],{"id":51},"how-do-compliance-frameworks-address-mfa","How do compliance frameworks address MFA?",[15,54,55],{},"MFA is required or strongly recommended across all major frameworks:",[27,57,58,64,70,76,82],{},[30,59,60,63],{},[33,61,62],{},"SOC 2"," — CC6.1 covers logical access security; it does not name MFA, but auditors expect MFA for remote and privileged access as evidence that the control is suitably designed",[30,65,66,69],{},[33,67,68],{},"ISO 27001"," — A.8.5 (Secure authentication) addresses secure authentication technologies and procedures, including multi-factor methods",[30,71,72,75],{},[33,73,74],{},"HIPAA"," — while not explicitly mandating MFA, the Security Rule's person or entity authentication standard (§164.312(d)) and mandatory risk analysis make it the reasonable and appropriate control for access to ePHI systems",[30,77,78,81],{},[33,79,80],{},"PCI DSS"," — Requirement 8.4 (v4.0; 8.3 in v3.2.1) mandates MFA for all access into the cardholder data environment and for all remote network access originating from outside the entity's network",[30,83,84,87],{},[33,85,86],{},"NIST CSF"," — PR.AC-7 (CSF 1.1; PR.AA-03 in CSF 2.0) calls for users, devices, and other assets to be authenticated commensurate with risk, which for privileged and remote access means multi-factor",[19,89,91],{"id":90},"what-are-implementation-best-practices","What are implementation best practices?",[27,93,94,97,100,103,106],{},[30,95,96],{},"Require MFA for all user accounts, not just administrators",[30,98,99],{},"Prefer phishing-resistant methods (FIDO2\u002FWebAuthn security keys or passkeys) over authenticator-app codes, and either of those over SMS-based codes, which are vulnerable to SIM swapping and interception",[30,101,102],{},"Implement MFA on VPN, cloud console, email, and 
any system containing sensitive data",[30,104,105],{},"Provide backup recovery methods (recovery codes, backup devices) to prevent lockouts, and protect those recovery paths as strongly as the primary factor, since attackers target account recovery flows to bypass MFA",[30,107,108],{},"Monitor and alert on MFA being disabled, reset, or re-enrolled on a new device, on repeated push prompts that signal an MFA fatigue attack, and on other bypass attempts",[19,110,112],{"id":111},"how-does-episki-help-with-mfa","How does episki help with MFA?",[15,114,115,116,121],{},"episki tracks MFA policies, monitors enforcement across systems, and documents MFA evidence for compliance audits. Learn more on our ",[117,118,120],"a",{"href":119},"\u002Fframeworks","compliance platform",".",{"title":123,"searchDepth":124,"depth":124,"links":125},"",2,[126],{"id":12,"depth":124,"text":13,"children":127},[128,130,131,132],{"id":21,"depth":129,"text":22},3,{"id":51,"depth":129,"text":52},{"id":90,"depth":129,"text":91},{"id":111,"depth":129,"text":112},"md","2026-04-16",{},true,"\u002Fglossary\u002Fmulti-factor-authentication",[139,140,141,142,143,144],"cmmc","soc2","iso27001","hipaa","pci","nistcsf",[146,147,148],"access-control","least-privilege","encryption",{"title":150,"description":151},"What is Multi-Factor Authentication (MFA)? 
Definition & Compliance Guide","Multi-Factor Authentication (MFA) is a login method that requires users to verify their identity using two or more factors, such as a password plus a code sent to their phone.","multi-factor-authentication","8.glossary\u002Fmulti-factor-authentication","UJQZ8l9dqE7trtvjUWb1iVTulmNQa1j2-kVTUOaUB34",[156,158,160],{"slug":146,"term":157},"What is Access Control?",{"slug":148,"term":159},"What is Encryption?",{"slug":147,"term":161},"What is Least Privilege?",[163,724],{"id":164,"title":165,"body":166,"description":123,"extension":133,"lastUpdated":134,"meta":712,"navigation":136,"path":713,"relatedFrameworks":714,"relatedTerms":715,"seo":719,"slug":146,"stem":722,"term":157,"__hash__":723},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":7,"value":167,"toc":698},[168,171,174,178,181,207,211,217,223,229,235,239,242,248,265,271,285,291,302,306,309,361,365,368,382,386,389,412,416,419,469,473,476,596,599,602,631,635,641,644,680,683,686,689,693],[10,169,157],{"id":170},"what-is-access-control",[15,172,173],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. 
Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[19,175,177],{"id":176},"what-are-the-core-principles-of-access-control","What are the core principles of access control?",[15,179,180],{},"Access control is built on several foundational principles:",[27,182,183,189,195,201],{},[30,184,185,188],{},[33,186,187],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[30,190,191,194],{},[33,192,193],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[30,196,197,200],{},[33,198,199],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[30,202,203,206],{},[33,204,205],{},"Default deny"," — access is denied by default unless explicitly granted",[19,208,210],{"id":209},"what-are-the-types-of-access-control","What are the types of access control?",[15,212,213,216],{},[33,214,215],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[15,218,219,222],{},[33,220,221],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[15,224,225,228],{},[33,226,227],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[15,230,231,234],{},[33,232,233],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. 
Common in government and military environments.",[19,236,238],{"id":237},"what-are-access-control-components","What are access control components?",[15,240,241],{},"A complete access control program addresses:",[15,243,244,247],{},[33,245,246],{},"Authentication"," — verifying the identity of users:",[27,249,250,253,256,259,262],{},[30,251,252],{},"Passwords and passphrases",[30,254,255],{},"Multi-factor authentication (MFA)",[30,257,258],{},"Single sign-on (SSO)",[30,260,261],{},"Biometric authentication",[30,263,264],{},"Certificate-based authentication",[15,266,267,270],{},[33,268,269],{},"Authorization"," — determining what authenticated users can do:",[27,272,273,276,279,282],{},[30,274,275],{},"Permission assignments",[30,277,278],{},"Role definitions",[30,280,281],{},"Access control lists",[30,283,284],{},"Policy enforcement points",[15,286,287,290],{},[33,288,289],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[27,292,293,296,299],{},[30,294,295],{},"Provisioning (granting access when hired or role changes)",[30,297,298],{},"Review (periodic access certification)",[30,300,301],{},"Deprovisioning (revoking access upon termination or role change)",[19,303,305],{"id":304},"how-do-compliance-frameworks-address-access-control","How do compliance frameworks address access control?",[15,307,308],{},"Every major framework requires access control:",[27,310,311,319,332,345,353],{},[30,312,313,318],{},[33,314,315],{},[117,316,62],{"href":317},"\u002Fframeworks\u002Fsoc2"," — CC6.1 through CC6.8 cover logical and physical access controls",[30,320,321,326,327,331],{},[33,322,323],{},[117,324,68],{"href":325},"\u002Fframeworks\u002Fiso27001"," — ",[117,328,330],{"href":329},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[30,333,334,339,340,344],{},[33,335,336],{},[117,337,74],{"href":338},"\u002Fframeworks\u002Fhipaa"," — the 
",[117,341,343],{"href":342},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security Rule"," requires access controls for ePHI (45 CFR 164.312(a))",[30,346,347,352],{},[33,348,349],{},[117,350,80],{"href":351},"\u002Fframeworks\u002Fpci"," — Requirements 7 and 8 address access restriction and user identification",[30,354,355,360],{},[33,356,357],{},[117,358,86],{"href":359},"\u002Fframeworks\u002Fnistcsf"," — PR.AC covers identity management, authentication, and access control",[19,362,364],{"id":363},"what-are-access-reviews","What are access reviews?",[15,366,367],{},"Regular access reviews (also called access certifications) are a critical control:",[27,369,370,373,376,379],{},[30,371,372],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[30,374,375],{},"Verify that access aligns with current job responsibilities",[30,377,378],{},"Identify and remove excessive or unnecessary access",[30,380,381],{},"Document review results and remediation actions",[19,383,385],{"id":384},"what-are-common-access-control-weaknesses","What are common access control weaknesses?",[15,387,388],{},"Even well-designed access control programs can degrade over time without ongoing attention. 
Watch for these common issues:",[27,390,391,394,397,400,403,406,409],{},[30,392,393],{},"Excessive permissions that accumulate over time (privilege creep)",[30,395,396],{},"Shared or generic accounts that prevent individual accountability",[30,398,399],{},"Delayed deprovisioning when employees leave or change roles",[30,401,402],{},"Lack of MFA on critical systems and remote access paths",[30,404,405],{},"Inconsistent access review processes with no documented remediation",[30,407,408],{},"Service accounts with standing privileged access and no rotation schedule",[30,410,411],{},"Lack of visibility into SaaS application access outside the corporate IdP",[19,413,415],{"id":414},"how-do-you-implement-access-control-in-practice","How do you implement access control in practice?",[15,417,418],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[420,421,422,428,434,440,446,452,463],"ol",{},[30,423,424,427],{},[33,425,426],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[30,429,430,433],{},[33,431,432],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[30,435,436,439],{},[33,437,438],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. 
Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[30,441,442,445],{},[33,443,444],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[30,447,448,451],{},[33,449,450],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[30,453,454,457,458,462],{},[33,455,456],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[117,459,461],{"href":460},"\u002Fglossary\u002Faudit-trail","audit trail"," that satisfies compliance requirements.",[30,464,465,468],{},[33,466,467],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[19,470,472],{"id":471},"what-are-the-access-control-requirements","What are the access control requirements?",[15,474,475],{},"Different frameworks address the same access control concepts with different control references. 
The table below maps common requirements to their framework-specific identifiers (PCI DSS references are to v4.0):",[477,478,479,499],"table",{},[480,481,482],"thead",{},[483,484,485,489,491,493,495,497],"tr",{},[486,487,488],"th",{},"Requirement",[486,490,62],{},[486,492,68],{},[486,494,74],{},[486,496,80],{},[486,498,86],{},[500,501,502,523,542,562,579],"tbody",{},[483,503,504,508,511,514,517,520],{},[505,506,507],"td",{},"Unique user IDs",[505,509,510],{},"CC6.1",[505,512,513],{},"A.5.16",[505,515,516],{},"§164.312(a)(2)(i)",[505,518,519],{},"Req 8.2.1",[505,521,522],{},"PR.AC-1",[483,524,525,528,530,533,536,539],{},[505,526,527],{},"MFA",[505,529,510],{},[505,531,532],{},"A.8.5",[505,534,535],{},"§164.312(d)",[505,537,538],{},"Req 8.4",[505,540,541],{},"PR.AC-7",[483,543,544,547,550,553,556,559],{},[505,545,546],{},"Access reviews",[505,548,549],{},"CC6.2",[505,551,552],{},"A.5.18",[505,554,555],{},"§164.312(a)(1)",[505,557,558],{},"Req 7.2.4",[505,560,561],{},"PR.AC-4",[483,563,564,566,569,572,574,577],{},[505,565,187],{},[505,567,568],{},"CC6.3",[505,570,571],{},"A.5.15",[505,573,555],{},[505,575,576],{},"Req 7.2.1",[505,578,561],{},[483,580,581,584,586,588,591,594],{},[505,582,583],{},"Deprovisioning",[505,585,549],{},[505,587,552],{},[505,589,590],{},"§164.308(a)(3)(ii)(C)",[505,592,593],{},"Req 8.2.5",[505,595,522],{},[15,597,598],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[15,600,601],{},"A few notes on framework-specific nuances:",[27,603,604,609,617,624],{},[30,605,606,608],{},[33,607,74],{}," does not name MFA in the current Security Rule; §164.312(d) requires person or entity authentication, and the mandatory risk analysis (§164.308(a)(1)(ii)(A)) determines whether MFA is reasonable and appropriate for each system that handles ePHI. 
In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[30,610,611,616],{},[33,612,613,615],{},[117,614,80],{"href":351}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[30,618,619,623],{},[33,620,621],{},[117,622,62],{"href":317}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[30,625,626,630],{},[33,627,628],{},[117,629,86],{"href":359}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[19,632,634],{"id":633},"how-does-zero-trust-relate-to-access-control","How does zero trust relate to access control?",[15,636,637,638,121],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[33,639,640],{},"never trust, always verify",[15,642,643],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[27,645,646,652,658,668,674],{},[30,647,648,651],{},[33,649,650],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. 
Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[30,653,654,657],{},[33,655,656],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[30,659,660,663,664,667],{},[33,661,662],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[117,665,148],{"href":666},"\u002Fglossary\u002Fencryption",") is evaluated before access is granted.",[30,669,670,673],{},[33,671,672],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[30,675,676,679],{},[33,677,678],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[15,681,682],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[15,684,685],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[15,687,688],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. 
Over time, these incremental improvements compound into a mature zero trust posture.",[19,690,692],{"id":691},"how-does-episki-help-with-access-control","How does episki help with access control?",[15,694,695,696,121],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[117,697,120],{"href":119},{"title":123,"searchDepth":124,"depth":124,"links":699},[700],{"id":170,"depth":124,"text":157,"children":701},[702,703,704,705,706,707,708,709,710,711],{"id":176,"depth":129,"text":177},{"id":209,"depth":129,"text":210},{"id":237,"depth":129,"text":238},{"id":304,"depth":129,"text":305},{"id":363,"depth":129,"text":364},{"id":384,"depth":129,"text":385},{"id":414,"depth":129,"text":415},{"id":471,"depth":129,"text":472},{"id":633,"depth":129,"text":634},{"id":691,"depth":129,"text":692},{},"\u002Fglossary\u002Faccess-control",[139,140,141,142,143,144],[716,717,148,718],"minimum-necessary-rule","audit-trail","user-entity-controls",{"title":720,"description":721},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. 
Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","8.glossary\u002Faccess-control","06FHtOe5hEs65vhNnMjZcNgPP9NXCQTnLD9llz_jEjM",{"id":725,"title":726,"body":727,"description":123,"extension":133,"lastUpdated":134,"meta":960,"navigation":136,"path":961,"relatedFrameworks":962,"relatedTerms":963,"seo":966,"slug":969,"stem":970,"term":732,"__hash__":971},"glossary\u002F8.glossary\u002Fchange-management.md","Change Management",{"type":7,"value":728,"toc":949},[729,733,736,740,743,760,764,767,773,793,799,813,819,830,836,847,853,864,868,885,889,909,913,916,920,923,940,944],[10,730,732],{"id":731},"what-is-change-management","What is Change Management?",[15,734,735],{},"Change management is the structured process of planning, approving, implementing, and reviewing changes to an organization's information systems, infrastructure, and applications. The goal is to ensure that changes are made in a controlled manner, minimizing the risk of unintended disruptions, security vulnerabilities, or compliance violations.",[19,737,739],{"id":738},"why-does-change-management-matter","Why does change management matter?",[15,741,742],{},"Uncontrolled changes are a leading cause of system outages, security incidents, and compliance failures. 
Without a formal change management process:",[27,744,745,748,751,754,757],{},[30,746,747],{},"Untested changes can introduce bugs or vulnerabilities",[30,749,750],{},"Unauthorized modifications can compromise security controls",[30,752,753],{},"Conflicting changes can cause system instability",[30,755,756],{},"Auditors cannot verify that changes were properly authorized and tested",[30,758,759],{},"Troubleshooting becomes difficult without a record of what changed",[19,761,763],{"id":762},"what-are-the-components-of-a-change-management-process","What are the components of a change management process?",[15,765,766],{},"An effective change management program includes:",[15,768,769,772],{},[33,770,771],{},"Change request"," — a formal submission describing the proposed change, including:",[27,774,775,778,781,784,787,790],{},[30,776,777],{},"Description of the change",[30,779,780],{},"Business justification",[30,782,783],{},"Risk assessment",[30,785,786],{},"Rollback plan",[30,788,789],{},"Testing plan",[30,791,792],{},"Implementation timeline",[15,794,795,798],{},[33,796,797],{},"Review and approval"," — changes are reviewed by appropriate stakeholders:",[27,800,801,804,807,810],{},[30,802,803],{},"Technical review for feasibility and impact",[30,805,806],{},"Security review for potential risks",[30,808,809],{},"Management approval based on risk and priority",[30,811,812],{},"Change Advisory Board (CAB) review for significant changes",[15,814,815,818],{},[33,816,817],{},"Testing"," — changes are tested in a non-production environment before deployment:",[27,820,821,824,827],{},[30,822,823],{},"Functional testing to verify the change works as intended",[30,825,826],{},"Regression testing to confirm existing functionality is not broken",[30,828,829],{},"Security testing when the change affects security-relevant systems",[15,831,832,835],{},[33,833,834],{},"Implementation"," — changes are deployed following the approved 
plan:",[27,837,838,841,844],{},[30,839,840],{},"During designated maintenance windows when appropriate",[30,842,843],{},"With monitoring for unexpected issues",[30,845,846],{},"With rollback procedures ready if problems occur",[15,848,849,852],{},[33,850,851],{},"Post-implementation review"," — after deployment, verify:",[27,854,855,858,861],{},[30,856,857],{},"The change achieved its intended outcome",[30,859,860],{},"No unintended side effects occurred",[30,862,863],{},"Documentation is updated to reflect the change",[19,865,867],{"id":866},"how-do-compliance-frameworks-address-change-management","How do compliance frameworks address change management?",[27,869,870,875,880],{},[30,871,872,874],{},[33,873,62],{}," — CC8.1 requires that changes to infrastructure, data, software, and procedures are authorized, designed, developed, configured, documented, tested, approved, and implemented",[30,876,877,879],{},[33,878,68],{}," — control A.8.32 addresses change management, requiring that changes to information processing facilities and systems be subject to change management procedures",[30,881,882,884],{},[33,883,80],{}," — Requirement 6.5 requires change control processes for all system components in the cardholder data environment",[19,886,888],{"id":887},"what-are-the-types-of-changes-in-change-management","What are the types of changes in change management?",[27,890,891,897,903],{},[30,892,893,896],{},[33,894,895],{},"Standard changes"," — pre-approved, low-risk, routine changes that follow a documented procedure (e.g., updating a standard software package)",[30,898,899,902],{},[33,900,901],{},"Normal changes"," — changes that require the full change management process including review and approval",[30,904,905,908],{},[33,906,907],{},"Emergency changes"," — urgent changes needed to resolve incidents or critical issues, typically with streamlined approval followed by retrospective 
documentation",[19,910,912],{"id":911},"how-does-separation-of-duties-apply-to-change-management","How does separation of duties apply to change management?",[15,914,915],{},"A key control within change management is separation of duties — the person who develops a change should not be the same person who approves or deploys it to production. This prevents unauthorized or untested changes from reaching production systems.",[19,917,919],{"id":918},"what-change-management-evidence-do-auditors-look-for","What change management evidence do auditors look for?",[15,921,922],{},"Auditors reviewing change management look for:",[27,924,925,928,931,934,937],{},[30,926,927],{},"Change request records with documented approvals",[30,929,930],{},"Evidence of testing before production deployment",[30,932,933],{},"Separation of duties between development, approval, and deployment",[30,935,936],{},"Rollback plans for significant changes",[30,938,939],{},"Post-implementation reviews",[19,941,943],{"id":942},"how-does-episki-help-with-change-management","How does episki help with change management?",[15,945,946,947,121],{},"episki tracks change management activities, integrates with ticketing and CI\u002FCD systems, and maintains audit-ready evidence of change approvals, testing, and deployment. The platform maps change management controls to SOC 2, ISO 27001, and PCI DSS requirements. Learn more on our ",[117,948,120],{"href":119},{"title":123,"searchDepth":124,"depth":124,"links":950},[951],{"id":731,"depth":124,"text":732,"children":952},[953,954,955,956,957,958,959],{"id":738,"depth":129,"text":739},{"id":762,"depth":129,"text":763},{"id":866,"depth":129,"text":867},{"id":887,"depth":129,"text":888},{"id":911,"depth":129,"text":912},{"id":918,"depth":129,"text":919},{"id":942,"depth":129,"text":943},{},"\u002Fglossary\u002Fchange-management",[139,140,141,143],[717,146,964,965],"evidence-collection","control-objectives",{"title":967,"description":968},"What is Change Management? 
Definition & Compliance Guide","Change management is the process of controlling modifications to systems and infrastructure to prevent unauthorized changes and maintain security and stability.","change-management","8.glossary\u002Fchange-management","xeecemxPeYwPVCVxeZ0eZXpmSOlKMkCLQoUsX4dbaQA",[973,1377],{"id":974,"title":975,"body":976,"description":1361,"extension":133,"faq":1362,"frameworkSlug":139,"lastUpdated":134,"meta":1363,"navigation":136,"path":1364,"relatedTerms":1365,"relatedTopics":1368,"seo":1372,"stem":1375,"__hash__":1376},"frameworkTopics\u002F5.frameworks\u002Fcmmc\u002Fassessment-process.md","CMMC Assessment Process",{"type":7,"value":977,"toc":1343},[978,982,985,989,992,997,1029,1032,1036,1039,1043,1107,1111,1114,1119,1127,1131,1134,1138,1142,1145,1149,1152,1174,1189,1193,1196,1200,1203,1223,1227,1263,1267,1270,1284,1288,1291,1329,1333],[10,979,981],{"id":980},"cmmc-assessment-types","CMMC assessment types",[15,983,984],{},"CMMC 2.0 uses three assessment types that correspond to the certification levels. The assessment type for your organization is determined by the CMMC level specified in your contract.",[19,986,988],{"id":987},"self-assessment-level-1-and-level-2","Self-assessment (Level 1 and Level 2)",[15,990,991],{},"Self-assessments are conducted internally by the organization. 
They are required for all Level 1 certifications and for Level 2 certifications on contracts involving less sensitive CUI.",[15,993,994],{},[33,995,996],{},"How it works:",[420,998,999,1005,1011,1017,1023],{},[30,1000,1001,1004],{},[33,1002,1003],{},"Scope your environment"," — identify the systems, people, and processes that handle FCI (Level 1) or CUI (Level 2) within the assessment boundary.",[30,1006,1007,1010],{},[33,1008,1009],{},"Evaluate each practice"," — assess whether your organization meets each required practice using the DoD Assessment Methodology.",[30,1012,1013,1016],{},[33,1014,1015],{},"Calculate your score"," — Level 1 is pass\u002Ffail across 15 practices (the FAR 52.204-21 basic safeguarding requirements). Level 2 uses a scoring methodology based on the 110 NIST SP 800-171 requirements, starting at 110 and subtracting points for each requirement that is not fully met.",[30,1018,1019,1022],{},[33,1020,1021],{},"Submit to SPRS"," — enter your assessment score into the Supplier Performance Risk System.",[30,1024,1025,1028],{},[33,1026,1027],{},"Affirm annually"," — a senior official must sign an annual affirmation confirming continued compliance.",[15,1030,1031],{},"Self-assessments must be conducted with the same rigor as third-party assessments. The DoD reserves the right to audit self-assessment scores, and material misrepresentation can result in False Claims Act liability.",[19,1033,1035],{"id":1034},"c3pao-assessment-level-2","C3PAO assessment (Level 2)",[15,1037,1038],{},"Third-party assessments are conducted by CMMC Third-Party Assessment Organizations (C3PAOs) accredited by the Cyber AB (formerly the CMMC Accreditation Body). They are required for Level 2 certifications on contracts involving more sensitive CUI or critical programs.",[15,1040,1041],{},[33,1042,996],{},[420,1044,1045,1051,1057,1063,1069,1075,1101],{},[30,1046,1047,1050],{},[33,1048,1049],{},"Select a C3PAO"," — choose from the list of accredited C3PAOs published by the Cyber AB. 
The C3PAO assigns certified CMMC assessors to your engagement.",[30,1052,1053,1056],{},[33,1054,1055],{},"Pre-assessment readiness review"," (optional but recommended) — many C3PAOs offer a readiness review to identify gaps before the formal assessment begins.",[30,1058,1059,1062],{},[33,1060,1061],{},"Assessment planning"," — the C3PAO works with your organization to define scope, schedule, and logistics. This includes identifying assessment boundaries, CUI data flows, and inherited controls.",[30,1064,1065,1068],{},[33,1066,1067],{},"Evidence collection and review"," — assessors review your System Security Plan (SSP), policies, procedures, and evidence artifacts. This typically takes two to four weeks depending on scope.",[30,1070,1071,1074],{},[33,1072,1073],{},"On-site or virtual assessment"," — assessors interview personnel, observe processes, and test controls. Most assessments include both documentation review and interactive sessions.",[30,1076,1077,1080,1081],{},[33,1078,1079],{},"Scoring and findings"," — the C3PAO scores each of the 110 requirements against its NIST SP 800-171A assessment objectives and documents any deficiencies. You receive one of three results:\n",[27,1082,1083,1089,1095],{},[30,1084,1085,1088],{},[33,1086,1087],{},"Met"," — all 110 requirements satisfied. Full certification issued.",[30,1090,1091,1094],{},[33,1092,1093],{},"Conditional"," — score of 88 or above, with every remaining deficiency documented in a POA&M; only requirements that 32 CFR 170.21 allows on a POA&M may remain open. Conditional certification issued with a 180-day remediation window; if the POA&M is not closed out within that window, the conditional status expires.",[30,1096,1097,1100],{},[33,1098,1099],{},"Not met"," — score below 88. No certification issued. 
You must remediate and re-engage the C3PAO.",[30,1102,1103,1106],{},[33,1104,1105],{},"Certification validity"," — a full or conditional certification is valid for three years with annual affirmation of continued compliance.",[19,1108,1110],{"id":1109},"dibcac-assessment-level-3","DIBCAC assessment (Level 3)",[15,1112,1113],{},"Government-led assessments are conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). They are required for Level 3 certifications.",[15,1115,1116],{},[33,1117,1118],{},"Prerequisites:",[27,1120,1121,1124],{},[30,1122,1123],{},"A valid Level 2 C3PAO certification must be in place before a Level 3 assessment can begin",[30,1125,1126],{},"The organization must demonstrate compliance with all 110 NIST SP 800-171 requirements plus the 24 selected NIST SP 800-172 enhanced requirements",[15,1128,1129],{},[33,1130,996],{},[15,1132,1133],{},"DIBCAC assessments follow a similar structure to C3PAO assessments but are conducted by government assessors with additional focus on advanced threat scenarios, penetration-resistant architecture, and operational resilience. The assessment scope, timeline, and logistics are coordinated directly with DIBCAC.",[10,1135,1137],{"id":1136},"scoring-methodology","Scoring methodology",[19,1139,1141],{"id":1140},"level-1-scoring","Level 1 scoring",[15,1143,1144],{},"Level 1 uses a simple pass\u002Ffail model. All 17 practices must be met. There is no partial scoring or POA&M allowance for Level 1.",[19,1146,1148],{"id":1147},"level-2-scoring","Level 2 scoring",[15,1150,1151],{},"The DoD Assessment Methodology for Level 2 evaluates 110 objectives (one per NIST SP 800-171 requirement). 
Scoring starts at 110 and subtracts points for each unmet requirement:",[27,1153,1154,1161,1171],{},[30,1155,1156,1157,1160],{},"Lower-impact requirements subtract ",[33,1158,1159],{},"1 point"," if not met",[30,1162,1163,1164,1167,1168],{},"Higher-impact requirements subtract ",[33,1165,1166],{},"3 points"," or ",[33,1169,1170],{},"5 points",[30,1172,1173],{},"The point value of each requirement is defined in the NIST SP 800-171 DoD Assessment Methodology, which 32 CFR Part 170 adopts as the CMMC scoring methodology. A requirement counts as unmet when any of its NIST SP 800-171A assessment objectives is unmet; only multifactor authentication (3.5.3) and CUI encryption (3.13.11) carry partial credit",[15,1175,1176,1177,1180,1181,1184,1185,1188],{},"A score of ",[33,1178,1179],{},"110"," means all requirements are met. A score of ",[33,1182,1183],{},"88 or above"," (with POA&M) qualifies for conditional certification, provided every unmet requirement is one that may be placed on a POA&M. A score ",[33,1186,1187],{},"below 88"," does not qualify for any certification.",[19,1190,1192],{"id":1191},"level-3-scoring","Level 3 scoring",[15,1194,1195],{},"Level 3 scoring evaluates the 24 enhanced requirements from NIST SP 800-172 in addition to the Level 2 baseline. The scoring methodology is determined by DIBCAC and follows government assessment procedures.",[10,1197,1199],{"id":1198},"plan-of-action-and-milestones-poam","Plan of Action and Milestones (POA&M)",[15,1201,1202],{},"A POA&M documents security requirements that are not yet fully met and the organization's plan to remediate them. 
Under CMMC 2.0:",[27,1204,1205,1211,1217],{},[30,1206,1207,1210],{},[33,1208,1209],{},"Level 1"," does not allow POA&Ms — all 17 practices must be met",[30,1212,1213,1216],{},[33,1214,1215],{},"Level 2"," allows POA&Ms for conditional certification if the score is 88 or above",[30,1218,1219,1222],{},[33,1220,1221],{},"Level 3"," allows limited POA&Ms under DIBCAC discretion",[19,1224,1226],{"id":1225},"poam-rules-for-level-2","POA&M rules for Level 2",[27,1228,1229,1236,1243,1250,1253,1260],{},[30,1230,1231,1232,1235],{},"Maximum of ",[33,1233,1234],{},"22 unmet objectives"," (score of 88+)",[30,1237,1238,1239,1242],{},"Certain critical requirements ",[33,1240,1241],{},"cannot"," be placed on a POA&M regardless of score",[30,1244,1245,1246,1249],{},"All POA&M items must be ",[33,1247,1248],{},"closed within 180 days"," of the conditional certification date",[30,1251,1252],{},"A C3PAO must verify POA&M closure through a close-out assessment",[30,1254,1255,1256,1259],{},"Failure to close POA&M items within 180 days ",[33,1257,1258],{},"revokes"," the conditional certification",[30,1261,1262],{},"The organization must then undergo a new full assessment",[19,1264,1266],{"id":1265},"what-cannot-go-on-a-poam","What cannot go on a POA&M",[15,1268,1269],{},"The DoD has identified specific high-impact requirements that cannot be deferred via POA&M. 
Under 32 CFR Part 170 the exclusion is defined by point value rather than by a fixed list of topics:",[27,1271,1272,1275,1278,1281],{},[30,1273,1274],{},"Any requirement worth more than 1 point in the scoring methodology, which covers every 3- and 5-point requirement, including multifactor authentication (3.5.3) and cyber incident reporting (3.6.2)",[30,1276,1277],{},"The single exception is CUI encryption (3.13.11), which may go on a POA&M only when encryption is already in use but is not FIPS-validated (the 3-point partial-credit state), never when CUI is unencrypted",[30,1279,1280],{},"Five 1-point requirements excluded regardless of score: external connections (3.1.20), control of CUI on publicly accessible systems (3.1.22), escorting visitors (3.10.3), physical access logs (3.10.4), and managing physical access devices (3.10.5)",[30,1282,1283],{},"Everything else on a conditional-certification POA&M is therefore a 1-point requirement, and the 88-point floor caps how many there can be",[10,1285,1287],{"id":1286},"preparing-for-your-assessment","Preparing for your assessment",[15,1289,1290],{},"Regardless of assessment type, preparation follows a similar pattern:",[420,1292,1293,1299,1305,1311,1317,1323],{},[30,1294,1295,1298],{},[33,1296,1297],{},"Define your CUI boundary"," — identify where CUI enters, flows through, and is stored in your environment. This defines your assessment scope.",[30,1300,1301,1304],{},[33,1302,1303],{},"Complete your SSP"," — document every NIST SP 800-171 requirement with your implementation status, responsible parties, and evidence.",[30,1306,1307,1310],{},[33,1308,1309],{},"Conduct a gap analysis"," — compare your current controls against all required practices and identify shortfalls.",[30,1312,1313,1316],{},[33,1314,1315],{},"Remediate or document"," — close gaps where possible. For remaining gaps, create POA&M items with realistic remediation timelines.",[30,1318,1319,1322],{},[33,1320,1321],{},"Organize evidence"," — collect and catalog evidence artifacts (screenshots, configs, policies, logs) mapped to each requirement.",[30,1324,1325,1328],{},[33,1326,1327],{},"Perform a mock assessment"," — walk through the assessment process internally or with a consultant to identify weaknesses.",[10,1330,1332],{"id":1331},"how-episki-helps","How episki helps",[15,1334,1335,1336,1342],{},"episki automates the heaviest parts of assessment preparation. The platform generates a pre-mapped SSP template aligned to NIST SP 800-171, tracks your SPRS score in real time as you close gaps, and organizes evidence by control family. POA&M items are tracked with 180-day countdown timers and assigned owners. 
When your C3PAO arrives, they get a scoped portal with everything organized by assessment objective — reducing assessment time and back-and-forth. ",[117,1337,1341],{"href":1338,"rel":1339},"https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",[1340],"nofollow","Start a free trial"," to see your current assessment readiness.",{"title":123,"searchDepth":124,"depth":124,"links":1344},[1345,1350,1355,1359,1360],{"id":980,"depth":124,"text":981,"children":1346},[1347,1348,1349],{"id":987,"depth":129,"text":988},{"id":1034,"depth":129,"text":1035},{"id":1109,"depth":129,"text":1110},{"id":1136,"depth":124,"text":1137,"children":1351},[1352,1353,1354],{"id":1140,"depth":129,"text":1141},{"id":1147,"depth":129,"text":1148},{"id":1191,"depth":129,"text":1192},{"id":1198,"depth":124,"text":1199,"children":1356},[1357,1358],{"id":1225,"depth":129,"text":1226},{"id":1265,"depth":129,"text":1266},{"id":1286,"depth":124,"text":1287},{"id":1331,"depth":124,"text":1332},"How CMMC assessments work — self-assessments, C3PAO third-party assessments, and DIBCAC government-led assessments including scoring, POA&Ms, and conditional certification.",null,{},"\u002Fframeworks\u002Fcmmc\u002Fassessment-process",[139,1366,1367],"grc","audit",[1369,1370,1371],"levels","nist-800-171-mapping","who-needs-cmmc",{"title":1373,"description":1374},"CMMC Assessment Process — Self-Assessment, C3PAO, and DIBCAC Guide","Step-by-step guide to CMMC assessment types, scoring methodology, POA&M requirements, and what to expect during a C3PAO or DIBCAC assessment.","5.frameworks\u002Fcmmc\u002Fassessment-process","yKDypkTFwQoLdWiTOACXalnWiwTYLKu-4YYu3A5uDlU",{"id":1378,"title":1379,"body":1380,"description":1833,"extension":133,"faq":1834,"frameworkSlug":139,"lastUpdated":134,"meta":1848,"navigation":136,"path":1849,"relatedTerms":1850,"relatedTopics":1853,"seo":1855,"stem":1858,"__hash__":1859},"frameworkTopics\u002F5.frameworks\u002Fcmmc\u002Fcui-handling.md","CUI Handling Under 
CMMC",{"type":7,"value":1381,"toc":1814},[1382,1386,1389,1392,1396,1399,1403,1406,1411,1425,1431,1435,1443,1446,1487,1492,1496,1499,1503,1506,1541,1544,1548,1551,1583,1587,1590,1634,1637,1641,1644,1688,1692,1695,1727,1731,1738,1741,1745,1748,1751,1755,1805,1807],[10,1383,1385],{"id":1384},"cui-is-the-center-of-gravity-for-cmmc","CUI is the center of gravity for CMMC",[15,1387,1388],{},"CMMC exists because of CUI. The entire program — CMMC Level 2 requirements, CMMC Level 3 enhanced controls, DFARS 252.204-7012, NIST SP 800-171 — is built to protect Controlled Unclassified Information as it flows through the defense industrial base. Get CUI handling right and most of your CMMC obligations fall into place. Get it wrong and you fail assessments, miss contract awards, or worse, leak sensitive information that nation-state adversaries spend careers trying to collect.",[15,1390,1391],{},"This page walks through how to identify CUI, how to mark it, how to handle it, and how to scope your systems so CMMC assessors can see exactly where CUI lives in your environment.",[10,1393,1395],{"id":1394},"fci-vs-cui-the-bright-line","FCI vs CUI: the bright line",[15,1397,1398],{},"The first move in any CMMC program is distinguishing Federal Contract Information (FCI) from Controlled Unclassified Information (CUI). They are related but distinct categories with very different CMMC implications.",[19,1400,1402],{"id":1401},"federal-contract-information-fci","Federal Contract Information (FCI)",[15,1404,1405],{},"FCI is information provided by or generated for the government under a contract to develop or deliver a product or service — and that is not intended for public release. 
It excludes public-facing information (like contract award announcements) and simple transactional information (like invoices).",[15,1407,1408],{},[33,1409,1410],{},"Examples of FCI:",[27,1412,1413,1416,1419,1422],{},[30,1414,1415],{},"Internal correspondence about a DoD contract",[30,1417,1418],{},"Performance reports generated for the government under contract",[30,1420,1421],{},"Unclassified technical specifications shared to support a contract",[30,1423,1424],{},"Contract deliverables that have not been released publicly",[15,1426,1427,1430],{},[33,1428,1429],{},"CMMC impact:"," FCI triggers CMMC Level 1 — 17 practices, annual self-assessment.",[19,1432,1434],{"id":1433},"controlled-unclassified-information-cui","Controlled Unclassified Information (CUI)",[15,1436,1437,1438,121],{},"CUI is a narrower, more sensitive category. Under 32 CFR Part 2002, CUI is information the government creates or possesses — or that an entity creates or possesses for or on behalf of the government — that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. 
CUI is defined through the ",[117,1439,1442],{"href":1440,"rel":1441},"https:\u002F\u002Fwww.archives.gov\u002Fcui",[1340],"CUI Registry maintained by the National Archives",[15,1444,1445],{},"CUI categories relevant to defense contractors include:",[27,1447,1448,1454,1460,1465,1470,1475,1481],{},[30,1449,1450,1453],{},[33,1451,1452],{},"Controlled Technical Information (CTI)"," — technical data with military or space application",[30,1455,1456,1459],{},[33,1457,1458],{},"Export Controlled"," — information controlled under ITAR or EAR",[30,1461,1462],{},[33,1463,1464],{},"Naval Nuclear Propulsion Information (NNPI)",[30,1466,1467],{},[33,1468,1469],{},"Critical Infrastructure Security Information",[30,1471,1472],{},[33,1473,1474],{},"Operations Security Information",[30,1476,1477,1480],{},[33,1478,1479],{},"Procurement and Acquisition"," (specific subcategories)",[30,1482,1483,1486],{},[33,1484,1485],{},"Source Selection"," information during contract competitions",[15,1488,1489,1491],{},[33,1490,1429],{}," CUI triggers CMMC Level 2 at minimum. More sensitive CUI or critical programs trigger CMMC Level 3.",[19,1493,1495],{"id":1494},"the-relationship","The relationship",[15,1497,1498],{},"All CUI is also FCI. But not all FCI is CUI. If your contract involves CUI, you are automatically dealing with FCI too — and your CMMC level is set by the most sensitive category. That usually means CMMC Level 2, which includes the 17 Level 1 FCI practices by virtue of being built on top of them.",[10,1500,1502],{"id":1501},"cui-marking-and-identification","CUI marking and identification",[15,1504,1505],{},"Proper CUI marking is a government responsibility, but it is also the place where marking most often breaks down. 
The official rules under 32 CFR Part 2002 require:",[27,1507,1508,1523,1529,1535],{},[30,1509,1510,1513,1514,1518,1519,1522],{},[33,1511,1512],{},"Banner marking"," at the top of every page: ",[1515,1516,1517],"code",{},"CUI"," followed by applicable categories (e.g., ",[1515,1520,1521],{},"CUI\u002F\u002FSP-EXPT",")",[30,1524,1525,1528],{},[33,1526,1527],{},"Portion marking"," on individual paragraphs, charts, and attachments where CUI content appears",[30,1530,1531,1534],{},[33,1532,1533],{},"Source and decontrolling information"," in designated marking blocks",[30,1536,1537,1540],{},[33,1538,1539],{},"Distribution limitation statements"," where applicable",[15,1542,1543],{},"In practice, marking discipline varies widely. Many contractors receive unmarked information that meets the CUI definition. The safe posture is to treat unmarked-but-apparently-CUI information as CUI and confirm with the contracting officer. When in doubt, treat it as CUI — the cost of over-protection is far lower than the cost of an under-protected CUI spill.",[19,1545,1547],{"id":1546},"identifying-cui-you-already-have","Identifying CUI you already have",[15,1549,1550],{},"If you are not sure whether CUI lives in your environment today, start with these signals:",[27,1552,1553,1559,1565,1571,1577],{},[30,1554,1555,1558],{},[33,1556,1557],{},"DFARS 252.204-7012 in your contract."," If your contract includes 7012, the DoD has effectively told you CUI is present.",[30,1560,1561,1564],{},[33,1562,1563],{},"Drawings or technical data from government customers."," CTI is pervasive in engineering and manufacturing contracts.",[30,1566,1567,1570],{},[33,1568,1569],{},"Export-controlled markings."," ITAR or EAR controlled material is CUI.",[30,1572,1573,1576],{},[33,1574,1575],{},"Information labeled \"For Official Use Only\" (FOUO)."," FOUO is a legacy marking that in most cases has been reclassified as CUI under the current regime.",[30,1578,1579,1582],{},[33,1580,1581],{},"Source selection 
documents during contract competitions."," Source Selection Sensitive information is CUI while the competition is active.",[10,1584,1586],{"id":1585},"cui-access-controls-under-nist-sp-800-171","CUI access controls under NIST SP 800-171",[15,1588,1589],{},"NIST SP 800-171 — and therefore CMMC Level 2 — imposes specific access controls on CUI. The Access Control family (3.1) alone contains 22 requirements, many of which directly address how CUI is accessed. Key obligations include:",[27,1591,1592,1598,1604,1610,1616,1622,1628],{},[30,1593,1594,1597],{},[33,1595,1596],{},"Authorized users only."," Limit system access to authorized users, processes acting on behalf of authorized users, and authorized devices (3.1.1).",[30,1599,1600,1603],{},[33,1601,1602],{},"Least privilege."," Users should have only the access necessary to perform their duties (3.1.5).",[30,1605,1606,1609],{},[33,1607,1608],{},"Need-to-know enforcement."," Not every authorized user should see all CUI — access should be segmented by need.",[30,1611,1612,1615],{},[33,1613,1614],{},"Multifactor authentication."," MFA is required for local and network access to privileged accounts and for network access to non-privileged accounts (3.5.3); local logon to a non-privileged account is the only access the requirement leaves single-factor.",[30,1617,1618,1621],{},[33,1619,1620],{},"Encrypted mobile devices."," CUI on laptops, phones, and tablets must be encrypted with FIPS-validated cryptography (3.1.19).",[30,1623,1624,1627],{},[33,1625,1626],{},"Session controls."," Sessions must lock with a pattern-hiding display after a period of inactivity (3.1.10) and terminate automatically after a defined condition such as a timeout (3.1.11).",[30,1629,1630,1633],{},[33,1631,1632],{},"Remote access controls."," Remote access to CUI must be monitored and controlled, encrypted, and routed through managed access control points (3.1.12 through 3.1.14).",[15,1635,1636],{},"These requirements map to specific System and Communications Protection (3.13) controls as well, particularly FIPS-validated cryptography for CUI at rest and in transit.",[10,1638,1640],{"id":1639},"cui-handling-across-the-data-lifecycle","CUI handling across the data lifecycle",[15,1642,1643],{},"Good CUI handling covers the full lifecycle of the 
information:",[27,1645,1646,1652,1658,1664,1670,1676,1682],{},[30,1647,1648,1651],{},[33,1649,1650],{},"Receipt."," When CUI arrives from the government or a prime contractor, verify the marking, confirm the category, and route it to a CUI-authorized system.",[30,1653,1654,1657],{},[33,1655,1656],{},"Storage."," CUI lives only on systems inside your CMMC assessment boundary. That means encrypted storage with access controls — typically a FedRAMP Moderate-equivalent environment.",[30,1659,1660,1663],{},[33,1661,1662],{},"Processing."," Tools that process CUI (CAD software, ERP systems, email, collaboration platforms) need to be part of the CMMC boundary and configured to support the required controls.",[30,1665,1666,1669],{},[33,1667,1668],{},"Transmission."," CUI in transit requires FIPS-validated encryption. This affects email (S\u002FMIME or TLS 1.2+), file transfer (SFTP, HTTPS with appropriate cipher suites), and internal network traffic segments.",[30,1671,1672,1675],{},[33,1673,1674],{},"Sharing."," Before sharing CUI with anyone — employees, subcontractors, cloud vendors — verify they are authorized. For subcontractors, that means verifying their CMMC certification.",[30,1677,1678,1681],{},[33,1679,1680],{},"Retention."," CUI retention should follow contractual requirements. Over-retention expands risk; under-retention can breach contract terms.",[30,1683,1684,1687],{},[33,1685,1686],{},"Destruction."," CUI media must be sanitized before disposal or reuse, consistent with NIST SP 800-88 media sanitization guidelines.",[10,1689,1691],{"id":1690},"system-scoping-for-cmmc-cui-boundaries","System scoping for CMMC CUI boundaries",[15,1693,1694],{},"Scoping is where CMMC assessments most often go wrong. Your CMMC assessment boundary includes every system that processes, stores, or transmits CUI, plus every system that can affect the security of those systems. 
The DoD's CMMC Assessment Scope guidance categorizes assets into several buckets:",[27,1696,1697,1703,1709,1715,1721],{},[30,1698,1699,1702],{},[33,1700,1701],{},"CUI Assets."," Process, store, or transmit CUI directly. Fully in scope. All NIST SP 800-171 requirements apply.",[30,1704,1705,1708],{},[33,1706,1707],{},"Security Protection Assets."," Provide security services (firewalls, SIEM, identity providers) to CUI assets. In scope. Requirements apply based on function.",[30,1710,1711,1714],{},[33,1712,1713],{},"Contractor Risk Managed Assets."," Not required to support CUI protection but could impact it if compromised. Documented but not fully assessed.",[30,1716,1717,1720],{},[33,1718,1719],{},"Specialized Assets."," Government Furnished Equipment, IoT, OT, test equipment. Documented in the SSP with appropriate protections.",[30,1722,1723,1726],{},[33,1724,1725],{},"Out-of-Scope Assets."," Cannot process, store, or transmit CUI and cannot affect CUI confidentiality. Physically or logically isolated from CUI assets.",[19,1728,1730],{"id":1729},"the-enclave-strategy","The enclave strategy",[15,1732,1733,1734,1737],{},"Many organizations reduce their CMMC scope by creating a ",[33,1735,1736],{},"CUI enclave"," — a dedicated environment (physical, virtual, or cloud-based) where CUI is concentrated and the rest of the business sits outside the CMMC boundary. Microsoft 365 GCC High is the most common enclave choice for defense contractors, but purpose-built on-premises environments and specialized cloud services are also used.",[15,1739,1740],{},"Enclaves work when they are genuinely isolated. 
If CUI routinely leaves the enclave into unauthorized systems — pasted into a non-CUI email, stored on a non-CUI file share, accessed from a personal device — the enclave fails and the rest of the environment becomes in-scope.",[10,1742,1744],{"id":1743},"how-this-fits-into-your-cmmc-program","How this fits into your CMMC program",[15,1746,1747],{},"CUI handling is the thread that runs through every other CMMC topic. Your SSP describes how CUI is protected. Your assessment scope is defined by where CUI lives. Your subcontractor flow-down decisions depend on which subs see CUI. Your POA&M items are prioritized based on which gaps expose CUI. Your incident response obligations under DFARS 252.204-7012 center on CUI breach reporting.",[15,1749,1750],{},"Getting CUI handling right early — especially the scoping decisions — makes the rest of the program tractable. Getting it wrong means rework on a scale that can delay certification by months.",[10,1752,1754],{"id":1753},"common-mistakes","Common mistakes",[27,1756,1757,1763,1769,1775,1781,1787,1793,1799],{},[30,1758,1759,1762],{},[33,1760,1761],{},"Treating all FCI as CUI (or vice versa)."," Over-protection wastes resources; under-protection fails assessments. Classify accurately.",[30,1764,1765,1768],{},[33,1766,1767],{},"Accepting unmarked information without verification."," If it looks like CUI, treat it as CUI and confirm with the contracting officer.",[30,1770,1771,1774],{},[33,1772,1773],{},"Over-broad scoping."," Bringing every system into the CMMC boundary when an enclave strategy would isolate CUI to a fraction of the environment.",[30,1776,1777,1780],{},[33,1778,1779],{},"Under-broad scoping."," Declaring systems out of scope that in fact touch CUI. Assessors find this quickly and it turns into a finding.",[30,1782,1783,1786],{},[33,1784,1785],{},"Using commercial Microsoft 365 for CUI."," Commercial M365 does not meet FedRAMP Moderate equivalency for CUI. 
Organizations handling CUI need GCC High or an equivalent authorized environment.",[30,1788,1789,1792],{},[33,1790,1791],{},"Forgetting the CUI lifecycle."," Strong access controls on storage but weak controls on transmission, sharing, or destruction still leak CUI.",[30,1794,1795,1798],{},[33,1796,1797],{},"Ignoring paper and physical CUI."," CUI can exist on paper, on whiteboards, in physical drawings, and in conversations. Physical and procedural controls matter as much as technical ones.",[30,1800,1801,1804],{},[33,1802,1803],{},"Letting CUI leave the enclave."," The strongest enclave fails if users routinely copy CUI outside it. Technical controls plus user training plus monitoring are all required.",[10,1806,1332],{"id":1331},[15,1808,1809,1810,1813],{},"episki maps your CMMC assessment boundary as a first-class object. You declare which systems are CUI assets, security protection assets, or contractor risk managed assets, and the platform uses that scoping to focus evidence collection and control attestations where they matter. When a system moves in or out of scope, the impact on your NIST SP 800-171 score is visible immediately. For organizations using a CUI enclave strategy, episki tracks the enclave separately from the rest of the environment and supports the documentation an assessor will expect to see. 
",[117,1811,1341],{"href":1338,"rel":1812},[1340]," to map your CUI boundary.",{"title":123,"searchDepth":124,"depth":124,"links":1815},[1816,1817,1822,1825,1826,1827,1830,1831,1832],{"id":1384,"depth":124,"text":1385},{"id":1394,"depth":124,"text":1395,"children":1818},[1819,1820,1821],{"id":1401,"depth":129,"text":1402},{"id":1433,"depth":129,"text":1434},{"id":1494,"depth":129,"text":1495},{"id":1501,"depth":124,"text":1502,"children":1823},[1824],{"id":1546,"depth":129,"text":1547},{"id":1585,"depth":124,"text":1586},{"id":1639,"depth":124,"text":1640},{"id":1690,"depth":124,"text":1691,"children":1828},[1829],{"id":1729,"depth":129,"text":1730},{"id":1743,"depth":124,"text":1744},{"id":1753,"depth":124,"text":1754},{"id":1331,"depth":124,"text":1332},"Controlled Unclassified Information (CUI) under CMMC — FCI vs CUI, CUI marking, handling, access controls, and defining your CMMC system scope.",{"items":1835},[1836,1839,1842,1845],{"label":1837,"content":1838},"What is the difference between FCI and CUI?","FCI (Federal Contract Information) is any information provided by or generated for the government under contract that is not intended for public release. CUI (Controlled Unclassified Information) is more sensitive — information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. All CUI is FCI, but not all FCI is CUI. FCI triggers CMMC Level 1; CUI triggers Level 2 or higher.",{"label":1840,"content":1841},"Who is responsible for marking CUI?","The originator of the information — typically the government or the prime contractor on its behalf — is responsible for marking CUI. In practice, marking is often missing or inconsistent. Contractors receiving unmarked information that appears to meet the CUI definition should treat it as CUI and contact the contracting officer for confirmation.",{"label":1843,"content":1844},"Does CUI need to be encrypted?","Yes. 
NIST SP 800-171 requires FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI (3.13.11), which in practice means CUI at rest on mobile devices (3.1.19) and CUI in transit (3.13.8) on non-federal systems. CUI encryption is the one 3- or 5-point requirement that may still appear on a Level 2 POA&M, and only when encryption is already in place but is not FIPS-validated; a system with unencrypted CUI does not qualify for conditional certification.",{"label":1846,"content":1847},"Can CUI be stored in standard Microsoft 365 or Google Workspace?","Generally no. Even where a commercial tenant holds a FedRAMP authorization, DFARS 252.204-7012 also requires the cloud provider to support the clause's cyber incident reporting and forensic preservation obligations (paragraphs (c) through (g)), and export-controlled CUI adds US-person support and data residency requirements that commercial tenants do not guarantee. Organizations handling CUI typically need Microsoft 365 GCC High, Google Workspace with specific FedRAMP authorizations, or a dedicated CUI enclave. Check the specific tenant's authorization and the provider's 7012 commitments before assuming coverage.",{},"\u002Fframeworks\u002Fcmmc\u002Fcui-handling",[1851,1852,146,148],"nist","data-classification",[1369,1371,1370,1854],"assessment-process",{"title":1856,"description":1857},"CUI Handling Under CMMC: FCI vs CUI, Marking, Scoping, and Controls","How to identify, mark, handle, and scope Controlled Unclassified Information (CUI) for CMMC compliance. 
FCI vs CUI explained, access control requirements, and common scoping mistakes.","5.frameworks\u002Fcmmc\u002Fcui-handling","079g6EcUkr3PREZ49XZw_WBF023HlI6VeB_1h_OdPak",{"id":1861,"title":1862,"advantages":1863,"body":1885,"checklist":2293,"cta":2302,"description":123,"extension":133,"faq":2305,"hero":2323,"lastUpdated":2338,"meta":2339,"name":2340,"navigation":136,"path":2341,"resources":2342,"seo":2355,"slug":139,"stats":2358,"stem":2368,"__hash__":2369},"frameworks\u002F5.frameworks\u002Fcmmc.md","Cmmc",[1864,1871,1878],{"title":1865,"description":1866,"bullets":1867},"NIST 800-171 control mapping","Every CMMC Level 2 practice is linked to its NIST SP 800-171 source requirement with pre-written narratives.",[1868,1869,1870],"14 control families mapped to 110 security requirements","AI-drafted implementation narratives and testing procedures","Gap analysis highlights missing controls before your assessment",{"title":1872,"description":1873,"bullets":1874},"Assessment preparation workspace","Whether you self-assess or engage a C3PAO, episki organizes evidence and scoring in one place.",[1875,1876,1877],"POA&M tracking with 180-day close-out reminders","Scoring methodology aligned to DoD assessment guide","Assessor portal with scoped read-only access",{"title":1879,"description":1880,"bullets":1881},"Cross-framework reuse","Controls mapped to CMMC automatically satisfy overlapping NIST CSF, ISO 27001, and FedRAMP requirements.",[1882,1883,1884],"Unified control graph eliminates duplicate documentation","Evidence collected once, reused across every framework","Framework coverage dashboard shows gaps at a glance",{"type":7,"value":1886,"toc":2276},[1887,1891,1894,1897,1901,1908,1919,1930,1934,1942,1974,1977,1981,1993,2004,2007,2010,2027,2040,2043,2047,2050,2060,2066,2070,2085,2088,2092,2100,2126,2130,2157,2161,2169,2173,2180,2184,2192,2196,2199,2237,2241,2273],[10,1888,1890],{"id":1889},"what-is-cmmc","What is CMMC?",[15,1892,1893],{},"The Cybersecurity Maturity 
Model Certification (CMMC) is the Department of Defense's verification program for ensuring that every organization in the defense industrial base adequately protects sensitive federal information. CMMC takes the cybersecurity standards the DoD has required for years and turns them into a verifiable certification that contractors must hold before a contract can be awarded.",[15,1895,1896],{},"Before CMMC, defense contractors were expected to comply with DFARS clause 252.204-7012 and the 110 security requirements in NIST SP 800-171 on the honor system. They self-attested. A 2018 DoD Inspector General report and the 2019 MITRE \"Deliver Uncompromised\" study both found the self-attestation model was failing — contractors claimed compliance they had not achieved, and nation-state adversaries were quietly stealing terabytes of Controlled Unclassified Information (CUI) from the supply chain. CMMC is the DoD's response: instead of trust, the Pentagon now requires verification.",[19,1898,1900],{"id":1899},"cmmc-10-to-cmmc-20","CMMC 1.0 to CMMC 2.0",[15,1902,1903,1904,1907],{},"The first version of CMMC — sometimes called CMMC 1.0 — was announced in January 2020. It had ",[33,1905,1906],{},"five maturity levels",", added its own unique practices and maturity processes on top of NIST SP 800-171, and would have required third-party assessment for almost everyone in the defense supply chain. Industry pushback was substantial. Small businesses said the compliance burden was unaffordable. Cybersecurity teams argued that the custom CMMC practices and \"maturity processes\" diverged from established standards without clear security benefit.",[15,1909,1910,1911,1914,1915,1918],{},"In November 2021 the DoD announced ",[33,1912,1913],{},"CMMC 2.0",", a streamlined successor. CMMC 2.0 collapsed the five levels into ",[33,1916,1917],{},"three",", eliminated the custom CMMC practices, and aligned Level 2 directly with NIST SP 800-171 so there is no daylight between the two. 
It also re-introduced self-assessment as a compliance path for many contracts — a concession to cost that CMMC 1.0 did not allow.",[15,1920,1921,1922,1925,1926,1929],{},"The CMMC 2.0 program rule (32 CFR Part 170) was published in the Federal Register on October 15, 2024, and took effect on ",[33,1923,1924],{},"December 16, 2024",". The companion DFARS rule (48 CFR) was published on September 10, 2025, and took effect on ",[33,1927,1928],{},"November 10, 2025"," — the moment CMMC moved from a program on paper to an enforceable contract requirement. When we talk about \"CMMC\" today, we mean CMMC 2.0 as enforced through DFARS.",[19,1931,1933],{"id":1932},"the-three-cmmc-levels","The three CMMC levels",[15,1935,1936,1937,1941],{},"CMMC uses a tiered model so that a small contractor handling a bill of materials gets a proportionate requirement, while a prime contractor engineering a weapons system gets a much heavier one. Each CMMC level builds on the one below it. ",[117,1938,1940],{"href":1939},"\u002Fframeworks\u002Fcmmc\u002Flevels","See the full breakdown of CMMC levels"," for control counts, assessment types, and scoping rules.",[27,1943,1944,1954,1964],{},[30,1945,1946,1949,1950,1953],{},[33,1947,1948],{},"Level 1 — Foundational."," Covers the basic safeguarding of Federal Contract Information (FCI). It requires the 15 basic safeguarding requirements of FAR 52.204-21, which earlier CMMC model documents split into the 17 practices that many CMMC guides still cite. Any organization that processes FCI under a DoD contract must meet Level 1. It is verified through an ",[33,1951,1952],{},"annual self-assessment"," with a senior official affirming the results in the Supplier Performance Risk System (SPRS).",[30,1955,1956,1959,1960,1963],{},[33,1957,1958],{},"Level 2 — Advanced."," Protects Controlled Unclassified Information (CUI). It requires all ",[33,1961,1962],{},"110 security requirements"," from NIST SP 800-171 Rev 2 across 14 control families. 
Level 2 has two assessment paths — self-assessment for less sensitive CUI, and third-party C3PAO assessment for more sensitive CUI or critical programs. Level 2 is where most defense contractors will land.",[30,1965,1966,1969,1970,1973],{},[33,1967,1968],{},"Level 3 — Expert."," Reserved for the most sensitive DoD programs where advanced persistent threats are a credible risk. It includes every Level 2 requirement ",[33,1971,1972],{},"plus 24 enhanced requirements"," selected from NIST SP 800-172. Level 3 is verified through a government-led DIBCAC assessment and requires a valid Level 2 C3PAO certification as a prerequisite.",[15,1975,1976],{},"The CMMC level you need is determined by the specific solicitation or contract — not by company size or industry. A small engineering firm with a CUI-sensitive subcontract may need Level 2 C3PAO, while a larger prime on a less sensitive contract may only need Level 1.",[19,1978,1980],{"id":1979},"nist-sp-800-171-is-the-heart-of-cmmc","NIST SP 800-171 is the heart of CMMC",[15,1982,1983,1984,1987,1988,1992],{},"CMMC Level 2 is a ",[33,1985,1986],{},"direct one-to-one mapping"," to NIST SP 800-171 Rev 2. There are no extra practices, no CMMC-specific maturity processes, no layered-on requirements. Every CMMC Level 2 practice corresponds to a single NIST SP 800-171 security requirement. This alignment was intentional: it made CMMC easier to implement and easier to audit, and it meant organizations that had been working toward ",[117,1989,1991],{"href":1990},"\u002Fglossary\u002Fnist","NIST"," SP 800-171 compliance since 2017 did not have to start over.",[15,1994,1995,1996,2000,2001,2003],{},"The 110 requirements are organized into 14 control families including Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, System and Communications Protection, and System and Information Integrity. 
CMMC Level 3 layers 24 additional enhanced requirements on top, drawn from NIST SP 800-172. ",[117,1997,1999],{"href":1998},"\u002Fframeworks\u002Fcmmc\u002Fnist-800-171-mapping","See the detailed NIST SP 800-171 mapping"," for the full control family breakdown and cross-framework overlap with ",[117,2002,86],{"href":359}," and ISO 27001.",[19,2005,2006],{"id":1371},"Who needs CMMC?",[15,2008,2009],{},"Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract will need CMMC certification. That is a much broader population than \"defense contractors\" in the traditional sense. CMMC applies to:",[27,2011,2012,2015,2018,2021,2024],{},[30,2013,2014],{},"Prime contractors holding contracts directly with the DoD",[30,2016,2017],{},"Subcontractors at every tier in the supply chain",[30,2019,2020],{},"Cloud service providers hosting DoD contractor data",[30,2022,2023],{},"Managed service providers and IT vendors with access to FCI or CUI",[30,2025,2026],{},"Foreign suppliers in the defense industrial base handling covered information",[15,2028,2029,2030,2034,2035,2039],{},"CMMC flow-down is one of the most important operational realities. If a prime contractor shares CUI with a subcontractor, that subcontractor must hold the same CMMC level. If that subcontractor further shares CUI with a tier-three supplier, the tier-three supplier must also be certified. CMMC's reach extends deep into the supply chain. 
",[117,2031,2033],{"href":2032},"\u002Fframeworks\u002Fcmmc\u002Fwho-needs-cmmc","See who needs CMMC"," for detailed scoping guidance, and our ",[117,2036,2038],{"href":2037},"\u002Findustry\u002Fgovernment","government industry page"," for broader public-sector compliance context.",[15,2041,2042],{},"Roughly 80,000 organizations are expected to pursue CMMC Level 2, and a few thousand the most stringent CMMC Level 3 — numbers from the DoD's own economic analysis of the CMMC rule.",[19,2044,2046],{"id":2045},"the-cmmc-assessment-process","The CMMC assessment process",[15,2048,2049],{},"CMMC assessments come in three flavors that align to the three CMMC levels: self-assessment, C3PAO third-party assessment, and DIBCAC government-led assessment. Regardless of type, the assessment methodology is the same — scoring is based on the DoD Assessment Methodology and NIST SP 800-171A objectives.",[15,2051,2052,2053,2055,2056,2059],{},"A CMMC Level 2 C3PAO assessment typically runs through five stages: scoping, readiness review, evidence collection and review, on-site or virtual assessment, and scoring with any final findings. A Level 2 assessment starts with a score of 110 and subtracts points for each unmet objective. A score of 110 yields full certification. A score of ",[33,2054,1183],{}," with remaining gaps documented in a Plan of Action and Milestones (POA&M) yields a ",[33,2057,2058],{},"conditional"," certification with a 180-day remediation window. 
A score below 88 yields no certification at all.",[15,2061,2062,2065],{},[117,2063,2064],{"href":1364},"See the full CMMC assessment process"," for scoring details, POA&M rules, and what you can and cannot defer.",[19,2067,2069],{"id":2068},"c3paos-and-certified-assessors","C3PAOs and certified assessors",[15,2071,2072,2073,2076,2077,2080,2081,2084],{},"Third-party CMMC assessments are conducted by ",[33,2074,2075],{},"CMMC Third-Party Assessment Organizations (C3PAOs)"," accredited by the Cyber AB (the Cyber Accreditation Body, formerly the CMMC Accreditation Body). C3PAOs employ ",[33,2078,2079],{},"Certified CMMC Assessors (CCAs)"," and ",[33,2082,2083],{},"Certified CMMC Professionals (CCPs)"," who conduct the actual assessment work. CCAs must pass a certification exam administered by the Cyber AB and complete ongoing professional development.",[15,2086,2087],{},"The pool of accredited C3PAOs is deliberately limited — growing from just a handful at the start of 2024 to several dozen by early 2026. That scarcity matters. As CMMC Phase 2 enforcement begins in November 2026 and more contracts require C3PAO assessment, assessor availability will tighten. Organizations that wait to begin CMMC preparation until a contract requires it will likely find assessment slots booked six to twelve months out.",[19,2089,2091],{"id":2090},"cmmc-implementation-timeline","CMMC implementation timeline",[15,2093,2094,2095,2099],{},"CMMC enforcement follows a four-phase rollout under the DFARS rule. The rollout gradually expands CMMC requirements over four years so the assessor ecosystem can scale and contractors have time to prepare. ",[117,2096,2098],{"href":2097},"\u002Fframeworks\u002Fcmmc\u002Fimplementation-timeline","See the full CMMC implementation timeline"," for dates and milestones.",[27,2101,2102,2108,2114,2120],{},[30,2103,2104,2107],{},[33,2105,2106],{},"Phase 1 (November 2025 – November 2026)."," Active now. 
CMMC Level 1 and Level 2 self-assessments appear as conditions of award in select solicitations. A limited number of contracts require Level 2 C3PAO assessments at DoD discretion.",[30,2109,2110,2113],{},[33,2111,2112],{},"Phase 2 (November 2026 – November 2027)."," CMMC Level 2 C3PAO certification requirements expand significantly. Level 3 requirements begin appearing in select solicitations.",[30,2115,2116,2119],{},[33,2117,2118],{},"Phase 3 (November 2027 – November 2028)."," CMMC Level 2 and Level 3 requirements appear broadly across applicable DoD contracts.",[30,2121,2122,2125],{},[33,2123,2124],{},"Phase 4 (November 2028 onward)."," All DoD contracts requiring FCI or CUI handling include the appropriate CMMC level as a condition of award. Full CMMC enforcement.",[19,2127,2129],{"id":2128},"cmmc-and-dfars","CMMC and DFARS",[15,2131,2132,2133,2136,2137,2080,2140,2143,2144,2147,2148,2152,2153,121],{},"CMMC is the certification. DFARS is the contractual mechanism that makes the certification binding. ",[33,2134,2135],{},"DFARS 252.204-7012"," has required safeguarding of covered defense information and rapid incident reporting since 2017. ",[33,2138,2139],{},"DFARS 252.204-7019",[33,2141,2142],{},"-7020"," added the requirement to post NIST SP 800-171 assessment scores to SPRS. ",[33,2145,2146],{},"DFARS 252.204-7021",", effective November 10, 2025, added the requirement to hold the specific CMMC level called out in the solicitation before contract award. ",[117,2149,2151],{"href":2150},"\u002Fframeworks\u002Fcmmc\u002Fdfars-relationship","See how CMMC and DFARS relate"," for the full clause-by-clause picture. 
For blog-length coverage of DFARS and CMMC in context, see our ",[117,2154,2156],{"href":2155},"\u002Fnow\u002Fcompliance-framework-comparison","compliance framework comparison",[19,2158,2160],{"id":2159},"self-assessment-vs-third-party-assessment","Self-assessment vs third-party assessment",[15,2162,2163,2164,2168],{},"Not every CMMC obligation requires bringing in a C3PAO. CMMC Level 1 is always a self-assessment. CMMC Level 2 splits — some contracts accept self-assessment, and some require C3PAO certification. CMMC Level 3 is always government-led by DIBCAC. Self-assessment is cheaper and faster, but it comes with False Claims Act exposure if the attestation misrepresents your posture. Third-party CMMC assessment is more expensive but produces a defensible certification. ",[117,2165,2167],{"href":2166},"\u002Fframeworks\u002Fcmmc\u002Fself-assessment-vs-third-party","Compare CMMC self-assessment vs third-party"," to decide which applies to you and how to budget.",[19,2170,2172],{"id":2171},"handling-cui-the-cmmc-way","Handling CUI the CMMC way",[15,2174,2175,2176,2179],{},"Controlled Unclassified Information sits at the center of CMMC Level 2 and CMMC Level 3. Identifying CUI in your environment, marking it correctly, applying the right access controls, and documenting the CUI boundary are all preconditions for a successful CMMC assessment. FCI and CUI are not the same thing, and the differences drive which CMMC level you need. ",[117,2177,2178],{"href":1849},"See CUI handling under CMMC"," for marking rules, scoping guidance, and common mistakes.",[19,2181,2183],{"id":2182},"subcontractor-requirements","Subcontractor requirements",[15,2185,2186,2187,2191],{},"CMMC flow-down affects nearly every defense prime. If you share FCI or CUI with a subcontractor, the subcontractor must hold the required CMMC level before you share the data. 
That means primes need to track subcontractor CMMC status across their supply chain, verify SPRS entries, and plan for the long tail of small suppliers that may not have started their CMMC journey. ",[117,2188,2190],{"href":2189},"\u002Fframeworks\u002Fcmmc\u002Fsubcontractor-requirements","See CMMC subcontractor requirements"," for the full flow-down model and how to reduce the burden.",[19,2193,2195],{"id":2194},"getting-cmmc-ready","Getting CMMC ready",[15,2197,2198],{},"CMMC readiness is not a last-mile sprint. Most organizations need 6 to 18 months to close gaps across all 110 NIST SP 800-171 requirements and prepare for CMMC Level 2. The high-leverage moves to start today:",[420,2200,2201,2207,2213,2219,2225,2231],{},[30,2202,2203,2206],{},[33,2204,2205],{},"Scope your CMMC environment."," Map where FCI and CUI enter, flow through, and are stored in your systems. Your CMMC assessment boundary is only as good as your scoping work.",[30,2208,2209,2212],{},[33,2210,2211],{},"Complete your SSP."," A System Security Plan that documents every NIST SP 800-171 requirement — implementation status, responsible party, and evidence reference — is the backbone of any CMMC assessment.",[30,2214,2215,2218],{},[33,2216,2217],{},"Submit a SPRS score."," Even before any contract requires CMMC, a current SPRS score demonstrates good faith and exposes gaps early. DoD agencies increasingly reference SPRS scores in source selection.",[30,2220,2221,2224],{},[33,2222,2223],{},"Stand up a POA&M register."," Track every gap with an owner, a remediation plan, and a 180-day countdown. CMMC conditional certification lives or dies on POA&M closure.",[30,2226,2227,2230],{},[33,2228,2229],{},"Review your flow-down."," Inventory every subcontractor, cloud service provider, and managed service provider that touches FCI or CUI. 
Confirm they are on their own CMMC path.",[30,2232,2233,2236],{},[33,2234,2235],{},"Schedule a readiness review."," A mock CMMC assessment — internal or with a consultant or C3PAO — surfaces problems while there is still time to fix them.",[19,2238,2240],{"id":2239},"common-cmmc-challenges","Common CMMC challenges",[27,2242,2243,2249,2255,2261,2267],{},[30,2244,2245,2248],{},[33,2246,2247],{},"Scoping complexity."," Determining which systems, people, and processes handle CUI is often the hardest first step and the source of the most CMMC assessment rework.",[30,2250,2251,2254],{},[33,2252,2253],{},"NIST SP 800-171 gaps."," Many contractors self-attested NIST SP 800-171 compliance for years but never closed all 110 requirements. CMMC exposes that gap.",[30,2256,2257,2260],{},[33,2258,2259],{},"POA&M management."," Tracking remediation across teams within a 180-day window is hard without tooling. CMMC conditional certifications are revoked when POA&Ms go stale.",[30,2262,2263,2266],{},[33,2264,2265],{},"Subcontractor flow-down."," Primes must verify subcontractor CMMC status continuously, not once at onboarding.",[30,2268,2269,2272],{},[33,2270,2271],{},"Evidence organization."," A CMMC assessment can touch hundreds of evidence artifacts. 
Without a single source of truth, assessors burn billable hours chasing documents.",[15,2274,2275],{},"A structured approach that maps controls to NIST SP 800-171, reuses evidence across CMMC and other frameworks, tracks POA&M progress, and monitors the assessment timeline removes most of this friction — and that is exactly what the episki CMMC workspace is designed for.",{"title":123,"searchDepth":124,"depth":124,"links":2277},[2278],{"id":1889,"depth":124,"text":1890,"children":2279},[2280,2281,2282,2283,2284,2285,2286,2287,2288,2289,2290,2291,2292],{"id":1899,"depth":129,"text":1900},{"id":1932,"depth":129,"text":1933},{"id":1979,"depth":129,"text":1980},{"id":1371,"depth":129,"text":2006},{"id":2045,"depth":129,"text":2046},{"id":2068,"depth":129,"text":2069},{"id":2090,"depth":129,"text":2091},{"id":2128,"depth":129,"text":2129},{"id":2159,"depth":129,"text":2160},{"id":2171,"depth":129,"text":2172},{"id":2182,"depth":129,"text":2183},{"id":2194,"depth":129,"text":2195},{"id":2239,"depth":129,"text":2240},{"title":2294,"description":2295,"items":2296},"CMMC readiness checklist inside episki","Everything is preloaded in your free trial so you can start scoping your assessment and closing gaps immediately.",[2297,2298,2299,2300,2301],"NIST SP 800-171 control library with mapped CMMC practices","Level 1, 2, and 3 scoping guidance and practice sets","POA&M register with risk-ranked remediation priorities","System Security Plan (SSP) template with AI drafting","Evidence library organized by control family",{"title":2303,"description":2304},"Launch your CMMC workspace today","Import your NIST 800-171 controls, map them to CMMC levels, and start closing gaps before your next assessment.",{"title":2306,"items":2307},"CMMC frequently asked questions",[2308,2311,2314,2317,2320],{"label":2309,"content":2310},"What is CMMC 2.0?","CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's program for verifying that defense contractors protect 
Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The final program rule took effect December 16, 2024, and DFARS contract enforcement began November 10, 2025.",{"label":2312,"content":2313},"What are the three CMMC levels?","Level 1 requires 17 basic safeguarding practices for FCI based on FAR 52.204-21. Level 2 requires 110 security practices aligned to NIST SP 800-171 Rev 2 for CUI. Level 3 adds 24 enhanced practices from NIST SP 800-172 for the most sensitive programs. Each level builds on the one below it.",{"label":2315,"content":2316},"How much does CMMC certification cost?","Costs vary by level and organization size. Level 1 requires only an annual self-assessment. Level 2 self-assessments are free but require significant preparation effort. Level 2 C3PAO assessments typically range from $50,000 to $150,000+ depending on scope. episki reduces preparation costs by automating evidence collection and control documentation.",{"label":2318,"content":2319},"When will CMMC be required in contracts?","CMMC is being phased into DoD contracts over four phases. Phase 1 began November 10, 2025, requiring Level 1 and Level 2 self-assessments in select solicitations. Phase 2 (November 2026) expands Level 2 C3PAO requirements. Phase 3 (November 2027) adds Level 3. By Phase 4 (November 2028), all applicable DoD contracts will require the appropriate CMMC level.",{"label":2321,"content":2322},"Who needs CMMC certification?","Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract needs CMMC certification. This includes prime contractors, subcontractors at all tiers, and cloud service providers hosting DoD data. 
The required level depends on the sensitivity of information handled.",{"headline":2324,"title":2325,"description":2326,"links":2327},"CMMC without the guesswork","Get assessment-ready for CMMC without rebuilding your security program","episki maps NIST SP 800-171 and 800-172 controls to CMMC levels, automates evidence collection, and keeps your POA&M current so your team can focus on winning contracts.",[2328,2331],{"label":2329,"icon":2330,"to":1338},"Start CMMC trial","i-lucide-rocket",{"label":2332,"icon":2333,"color":2334,"variant":2335,"to":2336,"target":2337},"Book a demo","i-lucide-message-circle","neutral","subtle","\u002Fdemo","_blank","2026-04-27",{},"CMMC","\u002Fframeworks\u002Fcmmc",{"headline":2343,"title":2343,"description":2344,"items":2345},"CMMC acceleration resources","Give leadership and contracting officers visibility into your cybersecurity posture at every stage.",[2346,2349,2352],{"title":2347,"description":2348},"Executive scorecard","Translate control work into CMMC readiness percentages and contract eligibility status.",{"title":2350,"description":2351},"Assessment readiness kit","Pre-assessment checklist, evidence package review, and mock scoring aligned to DIBCAC methodology.",{"title":2353,"description":2354},"Subcontractor flow-down tracker","Monitor which subcontractors need their own CMMC certification and track their progress.",{"title":2356,"description":2357},"CMMC Compliance Software","Prepare for CMMC Level 1, 2, and 3 assessments with pre-mapped NIST 800-171 controls, automated evidence collection, and C3PAO-ready workspaces. 
Start your free 14-day trial.",[2359,2362,2365],{"value":2360,"description":2361},"3 maturity levels","Pre-mapped practices for Level 1, Level 2, and Level 3 with assessment-type guidance for each.",{"value":2363,"description":2364},"110 practices","Full NIST SP 800-171 Rev 2 control set mapped to CMMC Level 2 objectives out of the box.",{"value":2366,"description":2367},"Phase 1 live now","DFARS enforcement began November 2025. Level 1 and Level 2 self-assessments already required in select solicitations.","5.frameworks\u002Fcmmc","p5hUeZMYUGNFyYF4xjERSy0kHoJW_1ZFhsORUKeU3is",{"id":2371,"title":2372,"body":2373,"comparison":2464,"competitorA":2509,"competitorB":2510,"cta":2511,"description":123,"extension":133,"faq":1362,"hero":2514,"lastUpdated":2338,"meta":2522,"navigation":136,"path":2523,"seo":2524,"slug":2527,"slugA":2528,"slugB":2529,"stem":2530,"verdict":2531,"__hash__":2535},"compareVs\u002F7.compare\u002Fvs\u002Fdrata-vs-secureframe.md","Drata Vs Secureframe",{"type":7,"value":2374,"toc":2454},[2375,2379,2382,2386,2389,2395,2398,2402,2405,2408,2411,2415,2418,2421,2425,2428,2431,2435,2438,2441,2445,2448,2451],[10,2376,2378],{"id":2377},"drata-vs-secureframe-the-closest-comparison-in-compliance","Drata vs Secureframe: the closest comparison in compliance",[15,2380,2381],{},"If Vanta is the 800-pound gorilla, Drata and Secureframe are the two challengers most often compared against each other. They target similar buyers, cover similar frameworks, and offer similar automation. The differences are real but subtle — and they matter most in how your team experiences the platform day to day.",[19,2383,2385],{"id":2384},"feature-parity-with-different-emphasis","Feature parity with different emphasis",[15,2387,2388],{},"On paper, Drata and Secureframe look nearly identical. Both automate evidence collection, monitor your compliance posture continuously, support 15+ frameworks, and provide auditor-facing portals. 
The overlap is so significant that choosing between them often comes down to three factors: onboarding style, dashboard experience, and pricing.",[15,2390,2391,2394],{},[33,2392,2393],{},"Onboarding style"," is the clearest differentiator. Drata leans toward self-serve. The platform guides you through integration setup, control mapping, and evidence configuration with in-app workflows. For teams with compliance experience, this speed is an advantage — you can be operational in 1–2 weeks without waiting for a human to walk you through every step.",[15,2396,2397],{},"Secureframe takes the opposite approach. Every customer gets access to dedicated compliance managers who help interpret requirements, map controls to your environment, and prepare for audit. This white-glove model adds a week or two to implementation but dramatically reduces the learning curve for first-time audit teams.",[19,2399,2401],{"id":2400},"the-dashboard-question","The dashboard question",[15,2403,2404],{},"Drata's compliance dashboard is one of its signature features. The real-time posture view shows passing and failing controls across every framework, with compliance percentages and trend data. For compliance leads who report to a CISO or board, this visual layer simplifies status updates and makes it easy to demonstrate progress.",[15,2406,2407],{},"Secureframe also provides dashboards, but they feel more functional than visual. The platform surfaces actionable items — controls that need attention, evidence that's expiring, gaps to remediate — in a task-oriented format. It's effective, but it doesn't deliver the same at-a-glance executive view that Drata provides.",[15,2409,2410],{},"For teams that need board-ready compliance reporting, Drata has the edge. 
For teams that care more about daily workflow and task management, Secureframe's approach may feel more productive.",[19,2412,2414],{"id":2413},"integration-depth","Integration depth",[15,2416,2417],{},"Secureframe holds a slight advantage in integration count, with 150+ connections compared to Drata's 100+. The extra integrations primarily cover developer tools, identity providers, and security platforms. For teams running complex stacks with multiple CI\u002FCD pipelines, vulnerability scanners, and endpoint management tools, Secureframe's broader integration library means less manual evidence collection.",[15,2419,2420],{},"Drata's integrations, while fewer in number, tend to offer deeper configuration options for the platforms they do support. If your stack is standard — AWS or GCP, Okta or Google Workspace, GitHub, and a common HR tool — both platforms will serve you equally well.",[19,2422,2424],{"id":2423},"pricing-opacity","Pricing opacity",[15,2426,2427],{},"Neither Drata nor Secureframe publishes pricing. Both require a sales conversation to get a quote, and both scale based on team size, framework count, and contract terms. Based on market data, Drata typically starts around $10,000–$15,000\u002Fyr while Secureframe starts slightly lower at $8,000–$12,000\u002Fyr. At scale, both reach $30,000–$50,000\u002Fyr for larger organizations.",[15,2429,2430],{},"This pricing opacity creates a frustrating buying experience. You can't model costs internally before engaging sales. You can't easily compare options. And renewal conversations often involve price increases that are hard to predict at the time of initial purchase.",[19,2432,2434],{"id":2433},"where-both-platforms-struggle","Where both platforms struggle",[15,2436,2437],{},"The irony of comparing Drata and Secureframe is that their most significant limitations are shared. Both use pricing models that punish team growth. Both rely on templated control libraries that resist customization. 
Both treat policy documentation as a secondary concern — something generated through forms rather than crafted through a proper writing experience.",[15,2439,2440],{},"And both lock you into their workflow assumptions. If your compliance program doesn't map cleanly to their templates — if you run hybrid frameworks, need custom controls, or want to structure programs differently than the default — you'll spend time working around the platform instead of working within it.",[19,2442,2444],{"id":2443},"the-case-for-a-different-approach","The case for a different approach",[15,2446,2447],{},"When two products are this similar, the deciding factor often isn't which one is better — it's whether either one is the right category of tool for your needs. If you want maximum automation and are comfortable with enterprise pricing, Drata and Secureframe both deliver.",[15,2449,2450],{},"But if you want flat pricing at $500\u002Fmo, a Notion-like editor for compliance documentation, and the freedom to build programs that reflect how your team actually operates — episki offers something neither Drata nor Secureframe provides. No per-seat scaling. No opaque quotes. 
No templated policies that read like every other company's.",[15,2452,2453],{},"Just a workspace your compliance team will use daily, at a price that doesn't make your CFO wince.",{"title":123,"searchDepth":124,"depth":124,"links":2455},[2456],{"id":2377,"depth":124,"text":2378,"children":2457},[2458,2459,2460,2461,2462,2463],{"id":2384,"depth":129,"text":2385},{"id":2400,"depth":129,"text":2401},{"id":2413,"depth":129,"text":2414},{"id":2423,"depth":129,"text":2424},{"id":2433,"depth":129,"text":2434},{"id":2443,"depth":129,"text":2444},[2465,2470,2474,2479,2484,2489,2494,2499,2504],{"feature":2466,"competitorA":2467,"competitorB":2468,"episki":2469},"Pricing model","Custom pricing, typically starting around $10,000–$15,000\u002Fyr","Custom pricing, typically starting around $8,000–$12,000\u002Fyr","Flat $500\u002Fmo or $5,000\u002Fyr with unlimited seats",{"feature":2471,"competitorA":2472,"competitorB":2472,"episki":2473},"Framework coverage","SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and 15+ frameworks","SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, and custom frameworks",{"feature":2475,"competitorA":2476,"competitorB":2477,"episki":2478},"Automation depth","Automated evidence collection with real-time compliance dashboards","Automated monitoring with continuous evidence collection and alerts","AI-assisted drafting and structured workflows with manual evidence uploads",{"feature":2480,"competitorA":2481,"competitorB":2482,"episki":2483},"Integration count","100+ integrations covering major cloud and SaaS platforms","150+ integrations covering cloud, identity, HR, and developer tools","Growing integration library with focus on structured evidence reuse",{"feature":2485,"competitorA":2486,"competitorB":2487,"episki":2488},"Auditor collaboration","Auditor-facing portal with read-only access and evidence downloads","Auditor-ready evidence rooms with structured access controls","Built-in auditor portal with scoped access and Q&A 
threads",{"feature":2490,"competitorA":2491,"competitorB":2492,"episki":2493},"AI features","AI-assisted control mapping and compliance recommendations","AI-driven compliance recommendations and automated risk scoring","AI drafts policies, narratives, remediation steps, and questionnaire answers",{"feature":2495,"competitorA":2496,"competitorB":2497,"episki":2498},"Implementation time","1–3 weeks with self-serve setup and optional guided onboarding","2–3 weeks with guided onboarding and compliance expertise","Same-day setup with self-serve onboarding and optional demo",{"feature":2500,"competitorA":2501,"competitorB":2502,"episki":2503},"Support model","In-app chat, email support, and dedicated CSM for larger accounts","Dedicated compliance managers, email, and in-app support","Direct founder access, in-app chat, and shared Slack channels",{"feature":2505,"competitorA":2506,"competitorB":2507,"episki":2508},"Free trial","Demo-based sales process, limited free trial availability","Demo-based sales process, no public free trial","14-day free trial with full access, no credit card required","Drata","Secureframe",{"title":2512,"description":2513},"Skip the comparison. Try episki free.","14-day trial with full access. No credit card required.",{"headline":2515,"title":2516,"description":2517,"links":2518},"Drata vs Secureframe","Similar features, different approaches to compliance automation","Compare Drata and Secureframe across pricing, onboarding, and compliance workflows. Two closely matched platforms with subtle but important differences for your team.",[2519,2521],{"label":2520,"icon":2330,"to":1338},"Try episki free",{"label":2332,"icon":2333,"color":2334,"variant":2335,"to":2336,"target":2337},{},"\u002Fcompare\u002Fvs\u002Fdrata-vs-secureframe",{"title":2525,"description":2526},"Drata vs Secureframe (2026): Pricing, Features & Honest Comparison","Drata vs Secureframe compared on pricing, onboarding, framework coverage, and compliance automation. 
See which platform fits your team — or why neither might be the best choice.","drata-vs-secureframe","drata","secureframe","7.compare\u002Fvs\u002Fdrata-vs-secureframe",{"chooseA":2532,"chooseB":2533,"chooseEpiski":2534},"Choose Drata if you value self-serve speed and visual compliance dashboards. Drata gets you operational faster and provides the clearest real-time view of your compliance posture — ideal for teams with in-house compliance knowledge.","Choose Secureframe if you want more hands-on guidance from dedicated compliance managers. Secureframe's human-led onboarding is better for teams running their first audit without experienced GRC staff.","Choose episki if you want transparent pricing, a writing-first editor, and the flexibility to structure programs your way. episki is for teams that want to own their compliance narrative without paying enterprise prices.","-9bT-xU4uDSMSn9zCOtrDaYtPz87mkvNHS5pQ2bXDTw",{"id":2537,"title":2509,"advantages":2538,"body":2560,"comparison":2611,"competitor":2509,"cta":2638,"description":123,"extension":133,"hero":2641,"lastUpdated":2338,"meta":2650,"navigation":136,"path":2651,"seo":2652,"slug":2528,"stem":2655,"__hash__":2656},"compare\u002F7.compare\u002Fdrata.md",[2539,2546,2553],{"title":2540,"description":2541,"bullets":2542},"One flat price for everything","episki includes unlimited frameworks, teammates, and portals for a single monthly or annual fee. No tiers, no negotiations.",[2543,2544,2545],"Add frameworks without upgrading to a higher tier","Invite auditors, customers, and stakeholders at no extra cost","Predictable billing that does not scale with headcount",{"title":2547,"description":2548,"bullets":2549},"Connected programs and assessments","episki treats compliance as connected work. 
Programs, assessments, controls, tasks, and issues link together so nothing falls through the cracks.",[2550,2551,2552],"Run recurring programs and one-time assessments side by side","Tasks inherit context from parent controls and programs","Evidence attaches once and stays available across every framework",{"title":2554,"description":2555,"bullets":2556},"Fast, keyboard-driven workspace","episki is built for people who spend hours in the tool. Keyboard shortcuts, global search, and a rich editor make daily compliance work feel fast.",[2557,2558,2559],"Navigate between programs, controls, and evidence without lifting your hands","Inline editing for policies, narratives, and response drafts","Dark mode and responsive layout for any screen",{"type":7,"value":2561,"toc":2606},[2562,2566,2569,2572,2592,2596,2599,2603],[10,2563,2565],{"id":2564},"why-teams-evaluate-drata-alternatives","Why teams evaluate Drata alternatives",[15,2567,2568],{},"Drata has built a comprehensive compliance automation platform with strong automated evidence collection and a wide library of supported frameworks. 
It works well for organizations that want continuous monitoring with minimal manual intervention.",[15,2570,2571],{},"Some teams look for alternatives when they need:",[27,2573,2574,2580,2586],{},[30,2575,2576,2579],{},[33,2577,2578],{},"Simpler pricing"," — Drata's tiered pricing based on framework count and company size can make budgeting unpredictable, especially for organizations running multiple frameworks or growing quickly.",[30,2581,2582,2585],{},[33,2583,2584],{},"Unified program management"," — teams managing overlapping compliance programs want controls, evidence, and tasks connected across frameworks in a single workspace rather than managed as separate compliance tracks.",[30,2587,2588,2591],{},[33,2589,2590],{},"A daily-use workspace"," — compliance teams that spend significant time writing, reviewing, and collaborating want an editor and navigation experience that feels productive rather than transactional.",[10,2593,2595],{"id":2594},"when-drata-might-be-the-better-fit","When Drata might be the better fit",[15,2597,2598],{},"Drata is a strong choice for teams that prioritize automated continuous monitoring and need a platform with deep integration coverage across cloud, identity, HR, and development tools. If your primary concern is automating evidence collection and you operate in a well-defined framework like SOC 2 or ISO 27001, Drata's automation depth is compelling.",[10,2600,2602],{"id":2601},"when-episki-shines","When episki shines",[15,2604,2605],{},"episki is designed for teams that view compliance as ongoing, cross-functional work rather than a monitoring dashboard. 
If you run multiple programs, collaborate with auditors directly in the tool, and want a workspace that feels as fast as your engineering tools, episki delivers a different kind of compliance experience.",{"title":123,"searchDepth":124,"depth":124,"links":2607},[2608,2609,2610],{"id":2564,"depth":124,"text":2565},{"id":2594,"depth":124,"text":2595},{"id":2601,"depth":124,"text":2602},[2612,2614,2615,2619,2623,2626,2630,2634],{"feature":2466,"episki":2469,"competitor":2613},"Tiered pricing based on framework count and company size",{"feature":2471,"episki":2473,"competitor":2472},{"feature":2616,"episki":2617,"competitor":2618},"Control management","Linked control graph with cross-framework reuse and ownership","Control library with automated testing and monitoring",{"feature":2620,"episki":2621,"competitor":2622},"Evidence collection","Manual uploads with structured ownership and reuse across frameworks","Automated evidence collection with 100+ integrations",{"feature":2624,"episki":2493,"competitor":2625},"AI assistance","AI-powered compliance automation",{"feature":2627,"episki":2628,"competitor":2629},"Risk management","Risk registers with remediation tracking tied to controls","Built-in risk management with scoring and treatment plans",{"feature":2631,"episki":2632,"competitor":2633},"Editor experience","Notion-like rich text editor with inline editing","Structured forms and workflow-based interface",{"feature":2635,"episki":2636,"competitor":2637},"Collaboration","Built-in auditor portal, customer portals, and team workspaces","Auditor-facing dashboards and team collaboration features",{"title":2639,"description":2640},"Try episki side by side with Drata","Start a free trial with all features enabled. Import your controls and see the difference.",{"headline":2642,"title":2643,"description":2644,"links":2645},"episki vs Drata","How episki compares to Drata for compliance teams","A head-to-head on pricing, workflow design, and framework flexibility. 
See why teams that want a faster, more collaborative compliance workspace switch from Drata to episki.",[2646,2648],{"label":2647,"icon":2330,"to":1338},"Start free trial",{"label":2649,"icon":2333,"color":2334,"variant":2335,"to":2336,"target":2337},"See a live demo",{},"\u002Fcompare\u002Fdrata",{"title":2653,"description":2654},"episki vs Drata (2026): Pricing, Flexibility & Why Teams Switch","Compare episki and Drata on pricing, workflow design, and framework flexibility. See why compliance teams switch from Drata to episki.","7.compare\u002Fdrata","cEQX4ERRc-uB7nEUxB1Uik-1ODue4boobvNZiV8Xrvk",{"id":2658,"title":2659,"api":1362,"authors":2660,"body":2666,"category":2801,"date":2802,"description":2803,"extension":133,"features":1362,"fixes":1362,"highlight":1362,"image":2804,"improvements":1362,"meta":2806,"navigation":136,"path":2807,"seo":2808,"stem":2809,"__hash__":2810},"posts\u002F3.now\u002Ftips.md","Tips for Building a Strong Security Culture",[2661],{"name":2662,"to":2663,"avatar":2664},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":2665},"\u002Fimages\u002Fjustinleapline.png",{"type":7,"value":2667,"toc":2793},[2668,2671,2674,2677,2680,2684,2687,2690,2693,2697,2700,2712,2715,2719,2722,2725,2728,2732,2735,2738,2741,2745,2748,2751,2754,2758,2761,2764,2767,2772,2781,2788],[15,2669,2670],{},"You can have the best firewall on the market, a mature vulnerability management program, and a SOC running 24\u002F7 — and still be one phishing email away from a serious incident.",[15,2672,2673],{},"Not because your tools failed. Because your people weren't part of the security equation.",[15,2675,2676],{},"Security culture is the difference between an organization where employees see security as someone else's job and one where they actively contribute to it. 
Building that culture is one of the hardest things a security leader can do — and one of the most valuable.",[15,2678,2679],{},"Here's what actually works.",[10,2681,2683],{"id":2682},"start-with-leadership-not-policy","Start With Leadership, Not Policy",[15,2685,2686],{},"Security culture doesn't start with a training video or an acceptable use policy. It starts at the top.",[15,2688,2689],{},"When executives treat security as a business priority — when they ask about risk posture in board meetings, when they model good security behavior, when they make it clear that security matters — that signal travels through the organization. When they treat it as an IT problem that lives in a different department, that signal travels too.",[15,2691,2692],{},"CISOs who want to build strong security cultures spend time educating and engaging their executive peers, not just their own teams. They make security visible at the leadership level — not as a compliance obligation, but as a business value. That top-down commitment creates the permission structure that everything else depends on.",[10,2694,2696],{"id":2695},"make-security-relevant-to-each-teams-work","Make Security Relevant to Each Team's Work",[15,2698,2699],{},"One of the most common mistakes in security awareness programs is treating every employee the same. A developer, a finance analyst, and a customer service rep face completely different security risks in their day-to-day work — and generic training that doesn't acknowledge those differences gets tuned out quickly.",[15,2701,2702,2703,2707,2708,2711],{},"Effective security culture programs meet people where they are. They connect security concepts to the specific tasks, tools, and risks each team encounters. They explain not just ",[2704,2705,2706],"em",{},"what"," the policy says, but ",[2704,2709,2710],{},"why"," it matters in the context of that person's actual job. 
When a finance employee understands why wire transfer verification procedures exist — because of the real attacks that target exactly their role — the procedure stops feeling like bureaucracy and starts feeling like protection.",[15,2713,2714],{},"Relevance drives retention. Generic awareness drives compliance theater.",[10,2716,2718],{"id":2717},"reward-the-right-behaviors","Reward the Right Behaviors",[15,2720,2721],{},"Most security programs are designed to catch and punish failures — the employee who clicked the phishing link, the team that bypassed the approval process, the contractor who shared credentials. Consequence is a necessary part of any security program, but it's a poor foundation for culture.",[15,2723,2724],{},"Organizations with strong security cultures also celebrate the behaviors they want to see more of. They recognize employees who report suspicious emails, who raise security concerns in project planning, who push back on shortcuts that introduce risk. They create safe channels for people to admit mistakes without fear of blame, because transparency about near-misses is infinitely more valuable than silence about them.",[15,2726,2727],{},"Psychological safety is a security control. When people are afraid to report problems, problems don't get reported — they get discovered later, when they're much more expensive.",[10,2729,2731],{"id":2730},"integrate-security-into-existing-workflows","Integrate Security Into Existing Workflows",[15,2733,2734],{},"Security culture erodes when security is experienced as friction — a separate process, an additional approval, a tool that slows things down. It strengthens when security is built into how work already gets done.",[15,2736,2737],{},"This means embedding security checkpoints into product development cycles, not bolting them on at the end. It means making secure defaults the easy defaults, so the path of least resistance is also the more secure path. 
It means involving security early in new business initiatives, not bringing them in after decisions are already made.",[15,2739,2740],{},"The goal isn't to make security invisible — it's to make it natural. When a developer automatically considers threat modeling as part of design, or when a procurement team reflexively asks about vendor security as part of due diligence, culture is working.",[10,2742,2744],{"id":2743},"measure-what-matters-and-be-honest-about-it","Measure What Matters — and Be Honest About It",[15,2746,2747],{},"Security culture is notoriously hard to measure, which leads many organizations to measure the wrong things — training completion rates, phishing simulation click rates, policy acknowledgment counts. These metrics are easy to collect and tell you almost nothing about actual cultural change.",[15,2749,2750],{},"More meaningful signals include: How quickly do employees report suspicious activity? Are security concerns being raised earlier in project lifecycles? Is the volume of policy exception requests going up or down — and why? Are teams coming to security proactively, or only when required?",[15,2752,2753],{},"These measures require more effort to collect, but they reflect something real. And being honest about what the data shows — including the parts that reveal cultural gaps — is what allows leaders to make targeted interventions rather than repeat the same awareness programs and hope for different results.",[10,2755,2757],{"id":2756},"build-for-the-long-game","Build for the Long Game",[15,2759,2760],{},"Security culture isn't built in a quarter. It's built over years of consistent messaging, visible leadership commitment, relevant education, and reinforcement of the right behaviors. 
It erodes just as slowly — through apathy, through leadership turnover, through programs that go stale, through a security team that becomes adversarial rather than collaborative.",[15,2762,2763],{},"The organizations with the strongest security cultures treat it as an ongoing investment, not a one-time initiative. They revisit and refresh their programs regularly. They measure progress honestly. And they understand that every interaction between the security team and the rest of the business is an opportunity to either build or undermine the culture they're trying to create.",[15,2765,2766],{},"Technology protects systems. Culture protects organizations.",[15,2768,2769],{},[33,2770,2771],{},"Ready to build a security culture that actually sticks?",[15,2773,2774,2775,2780],{},"At ",[117,2776,2779],{"href":2777,"rel":2778},"https:\u002F\u002Fepiski.com",[1340],"Episki",", we help security leaders go beyond policies and awareness programs to build the organizational habits and leadership alignment that make security a shared value. If you're ready to make culture a core part of your security strategy, we'd love to talk.",[15,2782,2783],{},[117,2784,2787],{"href":2785,"rel":2786},"https:\u002F\u002Fepiski.com\u002Fcontact",[1340],"Let's talk →",[15,2789,2790],{},[2704,2791,2792],{},"Tools protect systems. Culture protects organizations.",{"title":123,"searchDepth":124,"depth":124,"links":2794},[2795,2796,2797,2798,2799,2800],{"id":2682,"depth":124,"text":2683},{"id":2695,"depth":124,"text":2696},{"id":2717,"depth":124,"text":2718},{"id":2730,"depth":124,"text":2731},{"id":2743,"depth":124,"text":2744},{"id":2756,"depth":124,"text":2757},"craft","2026-05-11","Security tools and policies only go so far. 
The organizations that are truly resilient are the ones where security is part of how everyone thinks — not just what the security team does.",{"src":2805},"\u002Fimages\u002Fblog\u002FTips.jpg",{},"\u002Fnow\u002Ftips",{"title":2659,"description":2803},"3.now\u002Ftips","LtzuWX4I6GxP-GCS8QRdhlQQW0iHXTak5_7evvpUeK8",1778494676043]