The Guides Library
The library
Every guide on the site, shelved by the decision in front of you. New guides join as they publish, and each carries its verified-date stamp. Prefer a sequence over a library? Take the Start Here path. Templates, workbooks, and official sources live in Free Resources.
If you read one thing: CMMC for macOS: What Defense Contractors Need to Know - where the program stands, what Level 2 requires, and how Macs fit.
Scoping & CUI
- CUI vs. FCI: How to Tell Them Apart and Handle Each Correctly - one decides 15 requirements, the other 110 - the definitions, markings, and handling differences.
- GCC vs. GCC High vs. Commercial Microsoft 365: What CMMC Level 2 Actually Requires - why the middle tier exists, and why CUI-handling tenants end up at GCC High for full defensibility.
- Can BYOD Macs Be Used in a CMMC Environment? - the honest options when personal Macs touch the boundary, and why most shops should decline.
- Vetting an MSP or ESP for CMMC: Questions to Ask Before You Sign - the questions that separate a provider that helps your assessment from one that complicates it.
- Mac Asset Classification for CMMC: CUI Asset, SPA, CRMA, or Out of Scope? - the five scoping categories as a working decision tree, with the Mac traps at each step.
macOS Controls & Baselines
- FIPS-Validated Encryption for CUI: Why Enabled Is Not Enough - "FileVault is on" is not a FIPS claim - module validation, current Apple certificates, and the SSP language.
- MFA for CMMC: How to Actually Satisfy IA.L2-3.5.3 on macOS - what counts, what does not, and how to evidence it without hand-waving.
- mSCP vs CIS vs STIG vs CMMC: Which Mac Baseline Should You Use? - three credible hardening baselines, one decision - compared for CMMC purposes.
- Boundary Protection on a Mac Fleet - control-vs-protect thinking applied to a Mac fleet’s network boundary.
MDM & the Management Plane
- Jamf vs. Intune vs. Kandji (Now Iru) for CMMC Mac Fleets - capability, hosting model, and boundary posture - the MDM decision with compliance in mind.
- Apple Business Manager and MDM for CMMC - ABM registration, supervised enrollment, and MDM - the trio nearly every Mac control inherits from.
Documentation & Assessment
- Writing a CMMC System Security Plan (SSP) That Survives Assessment - the entry ticket: structure, level of detail, and the failure modes that halt assessments.
- What a Mac SSP Narrative Needs for CMMC - scope, baseline source, enforcement mechanism, verification - the narrative anatomy.
- CMMC Documentation Options and Real Costs: DIY vs. Bundles vs. Consultants - DIY, templates, consultants, and platforms priced against each other, with verified numbers.
- CMMC Phase 2 Is Suspended. Your 800-171 Obligations Are Not. - the operative details of the July 2026 suspension, and what a small Mac shop actually changes.
Field Notes
- Why Blocking AI Is the Wrong CMMC Strategy (And What to Do Instead) - a blanket ban is not a control - the governance that satisfies the intent.
- What I Took Away From the 2026 NCMS Seminar - field notes from the 2026 NCMS seminar.
- Free macOS CMMC Resources - the official sources worth bookmarking, collected in one place.
Reference
- CMMC Acronyms, Decoded - the ecosystem, the clauses, scoping terms, and the Mac stack in one glossary.
- CMMC Level 2 Controls List - all 110 requirements with SPRS point weights and a Mac-first note per family.
- CMMC Key Dates & Compliance Clocks - the phase calendar and the recurring deadlines, on one page.
- Who Does What in CMMC: The Ecosystem Map - who does what: Cyber AB, C3PAOs, DIBCAC, DCMA - and the only one you actually hire.
- The DFARS Clauses Behind CMMC - 7012, 7019, 7020, 7021, and what the 2026 FAR overhaul changed.
The documentation these guides keep pointing at - SSP, policies, procedures, forms, workbooks, and the Mac overlay - is what the CMMC Operator Suite provides as a one-time purchase. The research layer here stays free.