CMMC Level 2 & DLA RD004/RD005

What Defense Contractors Must Know Now

The Department of Defense (DoD) and the Defense Logistics Agency (DLA) have entered a new enforcement phase. Updated CMMC Level 2 requirements and DLA clauses RD004 and RD005 now determine whether contractors are eligible to compete for and retain contracts involving Controlled Unclassified Information (CUI).

If your organization handles CUI, qualifying Level 2 status is required when CMMC clauses appear in solicitations. Cybersecurity eligibility is also increasingly verified prior to award, not addressed solely post-award.

What Changed

1. CMMC Is Now Embedded into Contract Eligibility

This means contractors must demonstrate qualifying CMMC status at time of award.¹

For companies handling CUI, CMMC Level 2 is now the primary compliance mechanism aligned to NIST SP 800-171.²

Unlike legacy NIST “self-attestation” concepts, compliance must now be:

Documented
Assessed under defined criteria
Recorded in SPRS
Annually affirmed

2. Clause Renumbering Is Creating Confusion

Simultaneously, the government is restructuring and renumbering portions of the FAR under the Revolutionary FAR Overhaul (RFO).³ A detailed crosswalk of legacy clauses, their renumbered counterparts, and their practical compliance implications is provided in Appendix 1.

This means:

“Old” and “new” clause numbers may both appear in solicitations
For new solicitations where CMMC applies, standalone NIST self-assessment reporting has largely been incorporated into the CMMC framework.
Primes and contracting officers are translating compliance requirements differently in questionnaires.

The technical controls may look familiar, but the enforcement mechanism has fundamentally changed.

CMMC Level 2 Requirements

CMMC Level 2 applies to contractors that store, process, or transmit CUI on non-federal systems.

It aligns to the 110 security requirements in NIST SP 800-171, with additional formal assessment structure defined in federal regulation.²

Under DFARS 252.204-7021, contractors must:

Hold a qualifying Level 2 status (Self-Assessment or C3PAO Assessment)
Record status in SPRS
Perform annual affirmation of continuous compliance (not older than 1 year)¹

SPRS now reflects compliance status, not just a raw NIST score. This status can determine award eligibility.

DLA RD004 and RD005 Requirements

The Defense Logistics Agency separates CMMC enforcement into two clauses:

RD004 – non-export-controlled CUI
RD005 – Export-controlled CUI

This distinction reflects increased national security sensitivity for export-controlled information.

DLA Phase-In Timeline

Clause	Applies To	Optional Phase	Mandatory Phase
RD004	Non-export-controlled CUI	11/10/2025–11/10/2028: Level 2 self-assessment may be used	After 11/10/2028: Level 2 self-assessment required in SPRS
RD005	Export-controlled CUI	11/10/2025–11/10/2028: C3PAO certification may be used	After 11/10/2028: C3PAO certification required in SPRS

These clauses apply to DLA-administered contracts and are reflected in DLA acquisition guidance.^4, ⁵

Important: Requiring activities retain discretion. Higher-risk programs may mandate stricter validation earlier.

Practical Implications for Defense Contractors

If your organization handles CUI:

Cybersecurity questionnaires now act as go/no-go gates
CMMC status can be verified prior to proposal evaluation¹
Self-assessments must meet SPRS criteria for Conditional or Final status¹
Export-controlled CUI programs will generally trend toward C3PAO certification^{2, 4}
Annual affirmation is mandatory under current rule structure¹

Being “secure in principle” is no longer sufficient. Compliance must be provable, consistent, and current.

Secure. Comply. Excel.

How Atlantic Digital Helps

Atlantic Digital aligns cybersecurity compliance to business strategy through a three-tier model built for defense contractors.

SECURE

Secure Start — Establish the Right Foundation: For organizations beginning or recalibrating their compliance posture.

We help you:

Confirm whether CUI and/or export-controlled data is in scope
Determine the correct CMMC target level
Define the appropriate assessment pathway
Avoid costly rework caused by mis-scoping

Outcome: A clear roadmap aligned to eligibility requirements.

COMPLY

ADvantage — Operationalize Compliance: For contractors who need defensible, repeatable execution.

We support:

Evidence mapping to CMMC Level 2 controls
RD004/RD005 applicability analysis
Questionnaire response standardization
Ongoing compliance monitoring

Outcome: A stable, audit-ready posture that holds up under scrutiny.

EXCEL

Premium — Executive Governance & Competitive Positioning: For organizations that treat compliance as strategic infrastructure.

We provide:

Ongoing vCISO oversight
Continuous compliance governance
C3PAO certification readiness planning
Executive reporting aligned to board and acquisition expectations

Outcome: Sustained eligibility and competitive differentiation.

Next Steps

If you handle CUI or pursue DoD/DLA contracts:

Confirm whether CMMC Level 2 applies
Determine whether RD004 or RD005 governs your contracts
Validate your SPRS status
Standardize cybersecurity questionnaire responses
Build a roadmap toward sustained compliance

Schedule a CMMC Eligibility Review

Sources

DFARS (in https://www.acquisition.gov/dfars/252.204-7021-contractor-compliance-cybersecurity-maturity-model-certification-level-requirements.
Code of Federal Regulations (in https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-170).
FAR Overhaul – FAR Part Deviation Guidance (in https://www.acquisition.gov/far-overhaul/far-part-deviation-guide/far-overhaul-part-52)
DLA Cybersecurity Resources for Suppliers (in https://www.dla.mil/Small-Business/Resource-Center/Cybersecurity-Resources/)
DLA Master List of Technical and Quality Requirements (in https://www.dla.mil/Portals/104/Documents/J7Acquisition/DLA_Master_List_of_TQ_Requirements_December_01_2025_Rev_41.pdf)

Appendix 1

Original clause or term	What It Maps To	What It Really Means
FAR 52.204-21	FAR 52.240-93 (class deviation under FAR overhaul)	Same 15 basic safeguarding requirements; clause number renumbered under the FAR overhaul (Acquisition 3).
DFARS 252.204-7019	No longer prescribed for new solicitations where CMMC applies; functionally superseded (may still appear on legacy contracts)	Previously required contractors to perform a NIST SP 800-171 self-assessment and upload a score to SPRS as a condition of award. This requirement has been eliminated as a standalone clause and absorbed into the CMMC framework, where self-assessments now support CMMC Level 1 or Level 2 status under DFARS 252.204-7021. (Acquisition 4; Acquisition 5).
DFARS 252.204-7020	DFARS 252.240-7997 (class deviation)	Formerly governed DoD Medium and High NIST SP 800-171 assessments and associated SPRS reporting. Under the FAR/DFARS restructuring, this clause was renumbered or replaced via class deviation, and its remaining assessment concepts are now aligned with CMMC Level 2 assessment types. Contractor-performed “basic assessments” were removed from this clause and are now addressed under DFARS 252.204-7021. (Wiley; Acquisition 4; Acquisition 5).
DFARS 252.204-7021	Unchanged	CMMC Level 2 requirement for systems handling CUI and linkage to CMMC assessments recorded in SPRS (Acquisition 4).
NIST SP 800-171 compliance	CMMC Level 2	Same 110 security requirements, plus formalized CMMC Level 2 assessment and documentation.
SPRS assessment record	CMMC Level 2 assessment status	Your posted NIST/CMMC score and whether it meets DoD criteria for “current” or “conditional” status in SPRS.

DoD Clarifies CMMC Applicability for Paper only CUI: What Contractors Need to Know

Earlier this month, the U.S. Department of Defense updated its Cybersecurity Maturity Model Certification (CMMC) Frequently Asked Questions (FAQ) to clarify the applicability of CMMC assessments when an organization handles Controlled Unclassified Information (CUI) in paper/hardcopy form only. This paper examines the substance of that clarification, its practical implications for defense contractors, and Atlantic Digital’s interpretation of the guidance in light of ongoing industry debate.

Executive Summary

The Department of Defense recently clarified that organizations handling Controlled Unclassified Information (CUI) exclusively in hardcopy form are not required to undergo a CMMC assessment, provided the CUI is never processed, stored, or transmitted on a contractor-owned information system. This clarification affects assessment applicability, not safeguarding obligations. Contractors should review contract language carefully and approach “paper-only” scenarios with caution, as routine business practices often introduce digital CUI exposure.

What the DoD CMMC FAQ Says About Hard Copy CUI

The authoritative DoD CMMC FAQ (Version 4) explicitly includes the following question and answer, which is reproduced verbatim:

"CQ10: Are CMMC assessments required for organizations that only handle hardcopy CUI?"

"CA10: No. Organizations that only handle hardcopy CUI should not be required to complete a CMMC Assessment. CMMC assessment requirements address cybersecurity related risk to CUI and apply only when the CUI is processed, stored, or transmitted on a contractor owned information technology system. Nonetheless, contractors are required to protect the hardcopy CUI. Per DoDI 5200.48, paragraph 1.1(b), any contractor or subcontractor that receives CUI is required to safeguard that information with Government training and safeguarding requirements.

Additionally, if a contractor who was only provided hardcopy CUI plans to place the hardcopy CUI on an information technology system (e.g., scanned, entered, photographed, uploaded, printed, emailed), then that information technology system is subject to the applicable CMMC assessment requirements prior to the CUI being placed on the system.

For organizations that handle paper CUI in addition to processing, storing, or transmitting CUI in a contractor owned information technology system, the necessary CMMC assessment will address both the paper CUI and the digital CUI, in accordance with the applicable NIST SP 800171 security requirements..." (Defense CIO)

While the FAQ states that CMMC assessments will address both paper and digital CUI when an information system is in scope, this does not mean that hardcopy CUI is independently assessed outside the context of a contractor-owned information system. Rather, applicable NIST SP 800-171 controls (such as Physical Protection and Media Protection) are evaluated as they relate to safeguarding CUI within the assessed system boundary, while hardcopy-only CUI safeguarding requirements continue to be governed primarily by DoDI 5200.48 and contractual obligations.

In summary, the FAQ clarifies that CMMC assessment requirements are tied to cybersecurity risk on contractor-owned IT systems. If CUI never touches such a system, a formal CMMC assessment is not required. However, this does not eliminate the safeguarding obligation: contractors handling only paper CUI remain responsible for complying with applicable physical protection and training requirements.

Business Processes Implications

For many defense contractors, particularly those that do not handle CUI at all, the FAQ has limited practical impact, because the FAQ addresses assessment applicability, not contract scoping. In such cases, DFARS clause 252.204-7012 and the associated NIST SP 800-171 requirements generally do not apply because Covered Defense Information (including CUI) is neither processed, stored, nor transmitted on the contractor’s information systems. DFARS 252.204-7012 requires contractors to provide adequate security only when covered defense information resides on or transits through a contractor-owned information system or network (DFARS).

NIST SP 800-171 establishes security requirements specifically for the protection of CUI when it is processed, stored, or transmitted by nonfederal information systems operated by organizations. While organizations may have separate obligations to safeguard CUI in physical form under other authorities, such as DoDI 5200.48, NIST SP 800-171 does not function as a comprehensive safeguarding standard for paper-only CUI absent an information system context (NIST).

Consequently, organizations that neither receive CUI nor process covered defense information on their systems may fall outside the scope of these cybersecurity requirements. Applicability ultimately depends on contract language and the scope defined by the contracting officer, not solely on operational practices (Acquisition).

For contractors that receive CUI exclusively in hardcopy form and do not process, store, or transmit that CUI on any contractor-owned information technology system, the FAQ indicates that a CMMC assessment is not required. This clarification does not create a new self-attestation pathway, nor does it negate obligations imposed DFARS clauses such as 252.204-7019 or 252.204-7020 when those clauses are included in a contract or flowdown. Whether self-assessment or certification is required remains dependent on solicitation language, contract requirements, and prime contractor flowdowns. (Defense CIO).

Risk and Practicality: Atlantic Digital’s Perspective

While the FAQ may appear to reduce assessment burden in narrowly defined scenarios, Atlantic Digital advises contractors to approach this guidance cautiously.

The DoD’s clarification should not be interpreted as a determination that paper CUI is inherently low risk. Physical compromise, including theft, loss, or unauthorized access to printed technical data, remains a documented and credible threat vector. The FAQ reflects a scoping decision about assessment applicability, not a reduction in safeguarding expectations.

At the same time, the DoD appears to be balancing mission risk against practical constraints within the Defense Industrial Base (DIB), particularly for very small or specialized organizations. By limiting third-party assessment requirements to scenarios involving contractor-owned IT systems, the DoD is attempting to reduce compliance friction where cyber risk exposure is comparatively limited.

This balance between defense-in-depth principles and practical scalability is at the heart of the current industry debate. Contractors should not assume that “paper-only” CUI handling constitutes a safe harbor, as contract terms, prime contractor requirements, and routine business practices frequently introduce digital CUI exposure.

Atlantic Digital Guidance to Contractors

Atlantic Digital recommends that organizations:

Do not rely on the FAQ as a standalone compliance determination; contract language, solicitation requirements, and prime contractor flowdowns remain controlling.

Treat paper-only CUI scenarios as fragile and easily invalidated by routine practices such as scanning, emailing, or collaboration.

Maintain awareness of applicable Physical Protection and Media Protection obligations even when a third-party CMMC assessment is not required.

Make deliberate scoping decisions to avoid unintended digitization that could trigger assessment requirements.

The DoD CMMC FAQ does not modify DFARS clauses, override solicitation requirements, redefine CMMC levels, or create new compliance pathways. It is interpretive guidance intended to clarify assessment applicability, not a binding regulatory change.

Important Note

This article is provided for informational purposes only and reflects Atlantic Digital’s interpretation of publicly available DoD guidance. It does not constitute legal advice and does not replace contract-specific requirements, solicitation language, or direction from a contracting officer.

Conclusion

The DoD’s statement that a third-party CMMC assessment is not required for organizations handling only hardcopy CUI must be read with nuance. Assessment requirements are tied to cybersecurity risk on contractor-owned information technology systems. Hardcopy CUI remains subject to safeguarding obligations under DoDI 5200.48 and any applicable DFARS or NIST requirements when contractually required. Contractors should verify contract language and prime expectations carefully, recognizing that the FAQ provides clarification, not exemption, from security responsibilities. When uncertainty exists, deliberate scoping and early validation are far less costly than remediation later.

Transitioning from Manual Compliance to GRC for Strategic Advantage

This paper explains when transitioning from spreadsheets to an integrated Governance-Risk-Compliance (GRC) platform becomes cost-effective, and how Atlantic Digital, through its partnership with IntelliGRC, delivers real-time visibility, automated evidence tracking, standardized workflows, and sustained CMMC readiness.

From Manual Strain to Strategic Enablement

For defense contractors and suppliers handling Controlled Unclassified Information (CUI), CMMC has elevated cybersecurity from a back-office discipline to a board-level priority.

The CMMC ecosystem is now in a period of sustained acceleration, with rising numbers of final Level 2 certifications, certified professionals, and more than a hundred assessments underway (Cyber AB). As this activity scales, organizations discover that ad hoc compliance methods cannot keep pace. Spreadsheets may work at early maturity stages, but as contract sizes grow and controls multiply, manual tracking introduces confusion, unclear accountability, and lengthy audit preparation cycles (DoD CIO About CMMC).

In this environment, modern GRC platforms replace manual strain with structure, automating evidence collection, clarifying ownership, and offering executive dashboards that tie compliance posture directly to business outcomes. In short, the question for C-suite leaders becomes how to use GRC to gain strategic advantage in the race for DoD contracts, instead of whether to invest in this technology or not.

IntelliGRC as the Foundation of Sustainable CMMC Compliance

Under Atlantic Digital’s guidance, IntelliGRC (our trusted GRC partner), becomes the connective tissue between security operations, policy enforcement, and executive oversight. The platform consolidates risk registers, control status, POA&M progress, and audit evidence into a single system; automates workflows; enforces accountability; and maintains traceable evidence throughout the compliance lifecycle.

The result is a sustainable compliance culture in which executives gain real-time insight into risk and readiness; compliance teams work with clarity and efficiency; and auditors can quickly verify evidence through transparent, data-driven documentation. IntelliGRC transforms cybersecurity from a cost center into a competitive differentiator.

When and Why Organizations Transition from Manual Tracking to GRC

The shift from spreadsheets to an integrated GRC platform is a pivotal step in CMMC maturity. For many organizations, the tipping point occurs when contract complexity, assessment scope, and audit frequency outpace manual coordination.

CMMC Levels 2 and 3 introduce hundreds of controls that are difficult to track in spreadsheets. In today’s accelerating readiness environment, manual methods increase the risk of delays, oversight gaps, and inconsistent evidence.

A centralized solution such as IntelliGRC streamlines documentation, automates evidence reminders, maintains continuity during staff turnover, and ensures compliance remains traceable and repeatable.

Once organizations reach moderate contract volume or enter CMMC Level 2/3 territory, staying manual becomes more expensive than transitioning to structured governance.

Atlantic Digital and IntelliGRC: A Partnership Model for Sustainable CMMC Readiness

Achieving and maintaining CMMC compliance requires the right blend of technology, governance, and expertise. Atlantic Digital delivers this through a partnership model that integrates IntelliGRC’s robust GRC capabilities with strategic advisory support tailored to each organization’s mission.

Atlantic Digital and IntelliGRC follow a clear lifecycle approach that ensures alignment and long-term sustainability:

Analyze current controls, documentation, and contract landscape to identify gaps and areas where automation yields maximum ROI.
Implement IntelliGRC pre-mapped to NIST SP 800-171 and CMMC Levels 1–3 configuring workflows, role-based access, and dashboards.
Embed the platform into daily compliance operations and train control owners, reviewers, and executives.
Update the environment as CMMC and NIST requirements evolve.

This model ensures that the technology and advisory components reinforce one another, creating an ecosystem that grows with the organization rather than constraining it. Unlike spreadsheets, IntelliGRC unifies evidence, accountability, oversight, and scalability.

Atlantic Digital’s involvement continues beyond implementation. We work alongside defense organizations to align compliance strategy with business goals, sustain readiness, and maintain a competitive advantage through evolving CMMC requirements.

Conclusion

Defense contractors must embed cybersecurity assurance into daily operations. A well-implemented GRC system, such as IntelliGRC, supported by Atlantic Digital’s expert guidance, provides automation, workflow consistency, executive visibility, and traceable oversight. By institutionalizing continuous compliance, organizations gain operational efficiency, contract readiness, and a strategic advantage in the defense supply chain.

To ensure your organization achieves these benefits and stays ahead in cybersecurity compliance, connect with Atlantic Digital and begin strengthening your defense readiness today.

About IntelliGRC

IntelliGRC is an intelligent SaaS GRC Platform purpose-built for cybersecurity compliance at scale. Leveraging our proprietary Intelligent Control Library (ICL), asset-centric automation, and proven methodologies powered by tuned AI models, IntelliGRC delivers more than traditional GRC tools.

Where other platforms over-generalize, over-simplify, or provide a blank canvas, IntelliGRC uniquely addresses the complexities and nuances of stringent cybersecurity frameworks by delivering turnkey solutions that ensure compliance precision for service providers and their customers.

Learn more at www.intelligrc.com

Is Your Cyber Safer Than the “Louvre”?

Short answer: it better be, because the Louvre just got hit (again), and the thieves’ “strategy” looked suspiciously like your average Tuesday for low-effort cybercriminals.

A ridiculous, low-budget caper (2025 edition)

Sunday morning in Paris. Four people in construction-ish gear roll up with a vehicle-mounted ladder, pop a window to the Apollo Gallery, and in roughly seven minutes smash cases, grab jewels dating back to the Napoleonic era, drop one crown on the way out (oops), and vanish on motorbikes. Total movie runtime: one coffee. Total special effects budget: a battery grinder and a lift (The Guardian, Washington Post).

Why so easy? Reports point to outdated cameras, blind spots, chronic understaffing, and long-delayed upgrades; exactly the “we’ll fix it next quarter” sins that doom security programs. French unions say staff cuts hollowed out protection while crowds surged; some rooms reportedly lacked CCTV altogether. You can almost hear the attackers whisper, “Merci” (The Guardian, Museums Association).

Bonus jaw-dropper: the jewels were uninsured (state-owned collections are “self-insured”). Translation for CISOs: if your crown jewels go missing, there may be no simple check coming (Newsweek).

“Legendary security,” back when the Louvre learned the hard way

This isn’t the first time the museum got humbled. In 1911, Vincenzo Peruggia, an ex-worker, walked out with the Mona Lisa after removing it from its frame and wrapping it up. No lasers, no Mission: Impossible harness, just a smock and some moxie. The incident (and years of embarrassment) eventually drove museum security to modernize: bulletproof glass, climate-controlled displays, and serious controls; for the marquee pieces. The problem? Controls weren’t uniform across the collection. Sound like any networks you know? (Time, KAB Gallery).

Why “legendary” turns into “lax” (and how that maps to your org)

Complacency: “No one would dare rob us” (until they do).
Patchwork controls: Mona Lisa gets a bank vault; other galleries get… vibes. (In cyber terms: the CFO’s laptop has EDR+MFA+hardening; the lab PCs are “best effort”) (WXII 12).
Budget drift & deferred upgrades: Everyone agrees security is important; somehow the CCTV still runs on yesterday’s tech (and tomorrow’s to-do list) (France 24).
Staffing gaps & alert fatigue: Fewer people, more crowds, more noise (your SOC feels seen) (France 24).

The cyber mirror: how thieves become threat actors

What happened in Paris is what happens online every day:

Simple tools, outsized impact. Battery grinders ↔ commodity malware & scripts. You don’t need a nation-state when the door’s propped open.
Seven-minute dwell time. That’s your RTO/RPO fantasy vs. reality; if your detection and response are slower than a coffee break, the jewels are gone.
Crown-jewel targeting. Attackers go where the value concentrates (privileged identities, finance systems, IP vaults), not where your dashboards look prettiest.
Insurance isn’t salvation. Cyber insurance exclusions and sublimits won’t rebuild trust or reputation; same lesson the Louvre is relearning.

Compliance isn’t glamorous, but it works

The U.S. is under sustained cyberattack across public and private sectors. The fastest way to stop being “the next Louvre story” is to do the boring but essential things consistently:

Asset & data mapping: Know where your crown jewels actually live (and shadow copies).
Uniform controls: EDR, MFA, logging, and backups for all “galleries,” not just the famous ones.
Least privilege & PAM: Lock the side doors and staff entrances (service accounts, legacy shares, stale admins).
Detect fast, respond faster: Test your MTTD/MTTR the way firefighters drill (tabletops, purple team, containment runbooks).
Compliance with teeth: Map to NIST SP 800-171/CMMC so controls survive budget weather and leadership changes.

Okay, but… is your cyber safer than the Louvre?

If your monitoring only watches the “Mona Lisa” systems while the back-office “Apollo Gallery” runs on exceptions, then… probably not. That’s where Atlantic Digital (ADI) comes in:

vCISO + Governance: Make “uniform controls” a budgeted, auditable requirement, not a wish.
CMMC-ready buildouts: Implement NIST 800-171 controls with evidence (policies, SSP, POA&M) that survive audits.
Crown-Jewel Program: Identify, segment, and monitor your most valuable data and privileges, then prove it works.
Detection & Response Drills: Shrink mean time to everything (detect, contain, recover) with runbooks and rehearsals.

If you don’t want your breach report to read like a low-budget ladder, a grinder, and a shrug, talk to ADI. We’ll help you lock the window and the gallery.

Risks and Remedies in CMMC Self-Attestation: Managing SPRS Scoring and Legal Exposure

In September 2025, the Department of Defense finalized DFARS updates implementing the Cybersecurity Maturity Model Certification (CMMC) program into the Federal Acquisition Regulation Supplement. Effective November 10, 2025, the rule makes both self- and third-party cybersecurity assessments contractually enforceable for defense contractors (Federal Register, 2025).

Under the final rule, contractors handling only Federal Contract Information (FCI) may continue to self-assess annually at CMMC Level 1, while those that handle Controlled Unclassified Information (CUI) will fall under Level 2 requirements. For Level 2, the Department of Defense differentiates between contracts that permit self-assessment versus those that require third-party certification by a CMMC Third-Party Assessment Organization (C3PAO). The DoD’s phased rollout anticipates that a substantial proportion of Level 2 contractors will require independent C3PAO validation prior to contract award (DoD).

This paper examines the operational and legal challenges posed by self-attestation and Supplier Performance Risk System (SPRS) scoring under CMMC. Public reporting through 2024 and 2025 shows persistent readiness shortfalls across the Defense Industrial Base (DIB), with low average SPRS readiness metrics and relatively few final or conditional CMMC Level 2 certifications compared to the estimated population of covered entities (Cyber AB, 2025; businesswire; National Defense, 2024). These gaps highlight the difficulty many contractors face in attaining the 110-point SPRS threshold required for final Level 2 certification and underscore the need for rigorous self-assessment practices and stronger verification mechanisms.

The following sections analyze these challenges and present evidence-informed mitigations, including structured gap analysis, cross-functional governance, automated evidence collection, and disciplined POA&M management, to help organizations attain accurate SPRS scores and preserve DoD contract eligibility. This shift from voluntary attestation to enforceable validation reshapes contractor readiness planning across the DIB.

When Self-Assessment Is Allowed, and When Third-Party Assessment Is Required

The 2025 DFARS final rule formalizes the CMMC assessment model across three levels:

• Level 1 – Self-Assessment Only: Annual self-assessment and executive affirmation in SPRS

• Level 2 – Mixed Model: Contractors handling CUI may perform self-assessments for lower-risk programs, but contracts deemed critical to national security require third-party assessment by a C3PAO.
• Level 3 – Government Assessment: Contractors supporting the most sensitive missions undergo government-led assessments against NIST SP 800-172 controls.

This tiered structure allows DoD to scale assurance based on risk while reducing unnecessary burden on small and medium contractors that handle less sensitive information (DoD; Federal Register).

Understanding SPRS and the Assessment Process

The Supplier Performance Risk System (SPRS) is the DoD’s authoritative database for supplier performance and cybersecurity assessment information. Under DFARS 252.204-7019, contractors must submit their NIST SP 800-171 assessment scores to SPRS, which DoD acquisition officials reference during source-selection and award decisions (Acquisition.GOV, 2025; SPRS).

SPRS scoring evaluates implementation of the 110 NIST SP 800-171 requirements. A fully implemented environment earns +110 points, while deductions for unmet controls can reduce scores to –203 under the DoD Assessment. Under current guidance, organizations scoring between approximately 88 and 109 points may provisionally qualify for CMMC Level 2 status if all deficiencies are documented in approved POA&Ms. Final certification requires a perfect score of 110, with all deficiencies addressed and POA&Ms closed within 180 days (CMMC Level 2 Assessment Guide v2; NIST; NIST).

In addition to scores, SPRS captures metadata, such as assessment dates and POA&M completion, which acquisition officials consider alongside numerical scores when evaluating supplier cybersecurity posture.

While SPRS provides a structured framework for tracking performance and cybersecurity compliance, accurately reporting and maintaining these records presents ongoing operational challenges for contractors.

Operational Challenges in Accurate SPRS Scoring

Defense contractors face persistent operational barriers when reporting cybersecurity posture through SPRS mechanisms. Despite expanded DoD guidance and automation efforts, accurately capturing and maintaining scores remains challenging.

While self-assessments may identify many deficiencies internally, third-party C3PAO evaluations often uncover documentation or technical gaps that internal reviews overlook, requiring objective verification and remediation. For contractors pursuing third-party certification, additional challenges include coordinating evidence reviews, maintaining consistent control implementation across business units, and responding to assessor findings during the remediation window. These implementation difficulties can lead to compliance deficiencies, contract disqualification, or potential legal liability.

Below are notable pain points:

1. Incomplete or outdated System Security Plans (SSP)

SSPs serve as foundational evidence. Common deficiencies include outdated or incomplete control descriptions, missing system boundaries, or absent evidence of implementation. Because DoD assessors validate SSP-described controls against actual practice, SSP shortcomings surface during assessments (CMMC Assessment Guide Level 2 v2.13).

2. Limited internal expertise for accurate scoring

Small and medium contractors often lack dedicated cybersecurity and DoD-assessment expertise, making accurate interpretation of NIST SP 800-171 and SPRS scoring difficult. Industry guidance and DoD small-business outreach resources confirm that limited internal capability is a major readiness barrier (DoD; Defense.GOV).

3. Failure to track POA&M remediation timelines

DoD guidance ties conditional status to documented POA&Ms and expects timely remediation of deficiencies. Contractors that fail to maintain POA&M discipline risk losing certification or contract eligibility.

Together, these operational challenges can result in inaccurate self-attestations, exposing the organization to serious legal and contractual consequences.

Legal and Operational Risks of Inaccurate SPRS Reporting

Inaccurate or exaggerated SPRS self-assessments expose organizations to both legal and operational risks, including False Claims Act (FCA) liability, contract ineligibility, potential suspension or debarment.

Both self-assessment and third-party verification data must now be entered into SPRS. Under DFARS 252.204-7020 and the 2025 final rule, each contractor’s assessment, whether internally completed or validated by a C3PAO, receives a unique identifier (UID) used by contracting officers to verify compliance before award. Misstatements tied to these UIDs may be considered material to DoD’s payment decisions.

Legal Accountability and Executive Attestation Under the False Claims Act

The Department of Justice’s Civil Cyber-Fraud Initiative has pursued multiple enforcement actions against defense contractors that misrepresented compliance or inflated SPRS scores. Under the False Claims Act (31 U.S.C. §3729 et seq.), violators may face treble damages and statutory penalties. For example:

Raytheon Technologies (RTX) paid $8.3 million following a whistleblower complaint about cybersecurity misrepresentations (OPA, 2025).
MORSE Corporation paid $4.6 million to resolve allegations of false SPRS scoring (OPA, 2025).
Higher-education contractors and others have likewise reached settlements resolving FCA allegations tied to cybersecurity non-compliance. For instance, The Pennsylvania State University agreed to pay $1.25 million in 2024 to resolve related allegations (OPA, 2024).

Each contractor must also ensure that the Affirming Official (AO), typically a senior company executive, signs off that the SPRS assessment is accurate and complete. False affirmations may trigger FCA liability (SPRS; SMITHERS).

Impact of expired or missing SPRS entries on contract eligibility

Beyond legal exposure, inaccurate or expired SPRS entries can directly affect contract eligibility and award timelines. Beginning November 10, 2025, contracting officers will be required to verify contractors’ SPRS assessment scores before award or renewal, in accordance with DFARS 252.204-7019 and associated rules. Organizations without a current and validated SPRS entry may be deemed ineligible for new contracts, and existing awards may be delayed or suspended pending compliance verification (Federal Register, 2024; Acquisition.GOV).

Best Practices to Improve CMMC Self-Assessment Accuracy

Given the heightened legal and contractual risks associated with inaccurate self-attestation, precision in CMMC self-assessments is essential. Contractors must adopt structured, repeatable processes to address the vulnerabilities identified across the Defense Industrial Base (DIB).

1. Conduct structured gap analyses to validate CMMC readiness and engage cross-functional teams

Begin with a structured gap analysis across all 110 controls and 320 assessment objectives (NIST SP 800-171A Rev. 3). Involve leadership, compliance, IT, and business units to ensure complete visibility and accountability.

2. Leverage automation for continuous evidence validation

Automated evidence collection tools help maintain compliance accuracy by continuously validating control implementation across cloud and on-premises systems. Integration with environments such as AWS GovCloud, Azure Government, and Microsoft GCC High supports generation of traceable documentation consistent with CMMC and NIST evidence requirements.
3. Maintain annual SPRS updates and executive affirmations

Contractors must conduct and affirm at least one self-assessment annually in SPRS. The Affirming Official should certify that the assessment accurately reflects the organization’s compliance status. The CMMC Level 1 Assessment Guide recommends routine internal reviews to ensure continuous readiness and prevent score degradation that can jeopardize contract eligibility (Acquisition.GOV, SPRS, CMMC Level 1 Assessment Guide).

4. Prepare for third-party assessment proactively

Contractors anticipating third-party assessments should adopt pre-assessment readiness reviews to identify documentation gaps and technical deficiencies before engaging a C3PAO. Early preparation reduces costs, minimizes findings during formal assessment, and improves the likelihood of achieving a passing score within the remediation window.

Implementing these measures is especially critical as CMMC 2.0 enters Phase 1 of its enforcement rollout in November 2025, when contracting officers may begin including CMMC requirements in solicitations and contracts, especially for self-assessments of Level 1 or 2 systems.

Conclusion

CMMC 2.0 compliance marks a pivotal shift for defense contractors operating in an increasingly regulated cybersecurity environment. Many contractors continue to report scores below full implementation. And because the Department of Justice’s Civil Cyber-Fraud Initiative actively pursues false or misleading SPRS attestations, accurate self-assessment has become both a compliance obligation and a legal imperative.

Under the False Claims Act, organizations and their Affirming Officials, may face treble damages and civil penalties for knowingly submitting inaccurate information. Addressing core challenges (misinterpretation of NIST requirements, incomplete SSPs, inflated self-assessments, limited internal expertise, and lax POA&M discipline) is essential as CMMC 2.0 requirements phase into DoD solicitations and contracts starting November 2025.

To mitigate risks and ensure readiness, organizations should institutionalize disciplined, evidence-based assessment processes, maintain verifiable SPRS records, and prepare for third-party validation. Those that adopt these practices will be in the strongest position for contract eligibility, legal defensibility, and competitive stability as CMMC enforcement unfolds throughout FY 2026.

At Atlantic Digital, we help contractors bridge the gap between self-assessment readiness and successful third-party certification. Our team provides tailored readiness assessments to identify compliance gaps; implement required security controls aligned with NIST SP 800-171; assist with policy development, System Security Plan (SSP) and POA&M creation; and conduct pre-assessment or mock-audit exercises to reduce surprises during formal C3PAO engagements. For contractors already approaching their SPRS scoring thresholds, we ensure that both self-attestations and third-party assessments are conducted with confidence, supported by verifiable evidence sufficient to meet DoD contracting and CMMC 2.0 requirements.

The SA-24 Update: Critical Implications for Defense Industrial Base Compliance

The recent update to NIST SP 800-53 (Release 5.2.0) on August 27, 2025, introduced a significant new security control, SA-24 "Design for Cyber Resiliency," that warrants immediate attention from Defense Industrial Base (DiB) organizations (NIST 2025).

Rationale for SA-24 Introduction

The inclusion of SA-24 in NIST SP 800-53 Release 5.2.0 addresses the growing need for systems to be designed with inherent cyber resiliency. This control emphasizes the importance of anticipating, withstanding, recovering from, and adapting to adverse conditions, stresses, attacks, or compromises on systems that utilize or are enabled by cyber resources. This proactive approach aims to reduce mission, business, organizational, enterprise, or sector risk associated with cyber dependencies. The decision to introduce SA-24 was influenced by stakeholder feedback highlighting the necessity for a structured framework to embed cyber resiliency into system design processes (NIST 2025).

Strategic Significance for DiB Organizations

This update establishes a critical bridge between security compliance frameworks and systems security engineering, and, for DiB contractors, this development is particularly consequential for several reasons:

Anticipatory Compliance Requirements: Although SA-24 is not currently included in NIST SP 800-171 Revision 3, it is anticipated that future revisions will incorporate this control. The alignment of SP 800-171 with SP 800-53 Revision 5, as seen in the recent updates, suggests a trend towards harmonizing security requirements across NIST publications. Organizations should proactively prepare for this integration by familiarizing themselves with the SA-24 control and considering its application in their current security practices (secureframe 2025; NIST 2024).

CMMC Implications: Organizations pursuing Cybersecurity Maturity Model Certification should recognize this update as a potential indicator of future assessment criteria, particularly for higher maturity levels where resiliency requirements are emphasized.

Competitive Differentiation: DiB contractors who proactively adopt cyber resiliency principles may secure advantageous positioning for future contract opportunities where robust security engineering is evaluated.

Technical Implementation Considerations

The SA-24 control establishes comprehensive requirements for cyber resiliency that align with strategic objectives outlined in SP 800-160 (NIST 2021):

Definition of organization-specific cyber resiliency goals and objectives
Implementation of designated cyber resiliency techniques and approaches
Integration of cyber resiliency design principles into systems engineering processes
Systematic review procedures as part of organizational risk management

To operationalize SA-24, organizations should map its elements to existing risk management frameworks and business continuity plans. For instance, the “organization-defined cyber resiliency goals” can be aligned with risk appetite statements in the risk register. Likewise, “cyber resiliency techniques” may be integrated into business continuity or disaster recovery strategies to ensure critical functions persist through and recover from adverse events. NIST SP 800-160 (Vol. 2) offers a technical foundation for selecting and applying techniques (e.g. redundancy, diversity, isolation, adaptability).

Procurement vehicles are increasingly reinforcing this convergence between compliance and resiliency. A prominent example is GSA’s OASIS+, a government-wide, multi-award IDIQ contract vehicle for acquiring complex professional services across domains (GSA. GSA). Under OASIS+, contractors responding to task orders may be required to fulfill J-3 “Cybersecurity/Supply Chain Risk Management (C-SCRM)” deliverables, which call for a documented cybersecurity program (mapped to NIST guidance), a C-SCRM plan, incident response capabilities, and business continuity/disaster recovery practices (GSA, GSA).

While OASIS+ is not itself a resiliency framework, its contractual deliverables illustrate how procurement requirements can drive adoption of resiliency-by-design principles like those in SA-24.

Implementing SA-24: Practical Examples:

Organizations can adopt various techniques to implement SA-24 effectively:

Redundancy: Implementing redundant systems and data paths to ensure availability during disruptions.
Diversity: Utilizing diverse technologies and vendors to mitigate the risk of widespread failures.
Isolation: Designing systems to contain and limit the impact of potential breaches.
Adaptability: Ensuring systems can evolve in response to emerging threats and vulnerabilities.

These techniques should be tailored to the organization's specific operational context and risk profile (GSA, NIST 2021).

Who Should Be Paying Attention

Prime Defense Contractors: Organizations directly contracted with DoD handling CUI must closely monitor how this update will influence contractual requirements.
System Security Engineering Teams: Technical specialists responsible for architecture design and security implementation need to integrate these resiliency principles into development lifecycles.
Compliance Officers: Professionals tasked with maintaining regulatory adherence should begin evaluating how SA-24 principles align with existing control implementations.
Risk Management Leadership: Executives responsible for enterprise risk governance must consider how cyber resiliency objectives will factor into broader business continuity planning.
Supply Chain Security Managers: The emphasis on cyber resiliency complements the Supply Chain Risk Management (SR) family introduced in NIST SP 800-171 Rev. 3 (NIST 2024), suggesting an integrated approach to supply chain security and operational resilience.

This development underscores the evolving regulatory landscape's increasing focus on proactive, resilience-oriented security engineering rather than merely reactive compliance measures. Organizations that recognize this shift and adapt accordingly will be better positioned for both regulatory compliance and operational security effectiveness.

Conclusion

The introduction of SA-24 signifies a pivotal shift towards embedding cyber resiliency into the fabric of system design and operation. For DiB organizations, proactively adopting these principles not only ensures compliance with evolving standards but also fortifies the organization's ability to withstand and recover from cyber adversities. By aligning with SA-24, organizations demonstrate a commitment to safeguarding critical missions and maintaining trust with federal partners.

At Atlantic Digital, our CMMC Strategy Experts help defense contractors translate evolving requirements like SA-24 into practical, actionable programs. From readiness assessments to ongoing compliance support, we partner with organizations to strengthen resiliency and secure their position in the defense supply chain.

Contact us today to learn how ADI can support your compliance and cyber resiliency journey.

Demystifying GCC and GCC High Licensing for a CMMC Level 2 Assessment

Introduction

Picture this: You're sitting across from your CFO, armed with a Microsoft licensing quote that makes their coffee cup rattle against the saucer: $1,200 per user per year for G5 licenses. Meanwhile, your current Small Business Premium setup hums along nicely at $264 per user annually, delivering virtually the same user experience your team has grown to love.

"So, where exactly can we cut corners?"

That question echoes through boardrooms across America as government contractors grapple with CMMC Level 2 requirements. This complexity affects your IT budget, and it directly influences how assessors view your readiness when you undergo a CMMC Level 2 assessment.

Assessment Success

Here's where the rubber meets the road in CMMC assessments. During your C3PAO evaluation, presenting an all-G5 licensing strategy is like showing up to a job interview in a perfectly tailored suit. You are more likely to get:

A lower assessment quote

Potential for remote assessment options

A faster assessment timeline

More assessor confidence

Why? Because you've demonstrated earnest commitment to meeting NIST SP 800-171 requirements. C3PAOs know this configuration inside and out. It's their comfort zone.

Step 1: Choose GCC vs GCC High

If your organization deals with International Traffic in Arms Regulations (ITAR) data or other export-controlled information, GCC High isn't optional. It's mandatory. But if you're working with standard Controlled Unclassified Information (CUI), the regular GCC environment might be your sweet spot.

Require GCC High: Mandatory if your contracts include Export-Control specifications (ITAR/EAR).

Prefer GCC High: Often chosen proactively because ITAR requirements can appear unpredictably, and it positions you for future contracts.

Need cost-effective solution: GCC provides better affordability with expanded licensing selections

Once you know whether GCC High is required, the next challenge is choosing the right license model.

Step 2: Pick Your License Model

Let's pull back the curtain on this licensing theater. The Microsoft 365 ecosystem for Government Community Cloud (GCC) presents three distinct paths, each with its own personality:

The Premium Player: Microsoft 365 G5 (GCC and GCC High)

GCC high and the G5 licensing is Microsoft compliance “promise” for the long-term partnership. Like Marriage, if you wanna keep it, put a ring on it, at $1,200. That premium price tag is paying for Microsoft’s special government teams to continue to develop technical controls against ever increasing threats. It provides:

Comprehensive security stack with Entra ID P2

Defender for Endpoint P2 protection

Full Purview E5 capabilities for advanced compliance

Advanced Audit and eDiscovery Premium features

This is your "set it and forget it" solution, if budget constraints don't make you wince.

The Strategic Alternative: Microsoft 365 E5 (no Teams) + Teams Enterprise (GCC Only)

Here's where things get interesting. This configuration delivers identical security and compliance capabilities as G5 but often at a more palatable price point. It's like getting the same gourmet meal but choosing the lunch special over the dinner menu. This option does TODAY provide identical compliance, but it is not guaranteed like the G5 is, meaning organizations would require close monitoring of licensing updates.

The Budget-Conscious Choice: Microsoft 365 Business Premium (GCC only)

At a fraction of the cost, Business Premium provides essential desktop applications and basic security features. However, and this is crucial, it lacks the full compliance artillery needed for CUI handling.

These licensing choices directly impact how assessors view your compliance readiness.

Cost Scenarios

GCC High cost scenarios (20 users), MSRP (Aug 2025)

Scenario	Composition	Annual total
All G5 (GCC High)	20 × $1,120.80	$22,416.00
3 G5 + 17 F3 + F5 Security (nonCUI)	(3 × $1,120.80) + (17 × ($116.40 + $116.40))	$7,320.00

Notes (GCC High): The F3 + F5 Security identities must not handle CUI. Enforce isolation with Conditional Access, Purview labels/DLP, and site/label scoping. F3 has no desktop apps, 2 GB OneDrive, and Kiosk/OWA mailbox unless you add Exchange Online Plan 1.

GCC cost scenarios (20 users), MSRP (Aug 2025)

Scenario	Composition	Annual total
All G5	20 × $855.60	$17,112.00
All E5 (no Teams) + Teams	20 × ($657 + $63)	$14,400.00
Hybrid (5 G5 + 15 BP)	5 × $855.60 + 15 × $264	$8,238.00
Hybrid (5 E5 (no Teams) + Teams + 15 BP)	5 × $720 + 15 × $264	$7,560.00
All BP + E5 Security (Need CMMC L2; currently no CUI)	20 × ($264 + $144)	$8,160.00

While these scenarios show clear cost differences, organizations must balance affordability against the compliance risks created when mixing license types.

The Risk of Mixing Licenses

The moment you introduce a hybrid approach (some users on G5 licenses, others on "risk-managed" alternatives), your compliance complexity has elevated from arithmetic to calculus. Still very solvable, but with elevated acceptance of risks and sustainment processes.

The assessor's scrutiny increases, since proving separation of environments becomes harder and often requires stronger documentation and compensating controls. This is due to:

In-scope email boxes sitting alongside risk-managed email boxes

Policy-based separation without ironclad technical controls

No eDiscovery proof that CUI hasn't migrated to risk-managed environments

Imagine trying to prove a negative; that's essentially what you're asking your assessor to validate.

Step 3: Build a Role-Based Licensing Strategy

Smart organizations develop a role-to-license matrix that serves as their North Star:

CUI Handlers & Compliance-Critical Roles → G5 or E5 (no Teams) + Teams Enterprise

Support Staff & Non-CUI Roles → Business Premium (GCC)

Hybrid Roles → Case-by-case evaluation with clear documentation

The golden rule: Isolate CUI to your premium-licensed users. This creates clear boundaries that assessors can validate, and auditors can trace.

Think of it as creating digital neighborhoods: your CUI community lives in the gated area with all the premium security features, while your general business operations happen in the standard residential zone.

Here's the million-dollar question: Can you have your cake and eat it too?

The pragmatic approach:

Start with role analysis rather than license analysis

Map CUI touchpoints across your organization

Right-size your premium licensing to actual CUI handlers

Document everything for assessment transparency

Once the role-to-license matrix is established, the next challenge is ensuring this model can withstand assessor review and adapt to Microsoft’s evolving licensing changes.

Implementation and Future-Proofing

Licensing isn’t a one-time purchase; it’s a living compliance program. To stay ahead of evolving CMMC expectations and Microsoft changes, organizations should implement clear governance and a forward-looking review process.

Documentation That Demonstrates Control

Assessors rely heavily on documentation, not just tools, to determine whether your controls are effective and sustainable. They will want to see:

Clear licensing rationale tied to job functions

CUI flow diagrams showing data boundaries

Change management procedures for role transitions

Regular access reviews and cleanup processes

Remember, assessments aren't just about technical compliance, they're about demonstrating control maturity. An organization that can clearly articulate its licensing strategy, backed by solid documentation and consistent implementation, inspires assessor confidence.

Future-Proofing Your Strategy

The licensing landscape continues evolving. Microsoft regularly adjusts add-on eligibility and feature bundling.

Build flexibility into your approach:

Maintain licensing inventory with regular reviews

Monitor Microsoft roadmap announcements

Establish change management protocols

Budget for compliance evolution

Action Summary

G5 = Safest, fastest assessments

GCC High = Mandatory if ITAR/EAR data

Hybrid = Lower cost, higher risk, requires strong controls

Document licensing decisions tied to roles

Conclusion

If you pursue CMMC Level 2 as a list of checkboxes and attempt to “save money” on licensing, you could end up with much higher costs down the road.

CMMC Level 2 compliance should be part of your long-term business strategy. It's about building a sustainable security posture that protects your organization and your customers' sensitive information.

Yes, G5 licensing represents a significant investment. But does the savings in licensing today justify the limitations you might face with ITAR, the extra sustainment costs in a complicated Hybrid licensing model, and the extra costs in the assessments?

My advice:
Different organizations will weigh these trade-offs differently. For example, as your compliance consultant, I will only recommend G5’s for all users within the information system because the elevated risks of a Hybrid approach require a full-time on-staff person to assume that liability.

And as an IT director of a SMB with zero actual CUI in my information system, I am willing to protect by policy only and accept the liability of going with Small Business Premium licensing with the Security add-on.

Remember: The goal isn't to find the cheapest option, but to find the most cost-effective path to compliance that protects your business, satisfies your contracts, and positions you for future growth.

Because at the end of the day, the most expensive license is the one that doesn't protect you when it matters most.

Ready to demystify your GCC licensing strategy? Atlantic Digital’s compliance experts have guided multiple contractors through this exact challenge. Contact us today for a personalized assessment that balances your budget constraints with your compliance requirements.

Don't let licensing confusion derail your CMMC Level 2 journey. Get clarity, get compliant, get competitive.

Disclaimer
This paper reflects the professional perspective of a CMMC compliance consultant and is intended for general guidance only. Licensing details, costs, and strategies are based on industry experience and illustrative examples as of August 2025 and should not be taken as definitive or exhaustive. For authoritative and up-to-date information, readers should consult Microsoft’s official licensing documentation, their licensing solution provider, and the Department of Defense’s published CMMC resources. Organizations should validate all decisions against these primary sources and their contractual requirements.

DOM-based Extension Clickjacking: The Silent Threat to Your Password Manager

In the world of cybersecurity, sometimes the most dangerous threats are the ones hiding in plain sight, or rather, the ones hiding behind what you can’t see.

Introduction

Password managers have become the digital equivalent of Fort Knox for many of us (trusted guardians of our most sensitive information in an increasingly complex online world). We’ve been told repeatedly by security experts: use unique, complex passwords for every account and store them in a password manager. But what happens when the very tools designed to protect us become vectors for attack?

Czech security researcher Marek Tóth recently uncovered a sophisticated vulnerability affecting popular password manager browser extensions that could make your digital fortress about as secure as a sandcastle at high tide. This newly identified attack vector, dubbed “DOM-based extension clickjacking,” has sent shockwaves through the cybersecurity community, affecting extensions with a combined user base exceeding 40 million installations (Tóth).

The Art of Digital Sleight of Hand

Imagine you’re browsing a website and encounter a seemingly innocent cookie consent banner. You click “Accept” to dismiss it and continue browsing. Simple, right? Not quite. Through DOM-based extension clickjacking, that single click might have just handed over your credit card details, including security codes, to an attacker without you noticing a thing.

But how exactly does this digital sleight of hand work? DOM-based extension clickjacking represents an evolution of traditional clickjacking attacks, specifically targeting browser extensions that inject interactive elements into a webpage’s Document Object Model (DOM).

The attack exploits a fundamental aspect of how password manager extensions interact with web pages:

Password managers inject user interface elements (like autofill prompts) into the webpage DOM
An attacker’s malicious JavaScript can manipulate these elements, making them invisible while maintaining their functionality
Deceptive content is overlaid, tricking users into interacting with the hidden password manager interface
When users click what appears to be legitimate page elements, they unknowingly trigger the hidden password manager functionality

What makes this attack particularly concerning is its minimal interaction requirements. In many demonstrated scenarios, a single user click is sufficient to extract sensitive information.

Technical Mechanics

The DOM-based extension clickjacking vulnerability exploits several technical approaches:

Direct Element Manipulation: Applying CSS properties like opacity: 0 directly to the extension’s UI components, making them invisible while maintaining functionality
Parent Element Modification: Altering container elements that hold the password manager’s interface
Strategic Overlay Positioning: Placing deceptive content over the password manager’s interface while using CSS properties like pointer-events: none to ensure clicks pass through to hidden elements underneath

As Tóth explains, “The principle is that a browser extension injects elements into the DOM, which an attacker can then make invisible using JavaScript” (Tóth).

The Damage Potential

The severity of this vulnerability varies depending on context, but several concerning attack scenarios have been demonstrated:

On Malicious Websites

Extraction of stored credit card information, including card numbers, expiration dates, and security codes
Theft of personal data like names, addresses, and phone numbers
Credential harvesting

On Legitimate but Compromised Websites

If an attacker exploits cross-site scripting (XSS) vulnerabilities or subdomain takeovers on trusted domains, they can potentially extract login credentials and two factor authentication codes
Even manipulation of passkey authentication flows is possible in some scenarios

Particularly concerning is how the attack can exploit the subdomain autofill behavior of password managers. If a user has credentials stored for a domain like accounts.google.com, an attacker only needs to find an XSS vulnerability on any subdomain (e.g., test.dev.sandbox.cloud.google.com) to potentially steal those credentials.

Affected Password Managers

Tóth’s research presented at DEF CON 33 identified vulnerabilities in several password managers at the time of disclosure. The versions tested are listed below, though patch status has since varied. Users should consult vendor advisories for the latest updates:

1Password (version 8.11.4.27)
Bitwarden (version 2025.7.0)
LastPass (version 4.146.3)
LogMeOnce (version 7.12.4)
Enpass (version 6.11.6)
Apple’s iCloud Passwords (version 3.1.25)
NordPass (now fixed in version 5.13.24 or later)
ProtonPass (now fixed in version 1.31.6 or later)
RoboForm (now fixed in version 9.7.6 or later)
Keeper (now fixed in version 17.2.0 or later)
Dashlane (now fixed in version 6.2531.1 or later)
KeePassXC-Browser (version 1.9.9.2)

The response from vendors has varied significantly. Some have quickly addressed the issue with comprehensive fixes, while others have taken a more measured approach or initially classified the issue as “informative” rather than a direct vulnerability in their products.

Jacob DePriest, CISO at 1Password, has noted that “the underlying issue lies in the way browsers render webpages” and that there’s “no comprehensive technical fix that browser extensions can deliver on their own” (Security Week). This stance highlights the fundamental tension between usability and security in password manager design.

Mitigation Strategies for Users

While awaiting comprehensive fixes from vendors, users can take several proactive steps to protect themselves:

Update Browser Extensions: Ensure you’re running the latest version of your password manager’s browser extension, as several vendors have released patches or partial mitigations.
Consider Alternative Access Methods: Use desktop or mobile applications, when possible, as these are not vulnerable to web-based clickjacking attacks.
Disable Autofill Functionality: Configure your password manager to require explicit action before filling credentials.
Exercise Caution with Web Interactions: Be suspicious of websites that display intrusive popups or request unusual interactions.
Implement Browser-Level Protections: For Chromium-based browser users, configure extension permissions to “on click” rather than allowing automatic access to all websites.

The Balancing Act

The discovery of DOM-based extension clickjacking vulnerabilities highlights a fundamental challenge in security design: the balance between usability and protection. While separate popup windows for autofill would provide stronger security against clickjacking, they would also introduce significant friction to the user experience, potentially driving users toward less secure practices out of convenience.

As Alex Cox, Director of Threat Intelligence at LastPass, notes, this research “highlights a broader challenge facing all password managers: striking the right balance between user experience and convenience, while also addressing evolving threat models” (Daily Security Review).

Conclusion

The DOM-based extension clickjacking vulnerability serves as a stark reminder that even security tools require vigilant oversight and continuous improvement. As password managers have become increasingly central to cybersecurity strategies, they have also become more attractive targets for sophisticated attacks.

Users should remain alert to potential risks while maintaining perspective; password managers still provide significant security benefits compared to alternative approaches like password reuse or weak memorized credentials. The appropriate response is not abandonment of these tools, but rather informed usage combined with additional security layers.

For the password management industry, this discovery highlights the need for continued innovation in secure design patterns for browser extensions. Future approaches may include greater isolation between extension interfaces and webpage content, improved verification of user intent before sensitive operations, and more robust detection of potential manipulation attempts.

As vendors continue to release updates addressing these vulnerabilities, users should prioritize keeping their software current and implementing available security options. By combining technical protections with informed usage practices, the risks associated with DOM-based extension clickjacking can be significantly reduced while preserving the substantial security benefits that password managers provide.

At ADI, we help organizations build sustainable cybersecurity frameworks that adapt as threats evolve. Whether you need guidance on compliance, strategy, or hands-on defense, our team is here to support your mission with tailored solutions. Explore ADI’s CMMC and cybersecurity services here.

Secure.Comply.Excel.

Navigating the Latest DoD Memo on CMMC Certification Requirements with Atlantic Digital

Introduction

The Department of Defense (DoD) continually updates its cybersecurity protocols to safeguard sensitive information within the Defense Industrial Base (DIB). The latest memorandum, "Implementing the Cybersecurity Maturity Model Certification (CMMC) Program" (DoD), introduces significant changes to the Cybersecurity Maturity Model Certification (CMMC) requirements, directly impacting contractors and service providers. This paper examines these updates, addresses critical compliance challenges, and outlines how Atlantic Digital (ADI) helps clients achieve compliance.

Understanding the Latest DoD Memo on CMMC

The recent DoD memorandum formalizes the CMMC framework by confirming a phased implementation and clarifying the conditions under which different levels of certification are required. It also provides new guidance on waivers and subcontractor compliance.

Key updates include:

CMMC certification requirements will be introduced incrementally upon publication of the final DFARS rule, 2019-D041. Contractors must prepare for increasing compliance obligations over the next two years as Level 1, Level 2, and Level 3 requirements take effect.

The memo reiterates that CMMC Level 3 requirements should not be unnecessarily imposed on subcontractors unless they handle mission-critical CUI. Program Managers are advised to take a risk-based approach when determining subcontractor obligations.

Service and Component Acquisition Executives (SAE/CAE) may waive CMMC certification requirements under certain conditions but must still ensure compliance with cybersecurity safeguards.

Phased Implementation Process

The DoD memo confirms that CMMC implementation will begin once the final Title 48 CFR rule is published. Implementation will proceed as follows:

Upon publication of the final DFARS rule, 2019-D041, CMMC Level 1 requirements will take effect for applicable contracts.

One year after DFARS publication, CMMC Level 2 assessments will be introduced as part of the phased implementation process.

Two years after DFARS publication, CMMC Level 3 certification assessments will be mandatory, when appropriate.

The DoD will update Instruction 8582.01 and provide additional guidance regarding the application of NIST SP 800-172 protections for Level 3 contractors.

CMMC Level Assessments

CMMC builds upon NIST SP 800-171 self-assessments already obligatory under DFARS 252.204-7019, and organizations must continue conducting these assessments as required. Additionally, the CMMC Program requires pre-award assessments of covered contractor information systems against prescribed cybersecurity standards for safeguarding Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Assessment Breakdown:

CMMC Level 1 requires an annual self-assessment against 17 basic cybersecurity practices, based on the Federal Acquisition Regulation (FAR) 52.204-21.

CMMC Level 2 requires adherence to NIST SP 800-171 requirements. Depending on the sensitivity of the Controlled Unclassified Information (CUI) handled, assessments may be either self-assessments or conducted by a Certified Third-Party Assessment Organization (C3PAO).

CMMC Level 3 requires a DoD-led assessment, incorporating NIST SP 800-172 enhanced security requirements.

Flow-Down Requirements for Subcontractors 

The memo warns that CMMC Level 3 requirements should not be unnecessarily flowed down to all subcontractors, as this could impose undue financial and administrative burdens. Program Managers must ensure only essential subcontractors handling mission-critical CUI are subject to Level 3 requirements. 

New CMMC Waiver Process

The memo establishes a waiver process, allowing SAE/CAE officials to waive CMMC certification under specific conditions. Waivers do not remove cybersecurity compliance obligations but offer flexibility in cases where certification requirements could limit competition.

Waiver Guidelines:

CMMC waivers may be granted on a case-by-case basis by SAE/CAE officials

All cybersecurity requirements remain in effect, regardless of whether a waiver is granted.

According to the memo, “There are no circumstances likely to warrant approval of requests to waive CMMC Level 1 requirements.”

The memo confirms that some “…CMMC Level 2 third-party assessment requirements may be waived under certain conditions,” but “there are no circumstances likely to warrant approval of requests to waive CMMC Level 2 self-assessment requirements.”

Waivers for Level 3 contractors will be highly limited due to their handling of mission-critical CUI.

Identified Compliance Challenges

While the DoD memo provides clarity on CMMC requirements, additional challenges arise when managing information such as Export-Controlled Information (EXPT), which is regulated under separate frameworks like the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). Unlike Controlled Technical Information (CTI), which directly triggers CMMC Level 2 requirements under DoD contracts, EXPT is a broader category of Controlled Unclassified Information (CUI) that applies across multiple federal agencies, including the Departments of Commerce and State. As a result, contractors handling EXPT may face cybersecurity requirements that extend beyond DoD mandates and into multi-agency oversight (DoD, Export Solutions).

Key Challenges

Export Controlled (EXPT) information is classified as Controlled Unclassified Information (CUI) under the National Archives' CUI Registry. This classification encompasses unclassified technical data, software, or other items subject to export restrictions under the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) (National Archives, DoD)

While EXPT itself is not categorized as Controlled Technical Information (CTI), there are instances where the same dataset may be classified as both EXPT and CTI (National Archives, National Archives). In such cases, contractors may be required to comply with multiple regulatory frameworks, including DFARS 252.204-7012 and export control laws.

The presence of EXPT in a Department of Defense (DoD) contract does not automatically trigger CMMC certification requirements. However, if a contract involves both EXPT and CTI, the contractor may be required to undergo a full CMMC Level 2 assessment due to the handling of CTI. Additionally, in cases where a non-DoD agency is involved, equivalent cybersecurity measures may be required even if the DoD does not impose them directly.

Since ITAR and EAR compliance imposes security requirements beyond those outlined in NIST SP 800-171, organizations must implement a dual compliance strategy. Contractors should assess regulatory obligations across all awarding agencies to ensure alignment with both DoD and export control cybersecurity requirements.

In this sense, understanding the interplay between CMMC, DFARS, and export control regulations is critical for organizations handling sensitive government data. The presence of EXPT can introduce additional layers of compliance, even when CMMC is not explicitly required by DoD. Contractors must evaluate regulatory obligations beyond DoD contracts, ensuring that cybersecurity measures align with both defense and non-defense federal agency requirements.

Atlantic Digital’s (ADI’s) Strategy and Compliance Solutions

Atlantic Digital offers a strategic approach to navigating CMMC compliance, ensuring organizations meet the necessary standards while addressing challenges posed by complex regulatory frameworks. ADI’s team helps contractors determine their certification requirements, implement necessary safeguards, and provide solutions to comply with both DoD mandates and broader federal regulations. Through comprehensive risk assessments, ongoing education, and specialized support, ADI ensures that clients can confidently meet their compliance obligations, optimize their security measures, and remain competitive in the defense sector.

How ADI Helps Clients Achieve Compliance:

ADI assists clients in aligning multiple frameworks, offering contract-based certification guidance, and determining whether CMMC certification is required based on contract requirements from DoD and other federal agencies.

ADI advises clients on separating CUI from other sensitive data to avoid excessive security obligations on subcontractors, in accordance with DoD recommendations.

ADI works with clients to educate subcontractors on their cybersecurity responsibilities to enhance compliance and reduce risks.

ADI stays updated on changes to DFARS, CMMC methodologies, and regulatory guidance, ensuring clients remain compliant with strict cybersecurity requirements.

Conclusion

The evolving cybersecurity landscape demands that contractors remain agile and informed. The latest DoD CMMC implementation memo provides clarity on assessment levels, waivers, and subcontractor requirements. However, challenges remain for organizations handling information regulated under separate frameworks, requiring a strategic approach to compliance. Atlantic Digital empowers clients to meet these challenges by offering expert guidance on aligning multiple cybersecurity frameworks, minimizing unnecessary security obligations, and ensuring compliance with both DoD and other regulations.

ADI's comprehensive solutions ensure that clients can navigate the complexities of CMMC compliance, mitigate risks, and achieve robust cybersecurity resilience. For expert CMMC strategy and compliance solutions, contact ADI today to ensure your business remains secure and competitive in the evolving defense sector.

The Limits and Realities of Cyber Insurance

Cyber attacks now cost organizations $4.88 millions per breach on average (IBM). This stark reality underscores the importance of cyber insurance as a critical tool for financial and operational risk mitigation. However, the complexities and limitations inherent in these policies create significant challenges for businesses. To navigate these drawbacks effectively, organizations must understand the evolving threat landscape, policy limitations, claims management hurdles, and cost considerations.

Evolving Threat Landscape

The sophistication and scale of cyber threats have reshaped the insurance industry, leading to increasingly restrictive coverage and higher barriers to policy access. These developments demand that businesses critically evaluate emerging risks and align their risk management strategies accordingly.

Ransomware Attack Patterns
Ransomware remains one of the most pressing threats in 2024, evolving from basic encryption tactics to advanced strategies that cause significant financial and operational disruption. For instance, the average ransomware demand reached $5.2 million per incident in the first half of 2024 (Infosecurity Magazine), and LockBit, one of the most notorious ransomware groups, claimed at least 428 victims alone (Flashpoint). High-profile targets include critical sectors such as political systems, healthcare, manufacturing, financial services, and infrastructure (ADI). The mounting frequency and severity of these attacks underscore the importance of cyber insurance while simultaneously making comprehensive coverage increasingly elusive.

At the same time, nation-state-sponsored cyber activities present unique risks. Nation-state actors accounted for 45% of all cyberattacks targeting government institutions in 2024 (Cyble). These actors often infiltrate critical infrastructure systems undetected, launching attacks at strategically chosen moments (State Scoop). Marked by persistent threats and AI-driven disinformation campaigns, these operations are frequently excluded from standard cyber insurance policies, leaving affected organizations vulnerable to substantial financial and operational risks.

Other Attack Vectors
The risk landscape continues to shift beyond ransomware and nation-state threats. IoT malware attacks, for example, have surged by 400% (Infosecurity Magazine). Abuse of valid credentials remain a critical vulnerability, accounting for 44.7% of data breaches in 2023 (Deloitte), while infostealer attacks compromised over 53 million credentials in the first half of 2024 (Flashpoint). AI-powered cyber attacks further exacerbate these issues by enabling automated hacking and sophisticated phishing campaigns at scale (Crowdstrike, CSO) Notably, manufacturing has emerged as the most targeted industry in this evolving threat landscape (WEF). Together, these trends highlight the importance of adopting holistic security practices alongside cyber insurance.

Policy Coverage Limitations and exclusions

As cyber risks evolve, insurance providers have responded by tightening policy terms, which significantly impacts businesses' ability to transfer risk effectively. Stricter qualification requirements, such as multi-factor authentication, patch management, employee security trainings, among others (ADI, Netwrix, Trend), in addition to exclusions for critical infrastructure, business interruption gaps, and limitations on third-party liability coverage create challenges that organizations must carefully navigate.

Critical Infrastructure Exclusions
One significant limitation involves exclusions related to failures in critical infrastructure. Policies increasingly exclude losses stemming from disruptions to essential services, such as electricity, water, gas, satellite, and telecommunications. This exclusion reflects insurers' concerns about the systemic nature of these failures, which can cause widespread, catastrophic losses beyond the financial capacity of individual insurers to absorb. This shift reflects insurers' limited capacity to manage systemic catastrophic losses, leaving critical industries particularly exposed (ABI, Munich RE, Gallagher).

Business Interruption Gaps
Business interruption coverage presents another significant limitation. Policies can include waiting periods before activation, narrowly define covered events, and may require complete business shutdowns to trigger coverage. Contingent business interruption, which protects against service provider failures, is not universally included in cyber insurance policies, leaving businesses vulnerable to operational disruptions. (SCS Agency, Corvus, Insurance Advisor).

Third-Party Liability Issues
Third-party liability coverage also features notable restrictions. Policies may exclude claims from employees, contractors, or partially owned subsidiaries and often cap coverage for regulatory investigations, lawsuits, and settlements. These exclusions require careful evaluation (Intelice, SCS Agency, ABI, Gallagher).

Claims Management Challenges

Even when coverage is in place, navigating the claims process presents its own set of obstacles. Businesses must adhere to strict reporting timelines, documentation standards, and recovery requirements to avoid delays or denials.

Response Time Requirements
Timely reporting is critical to avoid claim denial. Most insurers require notification of incidents within 60 days of an event (Lawyers Mutual, NACHC)). Quick coordination with approved vendors and stakeholders is also essential to meet policy deadlines.

Documentation Demands
Insurers now require rigorous documentation for claims, including detailed incident response logs, system restoration costs, business interruption calculations, third-party vendor expenses, and evidence of pre-incident security measures. Formal proof of loss submissions are typically required within 90 days (WTW), Failure to meet these demanding standards can result in denied claims or delayed payouts.

Recovery Process Complexities
The recovery process itself is not without challenges. Insurers frequently mandate the use of pre-approved vendors, limiting flexibility. Moreover, policies generally only cover system restoration to pre-incident states, leaving businesses responsible for any improvements. This meticulous cost-tracking adds to the administrative burden during post-incident recovery (Marsh).

Cost-Benefit Considerations

As the U.S. cyber insurance market dominates 59% of the $16.66 billion in global premiums (NAIC), businesses must weigh the costs and benefits of coverage carefully.

Premium vs Coverage Analysis
U.S. insurers reported $7.25 billion in direct written premiums in 2024 (NAIC). Premiums vary based on company size, industry risk, security measures, and claims history. Small businesses, for example, pay an average of $145 per month (Insureon), while larger organizations face significantly higher premiums.

Deductible Structure Impact
Deductibles also play a crucial role in shaping the cost-benefit analysis of cyber insurance. With average deductibles around $2,500 (Insureon), companies may adjust their self-insured retentions (SIRs) to manage premium expenses (Johnson and Bell, Lowenstein Sandler).

Return on Insurance Investment
When evaluating the return on investment (ROI) for cyber insurance, businesses must consider factors such as reputation protection, regulatory compliance support, crisis management assistance, and legal liability coverage Improved loss ratios reported by insurers—dropping from 66.4% in 2021 to 44.6% in 2022—reflect better risk management and policy terms (NAIC).

Future Market Predictions
The global cyber insurance market is projected to grow from $14 billion in 2023 to $23 billion by 2026 (Insurance Business Magazine). This growth underscores the increasing costs of premiums and evolving coverage requirements discussed earlier, as insurers adapt to the rising frequency and severity of cyber incidents. This growth will be driven by technological advancements, emerging threats, and enhanced risk assessment tools. AI, in particular, is reshaping risk modeling, claims processing, and incident monitoring. However, human expertise remains critical to bridging existing coverage gaps and ensuring comprehensive protection (Insurance Thought Leadership, ABA, Munich RE).

Conclusion

While cyber insurance provides a vital safety net for businesses facing financial and operational risks, its limitations—from restrictive policies to complex claims processes—pose significant challenges. As the market continues to grow, organizations must adopt proactive risk management strategies, meet stringent insurer requirements, and address coverage gaps. Ultimately, cyber insurance should complement, not replace, robust cybersecurity practices. By aligning insurance coverage with comprehensive security measures, businesses can enhance resilience in an increasingly hostile digital landscape.

What Defense Contractors Must Know Now

What Changed

CMMC Level 2 Requirements

DLA RD004 and RD005 Requirements

Practical Implications for Defense Contractors

Secure. Comply. Excel.

Next Steps

Sources

Appendix 1

Executive Summary

What the DoD CMMC FAQ Says About Hard Copy CUI

Business Processes Implications

Risk and Practicality: Atlantic Digital’s Perspective

Atlantic Digital Guidance to Contractors

Important Note

Conclusion

From Manual Strain to Strategic Enablement

IntelliGRC as the Foundation of Sustainable CMMC Compliance

When and Why Organizations Transition from Manual Tracking to GRC

Atlantic Digital and IntelliGRC: A Partnership Model for Sustainable CMMC Readiness

Conclusion

About IntelliGRC

A ridiculous, low-budget caper (2025 edition)

“Legendary security,” back when the Louvre learned the hard way

Why “legendary” turns into “lax” (and how that maps to your org)

The cyber mirror: how thieves become threat actors

Compliance isn’t glamorous, but it works

Okay, but… is your cyber safer than the Louvre?

When Self-Assessment Is Allowed, and When Third-Party Assessment Is Required

Understanding SPRS and the Assessment Process

Operational Challenges in Accurate SPRS Scoring

Legal and Operational Risks of Inaccurate SPRS Reporting

Impact of expired or missing SPRS entries on contract eligibility

Best Practices to Improve CMMC Self-Assessment Accuracy

Conclusion

Rationale for SA-24 Introduction

Strategic Significance for DiB Organizations

Technical Implementation Considerations

Who Should Be Paying Attention

Conclusion

Introduction

Assessment Success

Step 1: Choose GCC vs GCC High

Step 2: Pick Your License Model

Cost Scenarios

The Risk of Mixing Licenses

Step 3: Build a Role-Based Licensing Strategy

Implementation and Future-Proofing

Conclusion

Introduction

The Art of Digital Sleight of Hand

Technical Mechanics

The Damage Potential

On Malicious Websites

On Legitimate but Compromised Websites

Affected Password Managers

Mitigation Strategies for Users

The Balancing Act

Conclusion

Introduction

Understanding the Latest DoD Memo on CMMC

Identified Compliance Challenges

Atlantic Digital’s (ADI’s) Strategy and Compliance Solutions

Conclusion

Evolving Threat Landscape

Policy Coverage Limitations and exclusions

Claims Management Challenges

Cost-Benefit Considerations

Conclusion

Step 1: Choose GCC vs GCC High