Reference guides built the way we build risk intelligence: concrete numbers, sourced claims, and honest ranges. No gated PDFs.
It’s the start of Phase 2 — not a universal cliff. How the phased rollout actually works, what applies to your contracts, and why the C3PAO queue is the deadline nobody budgets for.
Six to twelve months is the honest baseline — built from seven stages with very different dynamics. Stage-by-stage durations, what drives them, and where the timeline compresses.
First cycles run $75K–$300K, and the assessment fee is only 20–30% of it. The full line-item stack with 2026 market ranges, why budgets miss, and the three decisions that move the total.
Level 2 is NIST SP 800-171 Rev 2’s 110 requirements, verbatim — the family-level map, why Rev 3 is NOT the CMMC baseline yet, and the case for evidence that maps itself across 34 frameworks.
How a sub-50-person federal technology company finished the documentation workstream that takes most contractors weeks to months — with a human approving every evidence-to-control link.
The most-cited deficiency in OCR enforcement — what “accurate and thorough” means, the 2026 expansion into risk management, and the documentation chain that survives an investigation.
One is a law with no certificate; the other is the certificate health systems demand. How they relate, the e1/i1/r2 tiers, and how to stop collecting the same evidence twice.
An attestation report versus a certificate, a US default versus an international one — and an 80% overlap that makes either/or the wrong frame.
SIG, CAIQ, or the customer’s own 400-row spreadsheet. The response strategies ranked — from artisanal suffering to evidence that maps itself.
Dual-signature certification, Class A audits, the 24-hour ransom payment notice — what 23 NYCRR 500 demands now that the phased deadlines are done.
You won’t hear from an EU regulator — you’ll get a redlined contract. How DORA reaches US providers and what it asks for, recurringly.
Zones, conduits, Security Levels 1–4, and seven foundational requirements — the industrial security standard decoded into the four ideas that do the work.
The seven control gates, the attestation gap that voids claims, and the limits question almost nobody quantifies before signing.
Every enterprise has a minimum viable security posture. The essay that defines how much security is enough — and how to find your line.
These guides give you the industry ranges. PRISM and Foundations give you your numbers: risk in dollars, compliance status by control, investment optimized to your reality.