Resources
You have pressing compliance questions…we have answers. So you can build faster and get back to shipping. Check out the resources below.
Official compliance resources
CMMC Resources & Documentation (website) from U.S. Department of Defense. The DoD’s official CMMC hub, with Level 1–3 scoping and assessment guides. If you’re new, start with the CMMC 101 Brief.
DoD Cloud Computing Impact Levels (IL) from the DoD Cyber Exchange. Check out the Cloud Computing Security Requirements Guide (SRG).
Handling DoD data in the cloud? Start here for an overview to become familiar with IL (“impact levels”) 2, 4, 5, and 6.
FedRAMP (website). The official GSA site for the federal cloud security program. Check out the FedRAMP 20x pilot program, which aims to speed up authorization.
NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations from the National Institute of Standards & Technology. The catalog of security and privacy controls for federal systems. NIST 800-171 is a subset of these controls. Bonus: helpful Excel spreadsheets!
NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations from the National Institute of Standards & Technology. Security requirements to protect CUI. Note: CMMC currently references Rev. 2 (and will eventually align with Rev. 3). See also SP 800-171A.
NIST SP 800-171A Rev. 2, Assessing Security Requirements for Controlled Unclassified Information from the National Institute of Standards & Technology. Assessment guide for CUI security requirements from NIST SP 800-171 Rev. 2.
NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 from the National Institute of Standards & Technology. CMMC Level 3 has enhanced requirements (in addition to those in NIST SP 800-171).
NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information from the National Institute of Standards & Technology. Assessment guide for enhanced security requirements from NIST 800-172.
Data-centric security
Why Implement Zero Trust (video) from IBM Technology. A crisp, analogy-filled explainer of core zero trust principles.
A look at the DoD's Zero Trust Strategy (article) from Resilient Cyber. Brand new to the DoD’s Zero Trust approach? Read this overview first. Published when DoD’s Zero Trust Strategy was first announced, but largely still relevant.
Exclusive: U.S. Navy Cyber Warfare Engineer interviews VIA’s CEO to dive into blockchain’s role in advancing cybersecurity (article) from VIA. A breakdown of Web3’s role in DoD cybersecurity (hint: decentralization and minimizing the data shared are key).
Zero knowledge proofs: Computer Scientist Explains One Concept in 5 Levels of Difficulty (video) from WIRED. Zero-knowledge proofs are like saying you know or did something and everyone actually believes you—no extra details revealed. This video explains them with simple, fun examples.
Next Generation Internet: Data Centric Access Control (article) from VIA. Real-world example of data-centric security put into action.
Implementing a Zero Trust Architecture: High-Level Document (PDF) from National Institute of Standards & Technology. Guidelines for implementing zero trust architecture (ZTA), but the best part is the use cases.
DoD Zero Trust Strategy (PDF) from U.S. Department of Defense. Read this overview for vision, pillars, and objectives; for specifics, go straight to the “DoD Zero Trust Capabilities & Activities Matrix.”
DoD Zero Trust Capabilities & Activities Matrix (PDF) from U.S. Department of Defense. Long, but the helpful spreadsheet format connects zero-trust concepts to controls and desired outcomes.
NIST Cybersecurity Framework Reference Tool (website) from National Institute of Standards & Technology. User-friendly NIST CSF 2.0: expand/collapse functions with implementation examples.
Metrics that matter to the DoD
PEO Digital: World Class Alignment Metrics (PDF) from U.S. Department of the Navy. Partnering with the U.S. Navy is outcome-driven—prioritize these metrics.
Secure emerging tech
It’s finally time to talk about vibe coding and security (video) from Latio Tech. Start here (for now) to grasp MCP and vibe-coding security in this fast-moving field. The best part: the video shows, not just tells.
OWASP GenAI Security Project (website) from OWASP. Every engineer needs this bookmarked: ever-updating cheat sheets on GenAI security risks—and how to address them.
Balance security & speed
Navigating Defense Innovation: Collaborative Piloting w/ US Navy & Startups (video) from Hatchpad. Spotlights opportunities to work with the Department of the Navy (from pilots to scale) and how the best partnerships accelerate mission outcomes.