The rules changed in February 2026, and most small defense contractors are still catching up. On February 1st, the self-attestation pathway that let contractors check a box and move on was eliminated. What replaced it is a compliance environment that is more exacting, more legally exposed, and more consequential than anything the defense industrial base has faced in a generation.
The book coming out this Memorial Day is the one that didn’t exist when it was needed most. Not an academic treatment of the standards — those exist, and they’re thorough, and almost no one in the field reads them cover to cover. This is a practitioner’s guide: the kind of book that answers the questions a 150-person defense manufacturer’s IT director is actually asking at 10 PM the week before their C3PAO shows up.
Three regulatory events compressed into a 90-day window in late 2025 and early 2026 reset the compliance clock for everyone in the defense supply chain. The CMMC Final Rule took effect in December 2024. The acquisition rule followed in September 2025, with Phase 1 enforcement beginning November 10th. Then February 1st eliminated DFARS 252.204-7019 — the self-attestation provision that had given contractors a soft landing for years. What replaced it is a framework where a senior official in your organization is making a personal legal attestation of compliance under the False Claims Act. As of FY2025, the Department of Justice had recovered $52 million in cybersecurity-related FCA settlements, a figure that more than tripled in consecutive years. That is not a regulatory nuisance. That is personal liability.
Phase 2 enforcement begins November 10, 2026, which leaves the defense industrial base fewer than twelve months to close the gap. For companies still operating on the assumption that their cloud provider’s FedRAMP authorization covers their obligations — it doesn’t — that gap is wider than they think.
Controlled Unclassified Information: How to Ensure Regulatory Compliance — A Practitioner’s Guide for CMMC, NIST 800-171 and the New Federal Cybersecurity Requirements runs seventeen chapters and roughly 60,000 words, organized the way an actual compliance engagement unfolds. The evidence chapters alone — covering what “adequate and sufficient” actually means, how to build a defensible evidence repository, and how to write SSP implementation statements that survive C3PAO scrutiny — are built around the patterns that succeed and fail in real assessments, with side-by-side examples practitioners can use immediately.
The most persistent problem small contractors face is sticker shock followed by the wrong decision. The single most effective cost-reduction strategy available isn’t a grant or a financing arrangement — it’s scoping the CUI environment down to a minimal, auditable enclave before building anything. A properly scoped enclave, combined with RF1’s managed services offerings, can bring a compliance project that would otherwise be ruinously expensive down to under $1000 per month. Federal and state funding programs can offset costs further: APEX Accelerators provide free counseling at 95 centers nationally, and several states, including Connecticut, Michigan, and Maryland, have active grant programs specifically for defense contractors pursuing CMMC certification. The full directory is at responseforce1.com.
If you’re the IT director, CISO, compliance officer, or owner of a small- to medium-sized defense contractor, this book was written for you. Every recommendation passes the Monday morning test: can someone act on this with the resources they actually have, starting Monday?
The book will be available through Amazon KDP in print and digital formats at or before Memorial Day 2026. Phase 2 enforcement arrives in November. The organizations that treat the next six months as a runway rather than a deadline are the ones that will arrive at certification with time to spare.
Edward E. Minyard is Chief Compliance Officer of ResponseForce1 LLC (CMMC Level 2 Certified MSSP).
