CONTROLLED UNCLASSIFIED INFORMATION: How to Ensure Regulatory Compliance: A Practitioner's Guide for CMMC, NIST 800-171 and the New Federal

$19.95
by Edward Minyard

On February 1, 2026, the rules changed. Self-attestation for CMMC compliance is more strict. DFARS 252.204-7019 is gone. CMMC Phase 1 enforcement has begun, the GSA framework is live, and the proposed FAR CUI Rule will extend cybersecurity requirements to every federal agency. If you hold a federal contract — or want one — the cost of getting compliance wrong is no longer a finding on a report. It is the contract itself.

This is the practitioner's field manual for navigating that new reality. Edward Minyard has spent over four decades guiding organizations through crisis and compliance, from Fortune 10 boardrooms to post-Katrina New Orleans to the defense contractors he advises today. As Chief Compliance Officer of a CMMC Level 2 certified MSSP, he sits across the table from C3PAO assessors and watches what passes and what fails. He wrote this book for the CISOs, IT directors, and contractor executives who do not have a roadmap — and cannot afford to guess.

Inside, you will find:

- The three regulatory shifts that redefined federal compliance in 90 days, explained without legal jargon
- A walkthrough of CMMC Levels 1, 2, and 3 — including the 88-point conditional threshold, the 47 POA&M-eligible controls, and the 180-day closure rule
- How to scope your environment and build a defensible authorization boundary that does not balloon your compliance burden
- The evidence standards C3PAO assessors actually apply — and the seven evidence failures that sink most assessments
- Sample SSP implementation statements showing exactly what passes and what gets flagged
- An evidence crosswalk methodology with a working template you can adapt
- Cloud reality: GCC High shared responsibility, FedRAMP equivalency, and the gap between marketing claims and assessment evidence
- Incident response when CUI is in scope — including the one-hour and 72-hour reporting clocks and what each requires
- A complete glossary of CMMC, NIST 800-171, and federal cybersecurity terminology

Who this book is for:

- Owners and executives at small and mid-size defense contractors.
- CISOs and IT directors who inherited CMMC and need to make sense of it.
- Compliance officers preparing for Phase 2 enforcement in November 2026.
- Consultants and Registered Practitioners building advisory practices in this space.
- Anyone whose business depends on continuing to do work for the Department of War.

This is not a restatement of NIST publications or the CMMC rule. The publications are free; you can read them yourself. This book is what the publications do not tell you — written by someone who has walked the floor, prepared the evidence, sat through the assessments, and helped contractors win and keep federal contracts.

The clock is running. Phase 2 begins November 2026.

About the author: Edward Minyard, CBCP, CISM, CCP(pending), CMMC-RP, CHTI, is Chief Information Security and Compliance Officer of ResponseForce1 LLC, a CMMC Level 2 certified MSSP, and a former Partner at Accenture and Unisys. He has led organizations through crises ranging from Hurricane Katrina to COVID. He volunteers as Emergency Management Director for the Town of Bartlett, NH, and is the author of six previous books, including the cybersecurity thriller Gridfall: The Long Dark.

Foreword by Robert J. Teague, Lead CCA, Vice President of Federal Consulting at Redspin
