A CEO’s Guide to CMMC: Why Your Name Is on the Line

If you lead a company that does business with the Pentagon, there’s a good chance someone on your IT team has mentioned CMMC to you. You may not know exactly what the acronym stands for, but you need to, because under the Cybersecurity Maturity Model Certification program, your name is now attached to your company’s cybersecurity compliance. You are personally accountable.

CMMC has been years in the making, but the program is now entering active implementation after Phase 1 began Nov. 10, 2025. Solicitations are already including CMMC requirements as conditions of contract award. Phase 2 begins Nov. 10, 2026, expanding the scope further. If your company handles controlled unclassified information (CUI) for the Pentagon, or will in the foreseeable future — and the vast majority of defense contractors and subcontractors do — this applies to you.

Here’s what you need to know.

Your signature, your responsibility

Under the CMMC final rule, a senior executive — the “affirming official” — must personally certify that the organization has implemented and will maintain all applicable cybersecurity requirements. That affirmation is entered into a federal database and is tied to your name, your title, and your contact information.

This is a significant departure from prior practice. For years, defense contractors could submit compliance scores into federal systems with no individual accountability. An IT director or compliance analyst could handle the paperwork, and leadership could plausibly claim ignorance of any gaps. That era is over. CMMC requires a senior leader to sign off, and that signature carries legal weight.

The government wants a named individual standing behind the compliance status of every organization in the defense supply chain. If you’re a CEO, CIO, or CISO, this is likely going to be you.

Compliance doesn’t end at certification

Many executives assume that once a company achieves CMMC certification, the work is done. That assumption is wrong.

CMMC requires the affirming official to reaffirm compliance on an ongoing basis, including annual affirmations for Level 2. Third-party certification assessments happen every three years, but your organization must maintain all required security controls continuously between those assessments. If controls lapse, your affirmation is no longer accurate — and you’re the one who signed it.

This means cybersecurity must operate as an ongoing business function, with dedicated resources, regular internal reviews, and executive oversight. It’s the cost of doing business with the Pentagon, and it demands the same level of attention as financial reporting or regulatory compliance in any other domain — because national security and contract eligibility are on the line.

Get it right before you sign

The CMMC affirming official is confirming that security controls are operational — not that a plan exists to implement them someday. Plans of action and milestones (POAMs) alone do not satisfy the requirement. Controls must be in place, documented, and functioning before an executive puts their name on an affirmation reflecting a 110/110 Level 2 assessment outcome, subject to any permitted POAMs.

Many contractors have historically self-reported compliance scores that didn’t reflect reality. According to Merrill Research, only 1% of the defense industrial base believes it is completely ready for CMMC. Some companies entered perfect scores into federal databases, knowing there was no mechanism to verify them. Under CMMC, independent validation is increasingly becoming the norm.

The legal consequences are real

Signing a CMMC affirmation that doesn’t reflect your organization’s actual security posture exposes you to liability under the False Claims Act. The Department of Justice’s Civil Cyber-Fraud Initiative has made this a priority enforcement area, and the results speak for themselves: DOJ recovered more than $52 million across nine cybersecurity-related FCA settlements in fiscal year 2025 alone, more than tripling recoveries from the prior year.

The cases are getting bigger and more varied. In 2025, Raytheon and related companies paid $8.4 million for failing to implement a required system security plan. MORSECORP Inc. paid $4.6 million after the government discovered it had reported a positive cybersecurity score when its actual score was negative 142. In December 2025, the DOJ brought its first enforcement action against a subcontractor in the defense supply chain, when a machining company in Illinois paid more than $421,000.

This pattern started years ago. In 2022, Aerojet Rocketdyne agreed to pay $9 million to settle False Claims Act allegations that it misrepresented its cybersecurity compliance in federal contracts. The case was filed by Brian Markus, the company’s former CISO, under the whistleblower provisions of the FCA.

“It’s everyone’s role as a defense contractor to protect the information that the government is entrusting you with,” Markus said at CyberSheath’s virtual event CMMC CON in 2021. “If you’re a small (contractor), it actually in some cases is more important and more critical because the smalls tend to have less security, and the threat actors have been picking them off one by one. The nation-state attackers are able to see what the government is ordering, how many, when they’re ordering them, so they can get an understanding of what we’re doing as a nation and how we’re doing it.”

If you know your company has gaps and you sign anyway, you’re exposed. If you sign without verifying and gaps exist, you may be exposed for reckless disregard.

Where to start

CyberSheath works with defense contractors across the supply chain to assess their current cybersecurity posture, implement the controls required for CMMC certification, and maintain compliance through ongoing managed services. If CMMC is new to you, or if you’re unsure where your organization stands, reach out to our team to understand your obligations and close gaps before your name goes on an affirmation.