
CMMC’s Real Stress Test: Your Weakest Supplier Isn’t Ready and That’s Everyone’s Problem

by: Michael Brooks 22 May 2026 5 mins

CMMC

Every prime contractor tells us the same thing: “We’re ready for CMMC. Our suppliers, not so much.” 

We hear it in readiness reviews, right before solicitations drop, and when programs are already at risk. 

That statement is where CMMC reveals its real purpose. Not as a compliance framework or an assessment event, but as a stress test of supply chain leadership, risk visibility, and accountability across the defense industrial base (DIB). 

CMMC does not pass or fail at the prime. It passes or fails at the weakest supplier that touches Controlled Unclassified Information (CUI). 

When a small supplier becomes a big problem 

The most common misconception we encounter is that supplier size equals supplier risk. Under CMMC, that assumption breaks quickly. 

Today, CMMC requirements are embedded directly in the Department of Defense (DoD) acquisition lifecycle before contract award, option exercise, or extension. When a subcontractor handling CUI cannot demonstrate the required certification level, the consequence is immediate and operational: 

  • A task order cannot be released 
  • An option year cannot be exercised 
  • A delivery milestone slips 
  • A mid‑program supplier replacement becomes unavoidable 

We routinely see single unready suppliers delay or disrupt multibillion dollar programs. Not because they represent large spend, but because they represent an irreplaceable flow of data, engineering, or sustainment capacity. 

Under CMMC, supplier readiness is no longer a downstream compliance concern. It is program execution risk.

Why the DoD is uncompromising: Cyber gaps become adversarial advantage 

CMMC exists because adversaries adapted faster than the defense supply chain did. They learned they did not need to breach primes. They only needed access to the supply chain layers where defenses were weaker and visibility was limited. 

In assessments and investigations, the pattern is consistent: poorly scoped environments, undefined CUI boundaries, and inherited controls assumed but never validated. 

These gaps expose capability development timelines, production constraints, sustainment vulnerabilities, and sensitive technical context years before deployment. 

That’s why the DoD tied CMMC directly to eligibility and not remediation promises. Cyber readiness, contract performance, and mission readiness are now inseparable. 

The readiness gap is real, even as certifications increase 

Certification momentum is building, but the scale of what remains is where the real challenge comes into focus. With an estimated 80,000 organizations ultimately requiring Level 2, and roughly 1,100–1,200 certified as of early 2026, tens of thousands of suppliers still have a long road ahead. 

What we see consistently as a C3PAO is that the central challenge is not willingness. Most organizations understand the stakes and are making genuine efforts. The challenge is assessment readiness. Suppliers arrive at formal assessments with gaps they did not know they had: CUI boundaries that were never fully defined, controls that were assumed inherited rather than validated, and remediation plans built around theoretical best practices rather than how their environment actually operates. 

The result is predictable. There is misalignment between how a supplier believes they are running their program and what an assessor finds when they look closely. That gap between operating reality and the chosen path to certification is what stalls organizations, not lack of intent. 

What assessment reality has taught us 

Having worked across hundreds of readiness efforts and formal assessments, we can state several truths clearly. 

There is no single path to CMMC Level 2. Suppliers differ materially in how and where CUI is handled, how their architecture and boundaries are designed, how cloud usage and shared responsibility are structured, and how mature their governance and leadership are. 

Attempts to apply generic, one-size-fits-all remediation plans consistently lead to over-engineering, missed scope, inflated POA&Ms, and delayed or failed assessments.  

The good news is that there are multiple proven pathways to certification. We know because we have seen it firsthand as a leading CMMC C3PAO. The organizations that progress faster choose pathways grounded in assessment‑validated patterns, not theoretical best practices. 

Why the Affirming Official is the most underutilized control in CMMC 

CMMC intentionally introduced a leadership accountability mechanism that did not exist before: the Affirming Official. This role is not symbolic. It is structural. 

In successful assessments, the Affirming Official is clearly designated early, actively engaged throughout readiness, empowered to make scope, funding, and risk decisions, and accountable for accuracy, not optimism. 

When this role is weak or undefined, we consistently see delayed readiness, unresolved scope disputes, documentation that does not reflect reality, and last-minute surprises during assessment. 

The Affirming Official is the control that aligns cybersecurity, operations, legal, and leadership into a single accountable outcome. 

CMMC was designed this way for a reason. When that role functions as intended, readiness accelerates not because controls are easier, but because decisions are clearer. 

How suppliers get unstuck  

Suppliers that move from stalled to assessment-ready do three things consistently: 

  1. They stop pursuing “perfect” and commit to “defensible.” 
    Assessments reward clarity, evidence, and repeatability. Not idealized architectures. 
  2. They align to a proven pathway matched to their environment. 
    Control inheritance, boundary decisions, and evidence strategies are selected intentionally. They are not assumed. 
  3. They engage primes and advisors as partners in risk, not enforcers of checklists. 
    Transparency improves, remediation focuses, and timelines compress. 

Readiness improves when suppliers are enabled to follow the right path for them, not forced down the wrong one. 

The leadership question CMMC forces forward 

CMMC ultimately asks leadership across primes, suppliers, and program offices one defining question: 

Will weak supplier readiness be allowed to delay programs and erode advantage, or will accountability be applied early enough to prevent it? 

The organizations succeeding are decisive. They empower Affirming Officials, segment supplier risk intelligently, and guide readiness using pathways proven through real assessments. 

They understand a hard truth: under CMMC, you don’t rise to the level of your policy, you fall to the level of your weakest supplier. 

Final word 

CMMC is not where cybersecurity becomes bureaucratic. It is where it becomes real: where trust becomes operationalized, supplier readiness determines program readiness, accountability replaces self-attestation, and leadership — not documentation — decides outcomes. 

The pathways to certification exist. We know them because we assess them, and we openly share what works because strengthening the defense supply chain cannot be done in isolation. CMMC’s real stress test is not the assessment. It’s whether leaders act before the chain breaks.  

Most organizations don’t fail on intent. They fail on preparation. Reach out today to find out where you stand.  

Why Technology is Now a Top Factor When Choosing an Audit Firm

by: A-LIGN 4 mins

A-SCEND, Efficient Audits

Selecting an audit firm has traditionally come down to cost, reputation, industry experience, and a track record with the relevant frameworks. Those criteria still matter, but buyer research shows that compliance teams are now weighing a new factor more heavily than before.  

According to A-LIGN’s market survey of 500 senior compliance, security, and governance leaders, audit technology is now the top factor among organizations evaluating audit firms, ranking above cost, brand, and auditor experience. 88% of organizations say technology improves audit quality, and 63% expect greater efficiency and speed from a tech-enabled audit. 

Understanding what’s driving that shift, and what technology-enabled actually means, gives compliance teams a more complete framework for evaluating their current or prospective audit partners. 

Why technology has moved to the top of the list 

Compliance programs have grown significantly in scope. Most organizations are no longer managing a single framework. Running SOC 2, ISO 27001, HITRUST, and FedRAMP simultaneously has become common, often with the same internal team responsible for all of them. Two-thirds of organizations now spend more than three months preparing for a single audit. 

The result is that the audit process itself has become a substantial operational burden. Teams resubmit the same evidence year after year for frameworks that share significant control overlap. Context and decisions from prior audit cycles don’t carry forward, so each new cycle starts from scratch. Gaps in evidence aren’t identified until fieldwork is already underway, creating delays and rework at the worst possible time. 

These inefficiencies aren’t inevitable. They’re largely a function of how audit firms are set up to operate, and buyers have started factoring that into their selection process. 

What technology-enabled actually means 

For buyers, the relevant question isn’t whether a firm uses technology. It’s whether that technology addresses the specific problems that make audits slow and resource-intensive. 

There are four areas where audit technology makes the most measurable difference: 

Evidence reuse across cycles and frameworks. 

Audit technology that preserves prior-year evidence and maps it forward means teams aren’t rebuilding the same submissions from scratch every year. The same logic applies across frameworks — SOC 2 and ISO 27001 share a substantial number of controls, and technology that can recognize that overlap and harmonize frameworks eliminates the duplicate work that would otherwise fall entirely on the client. 

Gap identification before fieldwork begins. 

When evidence gaps surface after fieldwork has started, the options for addressing them without disrupting the timeline are limited. Audit technology that evaluates evidence completeness before the engagement formally begins gives teams time to close those gaps while it’s still straightforward to do so. 

Real-time engagement visibility. 

Tracking audit progress through email threads and status meetings is a coordination tax that adds up quickly. A well-built platform should handle that automatically, giving both the client and auditor a live view of where every request stands without anyone having to ask.  

Auditor judgment stays in the process. 

Technology reduces manual burden on repetitive, rule-based work. It doesn’t replace the judgment required to scope an audit accurately, interpret ambiguous evidence, or identify issues that don’t surface through automated checks. The firms applying technology effectively are using it to reduce the manual burden on both sides, not to substitute for the auditors responsible for the quality of the final report.  

That distinction matters more than it might seem. 53% of compliance professionals have concerns about AI in audits, with accountability and transparency ranking highest. A firm that can clearly explain what its AI does, what auditors review before anything is acted on, and how clients retain control over the process is operating at a different standard than one that simply claims to use AI. 

Four questions to ask when evaluating an audit firm’s technology 

These questions uncover whether a firm’s technology actually solves the problems compliance teams often deal with. 

Does evidence carry forward between audit cycles? 

If your team re-uploads the same documentation every year, the platform isn’t addressing one of the most common sources of audit inefficiency. Ask directly: does prior-year evidence roll forward automatically, or does your team rebuild from scratch each cycle? 

Can the firm assess evidence readiness before fieldwork starts? 

A firm with mature audit technology should be able to evaluate how well your current evidence maps to audit requirements before the engagement formally begins. If they can’t surface gaps proactively, there’s no intelligence in the process — just a request list sent after kickoff. 

How does the platform handle multiple frameworks? 

For organizations running more than one framework, ask specifically how shared controls are managed. Evidence submitted for one framework should apply to another without manual mapping on the client’s side. If it doesn’t, the overlap savings that should flow to the client end up as manual work instead. 

How is AI used, and what oversight exists? 

Ask the firm to explain specifically what its AI does, what auditors review before anything is acted on, and whether clients can adjust or disable AI features. A clear, detailed answer indicates the firm has thought carefully about responsible implementation. A vague one suggests they haven’t. 

Applying sharper evaluation criteria

The data from A-LIGN’s survey reflects a shift that’s already underway among the most sophisticated compliance buyers. Technology has moved up the list in large part because buyers have experienced firsthand what a manual, fragmented audit process costs them in time and resources. 

Cost and experience remain relevant. But an audit firm that can’t demonstrate how its technology reduces the burden on your team, year over year, is leaving a meaningful gap in what it offers. 

A-LIGN built A-SCEND to address each of these areas directly. To see how it works, visit our A-SCEND page. 

AI Agents Are Running in Your Business. Here Is What Governing Them Actually Looks Like. 

by: Patrick Sullivan 15 May 2026 7 mins

AI Governance, ISO 42001

Most organizations deploying AI agents have thought carefully about what those agents are supposed to do. Fewer have thought carefully about what those agents are capable of doing. That gap is where governance risk lives. 

A working paper released in April 2026 by researchers affiliated with CEN/CENELEC JTC 21 put a specific conclusion on record: your regulatory obligations are determined not by what is inside an agent, but by what it does in deployment. An AI agent that summarizes internal meeting notes triggers a narrow set of transparency obligations. The same agent, given access to a hiring system, activates a completely different tier of EU AI Act requirements. The difference is not the agent’s architecture. It is the agent’s footprint. 

ISO 42001, the international standard for AI management systems, provides the right organizational framework for governing that footprint. The six disciplines below are where that framework meets practical business operation. 

Six governance disciplines for agentic AI 

These six disciplines are not aspirational. They are the minimum operational posture for an organization that is deploying AI agents and intends to govern them responsibly. ISO 42001 provides the management system framework that holds them together in an auditable, certifiable structure. 

Discipline 1: Know your agent’s footprint, not just its function 

Every AI agent has two profiles. The first is what it was designed to do. The second is what it can actually do: every system it can access, every action it can take, every person affected by those actions. Governing an agent means knowing both profiles and confirming they match. 

This is not a technical exercise. It is an accountability exercise. The same discipline you apply to documenting a vendor relationship or a new employee’s system access rights applies here. Before an agent is deployed, your organization should be able to produce a clear inventory: what external systems does it connect to, what can it read, what can it write, what can it send, and who does that affect? 

Business analogy: You would not onboard a new employee and give them a master key to every system in the building because their job description did not explicitly forbid it. An AI agent’s access should be documented with the same deliberateness you apply to employee onboarding. 

Governance question: Can your organization produce a complete access inventory for every deployed agent today? If not, that is your starting point. 

Discipline 2: Build fences, not rules 

There is a critical difference between telling an AI agent not to do something and technically preventing it from doing that thing. Instructions can be overridden, misinterpreted, or circumvented by an unusual input. Technical constraints cannot. 

For any action your agent is not authorized to take, it should lack the technical ability to take it, not merely the instruction. A customer service agent that is not authorized to issue refunds above a certain threshold should have that limit enforced by the system it connects to. A recruiting agent that is not authorized to reject applications should not have access to the rejection function at all. 

Business analogy: A rule telling an employee not to access the payroll system means very little if their computer has the login credentials. Removing the credentials is a different category of control entirely. 

Governance question: For every action your agents are not authorized to take, is that enforced by a technical constraint or an instruction? The answer determines your actual risk exposure. 
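The footprint inventory of Discipline 1 and the "fences, not rules" principle of Discipline 2 can be made concrete in code. The following is an added illustration, not A-LIGN's code or any product's API: the footprint table, the tool adapters and the refund ceiling are constructed sample data. Every agent action passes through a gateway that registers only the tools in the declared footprint, so a function such as `reject_application` that exists in the code base but is not granted is unreachable no matter what the agent is instructed to do, and a numeric ceiling is enforced by the gateway rather than by the prompt.

```python
"""Footprint inventory and a technically enforced tool gateway for an AI agent.

Added illustration, not A-LIGN's code. The footprint below is constructed
sample data and the tool functions are stand-ins for real system adapters.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class ToolGrant:
    system: str                          # external system the tool reaches
    action: str                          # "read", "write" or "send"
    affects: str                         # who is affected when the tool is used
    max_amount: Optional[float] = None   # numeric ceiling enforced here, not in the prompt


# Discipline 1: the footprint is declared before deployment. Anything absent
# from this table is something the agent cannot do, whatever its instructions say.
CUSTOMER_SERVICE_FOOTPRINT: Dict[str, ToolGrant] = {
    "lookup_order": ToolGrant("order_db", "read", "customers"),
    "issue_refund": ToolGrant("payments", "write", "customers", max_amount=100.0),
    "send_email": ToolGrant("mail_gateway", "send", "customers"),
}


class PolicyViolation(Exception):
    """Raised when an agent attempts an action outside its footprint."""


class ToolGateway:
    """All agent actions pass through here; ungranted tools are never registered."""

    def __init__(self, footprint: Dict[str, ToolGrant], implementations: Dict[str, Callable]):
        self._footprint = footprint
        # Discipline 2: register only granted tools. reject_application exists in
        # the code below but is not in the footprint, so the agent cannot reach it.
        self._tools = {name: implementations[name] for name in footprint}
        self.audit_log = []

    def call(self, tool_name: str, **kwargs):
        if tool_name not in self._tools:
            self.audit_log.append(("denied", tool_name, "not in footprint"))
            raise PolicyViolation(f"{tool_name} is outside the agent's footprint")
        grant = self._footprint[tool_name]
        amount = kwargs.get("amount")
        if grant.max_amount is not None and amount is not None and amount > grant.max_amount:
            self.audit_log.append(("denied", tool_name, "exceeds ceiling"))
            raise PolicyViolation(f"{tool_name}: {amount} exceeds ceiling {grant.max_amount}")
        result = self._tools[tool_name](**kwargs)
        self.audit_log.append(("allowed", tool_name, grant.system))
        return result

    def inventory(self):
        """The access inventory a governance review asks for: tool, system, action, affected."""
        return sorted((n, g.system, g.action, g.affects) for n, g in self._footprint.items())


# Stand-in adapters (constructed). reject_application is deliberately NOT granted.
def lookup_order(order_id: str):
    return {"order_id": order_id, "total": 80.0}


def issue_refund(order_id: str, amount: float):
    return {"order_id": order_id, "refunded": amount}


def send_email(to: str, body: str):
    return {"to": to, "sent": True}


def reject_application(applicant_id: str):
    return {"applicant_id": applicant_id, "rejected": True}


IMPLEMENTATIONS = {
    "lookup_order": lookup_order,
    "issue_refund": issue_refund,
    "send_email": send_email,
    "reject_application": reject_application,
}


def build_gateway() -> ToolGateway:
    return ToolGateway(CUSTOMER_SERVICE_FOOTPRINT, IMPLEMENTATIONS)


def attempt(gateway: ToolGateway, tool_name: str, **kwargs):
    """Run one agent action and report whether the fence held, without raising."""
    try:
        return "allowed", gateway.call(tool_name, **kwargs)
    except PolicyViolation as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    gw = build_gateway()
    for row in gw.inventory():
        print(row)
    print(attempt(gw, "issue_refund", order_id="A1", amount=40.0))
    print(attempt(gw, "issue_refund", order_id="A1", amount=250.0))
    print(attempt(gw, "reject_application", applicant_id="C7"))
```

The audit log records denied attempts as well as allowed actions, which is what lets a reviewer see where the agent's instructions and its footprint disagreed.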

Discipline 3: Treat agent updates like product launches, not software patches 

AI agents change: new tools get added, new data sources get connected, and the underlying model gets updated. Each of these changes can alter the agent’s regulatory profile, its risk tier, and the controls required to manage it responsibly. Without a deliberate process for classifying those changes, capability growth accumulates without oversight.

The governance discipline here is a pre-agreed classification system. Some changes are minor, like a wording update that does not affect what the agent can do. Some changes are material, like adding a new external system the agent can act on, or connecting to a new data source it did not previously access. Material changes require fresh review before deployment. The business value is the ability to demonstrate, at any audit or enforcement inquiry, that governance kept pace with deployment. 

Business analogy: When a software team updates a customer-facing application, it goes through testing and sign-off before it is released. An agent update that expands what that agent can do deserves the same discipline as any other change that affects customers or business processes. 

Governance question: Who in your organization decides whether an agent update requires a governance review? If there is no clear answer, that is a gap. 

Discipline 4: Give your agents a performance review 

Every employee is measured against expected performance. An AI agent should be no different. The question is not whether to monitor agents. It is whether your organization has defined what normal looks like, so departures from it are visible. 

This starts with a baseline. How often does the agent act? What kinds of actions does it typically take? What proportions involve external communications, data reads, or consequential outputs? When does a pattern shift enough that a human should review it? Organizations that operate agents without baselines have no mechanism for detecting behavioral drift, which is the condition the EU AI Act’s essential requirements are designed to prevent. You do not need sophisticated tooling to start. You need a decision about what you are going to measure and what threshold warrants human attention. 

Business analogy: A financial controller reviewing monthly expenditures is not looking for fraud on every line. They are looking for patterns that deviate from the expected range. Agent monitoring works on the same principle. Normal must be defined before abnormal can be recognized. 

Governance question: If one of your agents started behaving differently today, who would notice, and how quickly? 
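A baseline and a threshold are enough to start, as the discipline above says. The following is an added illustration, not A-LIGN's code: the seven days of per-action-type counts are constructed sample data standing in for what a real deployment would derive from the agent's own action log, and the thresholds (three standard deviations, a minimum absolute delta, a ceiling on the share of external communications) are assumptions a governance owner would set. It flags a volume departure, a kind of action the agent has never taken before, and a shift in the mix of actions.

```python
"""Behavioural baseline and threshold review for an AI agent's action log.

Added illustration, not A-LIGN's code. The daily counts are constructed
sample data; a real deployment would derive them from the agent's audit log.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed: seven days of per-action-type counts for one agent.
BASELINE_DAYS: List[Dict[str, int]] = [
    {"read": 120, "write": 8, "send": 15},
    {"read": 115, "write": 10, "send": 14},
    {"read": 130, "write": 7, "send": 16},
    {"read": 118, "write": 9, "send": 15},
    {"read": 125, "write": 8, "send": 13},
    {"read": 122, "write": 11, "send": 17},
    {"read": 110, "write": 6, "send": 15},
]


def build_baseline(days: List[Dict[str, int]]) -> Dict[str, Tuple[float, float]]:
    """Mean and population std-dev of daily counts per action type: this is 'normal'."""
    kinds = set().union(*days)
    baseline = {}
    for kind in kinds:
        series = [d.get(kind, 0) for d in days]
        baseline[kind] = (mean(series), pstdev(series))
    return baseline


def share_of(day: Dict[str, int], kind: str) -> float:
    """Fraction of the day's actions of one kind (0.0 for an empty day)."""
    total = sum(day.values())
    return day.get(kind, 0) / total if total else 0.0


def review_day(baseline, today, z_threshold=3.0, min_abs_delta=5, max_send_share=0.25):
    """Return findings a human should look at; an empty list means 'within normal'."""
    findings = []
    for kind, count in today.items():
        if kind not in baseline:
            # A kind of action the agent has never taken is always reviewed.
            findings.append((kind, count, "action type not present in baseline"))
            continue
        mu, sigma = baseline[kind]
        spread = max(sigma, 1.0)   # floor so a perfectly flat baseline never divides by zero
        z = (count - mu) / spread
        if abs(z) > z_threshold and abs(count - mu) >= min_abs_delta:
            findings.append((kind, count, f"{z:+.1f} std-devs from baseline mean {mu:.1f}"))
    # The mix of actions matters as well as the volume: a surge in external
    # communications relative to everything else is its own signal.
    send_share = share_of(today, "send")
    if send_share > max_send_share:
        findings.append(("send", today.get("send", 0),
                         f"external communications are {send_share:.0%} of today's actions"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_DAYS)
    print("quiet day:", review_day(baseline, {"read": 121, "write": 8, "send": 16}))
    # Constructed: a day with four times the usual emails and a never-seen action type.
    print("review:", review_day(baseline, {"read": 118, "write": 9, "send": 60, "delete": 3}))
```

The review returns findings rather than printing them so that the routing step (ticket, page, or suspension per Discipline 5) is a separate decision from the detection step.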

Discipline 5: Have a response plan before you need one 

When an agent’s behavior crosses a defined threshold, what happens? Who has authority to suspend it? Who reviews what it did? What is the process for determining whether the behavior was a one-time event or a systemic change? What does re-approval look like before the agent returns to operation? 

Organizations that work through these questions in advance are applying the same operational discipline that exists for every other business continuity scenario. The response plan exists for the same reason a financial escalation policy exists. Not because the scenario is expected, but because the moment you need it is not the moment you want to be designing it. The EU AI Act requires corrective action procedures for high-risk AI systems. The more important outcome, though, is organizational readiness. 

Business analogy: A fire evacuation plan is not evidence of pessimism about fire risk. It is evidence of operational maturity. An AI agent response plan sits in the same category of governance infrastructure. 

Governance question: If an agent produced an output tomorrow that caused customer harm, could your organization reconstruct what it did and why? If not, your response capability is not yet ready. 

Discipline 6: Know what version of your agent is running 

At any given moment, can your organization say with confidence what capabilities your deployed agents have, what data they can access, and what guardrails are in place? Most organizations can answer this for their core software systems. Fewer can answer it for their agents, particularly as those agents evolve through updates and capability additions. 

The governance discipline here is version accountability. When the agent changes, the change is recorded and the current version is traceable. This is not a technical formality. It is the foundation of any audit response. If a regulator, a customer, or a board member asks what a specific agent was capable of doing on a specific date, the answer needs to be retrievable. Organizations that cannot produce that answer are carrying exposure that documentation would close at low cost. 

Business analogy: A manufacturing company can tell you exactly what specifications any product on the floor was built to. A financial firm can tell you what trading rules were active on any given date. AI governance requires the same baseline accountability for your agents. 

Governance question: Can your organization demonstrate, for any deployed agent, what it was capable of at any point in the past six months? 
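Disciplines 3 and 6 fit together: a pre-agreed change classification decides which manifest updates need review, and a version ledger answers "what could this agent do on that date?" The following is an added illustration, not A-LIGN's code: the manifests, dates and the rule that a new tool, a new system or an escalation from reading to writing or sending counts as material are constructed assumptions a governance owner would adopt. Each version is content-hashed so that a wording-only change is still recorded as a distinct version while being classified as minor.

```python
"""Change classification and version ledger for an AI agent's capability manifest.

Added illustration, not A-LIGN's code. Manifests and dates are constructed
sample data; the classification rules are one reasonable pre-agreed scheme.
"""
import hashlib
import json
from datetime import date
from typing import Dict, List, Optional, Tuple

# read < write/send: moving a tool from reading to writing or sending is an escalation.
ACTION_RANK = {"read": 0, "write": 1, "send": 1}


def manifest_hash(manifest: dict) -> str:
    """Content address of a manifest: identical capabilities always hash the same."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def classify_change(old: dict, new: dict) -> Tuple[str, List[str]]:
    """Discipline 3: 'material' if the footprint grows or escalates, otherwise 'minor'."""
    reasons = []
    for tool, spec in new.items():
        if tool not in old:
            reasons.append(f"new tool '{tool}' acting on {spec['system']}")
            continue
        if spec["system"] != old[tool]["system"]:
            reasons.append(f"'{tool}' moved from {old[tool]['system']} to {spec['system']}")
        if ACTION_RANK[spec["action"]] > ACTION_RANK[old[tool]["action"]]:
            reasons.append(f"'{tool}' escalated from {old[tool]['action']} to {spec['action']}")
    if reasons:
        return "material", reasons
    removed = sorted(set(old) - set(new))
    if removed:
        return "minor", [f"tools removed (capability reduced): {', '.join(removed)}"]
    return "minor", ["descriptions or wording only; footprint unchanged"]


class VersionLedger:
    """Discipline 6: every manifest version, when it took effect, and why it was reviewed.

    Entries are assumed to be recorded in chronological order.
    """

    def __init__(self):
        self.entries = []   # (effective_at, version_hash, classification, reasons, manifest)

    def record(self, effective_at: date, manifest: dict) -> str:
        previous = self.entries[-1][4] if self.entries else {}   # first record: everything is new
        label, reasons = classify_change(previous, manifest)
        self.entries.append((effective_at, manifest_hash(manifest), label, reasons, manifest))
        return label

    def capabilities_at(self, when: date):
        """What was the agent able to do on a given date? None if not yet deployed."""
        current = None
        for entry in self.entries:
            if entry[0] <= when:
                current = entry
            else:
                break
        return current


# Constructed manifests: v1 deploys, v2 only reworded a description, v3 added a write tool.
V1 = {
    "lookup_order": {"system": "order_db", "action": "read", "description": "Look up an order"},
    "send_email": {"system": "mail_gateway", "action": "send", "description": "Email the customer"},
}
V2 = {**V1, "lookup_order": {**V1["lookup_order"], "description": "Look up an order by id"}}
V3 = {**V2, "issue_refund": {"system": "payments", "action": "write", "description": "Refund"}}


def build_ledger() -> Tuple[VersionLedger, List[str]]:
    ledger = VersionLedger()
    labels = [
        ledger.record(date(2026, 1, 10), V1),
        ledger.record(date(2026, 2, 3), V2),
        ledger.record(date(2026, 4, 20), V3),
    ]
    return ledger, labels


if __name__ == "__main__":
    ledger, labels = build_ledger()
    print("classifications:", labels)
    entry = ledger.capabilities_at(date(2026, 3, 15))
    print("on 2026-03-15 the agent ran version", entry[1][:12], "with tools", sorted(entry[4]))
```

The classification is computed from the manifest diff rather than declared by whoever ships the update, so the answer to "who decides whether this needs a governance review?" is the policy encoded here, applied the same way every time.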

What good looks like at each stage 

Governance maturity in this area develops in stages. Few organizations arrive at all six disciplines simultaneously. The practical question is where you are starting from and what the next step looks like. 

Stage 1: Aware. You can name your deployed agents and describe their general function. The next step is to document the footprint inventory for each agent: external systems, data access, and affected persons. 

Stage 2: Documented. Access inventories and a change classification policy are in place. The next step is to define behavioral baselines and thresholds that trigger human review when crossed. 

Stage 3: Monitored. Baselines are active and threshold breaches are routed to a human reviewer. The next step is to build and test the response plan and establish version accountability for every deployed agent. 

Stage 4: Certifiable. All six disciplines are operating and documented within an ISO 42001 AIMS. The organization can demonstrate governance posture to a regulator, auditor, or customer at any point. 

The case against waiting 

The most common reason organizations delay agentic AI governance work is that the formal standards are not yet finalized. The EU AI Act harmonized standards are still in development. That fact is accurate, but the conclusion drawn from it is wrong. 

The EU AI Act’s requirements for high-risk AI systems will be enforceable by December 2027. Standards provide a path to demonstrating compliance. They do not create obligations. Every month of delay is a month of compliance debt accumulating on a timeline that has already started. 

The governance disciplines described here do not require finalized standards. They require decisions, documentation, and organizational commitment. All three are available today. 

The ISO 42001 connection 

Each of the six disciplines above maps to a specific clause in ISO 42001. The footprint inventory lives in the scope statement under Clause 4. Change classification lives in the operational controls under Clause 8. Behavioral monitoring lives in performance evaluation under Clause 9. The response plan, as the corrective feedback loop, lives in corrective action under Clause 10. 

ISO 42001 is not a constraint on agentic AI deployment. It is the management system that makes deployment defensible. Organizations already certified against ISO 42001 have the structural foundation in place. What most need is a deliberate extension of that foundation to cover the specific characteristics of agentic systems: their runtime behavior, their dynamic capability footprints, and their multi-system action chains. 

Organizations that have not yet begun ISO 42001 implementation have an opportunity to build that foundation with agentic AI governance built in from the start, rather than retrofitted after the fact. 

Where does your organization stand? 

Agentic AI governance is not a future problem. It is a current one. The organizations building that foundation now will be the ones that can demonstrate it when asked by a regulator, an auditor, or a customer. A-LIGN works with organizations at every governance maturity stage, from initial readiness to full ISO 42001 certification assessment. Reach out today to find out where your organization stands.

Breaking Down Audit Inefficiencies: Lessons from 36,000 Audits

by: A-LIGN 11 May 2026 4 mins

A-SCEND, Efficient Audits

For most compliance managers and IT security leaders, audit season follows a familiar pattern: repeated evidence requests, gathering documentation from scratch, and losing critical context with each new cycle. Most teams spend a disproportionate amount of time managing audit logistics, taking them away from other critical components of compliance. In fact, two-thirds of organizations spend more than three months preparing for audits — putting a heavy strain on both teams and productivity. These challenges aren’t a sign of a poorly run program. They’re a reflection of how most audit processes were designed before modern compliance demands existed. 

After completing over 36,000 audits, A-LIGN has identified the recurring patterns that cause even the strongest compliance programs to stall. One of the biggest sources of audit pain isn’t gaps in security controls — it’s a broken process. Inefficient tools, scattered communication, and time-consuming manual work slow progress for both auditors and clients. 

Below we break down the key reasons compliance programs routinely falter and how to address them.  

The most common ways compliance programs break down 

Even the most mature organizations struggle with the operational side of compliance. These are five common patterns that frequently contribute to audit inefficiency. 

The evidence management trap 

Evidence management often starts with a well-organized folder or master spreadsheet. But as the audit progresses, these tools quickly become cluttered with colored cells, conflicting versions, and broken links. Without a centralized, integrated system, evidence becomes scattered and difficult to manage. This leads to submitting the same files multiple times when auditors can’t locate them, or wasting hours manually matching documents to requirements. These manual processes not only increase the risk of errors but also force skilled security professionals to spend audit season chasing files and formatting spreadsheets instead of identifying and closing actual security gaps. 

The “starting from scratch” cycle 

The annual audit cycle often brings a loss of important context from previous reviews. Months are spent providing information and guiding auditors through complex environments. Once the report is delivered, attention shifts to new priorities, and the background that informed key decisions is often forgotten. 

A year later, the entire process begins again. Notes explaining decisions around specific controls are lost, the same questions are asked, and identical baseline evidence is gathered. Without the ability to reuse past data, every audit cycle feels like starting from scratch. 

Multi-framework redundancy 

As organizations grow, so do their compliance obligations. Many start with SOC 2, then add ISO 27001, and later take on frameworks like HITRUST or HIPAA. Despite significant overlap between these frameworks, audits are often treated as completely separate projects and on different cycles. The same policy documents are collected and presented multiple times for different auditors or standards. Without tools to map and reuse evidence across requirements, teams duplicate work, strain subject matter experts, and drive up the overall cost and complexity of compliance. 

Late gap discovery 

Few things stall an audit faster than a critical gap discovered right before or during fieldwork. Often, materials appear complete until auditors review evidence and find missing details or documentation that doesn’t fully meet requirements. This triggers a last-minute scramble, pulling resources away from planned work and interrupting timelines when accuracy matters most. Identifying these gaps only after fieldwork begins not only delays the process but also increases stress and operational risk. 

Stakeholder coordination breakdown 

Compliance doesn’t happen in isolation. Engineering, HR, legal, and operations teams all play critical roles in providing required data and documentation. 

Audits managed through scattered email threads and chat messages often suffer from a breakdown in stakeholder coordination. Internal teams experience audit fatigue from repeatedly supplying the same data. Missed messages and forgotten follow-ups slow project progress. Without a centralized platform to track requests and communications, achieving consistent alignment among all parties becomes extremely difficult. 

A smarter approach to audit management 

Thorough inspection and validation are critical to ensuring audit quality. The real challenge lies in eliminating the avoidable friction that slows teams down. 

Expecting compliance professionals to manage complex, multi-framework audits with spreadsheets only adds to their frustrations. Software alone cannot resolve process issues, and expertise alone cannot scale without the right tools. Audit expertise and technology must work together within a unified system. 

This realization shaped the development of A-SCEND, A-LIGN’s proprietary audit management platform built from the ground up. A-SCEND centralizes evidence, connects stakeholders, and enables historical data to be reused year after year. By unifying people, processes, and technology in one platform, it reduces redundant requests and maintains alignment from preparation through to the final report.  

Audit season no longer needs to be a taxing cycle of starting over. By addressing these recurring challenges and adopting a more integrated, tech-enabled approach, organizations can streamline the process and focus on strengthening their compliance programs. 

Understanding GSA’s Updated CUI Security Requirements for Contractors 

by: Matt Bruggeman 08 May, 2026 3 mins

CMMC, FedRAMP

On January 5, 2026, the U.S. General Services Administration (GSA) released Revision 1 of its IT Security Procedural Guide. The update outlines how Controlled Unclassified Information (CUI) must be protected when it resides in nonfederal systems operated by contractors. 

While the document is framed as procedural guidance, it introduces a more defined process for how contractors demonstrate compliance and how GSA evaluates that posture. It also marks a shift away from self-attestation of compliance with NIST 800-171 toward a model involving third-party assessment. 

A more structured approach to CUI protection 

The updated guide establishes a formal process for protecting CUI in contractor-owned systems. This includes expectations around documentation, assessment, and review before a system is approved to handle CUI in support of GSA work. 

Contractors may be required to: 

  • Develop and maintain formal documentation, including a System Security and Privacy Plan (SSPP) and Plan of Action and Milestones (POA&M) 
  • Undergo third-party assessment of their security controls 
  • Obtain GSA approval prior to performing work involving CUI 

This represents a shift toward a more standardized and reviewable approach to compliance, rather than relying solely on internal attestation. 

The five phases of GSA’s CUI approval process

The guide organizes the process into five phases that contractors should understand before handling CUI in nonfederal systems: 

  1. Prepare – Identify whether CUI will be stored, processed, or transmitted in contractor systems, and begin defining the system boundary. 
  2. Document – Develop required materials such as the SSPP and POA&M, and related security documentation. 
  3. Assess – Complete a third-party assessment to evaluate whether applicable security requirements have been implemented. 
  4. Authorize – Submit required materials for GSA review and obtain approval before the system is used to handle CUI. 
  5. Monitor – Maintain the approved security posture over time through ongoing monitoring, updates, and annual reviews. 

This structure is important because it shows that GSA is not only asking contractors to implement controls. It is also defining a process for how those controls are documented, reviewed, approved, and maintained.

Alignment to NIST SP 800-171 Revision 3

One notable element of the update is GSA’s alignment to NIST SP 800-171 Revision 3. 

Many organizations are still aligned to Revision 2, which remains the current baseline for programs like CMMC. As a result, contractors may need to evaluate how their existing controls and documentation map to the newer revision when working with GSA. 

Requirements that cannot be deferred

The guide also identifies certain requirements that must be fully implemented before approval is granted. 

These are sometimes referred to as “showstoppers,” meaning they cannot be addressed through a POA&M and must be in place as part of the initial review. This reinforces the importance of understanding which controls require full implementation upfront versus those that can be remediated over time. 

Relationship to other frameworks 

Although there is overlap with other federal security frameworks, such as FedRAMP and CMMC, the GSA process is distinct. 

Organizations that have already invested in these frameworks may have a strong foundation, but they should not assume full alignment without validating against GSA’s specific expectations and approval process. Even contractors with mature compliance programs may find gaps when mapping their posture against NIST SP 800-171 Revision 3, navigating the five-phase approval process, or identifying controls that must be fully implemented upfront rather than remediated over time.  

Contractors that aren’t prepared risk losing bids or facing delays on work involving CUI. 

Key takeaways for contractors 

For contractors supporting GSA or pursuing opportunities that involve CUI, the updated guide introduces a more formalized path to demonstrating compliance. 

At a practical level, this includes: 

  • Understanding where CUI exists within your systems 
  • Evaluating alignment to NIST SP 800-171 Revision 3 
  • Preparing documentation that reflects your current security posture 
  • Planning for third-party assessment and GSA review 

Taken together, these updates reflect a more structured approach to how CUI protections are implemented and validated within the GSA ecosystem. 

How A-LIGN can help 

As both a CMMC C3PAO and FedRAMP 3PAO, A-LIGN has the assessor capabilities to help contractors navigate overlapping and evolving federal requirements. We help clients understand where their existing investments apply, where gaps exist, and what a realistic path to GSA approval looks like. 

Reach out today to evaluate your readiness for GSA’s updated CUI requirements. 

The Real Cost of a Rejected Report 

by: A-LIGN 01 May, 2026 4 mins

Audit Quality

Compliance can be costly – and not just financially. It’s about building trust with your customers and demonstrating the strength of your security posture, which are vital to your business. Cutting corners on the building blocks of your compliance program could cost you more than the price of a new report; it could cost you your reputation. 

Read on to learn about the real cost of a rejected report and why the budget option might cost you in the long run. 

Report rejection is a reality 

Low-cost audit providers look attractive, until a customer rejects your report. 

According to the 2026 Compliance Benchmark Report, more than half of respondents have had a vendor or prospect reject a report.  

According to a market survey of more than 500 information security, governance, and compliance leaders in the U.S. and Europe, 24% of enterprises (1,000-5,000 full-time employees) have rejected a report, and 48% of strategic organizations (more than 5,000 full-time employees) have rejected a report. The stakes are high, and organizations must maintain lofty expectations to protect their compliance strategy. 

Why do reports get rejected? 

Report rejection is more common than you’d think as organizations look to protect their reputation and remain competitive. Common reasons for rejected reports include: 

  • Incomplete or missing documentation 
  • Insufficient testing of controls 
  • Lack of additional findings 
  • Report was too templated and lacked relevant and appropriate insights 
  • Lack of trust in auditor reputation 

The cost of a rejected report 

It’s not just bruised egos; there are real financial and time costs to a rejected report. Each rejection brings significant rework, delays, and reputational damage. 

Financial costs 

According to our market survey, the typical cost of a report rejection totals more than $70,000 plus over 90 days of remediation and rework required to meet expectations. 

Let’s break this cost down even more: 

  • Cost of a rejected report: $70,000 
  • Typical time spent remediating: 3 months 
  • Remediation labor cost ($120,000 salary x 4 employees): $30,000 

This brings the average hidden cost of a bad report to $100,000. An avoidable loss for a report that costs $20,000. 

All of this points to one thing: quality matters. When quality slips, buyers pay twice. Once for the initial audit and again for the do-over and associated costs. The business lesson here is that saving $5,000-$10,000 on audit fees risks a six-figure hit down the line. 

Reputational costs 

Beyond the financial toll, a rejected report could cause your organization to lose business and lose trust from your customers. 

While you may be able to spend the time and money to repeat your audit with another provider, your reputation is priceless. Repairing damage to the relationship with your customers and prospects is difficult, if not impossible. 

Defining quality 

Now that we understand the real cost of a rejected report and why a quality audit is worth it, let’s explore the definition of quality so your organization is backed by a high-quality final report. 

The definition of quality has evolved as compliance professionals become more discerning about what makes up a quality audit report and experience. A quality audit isn’t just about the final report, but also the depth and efficiency of the process that gets you there. 

According to the 2026 Compliance Benchmark Report, a high-quality audit experience is defined by: 

  • Auditor experience: Your auditor should have extensive experience in the audits you’re enlisting their services for. Plus, they should have plenty of happy customers who can speak to their knowledgeability. 
  • Use of technology: A high-quality auditor is tech-enabled, either through their own audit management software or partnerships with GRC and readiness tools. Technology ensures your audit is backed by experience and run efficiently. 
  • Experience with similar companies: Understanding the context of your industry and the environments your organization works in is key. An auditor’s experience with similar companies ensures your audit is up to the standards of your peers and customers. 

It’s not just about how polished an auditor is; it’s about the work that goes into the report. As far as your final report goes, we recommend you evaluate final reports based on: 

  • Depth and specificity of each control: Thoroughly testing controls is a crucial part of the audit process. Sharing the depth and specificity of these elements demonstrates a rigorous, credible audit that will hold up. 
  • Relevance and customization of the report: A high-quality report will share results and recommendations that are specific to your organization, not just a cookie-cutter report. 
  • Demonstration of risk mitigation: Recommendations that strengthen your organization’s security posture where necessary.  

Case study: Jitterbit 

Jitterbit, a global leader in empowering business transformation through automation, offers a single, unified platform to integrate systems, automate workflows and build applications. 

The Jitterbit team needed to demonstrate due diligence, ensure compliance, and protect sensitive data. Their previous audit provider delivered low-quality work that they couldn’t explain, forcing Jitterbit to redo work. 

Their goal was a thorough SOC 2 audit, not a surface-level review. 

The solution to this goal was partnering with A-LIGN to achieve SOC 1, SOC 2, ISO/IEC 27001, 42001, and other compliance initiatives. They chose A-LIGN for its auditors’ deep expertise in SOC 2 processes and controls. The A-LIGN team could clearly explain the rationale behind required controls, creating a collaborative partnership that strengthened Jitterbit’s compliance strategy. 

“A-LIGN stands out as an exceptional security auditor. Their proactive approach and excellent customer service made complex compliance processes straightforward and educational. They are highly recommended for their expertise and supportive nature. A-LIGN’s deep understanding of new controls and regulations, combined with customized, clear guidance, significantly enhanced our security posture.” 

– Will Au, VP of Engineering Services and Security, Jitterbit   

Why A-LIGN 

A-LIGN is your trusted compliance partner. We are the market leader in efficient, quality compliance. 

A-LIGN provides comprehensive, industry-leading compliance expertise and is the only global provider to offer tech-enabled services that allow you to drastically reduce control overlap. 

The A-LIGN difference is: 

  • 4k+ ISO assessments  
  • #1 SOC 2 auditor in the world  
  • 6.4+ customers globally  
  • 96% customer satisfaction  
  • 400+ auditors globally  
  • 31k+ audits completed 

Reach out today to learn how A-LIGN can help you achieve a high-quality, efficient final report. 

Why Smart CISOs Consolidate Their Audits 

by: Rick Orloff 28 Apr, 2026 5 mins

Audit Consolidation

Rick Orloff is a Fortune 1000 CISO and Strategic Advisor at A-LIGN, with over 20 years of experience at companies including Apple and eBay. 

In the compliance world, we talk a lot about audit harmonization, the practice of consolidating multiple frameworks under one roof to reduce redundancy, save time, and drive efficiency. It’s a concept A-LIGN has championed for good reason: the operational and financial benefits are significant. 

But when I talk about this with security leaders, the framing that actually moves people is rationalization. We’re rationalizing our audit portfolio, aligning our compliance programs, and driving a measurable ROI. Same outcome — sharper language for a technical audience. 

So, let’s talk about what that looks like in practice. 

The real cost of unsynchronized audits 

If your organization is juggling SOC 2, ISO 27001, PCI DSS, and other frameworks individually, each with its own evidence requests, interview schedules, and internal stakeholders getting pulled in different directions, you already know the hidden tax this places on your business. But have you actually quantified it? 

At my previous company, when we consolidated and rationalized our audit portfolio with A-LIGN, we saved approximately $180,000 per year in hard costs. That alone got attention. But the number that got a lot of appreciation from engineering? We saved 12 weeks of evidence gathering. 

Think about that for a moment. Twelve weeks of your engineers’ time not spent answering the same questions, pulling the same screenshots, attending the same interviews — just for a different auditor on a different framework. When I quantified that for the engineering organization and communicated what we were doing and why, the response was a genuine, heartfelt thank you. That kind of goodwill with your internal stakeholders doesn’t show up in a spreadsheet, but it’s real. 

The trade-off you have to be honest about 

Here’s what I told engineering when we made this change, and I want to be direct about it because it matters: there is a trade-off. 

When we consolidate, we are compressing our audit window. That’s the point. But a compressed window means less runway to reschedule meetings, push back on requests, or let things slide. I was explicit with stakeholders that if we were going to do this — if I was going to go to bat and give them 12 weeks of their lives back — the ask was they must be responsive, and executives had to be accountable at the VP level. 

If subject matter experts or directors went dark or started rescheduling, I didn’t chase them. I went straight to their VP. That’s not about being difficult. That’s about protecting the window we all agreed to. 

The phrase “audit season” always strikes me as borrowed from the accounting world, and it doesn’t quite fit how tech organizations operate. The concept that resonates in my experience is the audit window: it opens, it runs for a certain number of weeks, and then it closes. That framing drives urgency and accountability in a way that a vague “season” simply doesn’t.  

Making the case to the business 

When I’ve taken audit harmonization, or rationalization, to executive teams or boards, I haven’t asked for permission. I’ve explained the decision, quantified the value, and gotten written alignment from stakeholders on their end of the bargain. Money and time savings close the conversation at the leadership level. What takes more effort is getting the organizational commitments in place before the window opens — not after. 

One thing I’d encourage every security leader to consider: don’t think about compliance certifications in isolation. The right conversation to have with your Chief Revenue Officer is: “If we got that certification, would it help you close more deals? Can you put a number on it?” If sales tells you a new certification is worth $10M in ARR, the budget conversation with your CFO becomes straightforward. And if you’ve already consolidated your audit portfolio, there’s a good chance you’ve freed up the budget to pursue it without a new budget ask at all. In the past, that’s exactly what we did — we self-funded new certifications through consolidation savings. 

The piece nobody tells you about 

The most common questions I get when people are planning to consolidate are: “Where does this go wrong? What risks am I exposing the organization to?” 

My answer, which might surprise you, is that it usually doesn’t go badly if you set the ground rules up front. The deals that go sideways are the ones where expectations weren’t set clearly before the window opened, and suddenly you’re chasing people for two weeks to get a piece of evidence. I don’t allow my team to operate that way, and I’d recommend other security leaders adopt the same posture. 

What I would focus on instead is looking for opportunities to automate evidence collection. Most organizations are still gathering evidence manually. If you have a SIEM in your environment, there’s likely a configuration discussion to be had about generating audit-ready evidence artifacts automatically. That moves you from manual collection to a proactive, pre-audit posture — and it’s a conversation worth having with your audit partner before the window opens. 

How to choose what comes next 

Once you’ve rationalized your existing portfolio, the natural next question is: “Should we add additional certifications?” My recommendation is to use a common controls framework to run a gap analysis across certifications you don’t yet have. You may discover you’re already 80% of the way to a new certification based on controls you’re operating today. That changes the calculus entirely. 

The best audit partners will surface that analysis for you proactively, and that gets at something more fundamental about what to look for in an auditor. When I’m evaluating a firm, the question I’m really asking is: “Are they a transaction company or a relationship company?” 

A transactional auditor will take your existing scope, execute the work, and look for the next contract. A true partner is thinking about your business outcomes, not their revenue. That means telling you when you’re already close to a valuable certification. It means flagging inefficiencies in your current portfolio even when fixing them might reduce billable hours. It means being invested in your program’s success in a way that extends well beyond the audit window. That kind of relationship is harder to find and worth a lot more than a lower invoice. 

The bottom line 

If you’re running multiple frameworks with multiple auditors and haven’t looked seriously at consolidation, here’s the honest summary: worst case, this is an 18-month journey to get everything coterminous. In practice, it’s largely pain-free — and on the other side of it, you’ve got hard dollar savings, happier engineers, a tighter audit window, and capacity to pursue additional certifications that actually move the business forward. 

That’s not harmonization. That’s rationalization. And it’s worth doing. 

Ready to rationalize your compliance program? 

Talk to A-LIGN about how multi-framework consolidation can drive real ROI for your organization. 

4 CMMC Myths Busted: What DIB Companies Need to Know in 2026

by: Michael Brooks 24 Apr, 2026 5 mins

CMMC

There is more disinformation circulating about CMMC right now than at any other point in the program’s history. Fear-based narratives about impossible deadlines, excessive costs, and assessor shortages are pushing some Defense Industrial Base (DIB) companies toward panic and others toward paralysis.  

Over 1,000 organizations have now achieved CMMC Level 2 certification according to the CyberAB, the CMMC governing body, and thousands more have successfully self-assessed at Level 1 and Level 2 in the Supplier Performance Risk System (SPRS).  

The companies succeeding are the ones grounded in facts, not noise. Here are four myths we are actively correcting from the assessor perspective: 

Myth 1: November 2026 is a hard deadline, and you must be certified by then

This is the most pervasive and damaging misconception in the market right now — and it is accelerating. 

November 10, 2026 is real, but what it represents is not what is being propagated. Phase 1 of the CMMC phased rollout began November 10, 2025. Phase 2, starting November 10, 2026, marks the next step in a deliberate phased rollout, where the Department of Defense (DoD) intends to include more Level 2 C3PAO certifications in applicable new DoD contracts and solicitations.  

Here is the confirmed CMMC phase timeline per 32 CFR § 170.3(e): 

  • Phase 1: November 10, 2025: Level 1 and Level 2 self-assessments in applicable contracts. C3PAO assessments at DoD discretion. 
  • Phase 2: November 10, 2026: DoD intends to include Level 2 C3PAO certification requirements for applicable new contracts.  
  • Phase 3: November 10, 2027: Level 3 DIBCAC assessments introduced. 
  • Phase 4: November 10, 2028: Full implementation across all applicable DoD contracts. 

Certification requirements are driven by what your specific contract solicitations require, not a universal calendar mandate.  

What is real and what is already here: prime contractors are not waiting for any phase. Major primes are already requiring CMMC Level 2 third party certification as a supplier qualification condition right now, ahead of regulatory requirements. That is the actual forcing function for most of the DIB — not November 2026. The prime contractors are driving the timeline as a risk reduction and supplier eligibility measure.  

Know what your contracts require and what your primes require. Those two answers define your real timeline, and for many organizations, that timeline is already here. 

Myth 2: CMMC certification will cost you over $200,000 

This number circulates as though it is a settled fact, but it is not — and the context behind it matters greatly. 

According to DoD’s own cost projections cited across multiple industry sources, a Level 2 third-party certification, including the triennial C3PAO assessment and annual affirmations, is estimated in the range of $105,000 to $118,000 for most organizations, not $200,000. That figure carries a critical footnote that most vendors and articles omit entirely. The security controls CMMC validates are not a new cost of doing business with the DoD. They are the cost of being trusted with sensitive defense information in the first place.  

DFARS clause 252.204-7012 required implementation of NIST SP 800-171 by December 31, 2017. If your organization handles Controlled Unclassified Information (CUI) under a DoD contract, those controls have been table stakes for nearly a decade. The DoD is not asking you to do something new. It is asking you to prove you are doing what you already agreed to do.  

That is what CMMC is — validation. It’s not a new burden, but rather accountability for an existing one. The DoD is explicit on this point in the final rule. Implementation costs are excluded from CMMC cost estimates precisely because they should already have been incurred. Organizations conflating implementation costs with CMMC certification costs are either confused about the program or have a financial interest in that confusion.  

Organizations that did the work — implemented the controls, maintained the System Security Plan (SSP), kept documentation current — are finding the certification cost manageable and consistent with DoD and industry estimates. Those treating CMMC as a starting point rather than a validation point are the ones experiencing shock and delay.   

The investment is real. The $200,000 headline is not the baseline — it is what happens when preparation is treated as optional. Scope smart and come prepared. The cost follows the readiness. 

Myth 3: Once you achieve CMMC certification, you are done 

This may be the most dangerous myth of all, as it surfaces after the hard work is finished and exposes leadership and organizational liability. 

CMMC Level 2 certification is valid for three years, but the certification is not the finish line — it is the baseline. The Affirming Official plays a critical and often underestimated role in maintaining that certification. Annual affirmations are required and binding. A senior official must formally attest that the organization continues to meet all CMMC security requirements regardless of required level. That affirmation carries legal weight. It is not a checkbox — it is accountability. 

Cybersecurity posture naturally degrades. Personnel change, systems change, vendors change, and companies grow. An organization that was fully compliant on assessment day can drift significantly over 36 months without active governance and continuous monitoring. There is also a False Claims Act dimension that every Affirming Official should understand. Knowingly affirming compliance when controls have lapsed is not a paperwork issue. Federal enforcement activity in this space is increasing. The affirmation is a legal attestation, and it should be treated accordingly. 

The organizations that will recertify smoothly in three years are the ones treating CMMC as a continuous compliance program, not a one-time event. Build the governance now and maintain it. Annual affirmation should reflect reality, not hope or assumption. 

Myth 4: There is a nationwide assessor backlog, and you cannot get scheduled 

This narrative deserves a direct response from the assessor community. 

A-LIGN is a large C3PAO with assessment bandwidth right now. As an authorized CMMC training partner, we can train and certify assessors internally to meet surge demand and we have been building toward that capacity for years. We are actively monitoring demand, and what we are seeing in the market is not an assessor backlog — it is a readiness gap. 

Nearly every organization we engage with is not ready for assessment. Not because they haven’t tried, but because the foundational work that must precede a Level 2 C3PAO certification assessment is harder and more precise than most organizations realize. Common issues include incomplete SSPs, asset inventories that don’t match the network diagram, scoping that hasn’t been done in accordance with the DoD Scoping Guide, and evidence packages that aren’t “assessment ready.” 

The pipeline of organizations that are prepared to undergo a Level 2 certification assessment is significantly smaller than the overall demand narrative suggests. Organizations that arrive prepared move efficiently through the process. Delays that get attributed to assessor capacity are more often the result of organizations that simply are not ready to be assessed. 

Assessment bandwidth exists, but readiness is the limiting factor right now. The most valuable thing a DIB company can do right now is not to chase an assessment slot, but to focus on getting ready for one. 

The ground truth 

More than 1,000 organizations have achieved CMMC Level 2 certification. The program is working. Assessment capacity exists, and affordable paths exist for organizations that come prepared and scope correctly. The DIB does not have a CMMC certification problem — it has a CMMC readiness and disinformation problem. 

Readiness is the limiting factor. If your SSP is incomplete or your scope hasn’t been verified against the DoD’s Scoping Guide, now is the time to act. A-LIGN’s CMMC readiness assessment identifies gaps and ensures that when it’s time for a C3PAO assessment, it’s a validation of your work — not a discovery of new issues. 

That is what getting certified in 2026 looks like. Reach out today to learn how A-LIGN’s CMMC readiness assessment can set you up for success. 

Why Static OT Systems Need Proactive Penetration Testing 

by: Joseph Cortese 17 Apr, 2026 4 mins

CMMC, Pen Test

Operational technology (OT) systems are designed for longevity and redundancy. They power defense manufacturing and critical infrastructure, sometimes running unchanged for decades. But while your OT systems stay the same, the cyber threats aimed at them are always evolving and becoming more sophisticated. This creates a dangerous contradiction: the systems you trust for their stability are facing modern threats they were never built to withstand. 

Many manufacturers stick to the “if it isn’t broken, don’t fix it” mentality, avoiding upgrades because they disrupt production or risk valuable equipment. But as your production environment remains static, attackers continually innovate, searching out new vulnerabilities and weak spots. In fact, manufacturing was one of the most targeted sectors, with CrowdStrike reporting a staggering 300% surge in cyberattacks in 2025. 

This post explores the growing vulnerability of static OT environments. We will break down why traditional airgaps fail, how threats move laterally through your network, and why combining CMMC compliance with proactive penetration testing is the ultimate defense strategy for manufacturers. 

The hidden risk in industrial security 

The gap between long equipment lifecycles and fast-changing cyber threats is a major risk in industrial security. When you buy industrial machinery, you expect it to last for decades. But cyber threats change every few days or weeks. 

Many industrial environments run legacy, unpatched, or entirely unsupported systems. You cannot easily upgrade these machines without halting production lines or causing operational disruptions. Sometimes, the update path hits a brick wall because modern operating systems lack driver support for your legacy equipment.  

Consequently, defense manufacturers find themselves trapped. You must keep production moving to meet strict contract deadlines, but you are relying on systems that cannot defend against modern nation-state adversaries. Attackers from China, Russia, and Iran actively target these unpatched vulnerabilities to halt production or steal controlled unclassified information (CUI). 

Why the airgap myth is failing 

Historically, manufacturers relied on the “airgap” to protect their factory floors. The theory was simple: if the OT network does not connect to the internet, hackers cannot reach it.  

Unfortunately, these physical separations erode over time. Remote access tools, vendor maintenance connections, and IT/OT integrations slowly bridge the gap between your corporate network and your factory floor. A technician might plug in a USB drive to run a diagnostic, or a vendor might request remote access to troubleshoot a malfunctioning sensor. Every new connection creates unseen exposure that attackers actively scan for and exploit. 

Once an attacker breaches the IT network through a phishing email or compromised credential, the threat of lateral movement becomes very real. Flat networks allow adversaries to jump from a standard corporate laptop straight into the production systems. Because legacy OT systems lack modern security controls, the attacker faces almost no resistance once they cross that boundary and can often remain undetected.  
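One way to watch for the airgap erosion described above is to look for traffic that crosses from the corporate (IT) zone into the OT zone without going through the one sanctioned remote-access path. The following is an added example, not A-LIGN's code; the zone addresses, jump host, and flow records are hypothetical and constructed for illustration.

```python
"""Added example (not from the original post): flag IT-to-OT network flows
that bypass the sanctioned vendor jump host, i.e. evidence the airgap is gone."""
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed zone layout (hypothetical addresses, not from the original post).
IT_ZONE = ip_network("10.10.0.0/16")       # corporate laptops, mail, file servers
OT_ZONE = ip_network("192.168.50.0/24")    # PLCs, HMIs, historians
JUMP_HOST = ip_address("10.10.200.5")      # the only sanctioned IT->OT path
# Well-known ICS protocol ports that should never originate from a corporate host.
OT_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 102: "S7comm", 20000: "DNP3"}

# Constructed flow records in a NetFlow-like key=value shape (not real traffic).
SAMPLE_FLOWS = [
    "2026-05-01T08:00:01 src=10.10.200.5 dst=192.168.50.10 dport=3389 proto=tcp",
    "2026-05-01T08:02:17 src=10.10.34.77 dst=192.168.50.12 dport=502 proto=tcp",
    "2026-05-01T08:03:40 src=10.10.34.77 dst=10.10.1.1 dport=445 proto=tcp",
    "2026-05-01T08:05:02 src=10.10.91.3 dst=192.168.50.12 dport=445 proto=tcp",
]


def parse_flow(line: str) -> Dict[str, str]:
    """Turn 'key=value' fields into a dict; the timestamp is the first token."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def flag_airgap_bypass(lines: List[str]) -> List[Dict[str, str]]:
    """Return flows crossing IT->OT from any host other than the jump host."""
    findings = []
    for line in lines:
        rec = parse_flow(line)
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src in IT_ZONE and dst in OT_ZONE and src != JUMP_HOST:
            port = int(rec["dport"])
            proto = OT_PORTS.get(port)
            rec["reason"] = (f"{proto} from a corporate host" if proto
                             else f"OT access on port {port} bypassing jump host")
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in flag_airgap_bypass(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}  {f['reason']}")
```

The first flow passes because it comes from the jump host; the second and fourth are flagged, and the third never leaves the IT zone.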

Why CMMC compliance demands penetration testing 

Defense manufacturers already invest serious time and money into compliance frameworks like the Cybersecurity Maturity Model Certification (CMMC). CMMC provides a vital foundation. It defines exactly where your sensitive data lives, how your systems connect, and which controls keep your environment safe. 

However, compliance alone does not guarantee security. CMMC certification shows your controls are in place, but it doesn’t guarantee they’ll hold up against real-world attacks. This is where penetration testing becomes essential. Think of it as a stress test for your entire operation. A penetration test cuts through the theory and validates whether the controls you just spent months certifying can actually stop a real-world adversary in their tracks. It reveals how an attacker might chain together small misconfigurations to access your most critical manufacturing equipment. 

Bridging the gap: CMMC and penetration testing 

Too often, defense manufacturers treat compliance and security as totally separate projects. They use different vendors, different timelines, and different scoping exercises. This results in duplicated effort, fragmented reporting, and remediation advice that ignores your compliance framework. 

When your CMMC assessor and your penetration tester understand your business context, everything becomes more efficient. CMMC already does the heavy lifting of defining your system boundaries and control implementations. When you build your penetration test on that exact same foundation, the findings transition from theoretical vulnerabilities to operational reality. 

For organizations pursuing CMMC Level 2, penetration testing serves as the most rigorous way to validate your certified controls. It gives your Affirming Official real, objective evidence to stand behind during annual attestations. For those pursuing CMMC Level 3, annual penetration testing is an explicit mandate. 

Building a cohesive defense strategy

When you bring penetration testing and CMMC compliance together, you get a holistic approach to securing your OT environment. CMMC sets the standard for how sensitive systems and data must be managed, while penetration testing proves that your controls actually work against real threats.  

This powerful combination ensures you are not just checking boxes for certification — you’re identifying and fixing the gaps before adversaries can exploit them. For defense manufacturers, integrating these two practices means stronger, more reliable protection for core operations, compliance-ready evidence for assessors, and confidence that both cyber and regulatory risks are being addressed proactively. 

Secure your OT environment  

Your OT systems may need to stay static, but your security strategy must remain dynamic. Relying on eroded airgaps and outdated operating systems leaves your production floor exposed to devastating supply chain disruptions and contract penalties. 

Do not wait for an adversary to test your defenses. By combining CMMC compliance with targeted, manufacturing-specific penetration testing, you can secure your environment and protect your most critical assets. 

Take control of your industrial security posture. Reach out to the A-LIGN team today to schedule a penetration test that maps directly to your CMMC controls, and give your organization the confidence it needs to withstand modern cyber threats. 
