CMMC 2026: Seizing the Initiative to Sustain Trust 

In military doctrine, seizing the initiative means more than moving first: it means dictating the tempo, creating pressure, and forcing your adversary to respond to you. Victory is often found not in reaction, but in decisive action.

The same principle applies to cybersecurity in the Defense Industrial Base (DIB) and supply chain risk management. In 2026, as the Cybersecurity Maturity Model Certification (CMMC) Phase I matures across the ecosystem, the initiative will belong to contractors who can prove trust not just once, but continuously. Getting certified in CMMC is not the end — it’s the beginning of a three-year cycle that demands sustained readiness.  

In an environment shaped by persistent adversaries and systems that support the world’s most capable military, the ability to demonstrate trust can’t be episodic. It must be repeatable, risk-informed, and actively sustained every day.  

That’s the shift underway in the CMMC ecosystem and what the mission requires. Not a change in regulation, a change in mindset. From point-in-time certification to continuous assurance. From checklist compliance to readiness as a business function. 

Certification is a critical milestone, not the end goal

For many defense contractors who are laser-focused on achieving CMMC certification, the path has been all-consuming: stand up controls, collect evidence, document processes, then pass the assessment. This laser focus is understandable. CMMC certification is the foundational milestone that signals eligibility to support Department of Defense (DoD) programs and establishes trust.

But as more organizations achieve certification in 2026, a realization is setting in: what many thought was the goal was just the starting point. Once certified, they discover the affirmation requirements they may not have fully appreciated during the intensity of preparation. The CMMC Program and Final Rule makes this explicit: certification establishes a point-in-time posture, but maintaining contract eligibility requires ongoing accountability. 

That’s where annual affirmation comes in — the newly codified requirement for senior leaders to attest that their organization remains compliant long after the assessment ends. This is not a formality, but a leadership obligation with legal weight. 

Affirmation: The new trust accountability layer 

Under 32 CFR § 170.22, every certified organization, prime or subcontractor, must designate an Affirming Official to enter an annual affirmation in the DoD’s Supplier Performance Risk System (SPRS). That individual, a senior leader within the Organization Seeking Assessment (OSA), must legally attest that the CMMC security requirements are not only implemented, but maintained continuously. The annual affirmation in SPRS puts that accountability on record. And in doing so, it introduces a new layer of trust validation, one that is not periodic but persistent.

When we conduct CMMC assessments at A-LIGN, we engage the OSA and Affirming Official early in the process. We want them to understand not just what’s required to achieve certification, but what’s required to maintain it across Years Two and Three.

The key point here is that while a CMMC assessment validates at a moment in time, it’s the affirmation that validates the program over time. 

The window between assessments is the new risk surface 

CMMC Level 2 assessments remain the benchmark for certification across the DIB, and the progress made by hundreds of organizations to date is significant and commendable. But as every defense contractor knows, posture doesn’t preserve itself.  

As a Lead CMMC Assessor, I’ve returned to organizations months after certification, and what I see is a pattern. Programs were designed to survive an assessment, not operate as a sustained business function. Evidence was collected because it was required, not because it was generated continuously. Controls were statically implemented but not really embedded into daily operations. The systems change, staff turns over, controls degrade, and requirements evolve.  

Across a three-year cycle, the distance between “we passed” and “we’re mission ready” can grow dangerously wide and introduce significant risk to the supply chain and mission. That’s why Year 2 and Year 3 of the certification cycle aren’t downtime — they’re critical periods where assurance is sustained, posture is defended, and trust is continually validated beyond the formal assessment.

Continuous assurance: Implementation and validation 

This is the practical definition of continuous assurance: the ability to verify cybersecurity readiness between assessments, not through constant reinspection, but through repeatable evidence, periodic validation, defensible reporting, and intentional governance aligned to mission and business risk.

Continuous assurance has two components: 

  • Implementation: the ongoing execution of security controls, embedded into daily operations, not episodic compliance activities. 
  • Validation: the periodic confirmation that those controls remain effective across the lifecycle, through internal reviews, testing, and governance aligned to risk. 

Together, these components provide the evidence and confidence the Affirming Official needs to attest that posture holds not because someone told them it does, but because they can verify and validate it. 

The DoD is already operating this way

This evolution isn’t theoretical — it’s operational. In 2024, the DoD introduced the Cybersecurity Risk Management Construct (CSRMC), a next-generation risk model for lifecycle-aligned cybersecurity that goes far beyond compliance checklists. It integrates five phases, from architecture and engineering to monitoring and operations, all centered on continuous validation, not one-time approvals. This mirrors what’s being asked of contractors under CMMC.  

The DoD’s own adoption of continuous Authorization to Operate models confirms an operational reality: point-in-time validation is no longer enough. Assurance must be ongoing, and posture must match the speed of mission need. The DoD sees the Defense Industrial Base as an extension of itself and has the same expectation for contractors that it has for its own systems.

What comes after certification? 

This is the question leading contractors are starting to ask. They’ve completed assessments and stood up governance, but now they’re facing a new challenge: How do we sustain trust — operationally, defensibly, and continuously — between certification milestones?  

That’s the new frontier for serious defense vendors across the supply chain. It’s not just about passing an assessment — it’s about showing up to the next proposal, the next contract renewal, or the next security review with clear, confident evidence that posture still holds. It’s no longer just a security conversation; it’s a business imperative.