What is OT Penetration Testing?
What happens when a cyber-attack doesn’t just compromise data, but disrupts real-world operations or critical infrastructure? This is the high-stakes reality of Operational Technology (OT). Unlike traditional IT environments where the primary focus may be data confidentiality, OT systems interact directly with physical processes and hardware.
Let’s explore what makes OT environments unique, why traditional IT security controls often fall short, and how specialized penetration testing can help protect critical operations.
What is Operational Technology?
Operational Technology (OT) refers to systems that monitor, control, or directly affect physical hardware in the real world. These are environments where digital commands translate into physical actions — starting or stopping motors, opening valves, tripping breakers, or adjusting temperature and pressure. Because these actions affect real equipment and people, OT systems have historically been designed around safety, availability, and deterministic behavior — often lacking basic security protections.
Where you’ll find OT
Common OT systems include a range of Industrial Control Systems: Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Distributed Control Systems (DCS), and Safety Instrumented Systems (SIS). OT shows up across manufacturing, energy, water and wastewater, oil and gas, transportation, building automation, and even healthcare facilities.
The basics of OT penetration testing
OT penetration testing is the practice of assessing whether an attacker could manipulate physical processes, disrupt operations, or bypass safety controls that keep everything in check. Unlike traditional IT penetration testing, OT testing must account for the fact that aggressive scanning, exploitation, or system instability can cause real-world safety incidents or production outages. As a result, OT assessments prioritize safety and uptime, rely heavily on passive techniques, and focus more on understanding how systems can be misused and less on exploiting vulnerabilities.
Many OT attacks do not depend on zero-day exploits. Instead, they exploit protocols and commands that the systems were designed to accept under normal operations in trusted environments. In these cases, malicious activity can look indistinguishable from legitimate control traffic, making detection particularly challenging.
How OT pen testing works in practice
A mature OT pen test examines how an adversary could:
- Move from IT networks into OT environments
- Abuse engineering software or operator access
- Send valid commands with malicious intent
- Alter hardware values to degrade operations
- Interfere with or ultimately disable safety systems
The goal is not simply to find vulnerabilities, but to understand how real attackers could leverage normal system behavior to create physical, operational, or safety impacts. This is where experience and deep knowledge of OT environments become critical — because in OT, the most dangerous attacks often use the system exactly as it was designed to be used.
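Because the malicious traffic described above is made of valid commands, a passive assessment usually starts from a baseline of who normally talks to which controller and who normally writes. The following is an added example, not code from the original article: it assumes a passive sensor has already decoded Modbus/TCP conversations into constructed "source destination unit function-code" records, and it flags only what departs from the learned baseline, never touching a controller itself.

```python
"""Passive allow-list detection for control-network conversations.

Added example (not part of the original article). Assumptions: records come
from a passive sensor (e.g. a SPAN-port capture) already decoded into
'src dst unit fc' text lines, and the function codes follow the public
Modbus specification. The sample records below are constructed for this
example; no real network is involved.
"""
from collections import Counter
from dataclasses import dataclass

# Standard Modbus function codes that change process state:
# 5 = write single coil, 6 = write single register,
# 15 = write multiple coils, 16 = write multiple registers.
WRITE_FUNCTION_CODES = {5, 6, 15, 16}


@dataclass(frozen=True)
class Flow:
    src: str   # client IP (HMI, engineering workstation, ...)
    dst: str   # controller IP
    unit: int  # Modbus unit identifier behind that controller
    fc: int    # Modbus function code


def parse_record(line: str) -> Flow:
    """Parse one whitespace-separated 'src dst unit fc' record."""
    src, dst, unit, fc = line.split()
    return Flow(src, dst, int(unit), int(fc))


def learn_baseline(records):
    """Count each (src, dst, unit, fc) tuple seen in a known-good capture."""
    return Counter(parse_record(r) for r in records)


def evaluate(baseline, records):
    """Return (severity, reason, flow) for each record outside the baseline.

    Writes from a host that never wrote during the baseline window are the
    highest-severity finding: the command itself is valid, so the only
    signal is that this source has no business issuing it.
    """
    writers = {f.src for f in baseline if f.fc in WRITE_FUNCTION_CODES}
    findings = []
    for r in records:
        f = parse_record(r)
        if f in baseline:
            continue  # exactly this conversation was seen in normal operation
        if f.fc in WRITE_FUNCTION_CODES and f.src not in writers:
            findings.append(("high", "write from host that never wrote in baseline", f))
        elif f.fc in WRITE_FUNCTION_CODES:
            findings.append(("medium", "known writer, new write target", f))
        else:
            findings.append(("low", "new read-only conversation", f))
    return findings


# Constructed baseline: an HMI polling and toggling one PLC, and an
# engineering workstation downloading register blocks to the same PLC.
BASELINE_RECORDS = [
    "10.1.1.10 10.1.2.20 1 3",    # HMI reads holding registers
    "10.1.1.10 10.1.2.20 1 3",
    "10.1.1.10 10.1.2.20 1 5",    # HMI writes a start/stop coil
    "10.1.1.11 10.1.2.20 1 16",   # engineering workstation writes registers
]

# Constructed observation window to evaluate against that baseline.
OBSERVED_RECORDS = [
    "10.1.1.10 10.1.2.20 1 3",    # normal HMI poll
    "10.1.1.50 10.1.2.20 1 6",    # unknown host writes a register
    "10.1.1.11 10.1.2.21 1 16",   # known writer reaches a second PLC
    "10.1.1.10 10.1.2.21 1 3",    # HMI polls a PLC it never polled before
]


def run_example():
    """Learn the baseline and evaluate the observed window."""
    baseline = learn_baseline(BASELINE_RECORDS)
    return evaluate(baseline, OBSERVED_RECORDS)


if __name__ == "__main__":
    for severity, reason, flow in run_example():
        print(f"[{severity}] {reason}: {flow.src} -> {flow.dst} unit {flow.unit} fc {flow.fc}")
```

In a real engagement the baseline window must be long enough to cover maintenance and shift changes, or legitimate but infrequent writes will surface as findings.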
The CMMC impact on OT
As CMMC pushes defense contractors and suppliers to demonstrate stronger asset visibility, risk management, monitoring, and incident response, OT environments can no longer sit outside the scope of cybersecurity programs. Many organizations supporting the defense industrial base operate manufacturing lines, test equipment, building automation, or other control systems that directly or indirectly impact Controlled Unclassified Information (CUI). The problem is that these systems are often implicitly trusted, poorly segmented, and sparsely monitored — creating blind spots that conflict with CMMC expectations around access control, system security plans, and continuous monitoring.
Final thoughts
The challenge is that traditional IT security controls and testing methods do not translate cleanly into OT environments. While CMMC emphasizes demonstrable risk reduction, OT systems often cannot be patched, aggressively scanned, or equipped with standard endpoint tools.
This is why OT penetration testing needs specific expertise — to validate trust boundaries, identify unsafe exposure paths, and assess how legitimate control functionality could be abused.
The CMMC Journey: Avoiding Mistakes and Building a Winning Team
Preparing for a CMMC assessment can feel like a high-stakes race. But in the rush to the finish line, many organizations stumble over preventable hurdles. These missteps not only delay certification but also introduce significant operational and financial risk. Understanding the most common mistakes is the first step toward building a successful and sustainable compliance strategy.
Read on to learn about the critical errors companies make during their CMMC journey and how the right team of partners can set you up for success.
Mistake 1: Internal teams working in silos
One of the most frequent yet damaging mistakes happens before an external partner is ever engaged. When IT, compliance, and business leadership teams don’t communicate, they create significant internal friction. This lack of alignment often leads to assessments being scheduled before the organization is truly prepared.
The risk is substantial. Imposing an assessment with an unrealistic timeline leaves no room to discover and fix unexpected issues. In large, complex environments, this almost guarantees that critical, show-stopping problems will surface too late in the process, leading to a failed assessment and wasted resources.
Mistake 2: Choosing the wrong C3PAO
In an attempt to manage costs, some organizations opt for the cheapest or most readily available C3PAO. This decision can backfire spectacularly. An inexperienced or unproven C3PAO introduces “interpretive risk,” which is the danger that an assessor will assess controls incorrectly or inconsistently due to a lack of relevant experience.
This risk is amplified when the C3PAO isn’t familiar with your specific industry. For example, applying controls in a manufacturing setting is very different from an office environment; it depends heavily on context, operational processes, and unique documentation. If you have to spend your assessment time educating your assessor on the basics of your business, you’re already behind.
Mistake 3: Neglecting your technology and service providers
Your compliance posture is only as strong as its weakest link, and that includes your partners. Many organizations fail to properly evaluate their technology stack and service providers. Do you know if your tools are FedRAMP authorized or CMMC compliant? Is your Managed Service Provider itself CMMC Level 2 certified?
Relying on an MSP that hasn’t achieved certification creates unnecessary friction and can be a roadblock to your own success. Similarly, if business owners can’t clearly explain technical workflows without leaning entirely on IT, it signals a gap in organizational readiness. You must have full visibility into how Controlled Unclassified Information (CUI) flows through your environment and a team that can articulate it.
The solution: Building a “battle-tested” partner team
Mitigating these risks comes down to one core strategy: choosing the right partners. Your CMMC journey should be a team sport, and your roster should include experienced, “battle-tested” providers who understand your business.
A strong partner ecosystem, combining knowledgeable MSPs, Registered Provider Organizations, and C3PAOs like CyberSheath and A-LIGN, sets you up for success. These experts bring proven, real-world knowledge, which saves time and reduces risk. They have seen the challenges of your industry before and won’t be learning on your dime.
An experienced C3PAO will identify readiness gaps early and advise you to pause if you aren’t prepared, prioritizing your long-term success over a quick assessment. A CMMC-certified MSP has already done the hard work and can implement compliant solutions efficiently.
By assembling a team that understands your industry and aligns with your business goals, you can avoid common pitfalls and turn the CMMC gauntlet into a clear path toward certification and long-term security.
You’re CMMC Certified – What’s Next?
Most of the conversation around CMMC has been about getting certified:
- “What are the requirements?”
- “How do I meet the controls?”
- “Why do I have to do this?”
That focus makes total sense. CMMC is new, can be confusing, and is directly tied to whether you get to keep doing business in the DoD supply chain. So naturally, everyone has been obsessed with clearing that first hurdle and getting the golden piece of paper known as a Level 2 CMMC Certification.
But did you know there are other requirements as part of the three-year certification? That’s right — CMMC certification is not a one-time event. Instead, it’s a three-year cycle. Now that more organizations are getting certified, Years 2 and 3 are where they’re starting to quietly take on risk. But what are the requirements?
What are the Year 2 and Year 3 requirements?
Once you pass a Level 2 C3PAO assessment and receive a Final Status Date, your three-year certification clock begins.
Congrats! You did it! You can now retire and run off into the sunset! Right?!?… right?
While Year 1 brings the third-party assessment, Years 2 and 3 look different. There is no required third-party assessment in those years. Instead, the organization must submit an annual affirmation, signed by a senior official, that states that the organization has implemented and continues to maintain all applicable CMMC requirements for the environment in scope. This affirmation is submitted into SPRS and is used to determine whether your CMMC status remains current and eligible for contract use.
I know what you’re saying out loud to yourself right now:
“This sounds familiar. You’re talking about annual affirmations like the ones we used to do as part of DFARS 7012/7019? The ones that the DoD proved didn’t work, thus forcing their hand in creating the exact program we’re discussing today, CMMC?”
Yeah, let’s talk about that.
The uncomfortable context everyone avoids
Let’s say this more plainly:
The entire reason CMMC exists is because the DoD determined that self-attestation does not work.
For years, contractors self-attested to NIST 800-171 compliance as part of DFARS 7012/7019/7020 clauses. The government reviewed scores, ran spot checks, and investigated incidents as they popped up. What they found was not great — most self-attestations were anywhere from inaccurate to flat out wrong.
And even worse, it was reported again and again that sensitive DoD information was getting into the hands of our adversaries. That’s right — the entire reason we care about protecting this information in the first place was happening with the self-attestation model.
So independent verification became necessary. That is the justification for CMMC.
So, you have to ask yourself:
If self-attestation failed at scale before, why aren’t more people freaking out about the risks of self-attestation in Years 2 and 3 of their CMMC Certification?
Outlining the risks involved
In a three-year span, a lot changes:
- People leave and join your organization
- Systems evolve and technology changes
- Vendors change and supply chains shift
- Threats evolve and new vulnerabilities emerge
- Policies update and regulations tighten
Compliance doesn’t usually fail loudly. It erodes slowly. By the time the annual affirmation is due, your people, processes, and technology have absolutely changed. The question becomes whether your compliance and documentation have changed with it.
That is where risk compounds. But what really is the risk?
Introducing: The False Claims Act
On top of the fact that you risk drifting out of compliance (let’s not forget how wrong self-attested SPRS scores have proven to be), there is a much larger risk at play: an inaccurate affirmation can create exposure under the False Claims Act.
The Department of Justice has already demonstrated a willingness to pursue cybersecurity-related misrepresentations tied to federal contracts. Yes, the Department of Justice has time (Raytheon $8.4M) and time (MorseCorp $4.6M) and time (Penn State $1.25M) again come after organizations who have incorrectly claimed compliance under the self-attestation model.
Contractors have paid real money for overstating compliance with NIST 800-171. CMMC does not replace that risk; it reduces the risk by having a vetted third party (C3PAO) perform a review of your compliance with the controls you will sign off on meeting. And if you are the affirming official whose name is signed off on that attestation? There is the possibility of personal liability in these cases.
“Failure to implement cybersecurity requirements can have devastating consequences, leaving sensitive DoD data vulnerable to cyber threats and malicious actors,” said Special Agent in Charge William Richards of the Air Force Office of Special Investigations Procurement Fraud Office, Andrew AFB, Md. “AFOSI, alongside our investigative partners and the Department of Justice, will continue to combat fraud affecting the Department of the Air Force and hold those accountable that fail to properly safeguard sensitive defense information.”
How to buy down the risk in Years 2 and 3
The CMMC rule does not require a mid-cycle third-party assessment. But organizations that take cybersecurity, legal exposure, and executive accountability seriously don’t rely on memory and optimism for two years. They validate.
The most effective way to do that is through an interim C3PAO assessment. Having a CMMC third-party assessment organization come and validate your controls as MET/NOT MET before you attest to meeting them can:
- Identify compliance drift while it is still manageable
- Give the affirming official something concrete to rely on when signing an annual legal statement
- Create a defensible narrative if an audit, investigation, or inquiry ever occurs
Being able to say, “we hired an independent assessor to validate our posture before signing,” is very different from, “we assumed we were fine.”
It’s not about perfection — it’s about due diligence.
Key takeaway
CMMC is not a one-time trophy. It is a commitment. The program exists because self-attestation alone did not work, yet Years 2 and 3 still rely on it.
That means you should be wary of treating those years casually. You should be intentional and avoid the risks that existed with the previous self-attestation model because those annual affirmations are legal representations tied to contracts, money, and accountability. With your name on the line, you should know exactly what you are signing and feel confident in what you’re attesting to.
In a world where cybersecurity representations are being scrutinized harder than ever, that matters.
Defining Audit Quality in a Comprehensive Enterprise Compliance Strategy
Enterprise compliance teams are increasingly focused on raising the bar for their compliance strategy. Between a desire to pursue additional frameworks and grow their business, compliance professionals are piecing together the puzzle of a successful comprehensive compliance strategy. Audit quality is emerging as a key piece of this puzzle.
Quality is key to a well-run compliance program. It’s intrinsically connected to an organization’s business deals, financial investment, and most importantly, its reputation. Enterprise organizations are uniquely challenged to maintain a high level of quality throughout their often complex compliance strategies.
A-LIGN’s 2026 Compliance Benchmark Report found that 83% of respondents can spot the difference between low- and high-quality variations in auditors, suggesting that compliance professionals are attuned to what makes up a quality audit report and experience. The importance of quality isn’t fading. In fact, according to the report, 80% of respondents say the quality of a compliance report is extremely important, up from 70% in 2025.
Why is maintaining quality important? And why should enterprise organizations take it seriously? Read on to learn:
- Why quality is important to a successful compliance strategy
- What is (and isn’t) quality during the audit experience and final report
- How to pick a high-quality audit partner
Why is audit quality important?
More than half of all respondents to the 2026 Compliance Benchmark Report have had a vendor or prospect reject a report. There are many paths organizations might’ve taken to find themselves in this situation, but it’s most often due to selecting a budget auditor.
The most common reasons vendors or prospects reject reports include:
- Incomplete or missing documentation
- Insufficient testing of controls
- Lack of additional findings
- Report was too templated and lacked relevant and appropriate insights
- Lack of trust in auditor reputation
It might seem like no big deal at first glance, but rejected reports have real consequences. The actual cost of a cheap audit can include lost business, costly remediation, or even worse, a weakened reputation if you experience a breach.
Particularly for enterprise businesses, your reputation is everything. While you may be able to afford the loss of a customer, the damage a cybersecurity incident will cause is almost irreparable.
Defining audit quality
How do you distinguish between high- and low-quality audits? The definition of quality will vary depending on who you talk to, but there are a few factors that make up a high-quality audit experience and final report:
Audit experience
Auditor experience
A trustworthy auditor has plenty of experience working in your chosen framework and its related regulations/guidance. Certifications and accreditations from reputable bodies also demonstrate an auditor’s experience.
Technology
Technology helps your auditor do their job better and opens lines of communication between the two of you. Whether it’s a partnership with a GRC/readiness tool or an in-house solution, technology is foundational to a high-quality audit experience.
Experience with similar companies
Particularly for enterprise organizations, experience with similar companies is key. Enterprise compliance strategies are complex and require high attention to detail and the ability to assess business priorities and streamline accordingly.
Final report
Depth and specificity of each control
Thorough testing of controls is a crucial part of the audit process and demonstrates a rigorous, credible audit that holds up to customer requests to demonstrate compliance.
Relevance and customization of report
Cookie-cutter reports won’t suffice, especially at a high-performing enterprise organization. A high-quality report will provide custom recommendations and results.
Demonstration of risk mitigation
Compliance is an ongoing mission, and your final report should include recommendations for your organization to work through to strengthen your security posture.
Discerning low-quality audits
Though the definition of a high-quality audit may fluctuate depending on who you talk to, spotting a low-quality audit is straightforward. The traits that make up a low-quality audit include:
Poor response time
An experienced auditor will have defined check-ins and quick responses to questions. Poor response time indicates a low level of audit expertise and an inability to form relationships, two key elements of a successful audit.
Outdated processes
Technology drives efficiency and empowers auditors to conduct the best possible audit. A refusal to adopt methods that streamline the audit process demonstrates a lack of care for your bottom line. Technology empowers auditors to work quicker and reduce costs and time for your business.
Insufficient references
Auditors that have successful, quality audit cycles will always have customers who will advocate for them. If an auditor can’t supply happy customers or case studies, it’s a red flag. This potential partner might not be providing their customers with a quality experience or final report.
Limited experience
It’s tempting to go with an auditor that has lower rates and less experience. But this could lead to a report from an unaccredited certification body or vulnerabilities left exposed by an inexperienced audit team.
Templatized reports
Your final report should be personalized to your organization with actionable recommendations. Surface-level, templatized reports could belong to anyone and won’t help your organization improve its security posture.
How to pick a high-quality audit partner
It can be tough to cut through the noise and select an audit partner that will provide your organization with the best possible report and audit experience. But there are some questions you can ask to separate the pack. For a complete list of questions to ask, check out our Quality Checklist.
Questions to ask a potential audit partner:
- Which accreditations and certifications does your organization hold?
- Do you have experience with customers my size? In my industry?
- How many auditors do you have?
- Can you provide references and case studies from satisfied customers?
- How often are your reports rejected by external vendors?
- How do you help clients streamline the process?
- What kinds of technology do you have experience working with?
- How involved will our team be in the process?
- Will we have regular check-ins? How frequently?
Why A-LIGN
A-LIGN is the leading cybersecurity compliance partner, trusted by more than 6,400 organizations worldwide. Our organization is accredited by top certification bodies and has industry-leading auditor retention, allowing our auditors to hold a deep understanding of frameworks and your business. The A-LIGN difference is:
- 36k+ audits completed
- 96% customer satisfaction rating
- 6.4k+ global clients
- 400+ auditors globally
With A-LIGN, you can achieve your compliance goals with confidence and earn a report that your buyers can trust, with support from technology that streamlines the process. Ready to get started? Contact us today.
Why AI Governance Stopped Being Theoretical and What Leaders Must Do Next
We get asked a version of the same question almost weekly: “When did AI governance actually become real?” Our answer is consistent — it was not a single law, a single enforcement action, or even one headline moment. It was 2025.
What changed in 2025 was not the presence of AI. AI had already been embedded across products, services, and operations. What changed was the risk model surrounding it. Signals that had been building quietly for years converged at the same time. And when that happens, governance stops being conceptual and starts being operational.
In the remainder of this article you will find a reflection on what we saw unfold during 2025 and how those signals shape the three priorities leaders should be focused on as they move into 2026.
What shifted in 2025
For several years, most organizations approached AI governance through intent — responsible AI principles, ethical commitments, high level policy statements, and committees charged with oversight. Those efforts were not wrong, but in 2025, they reached their natural limit. Here is what changed:
Regulators moved from guidance to enforcement signaling. Not everywhere and not all at once, but enough to make leadership teams take notice. The conversation shifted from “what should we do?” to “what will we have to defend?”
Insurers began tightening AI-related exclusions and underwriting language. That was a critical signal. Insurance markets do not move on philosophy — they move on loss data and exposure models.
Enterprise buyers changed their questions. Instead of asking what organizations believed about responsible AI, they began asking what organizations could prove. What assessments existed, what controls were in place, and who was accountable?
Shortly after, boards shifted their focus. Their questions were no longer about ethical frameworks — they were about defensibility.
“Can we explain how this system behaves if something goes wrong?”
For many organizations, that question exposed an uncomfortable truth: their AI governance posture looked reasonable on paper, but fragile in practice. That realization defined 2025.
Why this moment feels familiar
We have seen this pattern before. Information security went through it, privacy went through it, and financial controls went through it. Early stages are principle driven, then frameworks emerge, and eventually, evidence and assurance become unavoidable.
AI governance crossed that threshold in 2025, which is why management system thinking matters. Standards like ISO 42001, ISO 42005, and ISO 23894 did not appear by accident. They reflect where governance expectations are heading, not where they have been.
Priority 1 for 2026: Move from AI policy to AI proof
The priority for 2026 is straightforward, even if it is not easy. AI governance must move from policy to proof. The say-do ratio has to be measured and communicated.
Written principles still matter, but they no longer carry decision weight on their own. Regulators, insurers, customers, and auditors are asking for evidence of how decisions are made, how risks are assessed, and how tradeoffs are handled over time.
This includes:
- Impact assessments tied to real use cases
- Risk registers that evolve as models and data change
- Clear records of who approved what and why
- Evidence that governance is active, not ceremonial
This is not about creating paperwork — it is about making governance traceable. If you cannot reconstruct a decision six or twelve months later, that gap becomes a liability the moment scrutiny increases.
What you, as a leader, should do now
- Identify where AI decisions are being made without durable records
- Make impact and risk assessments part of normal operations, not special events
- Design governance as if it will be reviewed by a third party, because eventually it will
Proof is becoming the currency of trust.
Priority 2 for 2026: Treat AI assurance as inevitable
One of the quieter but more important developments in 2025 was the rise of AI assurance expectations. It did not arrive as a mandate but as a question.
Procurement teams began asking vendors to show evidence of AI governance, boards requested independent views on AI risk exposure, and insurers looked for objective signals of governance maturity. This mirrors exactly how assurance matured in cybersecurity.
Once assurance enters the ecosystem, it does not disappear — it becomes normalized. AI risk is not confined to a single team or model. It spans internal development, third party services, data pipelines, and downstream use. Over time, self-attestation stops being credible.
Management systems make this survivable. ISO 27001 showed how assurance can scale without overwhelming organizations, and AI governance is now following a similar path.
What you, as a leader, should do now
- Decide where AI assurance belongs within your organization
- Align AI governance with existing audit and assurance functions
- Establish expectations for vendor AI oversight before customers force the issue
By 2026, assurance will be one of the primary ways trust is evaluated.
Priority 3 for 2026: Use standards to navigate regulatory fragmentation
If 2025 demonstrated anything clearly, it is that AI regulation will not converge neatly. Different jurisdictions are moving at different speeds. Definitions vary, enforcement models differ, and this fragmentation is not temporary. Waiting for clarity may feel prudent, but it leaves organizations exposed.
Standards exist precisely for this environment. They provide a stable operating backbone when laws shift. Courts, regulators, and insurers increasingly rely on standards as evidence of due care because they are structured, auditable, and internationally recognized. ISO 42001 does not replace regulation but operationalizes compliance across jurisdictions without requiring organizations to rebuild their programs every time a new rule appears.
What you, as a leader, should do now
- Stop designing AI governance around a single regulation
- Anchor your program in standards and map regulatory obligations on top
- Be explicit internally that adaptability is the goal, not perfect prediction
In a fragmented regulatory landscape, standards become more valuable, not less.
Where this leaves us
2025 was not the year AI regulation suddenly arrived. It was the year leaders realized that existing governance approaches would not scale.
2026 will reward organizations that:
- Build evidence instead of narratives
- Normalize assurance instead of treating it as exceptional
- Use standards to absorb change rather than chase headlines
This is not intended to be a narrative about fear; it is about leadership. The organizations that invest now will not be scrambling later. They will move forward with confidence while others are still trying to understand why the earth shifted beneath them.
At A-LIGN, this is the work we see coming. Not because the market demands it rhetorically, but because the underlying systems are already changing.
A-LIGN Releases 2026 Compliance Benchmark Report, Unveils How Compliance Teams Can Navigate Evolving Governance Landscape
Data finds a revolving door of regulations and requirements demands a new approach to audit cycles to better manage risk
TAMPA, Fla. – (January 28, 2026) – A-LIGN, a leading provider in cybersecurity compliance, today announced findings from its annual 2026 Compliance Benchmark Report. Now in its sixth year, A-LIGN’s annual data report has become a trusted resource for compliance teams navigating an increasingly complex regulatory landscape, offering insight into evolving requirements, emerging challenges, and proven strategies for managing risk.
While compliance teams may have relied on fragmented strategies in the past, a spike in mandated certifications has made the intricate task of managing audits a labyrinth. According to the report, which surveyed over 1,000 global leaders, nearly all organizations (97%) now conduct at least two audits annually, with 74% of large enterprises managing four or more. At the same time, 72% of organizations recognize that compliance programs must evolve to keep pace with increasingly complex requirements. By adopting a more strategic, technology-enabled, and proactive approach, teams can modernize audit cycles and more effectively manage risk.
“Compliance can no longer be treated as a once-a-year checkbox,” said Scott Price, CEO of A-LIGN. “In an era of relentless ransomware attacks, data breaches, and AI-powered threats, cybersecurity hygiene and compliance is paramount. By combining our team of experts with our AI-powered A-SCEND platform, we’re helping organizations improve their posture and streamline the audit process, turning compliance into a proactive, year-round strategy that achieves cyber resilience.”
Federal compliance is evolving:
Shifting federal requirements are also rapidly reshaping how organizations approach compliance, yet this continues to create confusion. 60% of respondents work with the U.S. government, and nearly all (94%) are already pursuing compliance with frameworks such as CMMC, FISMA, FedRAMP, or GovRAMP. Yet, organizations cite new certifications like CMMC, actions from the current administration, and the cost of compliance as their most pressing concerns inhibiting a fully developed strategy.
Overcoming barriers to audit harmonization:
An influx of new regulations and growing pressure to better manage risk is forcing leaders to take a more deliberate approach to compliance. In fact, 80% of respondents say the quality of a compliance report is extremely important – up from 70% in 2025. At the same time, the report underscores the operational complexity of meeting those rising standards: one in four organizations cite the need to manage multiple audits throughout the year as their greatest compliance challenge, while 20% point to limited staffing as a key barrier to maintaining consistent, high-quality audit cycles.
Defining high-quality audits:
Audit quality is increasingly viewed as a strategic differentiator. 60% of surveyed organizations indicate they would change auditors to improve the quality of their final report, and 83% say they have observed clear differences in quality between audit providers, up from 72% in 2025. The findings also show that technology now plays a central role in audit quality, with 95% of respondents incorporating technology into their audit and assessment processes.
Strategic AI risk management:
As AI adoption accelerates, customer concerns around data governance are intensifying, placing greater pressure on organizations to establish comprehensive and transparent compliance strategies. While organizations are aware of this reality, 33% don’t have an AI compliance strategy in place at all. With the rise in compliance risks stemming from AI, the C-Suite can’t afford to ignore it any longer. Case in point: 80% of companies that use AI are already getting questions from customers about risk management practices.
Tech-enabled compliance is the new baseline:
Tech-enabled audits are no longer optional. What was once considered cutting-edge is now the baseline for doing business: 95% of respondents report using technology during their audits and assessments. Organizations are seeking greater efficiency and simplicity, turning to solutions like audit management or GRC tools to streamline the process. Technology is now a deciding factor, as respondents cite the availability of audit and GRC tools as the top reason they would switch auditors. And the impact is clear: 96% of respondents believe that audit and GRC technology leads to higher-quality audits.
To learn more, download the full Compliance Benchmark Report here.
Methodology
A-LIGN conducted the Compliance Benchmark Report between August and September 2025. It reflects the opinions of 1,043 global respondents. Of these, 85% of companies represented are headquartered in the United States and 15% are headquartered outside of the United States. This survey was conducted by an independent, third-party market research company that is not affiliated with A-LIGN to ensure unbiased, transparent responses.
About A-LIGN
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, CMMC and penetration testing. A-LIGN is the number one issuer of SOC 2 and a leading HITRUST and FedRAMP assessor. To learn more, visit a-lign.com.
Media Contact
Lindsay Mahaney
The ability to prove your security posture sets the stage for expansion and long-term success. That’s where SOC 2 comes in. SOC 2 compliance not only demonstrates your commitment to safeguarding customer data but also positions your business for growth. By meeting this industry standard, organizations can confidently expand into new markets, secure larger deals, and build a foundation for long-term success.
What is SOC 2?
SOC 2 is an independent attestation meant to confirm the presence and effectiveness of controls related to the security and privacy of customer data. It is designed to be flexible and relevant to a variety of businesses, from startups to global enterprises. What sets SOC 2 apart isn’t just its focus on controls; it instills confidence in your stakeholders, providing concrete evidence that your systems and policies are operating as intended.
What are the benefits of SOC 2?
Treating SOC 2 as a value driver rather than a hurdle shifts the growth equation. These are the main benefits:
Accelerate sales cycles
With SOC 2, many prospects will accept your report in place of lengthy security questionnaires, allowing you to close contracts faster.
Unlock larger deals
For many enterprise buyers, especially in regulated industries, SOC 2 is non-negotiable. Without it, you may not even be allowed to compete.
Build customer trust
A SOC 2 report provides third-party validation that your company safeguards sensitive data, which is crucial in winning over new clients and partners.
Mitigate security risks
The process of preparing for a SOC 2 audit helps organizations formalize security policies, identify gaps, and build operational maturity — reducing the risk of costly breaches.
Strengthen brand and market position
Promoting SOC 2 compliance demonstrates diligence and transparency, boosting your credibility and allowing you to compete with larger, established players.
Expanding into the U.S. market
SOC 2 is the most popular cybersecurity audit in the U.S. This attestation has become a baseline expectation, especially for software, SaaS, and service providers. U.S. enterprises look for SOC 2 as proof you take their data and compliance requirements seriously, often making it a prerequisite before you can onboard or even bid.
Your readiness for the U.S. market is ultimately tested by your ability to answer tough security questions, and nothing answers them faster than a clean SOC 2 report. That’s why global companies treat SOC 2 as a gateway to the U.S., knowing it will accelerate onboarding, reduce vendor scrutiny, and establish instant credibility.
Entering new industries
As you look to expand beyond your core market — whether it’s into finance, healthcare, government, or other highly regulated spaces — demonstrating that you can be trusted with sensitive and regulated data is imperative. These industries are governed by strict standards and oversight, making security and risk management a non-negotiable entry point.
SOC 2 equips you to meet these standards, not just with documentation but with third-party assurance that your control environment meets industry expectations. Financial partners value the maturity that comes with being audited to SOC 2 standards. Healthcare organizations look for your alignment with HITRUST and HIPAA through SOC 2’s confidentiality and privacy criteria. Even in emerging sectors, SOC 2 increasingly distinguishes reliable vendors from the rest.
Accelerate SOC 2 compliance with ISO 27001
If you’ve already achieved ISO 27001, you have a solid foundation to take on SOC 2. Both operate as strong frameworks for information security, and with nearly half of the control evidence overlapping, you can harmonize your audits to save time and reduce redundancy. Leveraging similarities between the two frameworks using a tool like A-SCEND will help streamline documentation and preparation, fast-tracking your path to dual compliance. Together, SOC 2 and ISO 27001 enable organizations to expand their reach, serving clients around the globe without being geographically restricted.
Driving growth through SOC 2
SOC 2 has become a powerful business enabler, opening doors to enterprise clients, shortening sales cycles, and reducing long-term risk. As the #1 SOC 2 issuer in the world, A-LIGN’s highly experienced auditors can provide your organization with guidance, tools, and a premium quality audit for your SOC 2 attestation.
Ready to get started on your path to SOC 2 certification? Reach out today to learn more.
CMMC 2026: Seizing the Initiative to Sustain Trust
In military doctrine, seizing the initiative means more than moving first: it means dictating the tempo, creating pressure, and forcing your adversary to respond to you. Victory is often found not in reaction, but in decisive action.
The same principle applies to cybersecurity in the Defense Industrial Base (DIB) and supply chain risk management. In 2026, as the Cybersecurity Maturity Model Certification (CMMC) Phase I matures across the ecosystem, the initiative will belong to contractors who can prove trust not just once, but continuously. Getting certified in CMMC is not the end — it’s the beginning of a three-year cycle that demands sustained readiness.
In an environment shaped by persistent adversaries and systems that support the world’s most capable military, the ability to demonstrate trust can’t be episodic. It must be repeatable, risk-informed, and actively sustained every day.
That’s the shift underway in the CMMC ecosystem, and it is what the mission requires. Not a change in regulation, but a change in mindset: from point-in-time certification to continuous assurance, and from checklist compliance to readiness as a business function.
Certification is a critical milestone, not the end goal
For many defense contractors who are laser-focused on achieving CMMC certification, the path has been all-consuming: stand up controls, collect evidence, document processes, then pass the assessment. This laser focus is understandable. CMMC certification is the foundational milestone that signals eligibility to support Department of Defense (DoD) programs and establish trust.
But as more organizations achieve certification in 2026, a realization is setting in: what many thought was the goal was just the starting point. Once certified, they discover the affirmation requirements they may not have fully appreciated during the intensity of preparation. The CMMC Program and Final Rule makes this explicit: certification establishes a point-in-time posture, but maintaining contract eligibility requires ongoing accountability.
That’s where annual affirmation comes in — the newly codified requirement for senior leaders to attest that their organization remains compliant long after the assessment ends. This is not a formality, but a leadership obligation with legal weight.
Affirmation: The new trust accountability layer
Under 32 CFR § 170.22, every certified organization, prime or subcontractor, must designate an Affirming Official to enter an annual affirmation in the DoD’s Supplier Risk System (SPRS). That individual, a senior leader within the Organization Seeking Assessment (OSA), must legally attest that the CMMC security requirements are not only implemented, but maintained continuously. The annual affirmation in SPRS puts that accountability on record. And in doing so, it introduces a new layer of trust validation, one that is not periodic but persistent.
When we conduct CMMC assessments at A-LIGN, we engage the OSA and Affirming Official early in the process. We want them to understand not just what’s required to achieve certification, but what’s required to maintain it across Years Two and Three.
The key point here is that while a CMMC assessment validates at a moment in time, it’s the affirmation that validates the program over time.
The window between assessments is the new risk surface
CMMC Level 2 assessments remain the benchmark for certification across the DIB, and the progress made by hundreds of organizations to date is significant and commendable. But as every defense contractor knows, posture doesn’t preserve itself.
As a Lead CMMC Assessor, I’ve returned to organizations months after certification, and what I see is a pattern. Programs were designed to survive an assessment, not operate as a sustained business function. Evidence was collected because it was required, not because it was generated continuously. Controls were statically implemented but not really embedded into daily operations. The systems change, staff turns over, controls degrade, and requirements evolve.
Across a three-year cycle, the distance between “we passed” and “we’re mission ready” can grow dangerously wide and introduce significant risk to the supply chain and mission. That’s why Year 2 and Year 3 of the certification cycle aren’t downtime — they’re critical: they are where assurance is sustained, posture is defended, and trust is continually validated beyond the formal assessment.
Continuous assurance: Implementation and validation
This is the practical definition of continuous assurance: The ability to verify cybersecurity readiness between assessments, not through constant reinspection, but through repeatable evidence, periodic validation, defensible reporting, and intentional governance aligned to mission and business risk.
Continuous assurance has two components:
- Implementation: the ongoing execution of security controls, embedded into daily operations, not episodic compliance activities.
- Validation: the periodic confirmation that those controls remain effective across the lifecycle, through internal reviews, testing, and governance aligned to risk.
Together, these components provide the evidence and confidence the Affirming Official needs to attest that posture holds not because someone told them it does, but because they can verify and validate it.
The DoD is already operating this way
This evolution isn’t theoretical — it’s operational. In 2024, the DoD introduced the Cybersecurity Risk Management Construct (CSRMC), a next-generation risk model for lifecycle-aligned cybersecurity that goes far beyond compliance checklists. It integrates five phases, from architecture and engineering to monitoring and operations, all centered on continuous validation, not one-time approvals. This mirrors what’s being asked of contractors under CMMC.
The DoD’s own adoption of continuous Authorization to Operate models confirms an operational reality: point-in-time validation is no longer enough. Assurance must be ongoing, and posture must match the speed of mission need. The DoD sees the defense base as an extension of itself and has the same expectation for contractors that it has for its own systems.
What comes after certification?
This is the question leading contractors are starting to ask. They’ve completed assessments and stood up governance, but now they’re facing a new challenge: How do we sustain trust — operationally, defensibly, and continuously — between certification milestones?
That’s the new frontier for serious defense vendors across the supply chain. It’s not just about passing an assessment — it’s about showing up to the next proposal, the next contract renewal, or the next security review with clear, confident evidence that posture still holds. It’s no longer just a security conversation; it’s a business imperative.
Steve Simmons Appointed President of A-LIGN
Tampa, Fla. (January 13, 2026) – A-LIGN, the leading provider in cybersecurity compliance, has appointed Steve Simmons to serve as President. Simmons, who joined A-LIGN in 2014, served as A-LIGN’s Chief Operations Officer since 2021.
“Steve has excelled at leading our business through many chapters and he is the right person to assume this new position,” said Scott Price, CEO of A-LIGN. “His strong leadership and commitment to continuous improvement will be invaluable as we enter the next stage of A-LIGN’s evolution and expand our capacity to meet the increasing global demand for our services.”
In his new role as President, Simmons will oversee a broadened scope of day-to-day operations with a focus on executing A-LIGN’s 2026 strategic priorities. This includes driving international expansion across new geographies and services and further solidifying A-LIGN’s leadership in the Cybersecurity Maturity Model Certification (CMMC) assessment market. He will be responsible for integrating elevated strategy with seamless execution to ensure A-LIGN stays ahead of the industry’s most complex cybersecurity compliance needs.
At the core of this growth is the continued evolution of A-SCEND, A-LIGN’s proprietary audit management platform. “What excites me most is the opportunity to shape A-LIGN’s future in a rapidly evolving landscape where technology and compliance are merging,” said Simmons. “We are focused on unlocking new possibilities by leveraging A-SCEND’s AI-powered automation to not only drive growth and innovation, but to ensure world-class retention.”
This leadership appointment comes as A-LIGN has completed a banner year in 2025 with a strategic investment from Hg, which confirmed its status as a unicorn and added new board members. This new organizational structure will empower Price to focus on external strategic priorities, including customers and partners, while continuing to set overall vision; Simmons’ operational expertise provides the foundation for A-LIGN to scale its enterprise-grade audit experience through deeper GRC integrations and technology-led delivery.
“I joined A-LIGN when we were fewer than 30 employees and being part of that journey has shaped my leadership,” said Simmons. “As we look ahead, I’m excited to build on those lessons as we expand our services, enter new markets, and continue advancing our A‑SCEND technology to elevate our goal of delivering a frictionless, high-quality experience that moves compliance from a point-in-time hurdle to a continuous strategic advantage for our clients.”
About A-LIGN
A-LIGN is the leading cybersecurity compliance partner, trusted by over 6,400 organizations worldwide to navigate the complexities of compliance, audit, and risk. With a tech-enabled delivery model and deep domain expertise, A-LIGN has completed more than 36,000 audits. It is the #1 issuer of SOC 2 reports and a top three FedRAMP assessor. Founded in 2009, A-LIGN delivers high-quality, efficient audits across frameworks including SOC 2, ISO 27001, FedRAMP, CMMC, ISO 42001, PCI, and HITRUST. To learn more, visit: https://www.a-lign.com.