CMMC Is the Floor, Not the Finish Line

BomberJacket Networks
4 min read

At TechNet Cyber in Baltimore last week, DoD CIO Kirsten Davie said something that's been circulating in defense contracting circles ever since:

"Compliance does not equal security."

She's right. And the contractors who understand why she's right -- not just that she said it -- are the ones who are going to be in the strongest position in the defense industrial base over the next five years.

What She Actually Said

Davie wasn't dismissing CMMC. She was making a more important point: that the department is shifting toward a "unified, holistic, and risk-driven function, with a bias for action." Checking boxes is not enough. The warfighter depends on suppliers who actually operate securely, not just suppliers who can produce a compliance artifact.

That framing matters. Because there's a version of the DoD CIO's comments that defense contractors can use to rationalize doing less. And a version that pushes them to do more.

The second version is the right read.

Compliance Is the Foundation -- Not the Ceiling

CMMC was never designed to be security nirvana. It was designed to push the Defense Industrial Base toward a base level of defensible cybersecurity -- because for too long, weak supplier security in the supply chain was a known vulnerability that adversaries were actively exploiting.

The 110 controls in NIST 800-171, the assessment requirements, the Plan of Action and Milestones -- these aren't bureaucratic overhead. They're the minimum structural requirements for handling Controlled Unclassified Information without putting DoD programs at risk.

"Compliance does not equal security" is not an argument against those requirements.

It's an argument against stopping there.

What Contractors Need to Build on Top

Getting to CMMC Level 2 means you have the controls. It means you've documented your System Security Plan. It means you've had an assessment. That's real work, and it matters.

But the contractors who treat CMMC as the whole job are missing the point. Here's what operational security looks like on top of a solid compliance foundation:

Continuous monitoring. A compliant environment at the moment of assessment is not the same as a secure environment six months later. Configurations drift. Vulnerabilities emerge. Staff turn over. Monitoring has to be ongoing.

CUI ownership. Knowing where your CUI lives, who has access to it, and how it flows through your systems is a discipline that goes beyond a one-time documentation exercise. It's an operational habit.

Incident response readiness. Having a plan on paper and having a team that can actually execute under pressure are different things. The bias for action Davie described applies here too.

Risk discipline. CMMC defines controls. Risk management defines priorities. Contractors who understand their actual threat exposure -- not just their control gaps -- make better security decisions.

The Question Industry Should Be Asking

Davie's comments raise a legitimate question for contractors: does the department's shift toward a risk-driven, holistic approach mean CMMC requirements get loosened?

It shouldn't. And if history is any guide, the trajectory is toward more accountability, not less. The 2025 DFARS rule, the C3PAO assessment requirements, the phased rollout of Level 2 and Level 3 -- all of it points toward a DoD that is serious about raising the floor in the DIB, not lowering it.

What the shift toward holistic, risk-driven security means is that compliance is no longer the destination. It's the entry point.

What This Means for Defense Contractors Right Now

If you're still working toward your first CMMC assessment, the goal hasn't changed: get compliant, get assessed, get certified. That's the floor, and you need to be on it.

If you've already achieved CMMC Level 2, the question is what you're building on top of that foundation. Monitoring, CUI discipline, incident response, risk management -- these are the areas where the DoD CIO's comments should be driving investment.

"Compliance does not equal security" is not a message that compliance doesn't matter.

It's a message that it matters enough to take seriously -- all the way through.


BomberJacket Networks is a C3PAO providing CMMC assessment, gap analysis, and implementation support to defense contractors. 25+ years in IT and cybersecurity, focused on CMMC since 2020.
