Author: sHq_LoGiNz

By Scott Register

If you’re in the Defense Industrial Base (DIB), you’ve probably felt the shift: cybersecurity has moved from a contractual footnote to a deciding factor in who gets to compete. The Cybersecurity Maturity Model Certification (CMMC) is the clearest signal yet that the Department of Defense (DoD) is moving away from “trust us” security and toward verified compliance.

And in the face of a rapidly evolving threat landscape, that’s not unreasonable. The DIB faces increasingly frequent and complex cyber-attacks, and an extended supply chain is only as resilient as its weakest link. To meet these challenges, CMMC serves as a market gate: it changes who is eligible, who is credible, and who gets picked.

So let’s talk about the uncomfortable part: the cost of non-compliance. Because non-compliance isn’t theoretical. It entails lost opportunity, delayed revenue, supply chain exclusion, and, in the worst cases, legal consequences tied to the gap between what you claimed and what you can prove.

A Practical Reality: Readiness Takes Longer Than Most Expect

CMMC isn’t optional, and it isn’t “someday.” Assessment requirements are being implemented using a four-phase plan over three years, beginning with Phase 1, which launched on November 10, 2025, and adding requirements incrementally until full implementation of program requirements in Phase 4.

That runway may sound generous, but it will dissipate quickly because building a defensible compliance posture takes sustained work and a robust plan combining scoping, implementation, evidence collection, and validation. Waiting until requirements are widespread across your target solicitations is not a plan. It’s a decision to compete later… assuming you can afford to.

The Readiness Gap Is Massive, and It’s a Business Problem (Not Just a Cyber Problem)

Keysight’s commissioned research surveyed 206 cybersecurity leaders across the DIB and revealed two jarring numbers that should reset expectations:

• Only 2% of organizations are audit-ready
• Only 3% use automated validation tools to continuously verify compliance

The conversation is no longer only about “will we pass an audit?” but “will we be eligible to bid or even remain in the supply chain?” Where CMMC applies, contractors and subcontractors entrusted with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must achieve a specific CMMC level as a condition of contract award, creating concrete competitive differentiation where none previously existed.

CMMC raises the bar for security by raising the bar for proof.

Non-Compliance Costs Stack Up Fast

With the history of NIST SP800-171 compliance via self-attestation, many organizations adopted a performative approach to certification with any gaps addressable on a line-item basis by bringing in some consultants or deploying new security tools. This was easy to account for, but in reality the costs of non-compliance now go far beyond those budget items. The cost of non-compliance can quickly become a stack of compounding penalties that far exceed projections.

Lost Contract Eligibility (the “Silent Failure”)

The most immediate consequence is blunt: you can’t compete for contracts requiring a specific CMMC level. CMMC requirements are implemented through contract clauses, and the required level depends on the type and sensitivity of the information involved.

That’s not a cybersecurity problem. That’s pipeline and revenue.

Audit Delays and Schedule Risk (the “Time Tax”)

CMMC assessments are not one-size-fits-all. Depending on the contract and the information scope, organizations may be required to complete a self-assessment or a certification assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO). For Level 3, assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). These assessment paths have different logistics and timing implications, and delays can directly affect eligibility windows.

Remediation Under Pressure (the “Expensive Scramble”)

If you treat compliance as a late-stage scramble, you pay for it twice: once in rushed remediation, and again in operational disruption. CMMC is designed to increase confidence that organizations are implementing required cybersecurity standards for systems that process, store, or transmit FCI or CUI. Often, the teams scrambling to remediate audit shortcomings are also on the hook to support production operations, posing immediate jeopardy to revenues from both commercial and government sales.

Credibility and Supply Chain Positioning (the “Trust Gap”)

Cybersecurity credibility is becoming a differentiator. If you can’t demonstrate evidence aligned to the applicable level, you become harder to select and harder to defend.

Legal Liability (the “One Nobody Budgets For”)

This is where “paper compliance” becomes dangerous. The Department of Justice has pursued cybersecurity-related cases under the False Claims Act, and Keysight’s research cites nearly $40M in recent settlements tied to alleged noncompliance and misrepresentation.

One referenced case is especially telling: a contractor submitted a self-assessment score of 104 out of 110, while an external review calculated the company’s actual score to be -142.19. That case resulted in a $4.6M settlement.

The lesson is simple: the gap between “we believe” and “we can prove” is where exposure lives. CMMC is pushing the industry from intent to evidence.

Why the Gap Exists: Complexity, Resources, and Manual Proof Readiness

When asked about obstacles, respondents cited three major pain points:

• 35% pointed to the complexity of requirements
• 30% cited lack of internal resources
• 30% struggled with understanding requirements and lack of clear guidance

The combination of high complexity, constrained teams, and uneven clarity is a daunting challenge.

It’s also made worse by a common assumption: “If we’ve been working toward NIST SP 800-171, we’re basically there.” The nuance matters. The CMMC program focuses on protecting FCI and CUI. Level 1 requires an annual self-assessment and annual affirmation against the 15 requirements in FAR 52.204-21. CMMC Level 2 is aligned to the 110 requirements in NIST SP 800-171 Rev. 2, including an assessment every three years (self or C3PAO, depending on the solicitation), and requires annual affirmations. Level 3 requires a prerequisite CMMC Level 2 status and a DIBCAC-led assessment every three years, plus annual affirmations (including continued Level 2 affirmations).

That’s also why automation matters. Modern cyber defense moves too fast for manual attestation to keep up. Yet only 3% reported using automated security validation tools today.

What Winning Looks Like: Making Compliance Credible

The best way to think about CMMC isn’t as a checkbox. It’s a credibility engine. When compliance is built as an evidence-based program, a few things happen:

• Controls become measurable.
• Audit prep becomes continuous.
• Gaps surface earlier, when fixes are less expensive.
• Cyber maturity improves in ways that reduce incidents.
• Market positioning strengthens because you can prove readiness.

In other words, you don’t just “meet requirements.” You’re becoming a more trusted, lower-risk partner, one to whom customers can confidently award CMMC-governed contracts.

Tools for a More Streamlined Path to Compliance

CMMC readiness can feel overwhelming because it touches scoping, implementation, documentation, validation, and sustainment.

Keysight network visibility and security solutions can help organizations shift to evidence-based, continuously validated security.

Turn Visibility Into Audit-Ready Evidence.

Keysight network visibility solutions, such as Vision Series Network Packet Brokers, help ensure security tools receive the right traffic and telemetry. That supports audit trails and monitoring needed for domains like Audit and Accountability (AU) and System and Information Integrity (SI). Without visibility, every other control becomes harder to prove.

Validate Controls Continuously, Not Just at Audit Time.

Keysight’s breach and attack simulation capabilities (like Threat Simulator) help organizations continuously validate defensive controls by emulating real-world attack behaviors and producing measurable results. Continuous validation reduces surprises, shortens remediation cycles, and increases confidence before an assessor ever arrives.

Build Sustainment into the Operating Model.

CMMC is not a one-time event. Certification results are recorded in government systems, and organizations must complete affirmations (after assessments and annually thereafter, depending on level). Readiness fades without reinforcement. Keysight Cyber Range Training (KCTS) helps teams practice incident response and maintain operational readiness between assessments, supporting the people and process side of a sustainable program.

CMMC is a forcing function, but it’s also an opportunity. Organizations that treat it as an evidence problem, solved with visibility, validation, and repeatable proof, won’t just stay eligible. They’ll build credibility the market can actually trust.

Read the Full Research White Paper

By Scott Register

If you’re in the Defense Industrial Base (DIB), you’ve probably felt the shift: cybersecurity has moved from a contractual footnote to a deciding factor in who gets to compete. The Cybersecurity Maturity Model Certification (CMMC) is the clearest signal yet that the Department of Defense (DoD) is moving away from “trust us” security and toward verified compliance.

And in the face of a rapidly evolving threat landscape, that’s not unreasonable. The DIB faces increasingly frequent and complex cyber-attacks, and an extended supply chain is only as resilient as its weakest link. To meet these challenges, CMMC serves as a market gate: it changes who is eligible, who is credible, and who gets picked.

So let’s talk about the uncomfortable part: the cost of non-compliance. Because non-compliance isn’t theoretical. It entails lost opportunity, delayed revenue, supply chain exclusion, and, in the worst cases, legal consequences tied to the gap between what you claimed and what you can prove.

A Practical Reality: Readiness Takes Longer Than Most Expect

CMMC isn’t optional, and it isn’t “someday.” Assessment requirements are being implemented using a four-phase plan over three years, beginning with Phase 1, which launched on November 10, 2025, and adding requirements incrementally until full implementation of program requirements in Phase 4.

That runway may sound generous, but it will dissipate quickly because building a defensible compliance posture takes sustained work and a robust plan combining scoping, implementation, evidence collection, and validation. Waiting until requirements are widespread across your target solicitations is not a plan. It’s a decision to compete later… assuming you can afford to.

The Readiness Gap Is Massive, and It’s a Business Problem (Not Just a Cyber Problem)

Keysight’s commissioned research surveyed 206 cybersecurity leaders across the DIB and revealed two jarring numbers that should reset expectations:

• Only 2% of organizations are audit-ready
• Only 3% use automated validation tools to continuously verify compliance

The conversation is no longer only about “will we pass an audit?” but “will we be eligible to bid or even remain in the supply chain?” Where CMMC applies, contractors and subcontractors entrusted with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must achieve a specific CMMC level as a condition of contract award, creating concrete competitive differentiation where none previously existed.

CMMC raises the bar for security by raising the bar for proof.

Non-Compliance Costs Stack Up Fast

With the history of NIST SP800-171 compliance via self-attestation, many organizations adopted a performative approach to certification with any gaps addressable on a line-item basis by bringing in some consultants or deploying new security tools. This was easy to account for, but in reality the costs of non-compliance now go far beyond those budget items. The cost of non-compliance can quickly become a stack of compounding penalties that far exceed projections.

Lost Contract Eligibility (the “Silent Failure”)

The most immediate consequence is blunt: you can’t compete for contracts requiring a specific CMMC level. CMMC requirements are implemented through contract clauses, and the required level depends on the type and sensitivity of the information involved.

That’s not a cybersecurity problem. That’s pipeline and revenue.

Audit Delays and Schedule Risk (the “Time Tax”)

CMMC assessments are not one-size-fits-all. Depending on the contract and the information scope, organizations may be required to complete a self-assessment or a certification assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO). For Level 3, assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). These assessment paths have different logistics and timing implications, and delays can directly affect eligibility windows.

Remediation Under Pressure (the “Expensive Scramble”)

If you treat compliance as a late-stage scramble, you pay for it twice: once in rushed remediation, and again in operational disruption. CMMC is designed to increase confidence that organizations are implementing required cybersecurity standards for systems that process, store, or transmit FCI or CUI. Often, the teams scrambling to remediate audit shortcomings are also on the hook to support production operations, posing immediate jeopardy to revenues from both commercial and government sales.

Credibility and Supply Chain Positioning (the “Trust Gap”)

Cybersecurity credibility is becoming a differentiator. If you can’t demonstrate evidence aligned to the applicable level, you become harder to select and harder to defend.

Legal Liability (the “One Nobody Budgets For”)

This is where “paper compliance” becomes dangerous. The Department of Justice has pursued cybersecurity-related cases under the False Claims Act, and Keysight’s research cites nearly $40M in recent settlements tied to alleged noncompliance and misrepresentation.

One referenced case is especially telling: a contractor submitted a self-assessment score of 104 out of 110, while an external review calculated the company’s actual score to be -142.19. That case resulted in a $4.6M settlement.

The lesson is simple: the gap between “we believe” and “we can prove” is where exposure lives. CMMC is pushing the industry from intent to evidence.

Why the Gap Exists: Complexity, Resources, and Manual Proof Readiness

When asked about obstacles, respondents cited three major pain points:

• 35% pointed to the complexity of requirements
• 30% cited lack of internal resources
• 30% struggled with understanding requirements and lack of clear guidance

The combination of high complexity, constrained teams, and uneven clarity is a daunting challenge.

It’s also made worse by a common assumption: “If we’ve been working toward NIST SP 800-171, we’re basically there.” The nuance matters. The CMMC program focuses on protecting FCI and CUI. Level 1 requires an annual self-assessment and annual affirmation against the 15 requirements in FAR 52.204-21. CMMC Level 2 is aligned to the 110 requirements in NIST SP 800-171 Rev. 2, including an assessment every three years (self or C3PAO, depending on the solicitation), and requires annual affirmations. Level 3 requires a prerequisite CMMC Level 2 status and a DIBCAC-led assessment every three years, plus annual affirmations (including continued Level 2 affirmations).

That’s also why automation matters. Modern cyber defense moves too fast for manual attestation to keep up. Yet only 3% reported using automated security validation tools today.

What Winning Looks Like: Making Compliance Credible

The best way to think about CMMC isn’t as a checkbox. It’s a credibility engine. When compliance is built as an evidence-based program, a few things happen:

• Controls become measurable.
• Audit prep becomes continuous.
• Gaps surface earlier, when fixes are less expensive.
• Cyber maturity improves in ways that reduce incidents.
• Market positioning strengthens because you can prove readiness.

In other words, you don’t just “meet requirements.” You’re becoming a more trusted, lower-risk partner, one to whom customers can confidently award CMMC-governed contracts.

Tools for a More Streamlined Path to Compliance

CMMC readiness can feel overwhelming because it touches scoping, implementation, documentation, validation, and sustainment.

Keysight network visibility and security solutions can help organizations shift to evidence-based, continuously validated security.

Turn Visibility Into Audit-Ready Evidence.

Keysight network visibility solutions, such as Vision Series Network Packet Brokers, help ensure security tools receive the right traffic and telemetry. That supports audit trails and monitoring needed for domains like Audit and Accountability (AU) and System and Information Integrity (SI). Without visibility, every other control becomes harder to prove.

Validate Controls Continuously, Not Just at Audit Time.

Keysight’s breach and attack simulation capabilities (like Threat Simulator) help organizations continuously validate defensive controls by emulating real-world attack behaviors and producing measurable results. Continuous validation reduces surprises, shortens remediation cycles, and increases confidence before an assessor ever arrives.

Build Sustainment into the Operating Model.

CMMC is not a one-time event. Certification results are recorded in government systems, and organizations must complete affirmations (after assessments and annually thereafter, depending on level). Readiness fades without reinforcement. Keysight Cyber Range Training (KCTS) helps teams practice incident response and maintain operational readiness between assessments, supporting the people and process side of a sustainable program.

CMMC is a forcing function, but it’s also an opportunity. Organizations that treat it as an evidence problem, solved with visibility, validation, and repeatable proof, won’t just stay eligible. They’ll build credibility the market can actually trust.

Read the Full Research White Paper

 By Baker Tilly’s Chris Wagner and Dave DuVarney

Artificial intelligence has quickly moved from an experimental technology to a boardroom priority. Leadership teams across industries are being asked the same question: What is our AI strategy?

Despite the growing pressure, many organizations struggle to answer that question. AI can feel powerful but ambiguous, and without a clear starting point, initiatives often stall or fail to deliver results. In fact, a significant percentage of AI initiatives fail to produce meaningful outcomes in their first year.

The organizations that succeed with AI tend to take a structured but practical approach — balancing leadership direction, experimentation, governance and a focus on real business problems.

Start with executive alignment

Successful AI adoption begins with leadership. Without executive support, AI efforts often remain scattered experiments rather than strategic initiatives.

Leaders don’t need to start with a massive strategy document. What matters most is establishing clear intent: AI is important to the organization, and exploring its potential is a priority.

When executives actively encourage teams to explore AI — asking how it might improve workflows or create new capabilities — it signals that innovation is expected and supported. This tone from the top creates the momentum organizations need to begin experimenting and learning.

Build a cross-functional AI team

Although AI relies on technology, it cannot succeed as an IT-only initiative.

Organizations benefit from forming a cross-functional team responsible for guiding AI adoption. This group typically includes representatives from technology, operations, finance, marketing and other key business functions.

Their role is to help the organization move forward intentionally by:

• Identifying and prioritizing potential AI use cases
• Establishing governance and risk policies
• Selecting enterprise AI tools
• Encouraging adoption across departments
• Developing business cases for investment

This team acts as the internal steering function that balances experimentation with strategic alignment.

Encourage Grassroots Innovation

One of the most transformative aspects of modern AI, especially generative AI, is its accessibility. Employees across the organization can experiment with these tools to solve everyday problems.

Organizations can benefit from encouraging this experimentation and capturing the best ideas. A simple innovation funnel can help:

1. Employees experiment with AI tools.
2. Promising ideas are shared with the organization.
3. The most impactful use cases are evaluated and expanded.

Many AI platforms also provide usage data that can highlight successful workflows. If a particular tool or process becomes widely used internally, it may signal an opportunity to formalize and scale that solution across the organization.

Focus on problems, not technology

A common mistake organizations make is starting with the question, “Where can we use AI?”

A better approach is to start with the problem. Ask, “What business challenge are we trying to solve?”

Sometimes AI will be the best solution. Other times, simpler tools, such as spreadsheets, automation platforms, or traditional analytics, may be more effective.

Treating AI as one tool among many ensures that organizations apply it where it truly creates value rather than forcing it into every problem.

Capture everyday productivity gains

Not every AI benefit comes from large transformation projects. Some of the most immediate value comes from small improvements in daily work.

Employees are already using AI tools to help with tasks like:

• Drafting emails and reports
• Summarizing information
• Brainstorming ideas
• Structuring plans and strategies
• Working through complex problems

These small efficiencies may be difficult to measure individually, but when multiplied across an entire workforce, they can significantly improve productivity and job satisfaction.

Over time, this also helps employees become more comfortable and creative with AI tools, which can lead to larger innovation opportunities.

Strengthen governance and security

Security concerns are one of the biggest barriers organizations face when adopting AI. Leaders worry about sensitive data exposure, regulatory risks and the rapid growth of AI tools.

Addressing these concerns requires a thoughtful approach.

Provide enterprise-grade AI tools

Organizations should offer secure AI platforms within their own environments. If employees lack access to approved tools, they will likely use public alternatives, which increases risk.

Providing enterprise tools gives employees a safe place to experiment.

Extend existing data policies

Most organizations already have data governance policies. AI policies should simply extend those rules.

For example, sensitive company data should only be used within approved platforms rather than public AI tools.

Clear guidelines help employees understand how to use AI responsibly while still enabling innovation.

Review security practices

AI systems often interact with large volumes of organizational data, which can expose weaknesses in existing access controls.

Organizations should review how administrative privileges and sensitive data access are managed. Strengthening these controls ensures AI tools do not unintentionally expand access to information.

Learn from external expertise

AI technology is evolving quickly, and many organizations lack deep expertise internally.

Leaders can accelerate progress by learning from external sources such as:

• Industry communities and professional groups
• Peer organizations experimenting with AI
• Advisors and technology partners
• Educational resources and training programs

These networks help organizations stay informed, avoid common mistakes and move forward with greater confidence.

Moving forward with AI

Organizations don’t need a perfect strategy before they begin exploring AI. What matters most is creating the right environment for progress.

That environment includes:

• Clear leadership support
• Cross-functional collaboration
• Safe experimentation
• Strong governance and security
• A focus on real business problems

By combining these elements, organizations can move beyond the hype surrounding AI and begin realizing real value — one practical use case at a time.

How we can help

Baker Tilly helps organizations safely and effectively harness AI. Our AI consulting services support you from strategy development through implementation, including model design, data and AI governance, workflow automation and organizational readiness programs. Ready to accelerate your AI journey? Connect with a Baker Tilly specialist to get started. 

 By Baker Tilly’s Chris Wagner and Dave DuVarney

Artificial intelligence has quickly moved from an experimental technology to a boardroom priority. Leadership teams across industries are being asked the same question: What is our AI strategy?

Despite the growing pressure, many organizations struggle to answer that question. AI can feel powerful but ambiguous, and without a clear starting point, initiatives often stall or fail to deliver results. In fact, a significant percentage of AI initiatives fail to produce meaningful outcomes in their first year.

The organizations that succeed with AI tend to take a structured but practical approach — balancing leadership direction, experimentation, governance and a focus on real business problems.

Start with executive alignment

Successful AI adoption begins with leadership. Without executive support, AI efforts often remain scattered experiments rather than strategic initiatives.

Leaders don’t need to start with a massive strategy document. What matters most is establishing clear intent: AI is important to the organization, and exploring its potential is a priority.

When executives actively encourage teams to explore AI — asking how it might improve workflows or create new capabilities — it signals that innovation is expected and supported. This tone from the top creates the momentum organizations need to begin experimenting and learning.

Build a cross-functional AI team

Although AI relies on technology, it cannot succeed as an IT-only initiative.

Organizations benefit from forming a cross-functional team responsible for guiding AI adoption. This group typically includes representatives from technology, operations, finance, marketing and other key business functions.

Their role is to help the organization move forward intentionally by:

• Identifying and prioritizing potential AI use cases
• Establishing governance and risk policies
• Selecting enterprise AI tools
• Encouraging adoption across departments
• Developing business cases for investment

This team acts as the internal steering function that balances experimentation with strategic alignment.

Encourage Grassroots Innovation

One of the most transformative aspects of modern AI, especially generative AI, is its accessibility. Employees across the organization can experiment with these tools to solve everyday problems.

Organizations can benefit from encouraging this experimentation and capturing the best ideas. A simple innovation funnel can help:

1. Employees experiment with AI tools.
2. Promising ideas are shared with the organization.
3. The most impactful use cases are evaluated and expanded.

Many AI platforms also provide usage data that can highlight successful workflows. If a particular tool or process becomes widely used internally, it may signal an opportunity to formalize and scale that solution across the organization.

Focus on problems, not technology

A common mistake organizations make is starting with the question, “Where can we use AI?”

A better approach is to start with the problem. Ask, “What business challenge are we trying to solve?”

Sometimes AI will be the best solution. Other times, simpler tools, such as spreadsheets, automation platforms, or traditional analytics, may be more effective.

Treating AI as one tool among many ensures that organizations apply it where it truly creates value rather than forcing it into every problem.

Capture everyday productivity gains

Not every AI benefit comes from large transformation projects. Some of the most immediate value comes from small improvements in daily work.

Employees are already using AI tools to help with tasks like:

• Drafting emails and reports
• Summarizing information
• Brainstorming ideas
• Structuring plans and strategies
• Working through complex problems

These small efficiencies may be difficult to measure individually, but when multiplied across an entire workforce, they can significantly improve productivity and job satisfaction.

Over time, this also helps employees become more comfortable and creative with AI tools, which can lead to larger innovation opportunities.

Strengthen governance and security

Security concerns are one of the biggest barriers organizations face when adopting AI. Leaders worry about sensitive data exposure, regulatory risks and the rapid growth of AI tools.

Addressing these concerns requires a thoughtful approach.

Provide enterprise-grade AI tools

Organizations should offer secure AI platforms within their own environments. If employees lack access to approved tools, they will likely use public alternatives, which increases risk.

Providing enterprise tools gives employees a safe place to experiment.

Extend existing data policies

Most organizations already have data governance policies. AI policies should simply extend those rules.

For example, sensitive company data should only be used within approved platforms rather than public AI tools.

Clear guidelines help employees understand how to use AI responsibly while still enabling innovation.

Review security practices

AI systems often interact with large volumes of organizational data, which can expose weaknesses in existing access controls.

Organizations should review how administrative privileges and sensitive data access are managed. Strengthening these controls ensures AI tools do not unintentionally expand access to information.

Learn from external expertise

AI technology is evolving quickly, and many organizations lack deep expertise internally.

Leaders can accelerate progress by learning from external sources such as:

• Industry communities and professional groups
• Peer organizations experimenting with AI
• Advisors and technology partners
• Educational resources and training programs

These networks help organizations stay informed, avoid common mistakes and move forward with greater confidence.

Moving forward with AI

Organizations don’t need a perfect strategy before they begin exploring AI. What matters most is creating the right environment for progress.

That environment includes:

• Clear leadership support
• Cross-functional collaboration
• Safe experimentation
• Strong governance and security
• A focus on real business problems

By combining these elements, organizations can move beyond the hype surrounding AI and begin realizing real value — one practical use case at a time.

How we can help

Baker Tilly helps organizations safely and effectively harness AI. Our AI consulting services support you from strategy development through implementation, including model design, data and AI governance, workflow automation and organizational readiness programs. Ready to accelerate your AI journey? Connect with a Baker Tilly specialist to get started.