With only 366 certifications completed and mandatory rollout beginning in less than two weeks, defense firms need smarter tools to meet cybersecurity requirements without breaking the bank, writes Steven Hess, CEO, Deep Fathom. Compliance has increasingly become an operating drag as organizations struggle to keep pace with an expanding risk surface and growing demands on resources. The ongoing rollout of the Cybersecurity Maturity Model Certification (CMMC) 2.0 process shows how quickly today’s compliance system can be overwhelmed when demand collides with limited assessment capacity.
In CMMC and other compliance processes, data spans more systems, vendors and geographies than ever before, and every connection adds another point that must be mapped, secured, and proven.
Teams spend months corralling documents, validating controls, and reworking evidence scattered across spreadsheets and siloed systems. Instead of enabling business, compliance readiness too often blocks it, slowing contracts, delaying opportunities, and straining resources in ways most organizations can’t sustain.
This strain isn’t unique to any one framework. Across industries, compliance programs have outgrown the systems built to support them, leaving organizations wrestling with structural limitations:
- Controls and complexity have outpaced legacy approaches.
- Tools are too complicated for general business use.
- Compliance experts remain scarce and expensive.
- Processes, communications and data sharing remain fragmented.
CMMC as a Case Study
These pressures appear differently across sectors, but nowhere are the cracks more visible than in defense contracting and the rollout of mandatory CMMC certification. Although considerable effort is going into expanding the pool of assessors, only 366 certifications had been completed between the start of voluntary assessments in early 2025 and the end of September, as announced at the September Cyber AB CMMC town hall meeting.
Audit preparation using common legacy methods can take up to two years. Third-party assessments then add three to six more months when preparation is incomplete and rework or rescheduled audits follow, pushing labor and resource costs past $400,000 for many organizations.
Publication of the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) formalizes this mandatory rollout beginning Nov. 10, 2025. The stakes are high: new contract awards could be blocked, bidding eligibility withdrawn, and even existing contracts put at risk.
Large primes have been preparing for this shift, but small and mid-sized suppliers face disproportionate burdens, often without dedicated compliance teams to manage the workload or absorb the costs.
Where Current CMMC Approaches Break Down
CMMC Level 2 requires documented implementation of the 110 security requirements of NIST SP 800-171, each of which must be demonstrated to an assessor. Yet many organizations still approach this with generic templates, spreadsheets and manual tracking. Whether handled internally or by consultants, these methods introduce errors, duplication and tasks completed out of order, triggering rework and delays.
Available tools rarely resolve the core issues. Many focus on diagnosing compliance gaps but fall short in guiding actual remediation. A common thread across current solutions is either insufficient CMMC-specific detail or an assumption of high technical or compliance fluency, which leaves stretched teams with more work rather than less.
The distance between identifying a gap and guiding its remediation is precisely where emerging approaches such as agentic AI offer a fundamentally different path forward.
Grounding Agentic AI in Compliance
Effectiveness with CMMC begins with clearly defining the assessment scope and grounding the AI model in authoritative sources, such as NIST and DoD guidance, then layering in the organization’s infrastructure and business context. A raw model alone produces unreliable results. What makes an AI system effective is the structure around it: integrating relevant data, applying standards and automated checks, and creating clear paths for action, so that its outputs are accurate, contextual and traceable.
With this structured foundation in place, an agentic system can actively help close compliance gaps rather than simply identify them. Such a system sequences remediation steps, automates evidence collection and tagging, and scores the scope and sufficiency of documentation against defined criteria. By organizing tasks, surfacing dependencies and preserving audit-ready trails, agentic AI turns compliance from a static checklist into a managed, coherent workflow, always within defined boundaries and subject to human approval. An assessor will scrutinize AI-generated artifacts as closely as any other, so every automated action should be attributable to an actor and every conclusion should point back to the evidence it was drawn from.
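The workflow described above, reduced to its mechanics, as an added example that is not Deep Fathom's code or any vendor's product: remediation tasks are ordered by prerequisite, evidence is tagged to a control and pinned by content hash, every action is written to a hash-chained trail, and closing a control is reserved for a named human approver. The control IDs are NIST SP 800-171 Rev 2 requirement numbers, but the prerequisite map, the required evidence counts, the approver set and the sample evidence bytes are all assumptions constructed for illustration, not DoD guidance.

```python
import hashlib
import json
from dataclasses import dataclass
from graphlib import TopologicalSorter

# Illustrative prerequisite map (assumption, not DoD guidance): each control lists
# the NIST SP 800-171 requirements that should be in place before it is worked.
CONTROL_DEPS = {
    "3.5.1": set(),               # identify users, processes and devices
    "3.5.2": {"3.5.1"},           # authenticate them (needs identities first)
    "3.1.1": {"3.5.1", "3.5.2"},  # limit system access to authorized users
    "3.1.2": {"3.1.1"},           # limit access to permitted transactions
    "3.3.1": set(),               # create and retain system audit logs
}
# Minimum evidence items before a control counts as documented (assumption).
REQUIRED_EVIDENCE = {"3.5.1": 1, "3.5.2": 2, "3.1.1": 2, "3.1.2": 1, "3.3.1": 1}
HUMAN_APPROVERS = {"alice.ciso"}  # hypothetical approver; the agent is deliberately absent


def plan_remediation(deps=CONTROL_DEPS):
    """Order controls so none is worked before its prerequisites (topological sort)."""
    return list(TopologicalSorter(deps).static_order())


@dataclass
class Entry:
    seq: int
    action: str
    control_id: str
    actor: str
    detail: str
    prev_hash: str
    hash: str = ""

    def compute_hash(self):
        body = {k: v for k, v in self.__dict__.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ComplianceWorkflow:
    def __init__(self):
        self.trail = []          # hash-chained audit trail of every action
        self.evidence = {}       # control_id -> list of evidence content hashes
        self.closed = set()      # controls a human has signed off

    def _log(self, action, control_id, actor, detail):
        prev = self.trail[-1].hash if self.trail else "0" * 64
        entry = Entry(len(self.trail), action, control_id, actor, detail, prev)
        entry.hash = entry.compute_hash()
        self.trail.append(entry)
        return entry

    def record_evidence(self, control_id, description, content, actor="agent"):
        """Automated step: tag an artifact to a control and pin its bytes by SHA-256."""
        digest = hashlib.sha256(content).hexdigest()
        self.evidence.setdefault(control_id, []).append(digest)
        return self._log("evidence", control_id, actor, f"{description} sha256={digest}")

    def sufficiency(self, control_id):
        """Fraction of required evidence present for a control, capped at 1.0."""
        have = len(self.evidence.get(control_id, []))
        return min(1.0, have / REQUIRED_EVIDENCE[control_id])

    def close_control(self, control_id, approver):
        """Human-only action; also requires prerequisites closed and evidence complete."""
        if approver not in HUMAN_APPROVERS:
            self._log("denied", control_id, approver, "not an authorized human approver")
            raise PermissionError(f"{approver} may not close {control_id}")
        missing = CONTROL_DEPS[control_id] - self.closed
        if missing or self.sufficiency(control_id) < 1.0:
            reason = f"open prerequisites {sorted(missing)}" if missing else "evidence incomplete"
            self._log("blocked", control_id, approver, reason)
            raise ValueError(f"{control_id} blocked: {reason}")
        self.closed.add(control_id)
        return self._log("closed", control_id, approver, "approved")

    def verify_trail(self):
        """Recompute the hash chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for i, e in enumerate(self.trail):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.hash:
                return False
            prev = e.hash
        return True


def attempt_close(wf, control_id, approver):
    """Return an outcome label ('closed', 'denied', 'blocked') instead of raising."""
    try:
        wf.close_control(control_id, approver)
        return "closed"
    except PermissionError:
        return "denied"
    except ValueError:
        return "blocked"


if __name__ == "__main__":
    wf = ComplianceWorkflow()
    print("plan:", plan_remediation())
    wf.record_evidence("3.5.1", "user inventory export", b"constructed sample export")
    for control, who in [("3.5.1", "agent"), ("3.5.1", "alice.ciso"), ("3.1.1", "alice.ciso")]:
        print(control, who, attempt_close(wf, control, who))
    print("trail intact:", wf.verify_trail())
```

The two gates are the point: the agent can collect and tag evidence all day, but it cannot close a control, and a human cannot close one out of order or without the evidence count being met. Because denied and blocked attempts are logged too, the trail shows an assessor what the system tried to do, not just what it was allowed to do.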
Conclusion
Manual compliance methods were never designed for today’s volume, complexity and risk surface. The combination of that complexity with the limited resources available to complete CMMC certifications poses a significant risk to the defense industrial base supply chain, one that must be managed and mitigated.
Agentic AI offers an opportunity to realign compliance work around intelligent task sequencing, rigorous evidence grounding and transparent traceability, without removing the human judgment compliance depends on.
For compliance leaders, standing still is no longer an option. As obligations accelerate and resources lag, the cost of clinging to legacy methods has never been higher. Agentic AI won’t replace human expertise, but it might finally clear the logjam blocking compliance readiness today.
Steven Hess is the CEO and co-founder of Deep Fathom, where he drives efforts to deliver compliance efficiencies for businesses across compliance frameworks. Before co-founding Deep Fathom, Hess served as chief executive officer of Cloud Storage Security, which was trusted by federal and private-sector customers to protect critical data, and has held leadership roles at multiple technology and security organizations.