Cybersecurity Compliance Is Not Security: A Warning From the Pentagon CIO

On June 2, 2026, at the TechNet Cyber conference in Baltimore, the Pentagon’s top IT official delivered a blunt message to the defense contracting community: meeting a standard is not the same as being secure. Department of War Chief Information Officer Kirsten Davies, a longtime private sector CISO now leading IT for the department formerly known as the Department of Defense, called for a more aggressive focus on foundational cybersecurity, and made clear that the expectation extends beyond government networks into the defense industrial base. For the contractors and suppliers that serve the Pentagon, her remarks are a signal that strong cybersecurity compliance is the floor, not the goal. This article breaks down what Davies said, why compliance alone falls short, where CMMC fits, and what defense contractors should do now to build security that holds up in operations and not just on paper.

What the Pentagon CIO Actually Said

Davies used the conference stage to argue for a sharper, more operational view of cybersecurity across the department and its suppliers. Her central point was direct and, coming from a former enterprise CISO, carried the weight of someone who has lived the difference between passing an audit and stopping an attacker.

“Compliance Does Not Equal Security”

According to Davies, compliance “does not equal security,” a view she said held true during her years in industry and still holds from her current position. Her career outside government, including senior security roles across global enterprises, shapes that perspective. The message to contractors was that certificates and checklists describe a baseline, while real security is measured by operational resilience: a cybersecurity posture that is dynamic and fit for purpose rather than static and document-driven.

A Posture That Extends Into the Defense Industrial Base

Davies was explicit that the department’s security posture reaches beyond its own networks into those of its contractors and suppliers. She warned that a compromise at even a small supplier can jeopardize a warfighter making a real-time decision at the edge, and framed that risk as unacceptable for everyone in the room. The takeaway for the defense industrial base is that supplier security is now treated as warfighter security, and that the weakest link in the supply chain can undermine the capabilities the department depends on.

She also described a broader paradigm shift underway at the Pentagon, reshaping its cybersecurity into a single, risk-led function built for action, with further changes coming to the CIO’s office in the months ahead.

Why Compliance Alone Falls Short

Davies’s message will resonate with anyone who has watched an organization pass a readiness review and still suffer an incident. Compliance and security overlap, but they are not the same discipline, and treating one as a proxy for the other leaves predictable gaps.

Compliance Is a Point in Time, Security Is Continuous

Most compliance assessments capture a snapshot. They confirm that controls existed and operated at a moment in time, often the moment an assessor was watching. Security, by contrast, is continuous. Cloud configurations drift, new software ships weekly, vendors change, and attackers adapt. A certificate earned in one quarter says little about the control that quietly broke in the next. This is why audit readiness works best as an ongoing operational discipline rather than a periodic event.

The Small Supplier Problem

The risk Davies named is concentrated where resources are thinnest. Many small and mid-sized suppliers in the defense industrial base treat security requirements as paperwork to clear rather than a posture to maintain, in part because they lack dedicated security staff. Yet these are precisely the organizations an adversary will target to reach a larger prime or a sensitive program. Foundational cybersecurity, in Davies’s framing, has to extend to every tier of the supply chain, including the suppliers least equipped to fund it. Capabilities such as a virtual CISO and managed vulnerability management exist precisely to close that resource gap.

Where CMMC Fits

It would be a mistake to read “compliance does not equal security” as a signal that compliance no longer matters. For defense contractors, the opposite is true. The Cybersecurity Maturity Model Certification (CMMC) remains the mechanism the department uses to verify a baseline, and Davies indicated she would have more to say about CMMC at a later time.

CMMC Sets the Floor, Not the Ceiling

Introduced in 2019, CMMC requires companies that do business with the Pentagon to demonstrate a defined level of cybersecurity, and the program has evolved through several iterations since. CMMC is necessary, and for contractors handling controlled unclassified information it is non-negotiable. What Davies’s remarks make clear is that the certification establishes a minimum, and that the department increasingly expects suppliers to operate well above that minimum. Earning the certificate is the entry ticket, not the finish line.

From Certificate to Operational Resilience

The practical implication is that contractors should design their programs to satisfy CMMC as a byproduct of running genuinely secure operations, rather than building a thin layer of controls that exists only to pass an assessment. Programs anchored to the NIST Cybersecurity Framework and maintained continuously tend to clear CMMC more smoothly and, more importantly, withstand the threats the framework is meant to address.

What Defense Contractors Should Do Now

Davies’s remarks are a posture signal, not a new rule, but the direction is unmistakable. Contractors that move early will be better positioned for whatever guidance and expectations follow, and better defended in the meantime.

Treat Audit Readiness as Continuous Discipline

Shift from last-minute preparation to year-round readiness. Integrate control verification into daily operations so that evidence is always current and gaps surface early, well before an assessor or an attacker finds them. A structured remediation timeline turns that intention into a schedule the whole organization can follow.

Assign Ownership and Validate Controls

Security fails quietly when everyone is responsible and no one is accountable. Assign a single accountable owner for each control, extend ownership beyond the security team to IT, engineering, and operations, and validate that controls work through independent testing such as penetration testing. Validation, not documentation, is what separates a control that protects from a control that merely exists.

Close the Gap Between Paper and Reality

The contractors that benefit from this shift will be the ones whose evidence reflects controls that genuinely operate, not policies that sit unread in a folder. Closing that gap is the work of turning compliance into security. Book a Readiness Call with Elevate’s compliance and cybersecurity experts to assess where your program stands and build a posture that satisfies CMMC while holding up in operations.

Conclusion

The Pentagon CIO’s message to the defense industrial base is a useful reframing for any organization that has confused a passing assessment with a secure posture. Compliance verifies a baseline; security is the ongoing discipline of keeping controls effective as conditions change. For defense contractors, that means treating CMMC as the floor, extending foundational cybersecurity across every tier of the supply chain, and investing in continuous readiness, clear ownership, and real validation. Book a Readiness Call with Elevate to turn cybersecurity compliance into security that protects the mission.

Key Takeaways

The Pentagon CIO’s call for foundational cybersecurity reframes compliance as a starting point rather than a destination, with direct implications for every contractor in the defense industrial base.

  • Compliance is the floor, not the goal – The Pentagon CIO told contractors that meeting a standard is not the same as being secure, and signaled the department wants operational resilience, not just certificates.
  • Small suppliers are the weak link – A compromise at a small supplier can reach the warfighter at the edge, so foundational cybersecurity has to extend across every tier of the supply chain.
  • CMMC sets a baseline, not a ceiling – Certification confirms a minimum level of cybersecurity, but the remarks point to expectations that go well beyond the certificate, with more on CMMC promised later.
  • Continuous readiness beats point-in-time prep – Security that holds up in operations comes from year-round discipline, control ownership, and validation, not a once-a-year scramble before an assessment.
  • Close the gap between documentation and reality – The contractors that benefit will be those whose evidence reflects controls that actually work, validated through testing rather than assumed on paper.

The difference between clearing an audit and being secure comes down to whether an organization treats cybersecurity compliance as the end of the work or the beginning of it.

FAQs

Q1. What did the Pentagon CIO say about cybersecurity compliance? Speaking at TechNet Cyber on June 2, 2026, Department of War Chief Information Officer Kirsten Davies argued that compliance does not equal security and called for a stronger focus on foundational cybersecurity across both the department and its contractors. Her point was that certifications describe a baseline, while real security is measured by continuous operational resilience.

Q2. What is “foundational cybersecurity”? As Davies used the term, foundational cybersecurity is a more forceful, operational security posture that goes beyond meeting requirements on paper. It emphasizes resilience that is dynamic and fit for purpose, applied not only to the department’s own networks but to the defense industrial base that supplies it.

Q3. Does this mean CMMC is going away? No. The Cybersecurity Maturity Model Certification remains the mechanism the Pentagon uses to verify a baseline level of cybersecurity for its contractors, and Davies indicated she would address CMMC further at a later time. The message is that CMMC sets a minimum to build on, not a ceiling to stop at.

Q4. Why does a small supplier’s security matter to the Pentagon? Because the supply chain is only as strong as its weakest link. Davies warned that a compromise at a small supplier can affect a warfighter making a real-time decision at the edge. Adversaries often target smaller, less defended vendors to reach larger primes or sensitive programs, which is why foundational cybersecurity has to reach every tier of the defense industrial base.

Q5. How can defense contractors move beyond compliance to real security? The practical steps are to treat audit readiness as a continuous discipline rather than a last-minute event, assign a single accountable owner for each control across IT, engineering, and operations, and validate that controls actually work through independent testing. Programs built this way tend to satisfy CMMC as a byproduct of being genuinely secure.