Margarita Howard on Running a Defense Contractor Through a Year of Procurement Reversals – ExecEdge

HX5 founder Margarita Howard explains why compliance is a defining challenge of the contracting environment.

By Exec Edge Editorial Staff

By the end of 2025, only about 270 of the roughly 80,000 defense contractors expected to require Level 2 cybersecurity certification in 2026 had obtained it. Margarita Howard, founder and chief executive of contractor HX5, runs one of the 270.

“The [DoD] is demanding that contractors meet very stringent criteria and benchmarks under the cybersecurity standards,” she said. “We’ve already had to do a lot of that.”

Legal analysts at White & Case characterized what government contractors absorbed in 2025 as “upheaval.” Four distinct regulatory tracks advanced in parallel, each with its own documentation requirements, its own enforcement logic, and its own timeline. No single change was necessarily unmanageable on its own. The problem was the simultaneity.

Whether a contractor can absorb that kind of environment comes down, in most cases, not to the size of its legal department or the timing of its compliance investments, but to whether its operational infrastructure was built to manage distributed accountability as a continuous practice.

Research published at the 2024 IEEE International Conference on Cyber Resilience, reviewing outcomes across organizations that had adopted compliance as a standing operational discipline versus those that treated it as a periodic audit function, found that the proactive, integrated approach consistently produced stronger resilience outcomes in contract management, incident response, and operations security that reactive programs couldn’t replicate.

But building and sustaining that infrastructure carries a real cost: technology investment, organizational overhead, and the ongoing operational discipline required to make it function across dozens of contract vehicles and government sites simultaneously. The companies that paid that cost before they were required to are now competing from a materially different starting position.

Four Regulatory Tracks

The regulatory pressure of 2025 moved independently across four tracks, creating compounding compliance demands for contractors managing programs across multiple agencies, contract vehicles, and facility types.

1. CMMC

The Cybersecurity Maturity Model Certification program entered Phase 1 on November 10, 2025. The change converted cybersecurity compliance into a hard contractual condition of award. New defense solicitations began carrying mandatory certification requirements. Contractors without current status in the Supplier Performance Risk System couldn’t compete for covered business. Those with unresolved gaps received a 180-day remediation window under a conditional certification, after which their provisional standing expired.

Phase 1, however, isn’t what most of the industry is primarily focused on. Phase 2 is. On November 10, 2026, Level 2 certification will become mandatory for contracts handling Controlled Unclassified Information, which covers the majority of defense prime contracts and flows down through the supply chain. The DoD estimates roughly 65% of the Defense Industrial Base will be affected, representing approximately 118,000 companies requiring Level 2 certification. There are currently 83 certified third-party assessment organizations authorized to conduct those assessments.

According to some estimates, a C3PAO would need to complete roughly 118 assessments per month to process the queue before the Phase 2 deadline. C3PAOs in high-demand defense corridors are already booking into late 2026 and 2027. CMMC Compliance projects that processing 80,000 Level 2 certifications requires between 2,000 and 3,000 Certified CMMC Assessors, but current supply is under 800. Full Defense Industrial Base compliance isn’t projected until November 2029, three years after the statutory deadline.

For a company operating at HX5’s scale, the CMMC framework introduces a specific coordination challenge that smaller or more centralized contractors don’t necessarily encounter in the same form. Under the framework, prime contractors bear responsibility for ensuring their subcontractors meet applicable CMMC requirements: compliance accountability extends through every subcontractor relationship, every contract vehicle, and every data-handling arrangement across the entire operational footprint. For HX5, managing that flow-down obligation requires the same kind of systematic contract oversight and real-time monitoring that the firm’s distributed operating model was already demanding for ordinary program management. Companies whose compliance programs were built for more centralized environments face a structurally different problem when flow-down accountability becomes a condition of award.

2. FAR Reform

The FAR Council pursued removal of more than 500 acquisition provisions in 2025, with another 500-plus under review, in a reform effort oriented toward more commercial-style contracting.

The move was meant to encourage greater contracting officer discretion, expanded reliance on Other Transaction Authority agreements exempt from standard FAR requirements, and performance-based contract structures.

The American Small Business Chamber warned that proposed changes to FAR Part 13 could eliminate set-aside protections covering $24.6 billion in annual simplified acquisitions, the channel through which small businesses captured $15.2 billion across more than one million contract actions.

Others have worried that expanded contracting officer discretion reduces standardized risk allocation. Companies with legal infrastructure to negotiate individualized contract terms come out ahead; those without it absorb greater exposure.

The expanded use of Other Transaction Authority agreements adds a further layer. OTA terms are negotiated individually, which means intellectual property protections, data rights, and post-termination obligations vary by agreement.

3. The Hegseth Directives

Defense Secretary Hegseth’s April 2025 memo restricting new IT consulting and management services contracts required DoD components to demonstrate that no existing government employees could perform contracted IT work before executing new awards. A November 2025 announcement positioned the April directive as one component of a broader DoD acquisition transformation rather than a contained policy correction.

The government pursued a comparable insourcing initiative under the Obama administration: costs ran higher than projected, technical vacancies went unfilled against private-sector competition, and the Army scaled the program back.

The April memo’s scope is worth reading carefully. It targeted IT consulting and management services: advisory firms, systems integrators, program management support. Embedded technical support, research and engineering, and mission operations work occupies different contractual and operational territory. Specialized technical work tied to mission-specific programs, performed by teams with years of site-specific familiarity and active clearances, has historically resisted insourcing at comparable performance and cost.

“To best support our customers and their respective missions, it’s imperative we fully understand and comprehend the specifics of their needs and priorities,” Howard said. “Experience in their respective fields, while supporting these agencies’ respective programs and missions, is very different from experience gained from working in the commercial world.”

4. The FY 2026 NDAA

Signed December 18, 2025, the National Defense Authorization Act addressed the acquisition framework on a fourth, legislative track.

The threshold for mandatory certified cost or pricing data submissions rose from $2.5 million to $10 million, effective for contracts entered after June 30, 2026. The threshold for full Cost Accounting Standards coverage increased from $50 million to $100 million. Nontraditional defense contractors received broad relief from cost accounting and pricing requirements.

The NDAA shifted acquisition toward a portfolio-based model and redefined “best value” to incorporate cost, quality, technical capability, and delivery schedule. Contracting officers now have more latitude to weight non-price factors in source selection. For contractors with documented performance histories at government facilities across multiple contract cycles, that redefinition could be a substantive advantage. For new entrants, it places a premium on demonstrated technical capability that can’t be assembled quickly.

“There are heightened cybersecurity requirements, and contractors will not have a choice but to implement them if they want to remain a government contractor,” Howard said.

HX5’s Compliance Architecture

Margarita Howard built HX5 around the conviction that government clients need technical teams embedded at the places where the work happens. That conviction produced HX5’s operational model: specialists in research and development, engineering, information technology, and mission support, deployed to government facilities and structured around the client’s requirements rather than HX5’s administrative convenience.

Managing across dozens of subcontractor relationships and contract vehicles at dozens of government locations means accountability, reporting, and oversight can’t be functions of a central compliance team. They have to be embedded in how the organization runs across its operations.

“From working in the industry, we knew the importance of impeccable record keeping. All our records, everything we say we do, must always be supported with appropriate documentation and recorded accurately, because as a government contractor, all of our records are open to the government’s inspection and audits at any time,” Howard said.

That orientation predates CMMC because the operational reality of government contracting demanded it. The compliance infrastructure that model required, including contract management processes, subcontractor monitoring systems, and communication cadences that function across a geographically dispersed workforce, is what transfers directly to the demands of a multi-track regulatory environment. It’s also what takes years to build.

But the cost of that infrastructure is real. HX5 has invested in the technology systems, personnel, and organizational processes required to manage compliance across its operational footprint. Some of those costs are recoverable through contract vehicles; others represent the ongoing overhead of operating as a government contractor at scale.

“We try to stay ahead of changing technologies like artificial intelligence and cybersecurity,” Howard said. “It’s expensive to ensure it’s done right, but it’s worth it.”

The 270 contractors who entered 2026 already holding their CMMC certification share one characteristic: treating compliance infrastructure as an operational necessity, something that works every day rather than something assembled in response to an audit notice.

Clearance Advantages and the Veteran Workforce

More than 30% of HX5’s approximately 1,000 employees are veterans. Since 2021, HX5 has participated in the SkillBridge and Hiring Our Heroes Corporate Fellowship programs and has brought transitioning service members directly into contractor roles as they separate from active duty. The company received the Department of Labor’s 2025 HIRE Vets Gold Medallion Award (the program’s highest recognition), tied to veteran hiring rates, retention, and the depth of support programs in place.

“We prefer to hire experienced individuals, people who have worked with, or supported, the Department of Defense. This experience is always very helpful,” Howard said.

In the context of the current compliance environment, that preference has operational dimensions that extend beyond workforce culture. The defense contracting industry has long characterized the search for personnel who carry both technical depth and active security clearances as among its most persistent institutional constraints. A veteran’s existing clearance can transfer to a new contractor in a fraction of the time it takes to process a new investigation for a civilian candidate, a gap ClearanceJobs has documented in the context of the DoD’s persistent cleared-talent shortage.

A 2023 Journal of Information Systems Education analysis of 935 cybersecurity job postings by researcher Christopher Ramezan found that just 19% required any security clearance. Among sub-fields, governance, risk, and compliance roles carried the highest concentration of clearance requirements, a finding that runs counter to the intuition that cleared positions cluster in the most operationally intense areas. But wherever those requirements concentrate, the pool of candidates who are both technically credentialed and already cleared remains a small fraction of an already undersupplied market.

The Phase 2 deadline makes that timing differential a direct operational issue. Thousands of companies will need to demonstrate CMMC Level 2 compliance (which for most means deploying CMMC-ready technical personnel) on roughly the same schedule, in a market where the relevant talent is scarce. Companies whose veteran hiring and SkillBridge participation have been building that workforce over years aren’t scrambling to solve a clearance timeline problem their peers are encountering for the first time.

Veterans entering the defense industrial base from military service also arrive with familiarity that can shorten the compliance orientation period on more complex, embedded contracts. Understanding security protocols, classification requirements, and the operational culture of government facilities is not something that can always be accelerated by training.

The Readiness Gap

CyberSheath’s 2025 State of the DIB Report tracked contractor self-reported readiness for CMMC audits: 8% in 2023, 4% in 2024, and 1% by September 2025, just six weeks before Phase 1 went live. As the deadline approached, preparation actually seemed to be declining.

The same survey found that 69% of contractors claimed DFARS compliance through self-assessment, while only 30% had completed medium- or high-level assessments that would validate their actual security posture.

A 2021 systematic review of the academic literature on cybersecurity skills gaps, led by researchers at Laurea University of Applied Sciences, argued that the core problem is rooted in human vulnerability and training deficits that persist even when organizations maintain formal compliance programs. The review concluded that compliance must be continuously reinforced as an organizational practice rather than periodically refreshed. It’s a finding that tracks with what the industry data keeps confirming: self-reported scores and independently assessed scores diverge most sharply in organizations that treat compliance as an event rather than a discipline.

The readiness data points to decisions made over years, not size or ownership structure, as the primary factor separating the 270 certified contractors from the thousands that remain unprepared.

The NDAA’s threshold increases will reduce compliance overhead for mid-range contracts and expand the pool of companies competing for DoD work by reducing barriers for nontraditional entrants. Some of those entrants will bring genuine technical capability. But they’ll enter a contracting environment in which Phase 2 assessment slots are already oversubscribed, the standardized contract protections that new entrants typically rely on have been reduced by the FAR overhaul, and the compliance infrastructure that established prime contractors built over years isn’t something available to acquire in a single procurement cycle.

The July 2025 executive order directing that large language model procurement adhere to defined neutrality and risk standards, with contract termination provisions for non-compliance, added a new compliance layer for contractors working on AI-enabled defense systems. Each of these developments requires active institutional management from contractors that intend to remain competitive in the DoD market through the transition.

Resilience, in this environment, has a price. It’s paid in the ongoing investment in systems that work every day, in the workforce development practices that build cleared technical capacity over time, in the legal and compliance overhead that feels expensive before the enforcement environment makes it necessary. The contractors who paid it early are positioned differently than those now discovering the cost for the first time, in a Phase 2 assessment queue that’s already running out of room.
