CMMC: Compliance? Security? Neither? Both?
10–6–2025 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, October 6, 2025, and today we’re going to use the newly finalized CMMC rule - or Cybersecurity Maturity Model Certification - here in the US to discuss some nuance around security and compliance, and talk through how these two things might both work well together and also be in somewhat of a conflict.
CMMC: Compliance? Security? Neither? Both?
Let’s start by zooming out a little bit and providing some context around this new mechanism being applied to the entire Defense Industrial Base (or DIB) here in the United States. With the rule known colloquially as CMMC 2.0 finalized last month, the controls outlined in the document known as NIST SP 800-171 (Revision 2, the version the CMMC rule currently points to) must now be met by all future defense contractors who handle CUI, or Controlled Unclassified Information.
That’s new, as is the requirement tying certification to contract awards.
What’s not new is the 800-171 controls themselves, or the fact that the defense sector has had to adhere to them for years under DFARS - now there’s just a financial incentive to actually do so.
These controls, which have been widely and freely available for nearly a decade (since December of 2016), lay out a common-sense and comprehensive approach to cybersecurity, and through this comprehensiveness end up with 110 requirements that provide a very solid foundation for a security program.
They’re also somewhat cumbersome to implement, especially at scale, with legacy technology stacks, or if you’re starting from zero - and that’s where the rub between compliance and security can really be seen.
It’s far easier to achieve compliance with a robust security program than it is to achieve security goals with a compliance-oriented approach. CMMC is only the latest regulation or certification to drive this point home, but there have been others for many years, whether it’s ISO 27001, or SOC 2, or HITRUST, or HIPAA, or any number of other frameworks.
In short, if you’re just looking to check a box - i.e., be compliant - you’re likely to look for ways to make that simpler and more cost-effective to achieve. Perhaps that comes in the form of a scope adjustment (as is common in the certification world of ISO and SOC, where you narrow the assessed systems rather than secure the broader environment), or perhaps it’s just doing the bare minimum to meet a requirement.
Regardless, this check-the-box approach will only do just that, check the box. Managing risk, and building a risk-based approach to a security program, requires nuance and tradeoffs and investments and a deep understanding of not only your IT environment but also your business, customers, and strategic goals.
By focusing on the larger risk management effort first, translating it into demonstrable, compliant mechanics across the enterprise becomes a much simpler task - with the added benefit of actual risk reduction that’s present regardless of compliance status.
So, does that mean there’s no value in compliance exercises? Of course not - but these should be seen for what they are: sales enablers or table stakes. Effectively everybody in the Defense Industrial Base that handles CUI is going to have to be CMMC compliant, so that’s no longer a differentiator. Necessary but not sufficient, you could say.
So, to set yourself apart, take a risk-based approach. It will make compliance more straightforward, it will help you actually manage the risks, and it will give you room to differentiate yourself from others who are merely out to check the box.
Fundraising
From a fundraising perspective, we’re looking at more than $36B in newly committed capital this week, led by CVC Capital Partners, who raised €10.4b for their fourth direct lending fund.
We also saw:
Brookfield raise over $4b for the first close of its fourth infrastructure debt fund;
PAI Partners raise a €3.6b single-asset continuation fund for its 50% stake in Froneri, an ice cream maker whose brands include Häagen-Dazs; and
Percheron Capital raised a $1.6b single-asset continuation fund for Big Brand Tire & Service.
Despite the big numbers and focused raises, we also saw an article in the Wall Street Journal this morning asserting that private equity fundraising has slumped for the second year in a row through September.
More and more the theme is that both things can be true - and being able to navigate that dichotomy will be a tremendous skillset to have.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://natlawreview.com/article/cmmc-no-longer-optional-final-rule-launches-november-10
https://www.wsj.com/articles/private-equity-fundraising-slump-deepened-through-september-912b840b