Tactical Air Support scores perfect 110 in CMMC review
Tue, 14th Jul 2026 (Today)
Tactical Air Support has achieved a perfect 110 score in a formal Level 2 Cybersecurity Maturity Model Certification assessment, after an internal review found the defence contractor was less prepared than expected.
The company, which provides adversary air support, tactical aviation expertise, aircraft modernisation and logistics support to US military customers, said the assessment exposed weaknesses not only in technical controls, but also in governance, documentation and operational evidence.
Ed Harshany, Chief Technology Officer and Chief Information Officer at Tactical Air Support, said the company initially believed it was close to meeting the standard before a more detailed internal audit showed otherwise.
"It was a little eye-opening because we were not as far along as we thought we were," Harshany said.
"We had sort of anticipated, 'Hey, we're really close to being fully ready for CMMC,' and then we did an internal audit that showed us we weren't quite yet ready to get there," he said.
The experience reflects a wider issue across the defence industrial base as contractors face CMMC requirements tied to handling sensitive government information. Many companies may already have cybersecurity tools and experienced IT teams, but the assessment also examines whether controls are documented, repeatable, auditable and consistently enforced.
Operational shift
For Tactical Air Support, that meant changing how compliance work was organised. Rather than treating CMMC as a narrow IT exercise, it rebuilt its framework around daily working sessions focused on controls, policies, procedures and evidence.
Harshany said the challenge was linking each control objective to a policy, then connecting that policy to procedures, artefacts and operational workflows that could be shown during an assessment.
"Technology alone doesn't equal compliance," he said.
"It was very difficult for us to get through. Here's an objective that belongs to a control family. Link the objective to a policy. The policy links to procedures. The procedures produce artifacts. All of that is then in an operational workflow," he said.
At one stage, the company decided its original approach to documentation would not hold up under formal review and rebuilt the structure.
"We basically took everything we had and said, Scrap these. Let's start over. Let's build it a different way," he said.
The revised model was more modular and easier to govern and maintain across the business. The work also expanded beyond the cybersecurity team to include staff from compliance, contracts, facilities, operations and people operations.
That cross-functional approach reflected how CMMC requirements affect different parts of a contractor's activities, from how information is received and handled to how access, records and physical safeguards are managed.
"It became a true enterprise-wide initiative," he said.
"If we had waited until we felt comfortable and then tried to integrate everyone else, we just wouldn't have gotten across the finish line at the time we did," he said.
External review
After its internal remediation work, Tactical Air Support engaged SSE, a registered provider organization based in St Louis, to run a mock assessment and test whether it was ready for a formal Certified Third-Party Assessor Organisation review.
Harshany said the external adviser's role was to challenge internal assumptions and prepare the company for the discipline of the formal assessment process.
"For us, selecting the right RPO mattered tremendously," he said.
"We were looking for a partner with deep expertise who could challenge our assumptions, validate our readiness, and help us think operationally, not someone who's just going to give you templates or try to sell you tools," he said.
He added that the mock assessment was especially valuable because, while the company was close on scoring, it still might have struggled in a live review.
"Even though we were pretty close on the score, I think we would have struggled going immediately to a C3PAO," he said.
"Having an RPO was a great rehearsal for us," he said.
Contract pressure
The formal assessment itself was manageable because the mock process closely resembled the final review. That preparation may become more important as contractors face longer waits for assessors and CMMC clauses appear more often in procurement.
Harshany said lead times that were once around two months are now stretching to between three and six months in some cases. For a company that acts as both a prime contractor and subcontractor, the requirements can come directly from government buyers or through larger contractors passing compliance obligations down the supply chain.
The company said it is already seeing those obligations appear in active contract awards.
"The process itself was relatively predictable because of how we prepared," he said.
"When we got to the C3PAO assessment, it was very much like the mock assessment that SSE did for us, so we felt like we knew what was coming," he said.
He said the contracting environment is changing quickly as Level 2 requirements begin to appear earlier in awards and subcontracting relationships.
"We just got a contract that required CMMC Level 2," he said.
"And we're seeing that flow down to subcontractors as well. So, if you think you have plenty of time, you don't," he said.