Essex Junction, VT  |  Montebello, NY 802-335-2662 dkoran@davidkoran.com
David Koran & Associates

The CMMC Decision

Second Edition
David W. Koran
CyberAB Registered Practitioner Advanced

Written for CEOs and senior executives of small and mid-sized defense contractors, The CMMC Decision provides the strategic framework to ask the right questions, evaluate the answers, allocate resources appropriately, and lead an organization through the compliance process. The second edition reflects Phase 1 enforcement realities and the assessment landscape taking shape for Phase 2.

Free download: The CMMC Decision (2026), David W. Koran, Registered Practitioner Advanced

What This Book Addresses

The requirements behind CMMC are not particularly complicated. The direction is clear, contractual implementation is advancing through phased adoption, and the costs are manageable for organizations that plan appropriately. The challenge is not the framework itself but the way the information reaches executives: buried in technical jargon, scattered across government websites, or filtered through vendors whose primary interest is selling a product rather than explaining a regulatory obligation.

The CMMC Decision is written for CEOs and senior executives of small and mid-sized defense contractors. These organizations form the backbone of the defense industrial base, yet they do not have the compliance departments or dedicated security teams that large prime contractors maintain. Their leadership needs to understand CMMC well enough to make informed decisions without becoming cybersecurity experts themselves.

The book provides the strategic framework to ask the right questions, evaluate the answers, allocate resources appropriately, and lead an organization through the compliance process. It addresses what an executive is actually signing when certifying an organization's security posture, and what that signature means in both legal and professional terms.

Chapters

1. The Teeth of Compliance
The False Claims Act, personal executive liability, whistleblower provisions, and the enforcement framework that makes cybersecurity misrepresentation a federal matter.

2. The Data Divide
Federal Contract Information, Controlled Unclassified Information, the three CMMC levels, and the data categories that determine compliance scope and cost.

3. The Cost of Compliance
Budgeting across Discovery, Remediation, and Assessment Certification, including hidden costs, benchmarking ranges, and the three-year financial perspective.

4. The Twelve Month Roadmap
A phase-by-phase timeline from Discovery through Assessment Certification, including the evidence window, project management, and why the timeline resists compression.

5. The Expertise Gap
Why internal IT is not enough, the tool versus program confusion, the Registered Practitioner and RPA credentials, and the training mandate.

6. Blind Spots
Physical security risks that live outside IT, from cleaning crews and third-party access to printers, whiteboards, and after-hours building access.

7. The Dress Rehearsal
The mock audit process, the say-do gap, interview preparation, the mock audit report, and the go or no-go decision.

8. Assessment Day
Executive presence during formal Assessment Certification, the staff speak principle, the practitioner's limited role, and the post-assessment review process.

9. Your SPRS Score
How scores go wrong, the False Claims Act standard applied to SPRS inaccuracy, and why legal counsel must come first.

10. Taking CMMC Forward
Maintaining certification through the three-year cycle, the RPA support plan, regulatory change management, and the strategic position of sustained compliance.

Written For

Who This Book Serves

The second edition is written for the people who make or influence the compliance decisions inside defense contracting organizations, and for the attorneys who advise them on the contractual and legal dimensions of those decisions.

Defense Contractor Leadership

Executives, program managers, and operations leaders responsible for contract eligibility and the organizational commitment CMMC certification requires.

Legal Counsel

Government contracts attorneys advising clients on DFARS compliance obligations, supply chain risk, and the liability that flows from certification representations.

IT and Security Leaders

CISOs, IT directors, and security managers who will own the technical implementation and need to understand how each decision connects to the assessment outcome.

About the Author

David W. Koran

David Koran is a CyberAB Registered Practitioner Advanced and the founder of a CMMC advisory practice serving defense aerospace manufacturers and the legal counsel who support them. With more than three decades in information technology and a cybersecurity specialization dating to 2002, he brings a practitioner perspective that spans the technical, operational, and contractual dimensions of CMMC compliance.

As an Associate Member of the American Bar Association Section of Public Contract Law, he works at the intersection of technical implementation and legal accountability. His published research includes an extensive library of practitioner white papers addressing topics from C3PAO assessment capacity and CUI scope reduction to artifact integrity and supply chain compliance.

CyberAB Registered Practitioner Advanced
ABA Section of Public Contract Law
30+ Years IT Experience
Cybersecurity Since 2002

Questions about the book, or interested in how the topics it addresses apply to your organization's CMMC position? Start with a conversation.
