MIT LICENSED · COMPLIANCE FRAMEWORK

CMMC Enterprise Risk Framework

Governance before outreach. The lapse vs. never-compliant decision framework. FCA exposure analysis structure. Sequencing gates for compliance displacement events.

Part of the charleskjohnson.com governance framework

A defense contractor facing CMMC compliance displacement is in one of two postures. The two postures are not points on a spectrum — they are categorically different legal situations with different remediation paths and different exposure profiles under the False Claims Act.

Getting the classification wrong does not cost the campaign. It creates liability for the client. The classification is therefore the gate — the first work product, before any outreach asset is built.

THE TWO POSTURES

Posture A: Lapse situation

The contractor previously held a compliant posture but has fallen out of compliance — control degradation, missed assessment, environment drift, change in scope. The remediation conversation is about restoring a previously-held state.

Posture B: Never-compliant situation

The contractor has been operating under contractual obligations that included compliance attestations, while never actually having met those attestations. The conversation is not about remediation. It is about exposure — the gap between what was attested and what was true.

The False Claims Act creates exposure when a federal contractor knowingly submits a claim that is materially false — including a claim conditioned on compliance with a federal requirement that the contractor did not, in fact, meet.

The exposure surface differs by posture:

The distinction matters for the conversation the seller has with the prospect. In Posture A, the seller can lead with remediation services. In Posture B, the seller leads with risk evaluation — remediation services come after qualified counsel has framed the situation.

CLASSIFICATION GATE

Question 01: Has the contractor previously achieved a documented compliant posture?

If YES → potential Posture A. Continue.
If NO → potential Posture B. Continue to risk-evaluation track.

Question 02: Did the contractor submit claims to the federal government during the gap period?

If YES → FCA exposure surface exists. Engage counsel before outreach asset references compliance services.
If NO → remediation-only track.

Question 03: Were the federal claims conditioned on compliance attestations?

If YES → the falsity question is material. Self-disclosure analysis.
If NO → exposure is reduced but not eliminated; still engage counsel.

Question 04: Has counsel issued guidance on self-disclosure posture?

If YES → outreach assets align to that guidance.
If NO → outreach is suspended pending guidance. Building campaign assets before counsel issues guidance is the highest-risk path.

Campaign assets are gated by classification work. Each gate must be cleared before the next phase begins.

Gate 1: Classification framework

The lapse vs. never-compliant decision tree is documented and reviewed by counsel. The framework defines how prospect conversations classify the situation before any service conversation occurs.

Gate 2: Counsel guidance per posture

Counsel provides written guidance on what the seller can and cannot say in each posture. The guidance defines safe topics, topics requiring escalation, and topics that trigger an immediate handoff to legal review.

Gate 3: Campaign architecture

Outreach sequencing, messaging, technical content, and qualification questions are built to match the classification framework. Each asset is reviewable against the framework: which posture does this message work for? What does it do if the prospect is in the other posture?

Gate 4: Seller enablement

Sellers are trained on the classification framework before first contact. The qualification questions surface the classification early; the conversation flow is different by posture; the seller knows when to escalate.

Gate 5: First contact

Only now does outbound communication begin. The pipeline that results carries the audit trail of every prior gate.

The pipeline is the output. The classification framework, counsel guidance, campaign architecture, and seller enablement are the inputs. Inverting the order is the failure mode.

The pattern is portable. Any compliance displacement event — ITAR, HIPAA, PCI, FedRAMP, ISO — presents the same classification question: lapse situation or never-compliant situation? The legal exposure surface differs by regime, but the architectural answer is the same: classification before outreach, counsel guidance per posture, campaign architecture aligned to classification, seller enablement before first contact, only then pipeline.

Governance before execution is not unique to CMMC. CMMC is just one of the clearest cases where inverting the order produces measurable liability.