COMPLIANCE ARCHITECTURE · ENTERPRISE RISK

Governance First. Then the Campaign. Then the Pipeline.

Coalfire Advisory · Defense Industrial Base

The CMMC compliance displacement was framed by the field as a campaign opportunity. The actual stakes were legal. A defense contractor with a lapsed compliance posture is not the same as a contractor that was never compliant — those aren't points on a spectrum, they are categorically different legal postures with categorically different False Claims Act exposure.

Which of the two postures applies determines whether outreach is a remediation conversation or a self-disclosure conversation. Getting it wrong doesn't cost the campaign. It creates liability for the client.

Before any campaign content was created, I built a decision framework: lapse situation, or never-compliant situation? That distinction became the gate. Every subsequent campaign asset — outreach sequence, technical messaging, sales enablement, qualification questions — branched from that classification.

Six assets shipped before the first seller made contact. Governance preceded the campaign. The campaign preceded the pipeline. The sequence is not interchangeable.

$5M combined pipeline value across two compliance campaigns
6 campaign assets delivered before first seller contact — governance before execution
0 False Claims Act exposure incidents introduced by campaign messaging

Governance before execution is not unique to CMMC. The principle applies to any enterprise initiative where the legal or compliance framing precedes the marketing framing. A campaign architecture without a governance layer is a liability accelerator. A governance layer without a campaign architecture is unused infrastructure. Both must be built; the order is non-negotiable.

DOWNLOADABLE FRAMEWORK · MIT LICENSED
CMMC Enterprise Risk Framework
Governance Before Outreach — The Lapse vs. Never-Compliant Decision Tree