Veteran-Owned Firm Joins Elite Group to Tackle CMMC Certification Backlog

DALLAS–FORT WORTH METROPLEX, Texas – February 27, 2026 – As the Department of War’s ambitious cybersecurity mandate enters a critical enforcement phase, a veteran-owned firm from Texas has been authorized to join the small but vital cadre of organizations tasked with verifying the digital defenses of the nation's military suppliers. Perezdiaz Federal, the assessment division of Perezdiaz, LLC, announced it has achieved CMMC Third-Party Assessment Organization (C3PAO) authorization, positioning it on the front lines of a looming certification bottleneck that threatens to disrupt the U.S. defense supply chain.

The authorization, granted by The Cyber AB on February 24, 2026, empowers the firm to conduct official Cybersecurity Maturity Model Certification (CMMC) Level 2 assessments. This certification is rapidly becoming a non-negotiable prerequisite for any company handling Controlled Unclassified Information (CUI) on behalf of the Department of War. Perezdiaz Federal’s entry comes at a pivotal moment, as it joins a group of fewer than 100 authorized C3PAOs responsible for assessing an ecosystem of more than 80,000 defense contractors.

The CMMC Certification Bottleneck

For years, the CMMC framework was a distant requirement on the horizon. Now, it is an immediate reality. With the final rules published and a phased rollout underway since late 2025, the demand for certification is surging. According to the Department of War's implementation plan, CMMC compliance will be a requirement for all new DoD contract awards by October 31, 2026, putting immense pressure on both contractors to prepare and the limited pool of assessors to perform the evaluations.

Industry analysts have been sounding the alarm about a potential “certification crisis.” With tens of thousands of contractors requiring a Level 2 assessment—a process that can take a company 12 to 18 months to prepare for—the current capacity of C3PAOs is stretched thin. Projections indicate that wait times for an assessment could exceed 18 months by the third quarter of 2026, creating a significant risk for businesses that fail to plan ahead. A delay in certification could mean being locked out of new contracts, effectively halting a company’s participation in the Defense Industrial Base (DIB).

This high-stakes environment underscores the significance of each new C3PAO authorization. These organizations are not just auditors; they are the gatekeepers to the multi-billion dollar defense market, tasked with providing the objective assurance that contractors can be trusted with sensitive national security information.

From Self-Attestation to Verified Trust

The CMMC program represents a fundamental shift in the Pentagon’s approach to cybersecurity. For years, contractors were permitted to self-attest that they met the security standards outlined in NIST SP 800-171. However, persistent data breaches across the DIB demonstrated that self-attestation was insufficient. CMMC replaces that system with one based on verified trust, where an independent third party must confirm that a contractor’s safeguards are not just documented, but fully implemented and effective.

CMMC Level 2, which aligns with the 110 security controls of NIST SP 800-171, is the new standard for companies that process, store, or transmit CUI. For these organizations, the path to compliance now leads through a rigorous assessment by a C3PAO. Perezdiaz Federal operates under the strict independence requirements defined in federal regulations, functioning exclusively as an assessment body.

“Our role is not to advise. Our responsibility is to independently verify that security controls are implemented, operational, and producing the intended risk outcomes,” stated George Perezdiaz, Founder and Managing Director of Perezdiaz, LLC. This clear separation of duties is central to the CMMC model, ensuring that assessors remain objective and free from conflicts of interest that could arise from also providing consulting or remediation services.

A Firm Built on Assessment-Grade Realism

Leading this new wave of assessors are individuals with deep experience in the very environment they are now charged with securing. George Perezdiaz brings over two decades of experience in aerospace and defense, having served in the United States Air Force before holding roles supporting the National Military Command Center (NMCC) and the Office of the Secretary of Defense. He is one of the first 50 Lead Certified CMMC Assessors (CCA) in the country and holds advanced industry certifications in systems auditing and risk control.

This background in high-stakes government and defense environments informs the firm's core philosophy: “Controls must perform in practice. Not simply exist in documentation.” This principle of “assessment-grade realism” signals a departure from check-the-box compliance. Instead, the focus is on a holistic evaluation of a company’s security posture under real-world operational conditions. Perezdiaz’s experience, which includes leading a successful high-level assessment for a Fortune 500 prime contractor, provides a unique perspective on what it takes to build a defensible and truly secure program.

This veteran-led approach emphasizes a practical understanding of how security measures function day-to-day, rather than just how they appear in a System Security Plan. The goal is to determine if risks are being actively managed and if CUI is genuinely protected, not just whether a paper trail for compliance exists.

Navigating the Path to Certification

For contractors, the journey to CMMC Level 2 certification is fraught with challenges. Many businesses underestimate the complexity, time, and resources required. Common stumbling blocks include improperly scoping which parts of their network handle CUI, failing to generate the 320 distinct pieces of evidence needed for an assessment, and lacking the robust documentation that must be audit-ready at all times. Perezdiaz Federal’s assessments are designed to probe these very areas, determining if controls are functioning as intended, if risks are being actively managed, and if CUI is safeguarded appropriately across the entire environment.

Recognizing that compliance is a continuous process, the firm also provides independent internal assessments. These engagements help companies evaluate their control effectiveness between formal certification cycles, identify security gaps that may have emerged over time, and provide defensible evidence to senior leaders who must now annually affirm their organization's compliance status to the government.

As CMMC becomes fully embedded in federal acquisitions, the message to the Defense Industrial Base is clear. “CMMC is not a compliance exercise. It is a trust verification mechanism across the defense supply chain,” Perezdiaz said. “Our responsibility is to confirm that the safeguards organizations attest to are in place, functioning, and protecting the information entrusted to them.” With the clock ticking, the ability of firms like Perezdiaz Federal to provide this objective, evidence-based assurance will be crucial to strengthening the security of the entire defense ecosystem.