What Boards Need Now
Why defense-adjacent mining and critical-materials boards need cyber fluency before the capital arrives
7/2/2026 · 9 min read
Opening: trust is the real premium
After 30 years in the corporate world, one of my favorite sayings is still: work with people you know and trust. Trust is the hardest asset to build and the easiest one to lose, and in capital markets, trust shows up in execution. Companies that consistently do what they say they will tend to earn more from investors, lenders, customers, and counterparties.
That is why cyber fluency now matters for defense-adjacent mining and critical-materials boards. This is no longer just an IT issue; it is a trust issue, a governance issue, and increasingly, a federal-contracting issue.
Boards have traditionally needed fluency in resource estimates, capital allocation, operations, permitting, safety, and commodity cycles. The same argument now extends into a domain many mining and critical-materials boards have not historically had to govern with at the same level of precision: cybersecurity and federal compliance.
The new fault line: when defense capital changes the perimeter
The Department of Defense, now styled the Department of War under Executive Order 14347, entered into a public-private partnership with MP Materials in July 2025 that included a $400 million preferred-stock investment. The agreement positioned DoW to become MP Materials’ largest shareholder and included a 10-year NdPr price-floor commitment of $110 per kilogram, a 10-year magnet offtake framework, and additional financing support for rare-earth processing and magnet capacity.
The significance is not just the size of the investment; it is the signal. The federal government is no longer only buying finished defense products. It is increasingly using capital, offtake commitments, loans, and price floors to shape the industrial base behind those products. For critical materials, that means the boundary between a resource company and the defense supply chain can become much thinner than many boards assume or are used to.
Here is the governance point too few boardrooms have internalized: defense capital alone does not automatically create CMMC obligations. But when a mining, processing, chemical, graphite, lithium, copper, or rare-earth company accepts defense-adjacent work and its contracts require it to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), the company may move into the Defense Industrial Base compliance perimeter. At that point, cybersecurity is no longer just a technical control environment; it becomes contract eligibility, attestation, evidence, and governance.
The mine does not change. The regulatory perimeter can.
From metallurgy and geology to CUI and federal acquisition law
For a sector whose technical depth has historically run toward metallurgy, geology, permitting, processing, and project finance, this is a meaningful governance gap. Many resource companies were not built to administer NIST control families, manage CUI boundaries, maintain System Security Plans, submit SPRS scores, or defend a federal cyber attestation. Yet that is where parts of the critical-materials sector are moving as national-security capital and defense supply-chain exposure become more important.
That is exactly the kind of gap boards should not leave open until a contract, diligence process, or enforcement inquiry forces the issue.
With money comes responsibility
Three obligations now travel with defense-adjacent revenue and federal-contracting exposure, and all three are board-relevant.
1. CMMC is no longer theoretical.
The CMMC program’s foundational rule, 32 CFR Part 170, became effective in December 2024. The Defense Federal Acquisition Regulation Supplement (DFARS) acquisition rule that gives CMMC contractual force was published in September 2025 and became effective November 10, 2025. The rule allows DoW to include CMMC requirements in solicitations and contracts through the phased implementation of clauses including DFARS 252.204-7021 and related provisions.
The rollout is phased. Phase 1 began on November 10, 2025, with self-assessment requirements and select certification requirements appearing first. Phase 2, potentially beginning November 10, 2026, allows broader use of third-party Level 2 certification requirements through authorized Certified Third-Party Assessor Organizations (C3PAOs). Later phases expand the use of Level 2 and Level 3 requirements, with broader application after the three-year implementation period.
Level 2 maps to the 110 security requirements in NIST SP 800-171. Where a solicitation or contract requires a particular CMMC status, an offeror without the required current status and affirmation in the Supplier Performance Risk System (SPRS) may be ineligible for award. Companies should not assume a grace period will be available. Eligibility will turn on the solicitation, the required CMMC level, current status, and any permitted conditional status or Plan of Action and Milestones (POA&M) rules.
2. Certification is signed by a person, not an abstract department.
The CMMC rule requires an affirmation of continuing compliance by an Affirming Official after the relevant assessment status is achieved and annually thereafter. That official must be a senior-level representative with authority to affirm the organization’s continuing compliance within the relevant assessment scope.
That signature matters because it turns cybersecurity posture into an executive-level representation. I am not a lawyer, and companies should work with counsel before making federal attestations. But the enforcement direction is clear: when a contractor knowingly or recklessly misrepresents cybersecurity compliance tied to federal work, the False Claims Act can become part of the risk picture.
Since the Department of Justice launched its Civil Cyber-Fraud Initiative in 2021, cybersecurity representations have become more than technical statements. They can become governance, contract, diligence, and enforcement issues. The False Claims Act can carry treble damages and per-claim penalties, which is why the board should care about the evidence behind the signature before the signature is made.
3. The board cannot create an IT ticket and call it governance.
The instinct in many companies is to hand this to the CISO, the head of IT, or an outside consultant and move on. The enforcement record shows why that instinct is incomplete. Cyber compliance is not just about whether a control exists somewhere in a spreadsheet. It is about whether the company can prove the right controls are implemented across the correct scope, whether the scope is defensible, whether the representations in SPRS are accurate, and whether leadership understands what is being affirmed.
Cautionary examples
· Raytheon / Nightwing — $8.4 million, announced May 1, 2025. DOJ alleged cybersecurity non-compliance under federal contracts involving DoD, including conduct that occurred before the business was later sold. The successor-liability signal matters for M&A.
· MORSECORP Inc. — $4.6 million, announced March 26, 2025. DOJ said MORSE admitted responsibility for using a third-party email provider without ensuring FedRAMP Moderate-equivalent requirements for covered defense information, failing to fully implement NIST SP 800-171 controls, lacking consolidated System Security Plans, and submitting an inaccurate SPRS score.
· Georgia Tech Research Corporation — $875,000, announced September 30, 2025. DOJ alleged failures involving required cybersecurity controls tied to Air Force and DARPA contracts, including issues around anti-malware tooling, System Security Plan timing, and an allegedly inaccurate assessment score.
· Penn State — $1.25 million, announced October 22, 2024. DOJ alleged non-compliance with contractual cybersecurity requirements across certain DoD and NASA contracts, including issues with assessment scores, plans of action, and cloud-service-provider requirements.
· Aero Turbine and Gallant Capital Partners — $1.75 million, announced July 31, 2025. DOJ included both the defense contractor and its private-equity owner in a False Claims Act resolution involving cybersecurity requirements and sensitive defense information.
Read those examples through a director’s lens. The exposure can reach the company, the acquirer, the sponsor, the successor, and the individual or team responsible for the representation. A board that treats CMMC as a back-office IT chore is likely mispricing a fiduciary and transaction risk.
The SEC reinforces the same governance point
Public companies also have the SEC’s 2023 cybersecurity disclosure rules to consider. Those rules require disclosure of material cybersecurity incidents within four business days after the company determines the incident is material, and annual disclosure describing board oversight of cybersecurity risk and management’s role in assessing and managing material cybersecurity risks.
The SEC rule does not require every board to become technical. It does require companies to describe their governance processes, and in practice that makes unsupported boilerplate harder to defend. You cannot credibly describe oversight you have not built.
What good looks like: the bilingual director
This is where a very specific skill set earns its premium. A director or trusted advisor who can speak both languages (enterprise security and governance on one side; DoD assessment, CMMC scoping, SPRS, CUI boundaries, and corporate-liability mechanics on the other) does something a pure technologist and a pure generalist board member may each struggle to do alone: translate.
The value is not in turning the board into the IT department. The value is in helping the board ask better questions, recognize weak answers, support management, and understand when a representation is ready to be made.
It produces better questions.
Instead of asking, “Are we compliant?” a cyber-fluent director asks: What exactly is in our CMMC assessment scope, and who decided that boundary? Which systems touch CUI? Which systems only touch FCI? What does our SPRS score reflect? Who is signing the affirmation? What evidence supports that signature? If we fail Phase 2, which contracts are affected, and what is that worth?
Those questions surface flawed scoping, weak evidence, and over-claiming before they become diligence findings or enforcement exhibits.
It de-risks M&A.
The Raytheon/Nightwing matter and the Aero Turbine/Gallant settlement show why cybersecurity compliance is now diligence-critical in defense-adjacent transactions. A target that claims Level 2 readiness on a flawed scope can become a problem the buyer inherits. A board with this literacy knows to commission a genuine scope and evidence review before signing, not a checkbox review after closing.
It gives executives real air cover.
Because a senior official must affirm continuing compliance, the people signing need confidence that the representation is true. A board that has built credible oversight, defined reporting cadence, accountable ownership, and independent validation can help protect the company and support the individual who signs. That is the difference between a rushed attestation and a defensible governance process.
It strengthens the team rather than replacing it.
Board-level fluency is not about doing management’s job. It is about asking for the right work and recognizing when that work has been done well. Many defense-adjacent resource companies lack deep in-house CMMC expertise because they were built to mine, process, and finance projects, not to administer federal cybersecurity-control regimes. A fluent director or fractional advisor can give the internal team cover to invest properly, translate the issue to the rest of the board, and create a standard the company can actually meet.
Teams get stronger when someone competent is asking hard, specific, and fair questions.
The caveats
First, one impressive certification on a board roster does not constitute a cyber-risk program. Regulators, plaintiffs, and diligence teams may challenge a token appointment if the underlying oversight is weak. The value is in the questions asked, the evidence reviewed, and the oversight exercised, not the letters after a name.
Second, do not over-index on a single person. The same diversification logic that applies to supply-chain resilience applies by analogy to boards: one company does not fix the supply chain, and one “cyber director” does not fix cyber governance. Fluency should raise the whole board’s baseline, not concentrate comfort in one individual.
Third, compliance is a floor, not a strategy. CMMC certification shows that an organization met a defined federal requirement within a defined scope at a defined point in time. It is necessary for contract eligibility where required. It is not, by itself, the security posture a serious adversary should worry about. Boards should treat it as the entry ticket, not the destination.
Closing the loop
The federal government’s pivot from buying products to directly shaping the capital stack behind critical materials has quietly rewritten the obligations for parts of the resource sector. Companies that take defense-adjacent work are no longer only price-takers in a commodity market. Where federal contracts, FCI, CUI, flowdowns, certification, and affirmation enter the picture, they become participants in the Defense Industrial Base with governance obligations that many boards were not originally assembled to oversee.
The trust premium is real, and it is earned by doing what you say you are going to do. For a defense-adjacent producer, “what you say you are going to do” may now include a signed federal affirmation that cybersecurity controls are real within the relevant scope. A board that can govern that promise credibly, technically, and without flinching is not adding compliance overhead. It is protecting the rarest commodity in the business: trust.
Sturnella advises defense contractors, mining, energy, and critical infrastructure companies on CMMC readiness, SEC cybersecurity disclosure, and board-level cyber governance.
contact@sturnellahq.com | sturnellahq.com | news.sturnellahq.com
Disclaimer: This article appeared on the Sturnella website at sturnellahq.com and is provided for informational purposes only. It does not constitute investment advice, financial advice, legal advice, or a solicitation to buy or sell any security or financial instrument. The information contained herein is based on publicly available sources and is believed to be accurate at the time of publication but is not guaranteed. Sturnella LLC is a capital markets cybersecurity and governance advisory firm and is not a registered investment adviser, broker-dealer, or financial institution. Always consult a qualified financial, legal, or investment professional before making any investment decision.
Sources and Notes
Sources reflect public information available as of June 30, 2026.
· Executive Order 14347 / White House fact sheet on Department of War as secondary title: https://www.whitehouse.gov/fact-sheets/2025/09/fact-sheet-president-donald-j-trump-restores-the-united-states-department-of-war/
· MP Materials July 10, 2025 investor release on DoD public-private partnership: https://investors.mpmaterials.com/investor-news/news-details/2025/MP-Materials-Announces-Transformational-Public-Private-Partnership-with-the-Department-of-Defense-to-Accelerate-U-S--Rare-Earth-Magnet-Independence/default.aspx
· Federal Register public inspection document for DFARS CMMC acquisition final rule, September 2025: https://public-inspection.federalregister.gov/2025-17359.pdf
· eCFR 32 CFR Part 170, including CMMC affirmation requirements: https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170
· SEC Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure: https://www.sec.gov/files/rules/final/2023/33-11216.pdf
· DOJ Raytheon / Nightwing settlement, May 1, 2025: https://www.justice.gov/opa/pr/raytheon-companies-and-nightwing-group-pay-84m-resolve-false-claims-act-allegations-relating
· DOJ MORSECORP settlement, March 26, 2025: https://www.justice.gov/opa/pr/defense-contractor-morsecorp-inc-agrees-pay-46-million-settle-cybersecurity-fraud
· DOJ Georgia Tech Research Corporation settlement, September 30, 2025: https://www.justice.gov/opa/pr/georgia-tech-research-corporation-agrees-pay-875000-resolve-civil-cyber-fraud-litigation
· DOJ Penn State settlement, October 22, 2024: https://www.justice.gov/usao-edpa/pr/penn-state-agrees-pay-125-million-resolve-false-claims-act-allegations-relating-non
· DOJ Aero Turbine and Gallant Capital Partners settlement, July 31, 2025: https://www.justice.gov/opa/pr/california-defense-contractor-and-private-equity-firm-agree-pay-175m-resolve-false-claims
Sturnella LLC © 2026 All rights reserved.