Blog

CISO and CCO Guide to AI Governance Accountability in Defense

CISOs and CCOs at defense contractors need clear AI governance accountability lines before CMMC L2 Phase 2. RACI, board reporting, and a 90-day readiness roadmap.

11 min read

AI governance accountability in defense contracting is not a shared inbox — it is a set of distinct, documented ownership lines that a C3PAO assessor will scrutinize. For CISOs and CCOs at Defense Industrial Base (DIB) firms, the upcoming CMMC Level 2 Phase 2 milestones means those lines need to be drawn now, not during a pre-assessment scramble. This guide maps exactly who owns what, when to consider a dedicated AI Risk Officer, what boards need to hear, what failure patterns look like, and how to sequence the next 90 days.


How CMMC 2.0 Splits AI Governance Accountability Between the CISO and CCO

CMMC 2.0 does not use the words “CISO” or “CCO.” What it does is create a control environment — 110 practices across 14 domains — that, when AI systems touch Controlled Unclassified Information (CUI), generates accountability questions that fall cleanly into two different executive lanes.

The CISO lane: technical control ownership. AI governance CISO responsibilities under CMMC 2.0 center on the security domains: Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), Incident Response (IR), and System and Communications Protection (SC). When an AI model is deployed inside the CUI boundary, the CISO owns the questions: Is the model’s access to CUI scoped to least privilege? Are inference logs retained and reviewable? Is the model’s configuration baselined and change-controlled? These are not policy questions — they are technical implementation questions with evidence artifacts.

The CCO lane: policy, attestation, and flowdown. Chief Compliance Officer AI governance responsibilities sit in a different register. The CCO owns theDFARS 252.204-7021 attestation — the signed representation to the prime or the government that the contractor has implemented the required practices. The CCO also owns the policy framework that governs which AI tools are permitted in the CUI environment, the vendor due diligence process for AI supply chain, and the training program that ensures employees understand acceptable use. When a prime contractor sends an AI governance flowdown letter, the CCO is the receiving executive.

Where the lanes cross — and how to prevent collisions. The intersection point is the AI system inventory. The CISO needs it to scope technical controls. The CCO needs it to scope the attestation. If both executives maintain separate inventories, assessors will find gaps. The AI governance best practice for defense contractors is a single authoritative inventory, jointly owned, with the CISO accountable for the technical attributes (data classification, network placement, access controls) and the CCO accountable for the policy attributes (approved use cases, vendor contracts, training records).

RelatedCMMC 2.0 AI Requirements for Defense Contractors: What You Need to Know in 2026


The AI Risk Officer Role: When Defense Contractors Need a Third Seat at the Table

Most 200–800 FTE defense contractors do not have an AI Risk Officer. The answer to whether they need one before Phase 2 depends on three conditions.

The case for distribution. At firms where AI use is limited — a handful of approved SaaS tools, no internally developed models, no AI touching CUI directly — the CISO AI compliance strategy and CCO policy framework can absorb AI governance without a dedicated role. The CISO adds AI systems to the existing asset inventory and control framework. The CCO adds AI to the existing vendor risk and acceptable use policy stack. AI governance executive accountability is maintained through a standing agenda item at the monthly CISO-CCO sync.

The case for a dedicated AI Risk Officer. Three conditions shift the calculus:

  1. The firm is developing or fine-tuning AI models, not just consuming vendor APIs.
  2. AI systems are making or influencing decisions that affect contract performance, cost reporting, or export-controlled data.
  3. The CISO and CCO are already at capacity with existing CMMC remediation work.

When any of these conditions apply, the AI risk officer role for a defense contractor is not overhead — it is a risk mitigation investment. The role sits between the CISO and CCO, owns the AI system inventory, runs the model risk assessment process, and serves as the single point of contact for C3PAO questions about AI-specific controls.

A practical middle path. Many mid-market DIB firms are creating a “virtual” AI Risk Officer function: a cross-functional working group with a named chair (often a senior IT security manager or deputy compliance officer), a defined charter, and a quarterly reporting obligation to both the CISO and CCO. This satisfies the governance structure requirement without adding a full-time headcount.

RelatedAI Governance Framework for Defense Contractors


Board-Level Reporting: What CISOs and CCOs Must Surface on AI Governance

DFARS 252.204-7021 creates a flowdown obligation — primes pass CMMC requirements to subs, and subs must attest compliance. That attestation ultimately traces back to what the board has been told and what it has approved. CCO AI governance board oversight is not a formality; it is a legal exposure question.

What the board needs to know — and when. A defensible reporting cadence for a mid-market DIB firm looks like this:

  • Quarterly: AI system inventory status (number of systems, CUI exposure classification, control implementation percentage). Open findings from internal audits or C3PAO readiness assessments. Incident summary (any AI-related security events or policy violations).
  • Annually: Full AI governance program review, including policy updates, training completion rates, vendor risk assessment results, and attestation readiness status.
  • Event-triggered: Any material change to the AI system inventory (new deployment, vendor change, model update that affects CUI access), any government inquiry or prime contractor audit finding related to AI, any AI-related incident that meets the DFARS incident reporting threshold.

The disclosure checklist. Before a C3PAO assessment, the CISO and CCO should be able to confirm the board has received and approved:

  • The AI acceptable use policy and its most recent revision date
  • The AI vendor risk assessment process and results for all CUI-adjacent tools
  • The AI system inventory and its CUI boundary mapping
  • The incident response plan addendum covering AI-specific scenarios
  • The CMMC attestation scope statement, including AI system inclusions

Why this matters for DFARS scrutiny. Under DFARS 252.204-7021, a false attestation carries False Claims Act exposure. Boards that have not been briefed on AI governance cannot provide meaningful oversight of the attestation. Documented board reporting is the evidence that oversight existed — and that the attestation was not a checkbox signed without executive awareness.


Lessons Learned: AI Governance Failures That Cost Defense Contractors Their Contracts

Four patterns appear repeatedly in C3PAO assessment findings and IG audit reports. No firms are named, but the accountability gaps are specific and actionable.

Pattern 1: The shadow AI deployment. A program manager deploys a commercial AI writing tool to help draft technical reports. The tool is cloud-hosted, the firm’s CUI ends up in the vendor’s training pipeline, and neither the CISO nor the CCO knows the tool exists until a prime contractor audit surfaces it. The AI governance lesson learned for CMMC purposes: the AI system inventory must be a living document with a discovery mechanism, not a one-time exercise. Shadow IT controls that work for standard SaaS do not automatically capture AI tools, which employees adopt faster and with less IT involvement.

Pattern 2: The attestation signed without CISO input. A CCO signs the DFARS 252.204-7021 attestation based on a compliance checklist completed by the IT team. The CISO was not consulted on the AI-specific controls. During the C3PAO assessment, the assessor finds that three AI systems in the CUI environment lack audit logging — a direct contradiction of the signed attestation. The result: a major finding, a remediation period, and a contract award delay. This AI compliance case study for defense contractors illustrates a consistent pattern: attestation is a joint CISO-CCO act, not a compliance-only exercise.

Pattern 3: The governance structure that existed only on paper. A firm creates an AI governance policy, assigns ownership to the CISO, and files it. No training is conducted, no inventory is maintained, and no board reporting occurs. During an assessment, the assessor asks for evidence of governance program operation — meeting minutes, training records, audit logs, board briefing materials. None exist. The policy is a document; the program is not. This is the most common AI governance lessons learned CMMC assessors report: documentation without operationalization fails.


A 90-Day CISO–CCO Alignment Roadmap for CMMC Phase 2 Readiness

The Phase 2 timeline is fixed in DoD’s rollout schedule. A 90-day sprint, started now, creates the governance foundation a C3PAO assessor expects to see. Each phase is tagged by primary owner.

Days 1–30: Inventory and ownership alignment

  • [CISO] Complete AI system discovery scan across all environments that touch CUI. Document each system’s data classification, network placement, and current control implementation status.
  • [CCO] Audit all vendor contracts for AI components. Identify which vendors have AI features enabled, whether those features are in scope for CUI, and whether contracts include data processing agreements that satisfy DFARS requirements.
  • [Joint] Reconcile CISO and CCO inventories into a single authoritative AI system register, assign a named owner for each system, and decide whether to create a dedicated AI Risk Officer function or a cross-functional working group. Document the decision and the governance structure.

Days 31–60: Control gap remediation and policy update

  • [CISO] For each AI system in the CUI boundary, run a gap assessment against CMMC 2.0 practices. Prioritize: access control scoping, audit log configuration, incident response plan coverage, and configuration baseline documentation.
  • [CCO] Update the AI acceptable use policy to reflect current system inventory. Add AI-specific provisions to the vendor risk assessment process. Schedule and complete AI governance training for all personnel with CUI access.
  • [Joint] Prepare the first board briefing package: inventory summary, gap assessment results, remediation timeline, and attestation readiness status.

Days 61–90: Attestation readiness and board approval

  • [CISO] Complete technical remediation for all high-priority gaps. Run an internal audit against the CMMC 2.0 AI-relevant practices. Document evidence artifacts.
  • [CCO] Draft the DFARS 252.204-7021 attestation package. Review with CISO to confirm all technical representations are accurate. Obtain legal review.
  • [Joint] Present attestation package to board for awareness and approval, document the board’s review in meeting minutes, and schedule a C3PAO readiness assessment or gap review with a third-party assessor.

If your CISO and CCO don’t yet have documented ownership lines, a joint AI system inventory, and a board reporting cadence in place, the 90-day window is already running.

Brine

Build, hire, and govern every AI system in your environment.

Describe a workflow in plain English and Brine builds it, runs it on your data, and governs every step — costing and attributing each action to its agent and model, with a pre-dispatch cap that holds a step before it overspends and a signed audit trail as standard.

Scope a pilot More resources