Revenue model
The Defense Compliance Report is supported by three revenue streams. First, lead-generation referral fees from CMMC solution providers who pay to receive matched qualified leads routed through our "Get Matched" and "Request a Quote" forms. Second, sponsored placements on provider verdict cards and dedicated sponsored content, always labeled with the SPONSORED badge. Third, affiliate commissions on a subset of outbound provider links, always carrying rel="sponsored noopener" and "sponsored link · paid placement" microcopy.
How sponsored content is labeled
When named provider verdict cards are published, each card must carry a clear label identifying whether it is an independent editorial pick, a sponsored placement, an affiliate/partner listing, or another compensated placement. Never both editorial and sponsored. Never unlabeled. Outbound sponsored and affiliate CTAs carry "sponsored link · paid placement" microcopy and rel="sponsored noopener". Dedicated sponsored articles, if and when published, carry a full-width "SPONSORED CONTENT" band above the headline, with a link to this policy.
How sponsored content is created
Sponsored content originates from the sponsor or is co-developed with the sponsor. Sponsored content is reviewed by editorial for factual accuracy against primary sources before publication — sponsors cannot publish factually incorrect claims about the CMMC regulation through this publication. Sponsors do not have editorial-approval rights over (a) coverage of competitors or (b) editorial coverage of themselves outside of the sponsored placement.
Editorial Pick vs. Sponsored Listing
An Editorial Pick is a provider designation made by the editorial team based on the methodology documented at /methodology/. Editorial Picks are not for sale. A sponsor cannot purchase an Editorial Pick designation, and we do not award an Editorial Pick to a provider on the basis of a sponsorship relationship.
A Sponsored Listing is a paid placement that meets a defined minimum quality threshold — at minimum, a legitimate provider in the relevant CMMC category, with verifiable Cyber AB or other relevant credential status where applicable. Sponsored Listings are not editorially selected; they are paid placements that meet a quality floor.
Conflict-of-interest handling
When a sponsor is also a candidate for editorial evaluation in the same category, the publication takes one of two approaches: (a) include the sponsor in editorial evaluation and explicitly disclose the sponsor relationship in the relevant editorial coverage, or (b) decline to editorially evaluate the sponsor in that category. We never silently award an Editorial Pick to a paying sponsor.
Lead-routing and referral fees
When you submit a "Get Matched," "Request Information," or "Request a Quote" form, the information you provide may be shared with one or more matched CMMC providers so they can respond directly to your request. The information shared may include your name, work email, company, role, employee count, CMMC level, compliance stage, DoD contract status, timeline, cloud environment, budget range, and any non-sensitive notes you provide.
We may receive referral, lead-routing, sponsorship, affiliate, or other compensation from providers that receive or respond to matched inquiries. When we receive referral or lead-routing compensation from a provider, that provider relationship is considered commercial and is subject to the independence rules described in this policy.
We do not sell personal information to unrelated data brokers or advertising networks. When you submit a provider-matching form, you are directing us to share the submitted information with matched providers for the purpose of responding to your request. Full data handling is in the Privacy Policy.
Do not submit CUI, classified information, controlled technical data, export-controlled content, non-public contract details, passwords, system diagrams, vulnerability details, incident timelines, or sensitive security information through any form on this site.
What sponsors do not get
- Approval rights over editorial coverage of themselves or competitors.
- An Editorial Pick designation based on the sponsorship.
- Removal of negative editorial coverage in exchange for sponsorship.
- Exclusive rights over a CMMC category covered by editorial.
- An unlabeled or improperly labeled placement that misrepresents the commercial relationship to readers.
Sponsorship inquiries
Reach the publication at partners@thedefensecompliancereport.com or via the contact page under inquiry type "Sponsorship inquiry." Questions about editorial integrity should be sent under "Editorial correction" or "General reader feedback" and will receive an editorial-team response.
How sponsored and editorial content is labeled
Every placement on this publication is one of three types, and each type is labeled at the point of display:
- Editorial coverage — selected by the editorial team based on the Methodology. Not for sale. No sponsor can purchase an editorial designation.
- Sponsored placement— a paid placement that meets a defined minimum quality threshold (verifiable credentials, no misrepresentation). Clearly labeled "SPONSORED" at the top of the card, section, or article.
- Affiliate or referral listing— a listing where the publication receives referral or lead-routing compensation when a reader engages. Labeled "sponsored link · paid placement" inline; outbound links carry
rel="sponsored noopener".
No placement is unlabeled. No placement is labeled as editorial if compensation is involved. If an editorial pick later enters a sponsor relationship, the editorial pick label is removed or the relationship is disclosed in the editorial coverage.
Provider removal policy
The Defense Compliance Report reserves the right to remove or suspend a listed or partner provider under any of the following conditions:
- Loss of authorization or credential — a C3PAO, RPO, or CCP/CCA whose Cyber AB or applicable authorization is revoked, suspended, or lapses without renewal will be removed from all listings and routing flows pending re-verification.
- Verified contractor complaints — credible, documented complaints from contractors indicating materially misleading claims, failure to deliver contracted services, or conduct that harms the contractor will trigger a review. Providers with sustained complaints may be suspended pending investigation.
- Factual misrepresentation — a provider found to have made materially false or unverifiable claims about their credentials, capabilities, or CMMC compliance record will be removed immediately.
- Violation of editorial-independence requirements — any provider attempting to condition compensation on editorial coverage decisions, suppress editorial criticism, or manipulate the editorial pick process will be removed and the attempt disclosed.
- Conflict-of-interest violation — see section below on C3PAO independence requirements.
Removed providers are not re-listed without a documented remediation and a new verification. Removal decisions are made by the responsible editor.
Conflict-of-interest rules — C3PAO independence requirement
The Cyber AB requires a separation between CMMC readiness consulting and CMMC assessment: a firm or individual that provides readiness consulting (scoping, SSP, gap assessment, remediation support) to a contractor may not also serve as the authorized C3PAO assessor for that same contractor's Level 2 assessment. This is an active Cyber AB eligibility rule, not a preference.
The Defense Compliance Report extends this principle to its own routing and directory:
- We do not route a contractor to a firm as both their readiness consultant and their C3PAO assessor in the same lead.
- Any provider listed as both an RPO and a C3PAO must maintain documented, operationally separate practices with firewalls between the readiness and assessment teams, consistent with Cyber AB requirements.
- We do not accept sponsored placement from a firm that obscures the independence boundary or markets itself as providing both readiness and assessment to the same client as a package deal.
Methodology for ranked lists
The Defense Compliance Report does not currently publish named provider rankings determined solely or primarily by payment. When provider rankings, "best of" lists, or editorial picks are published, they will follow this methodology:
- Eligibility criteria — providers must hold current, verifiable Cyber AB authorization (for C3PAOs and RPOs), carry appropriate credentials and insurance, and have a published methodology or capability statement.
- Evaluation depth — the editorial team documents what information was reviewed (public filings, interviews, client feedback, primary source verification) and what was not. Depth is disclosed on the review page.
- Compensation relationship disclosed— any compensation relationship between the publication and a listed provider is disclosed on the provider's card or review page, before the first CTA.
- Verification date — all ranked list entries carry the date credential status was last verified. Entries are re-verified no less than annually for any list that remains published.
- Sponsored vs. editorial distinction maintained — sponsored placements may appear on the same page as editorial picks, but they are in separate, clearly labeled sections. A sponsor cannot purchase placement in the editorial section.
Readers who believe a ranked list entry is inaccurate, stale, or improperly compensated should contact partners@thedefensecompliancereport.com.