Three Mile Island and the Hidden Danger of Self-Attestation: A Cautionary Tale for CMMC Compliance

  • mike08242
  • 11 minutes ago
  • 3 min read

In March 1979, the operators at the Three Mile Island nuclear power plant believed they were fully prepared. Their documentation was in order. Their training records were complete. Safety protocols were written and reviewed. According to every regulation, they were compliant.


Then came 4:00 AM on March 28.


A stuck valve—a routine malfunction—triggered a chain of events that quickly spiraled out of control. Operators, overwhelmed by contradictory alarms and unclear procedures, made critical errors. Most notably, they turned off the emergency cooling system—exactly the opposite of what the situation required. Radioactive water leaked. Confusion spread. And just like that, a self-attested “compliant” system revealed its critical vulnerabilities.


The parallels to CMMC compliance in today’s defense industrial base (DIB) are hard to ignore.


What Three Mile Island Teaches Us About CMMC Compliance


Just like the nuclear operators in 1979, many defense contractors today believe they are compliant. They’ve filled out their self-assessments. They’ve documented security policies. They’ve checked all the boxes for NIST SP 800-171. On paper, they meet the standard.


But CMMC compliance isn’t just about having documentation. It’s about demonstrating that cybersecurity controls work under pressure—during an actual cyberattack, not just an audit.

When adversaries strike, there’s no time to reference binders of procedures or call in a consultant. Controls must be implemented, tested, and understood across the organization. That’s the difference between compliance and resilience.


From Self-Attestation to Independent Verification



After Three Mile Island, President Jimmy Carter—trained as a nuclear engineer—saw the root problem clearly. The issue wasn’t fraud or dishonesty. It was misplaced trust in self-attestation. The operators genuinely believed they were ready. But belief wasn’t enough.


Carter’s response led to a seismic shift in nuclear safety: self-attestation was replaced by independent verification. Resident inspectors were placed at every plant. Emergency procedures had to be tested under realistic conditions. Documentation alone was no longer sufficient.


That same transformation is now happening in cybersecurity through CMMC compliance. The Department of Defense no longer accepts self-assessed “trust me” claims from contractors handling Controlled Unclassified Information (CUI). Instead, it requires a third-party assessment to verify that the cybersecurity controls outlined in NIST SP 800-171 are actually in place and working.


This shift is not a rebuke of contractor integrity—it’s a recognition that independent verification is the only way to bridge the dangerous gap between perceived and actual readiness.


CMMC Compliance Is More Than a Checklist


CMMC compliance isn’t about passing an audit once. It’s about proving—consistently—that your organization can detect, respond to, and recover from cyber incidents. Just as a nuclear plant must demonstrate safety procedures in real-world drills, defense contractors must demonstrate that their cybersecurity practices can withstand real-world attacks.


This is especially important as threats increase in complexity. From the SolarWinds supply chain attack to the F-35 program compromise, recent breaches have shown that even organizations that “attest” to cybersecurity compliance may have critical blind spots. Without independent assessment, those gaps remain invisible—until it’s too late.


The Stakes of Getting CMMC Compliance Right

The Three Mile Island incident didn’t happen because people didn’t care. It happened because people trusted processes that had never been tested under fire.


CMMC compliance seeks to avoid that same mistake in the cyber domain. It ensures that contractors who manage sensitive defense data aren’t just compliant on paper—but are actually capable of defending their systems in a real-world scenario.


As President Carter understood, independent oversight isn’t a burden—it’s a safeguard. And when national security is on the line, it’s a necessity.


The Bottom Line: CMMC compliance is the defense industry’s version of the post-Three Mile Island reforms. It’s the move from self-attestation to accountability. Because in cybersecurity, as in nuclear safety, confidence means nothing without capability.


Check out the Cyber-Minute episode on this topic.