There are two ways to build a compliance operation inside a government services company. One treats compliance as a set of obligations attached to specific contracts: present in the language of each award, managed by whoever has been assigned the task, scaled back where scrutiny is low. The other treats compliance as the foundational layer of the organization itself, the thing that has to be correct before a contract is ever pursued.
Both approaches can sustain a business for a period of time. When the regulatory environment shifts sharply — as it has with the Cybersecurity Maturity Model Certification requirements now embedded in defense contracting — the difference between the two tends to become legible quickly.
Margarita Howard, the CEO of defense and aerospace contractor HX5, has operated under the second model since founding the company in 2004. The firm employs roughly 1,000 people across more than 70 government locations in over 20 states, serving the Department of Defense and NASA with engineering, research and development, information technology, and mission operations support. Over two decades, it has navigated the layered requirements of DoD and NASA work without the underlying structure of the organization giving way under the audit pressure. That track record does not happen by accident.
The phrase “compliance culture” circulates widely in government contracting circles, but what it describes in practice is more granular than the phrase suggests. Fundamentally, it is not a training program or any single process, but rather is a collection of specific organizational decisions — about what systems to buy, what expertise to hire, what credentials to require, what infrastructure to build before any particular mandate requires it. Examining what those decisions look like inside HX5 offers a case study of how compliance culture gets built.
HX5’s Compliance Architecture: Margarita Howard’s Organizational Choices
The earliest and most consequential of HX5’s compliance investments was its accounting infrastructure. When the company was still small enough to operate on simpler systems, Howard chose to purchase a specialized accounting platform designed specifically for government service contracting — one that DoD auditors already knew, that handled the cost accounting structures, billing requirements, and reimbursement documentation specific to federal contracts, and that could survive the kind of detailed billing review that comes with virtually every government award.
The choice meant spending money on back-office infrastructure instead of other early priorities. It also meant that when audits arrived, the company’s financials could be examined without the auditors having to reconstruct records that had been kept in systems they weren’t built to evaluate.
“The company must, through the entire life cycle of the contract being performed, maintain financial integrity and accountability standards that meet or exceed the government standards,” Howard says. “You must ensure, at every level, accurate accounting practices, financial reporting, and full compliance with all audit requirements while always adhering to government contract accounting cost principles and regulations governing allowable costs, billing, and reimbursements.”
The advisory function at HX5 works on the same principle. Howard has maintained a dedicated team covering legal, accounting, and technical compliance matters, drawing on specialists in government contracting rather than generalist staff capable of handling any regulatory question.
Compliance law and regulation is a specialized practice that changes continuously, particularly in government contracting. The Federal Acquisition Regulation spans dozens of parts, each with subparts, agency supplements, and overlapping provisions. The Defense Federal Acquisition Regulation Supplement adds another thick layer. Managing that framework with non-specialist staff produces gaps in documentation, misclassification of data handling requirements, and failure to catch the FAR or DFARS changes that carry real contract implications. Specialist advisers track those changes as a primary function.
“We have built and maintain a team of advisers that specialize in the government industry,” Howard says. “They help us stay current with the policies and regulations that govern the defense sector.”
CMMC is the most recent and consequential regulatory development those advisers have been tracking. The first rule establishing the framework was finalized in October 2024. A second rule attaching CMMC requirements to actual contracts was finalized in September 2025 and became effective in November — launching a phased implementation schedule that runs through 2028. Contractors who had been following the rulemaking process understood what November 2025 meant and had been building toward it. Those who had not found themselves at the start of a remediation timeline with little runway.
Leading a Distributed Workforce Through Regulatory Transition
The organizational challenge CMMC poses for HX5 is not primarily a technical one. The technical requirements are defined and manageable with the right infrastructure investment. The harder problem is maintaining consistent security practices across more than 70 locations, dozens of distinct network environments, and a workforce of roughly 1,000 people whose daily decisions about how they handle data carry compliance implications regardless of where they’re working.
Security standards don’t enforce themselves at scale. They require training that reaches the entire workforce, monitoring mechanisms that surface deviations before they become findings, and a hiring profile that starts with people who already understand the basic expectations: what it means to operate inside a cleared facility, how controlled information gets handled, why the documentation requirements exist.
Howard’s hiring model reflects this directly. HX5’s workforce is heavily weighted toward professionals who have operated inside military or government organizations before joining the company, people who have cleared security reviews, worked inside DoD or NASA program structures, and are familiar with the operational norms of the environments where HX5’s employees work.
Veterans make up more than 30% of HX5’s employees, a figure that runs well above the national private-sector average of around 7%. Many veterans arrive with active clearances, which matters for a firm whose contracts frequently require immediate placement on sensitive programs. Since 2021, HX5 has participated in the Hiring Our Heroes Corporate Fellowship Program, a DoD SkillBridge initiative that places transitioning service members with host companies during their final 180 days of active duty. HX5 has brought in two fellows per year through the program. The Department of Labor recognized those practices with a 2025 HIRE Vets Gold Medallion Award.
“We prefer to hire experienced individuals — people who have worked with, or supported, the Department of Defense,” Howard says. “This experience is always very helpful.”
CMMC’s phased rollout through 2028 will impose additional requirements on each successive contracting cycle. Each phase is also a filtering event: contractors who haven’t met the prior phase’s benchmarks face more constrained remediation options as the implementation timeline advances. Howard’s reading of that trajectory is consistent with how she has approached regulatory change across twenty years of operation.
“We try to stay ahead of changing technologies like artificial intelligence and cybersecurity,” Margarita Howard says. “It’s expensive to ensure it’s done right, but it’s worth it.”
For HX5, the cost of doing it right was absorbed across the years before the mandate as part of a steadily developing culture of compliance. For contractors who deferred that investment, the cost of doing it right now is both higher and less flexible.
