Castellum (NYSE: CTM) secures CMMC Level 2, targets DoD contracts and IR push

Rhea-AI Filing Summary

Castellum, Inc. filed a report describing that it has achieved Cybersecurity Maturity Model Certification (CMMC) Level 2 after a comprehensive assessment by an accredited C3PAO. Management explains this validates that Castellum and its subsidiaries meet advanced cybersecurity requirements for protecting Controlled Unclassified Information on U.S. Department of Defense programs.

The company notes a perfect score of 110 out of 110 controls and 320 objectives with no open remediation items, positioning it to compete for Department of Defense work that explicitly requires CMMC Level 2. Castellum also highlights a step-by-step technical roadmap, with a redesigned corporate website expected to launch in the second quarter, and mentions working with The Equity Group to enhance investor relations outreach.

Insights

Cybersecurity & government contracting analyst

CMMC Level 2 boosts Castellum’s eligibility for sensitive DoD contract work.

Castellum reports achieving CMMC Level 2 certification through an accredited C3PAO, meeting all 110 controls and 320 objectives with a perfect score. This confirms compliance with advanced cybersecurity standards required to protect Controlled Unclassified Information on U.S. Department of Defense programs.

This status allows Castellum to pursue Department of Defense opportunities that mandate CMMC Level 2 and respond to related Requests for Proposals. The company also emphasizes a broader growth roadmap, including a redesigned website expected in the second quarter and expanded investor-relations support from The Equity Group, which together may support visibility as CMMC-driven opportunities develop.

8-K Event Classification

2 items: 8.01, 9.01

2 items

Item 8.01 Other Events Other

Voluntary disclosure of events the company deems important to shareholders but not covered by other items.

Item 9.01 Financial Statements and Exhibits Exhibits

Financial statements, pro forma financial information, and exhibit attachments filed with this report.

Key Figures

CMMC level: Level 2 Controls met: 110 controls Objectives met: 320 objectives +2 more

5 metrics

CMMC level Level 2 Cybersecurity Maturity Model Certification level achieved

Controls met 110 controls CMMC Level 2 framework controls fully satisfied

Objectives met 320 objectives CMMC Level 2 framework objectives met in assessment

CMMC score 110 Perfect Level 2 assessment score with no open POA&Ms

Website launch timing second quarter Company expects redesigned website launch in the second quarter

Key Terms

CMMC Level 2, C3PAO, Controlled Unclassified Information, Plan of Action and Milestones, +2 more

6 terms

CMMC Level 2 technical

"announces that it has achieved Cybersecurity Maturity Model Certification (“CMMC”) Level 2 following a comprehensive assessment"

CMMC Level 2 is a U.S. government cybersecurity certification that requires companies to adopt a set of documented practices and processes to protect sensitive but unclassified information; Level 2 is the intermediate step between basic cyber hygiene and the highest, most stringent controls. For investors, achieving Level 2 is a practical signal that a company can compete for certain government contracts, reduce the chance of costly data breaches, and demonstrate disciplined risk management—think of it as upgrading from a basic door lock to a keypad plus alarm system for corporate data.

C3PAO technical

"following a comprehensive assessment conducted by an accredited Certified Third‑Party Assessment Organization (“C3PAO”)"

A C3PAO is an independent, accredited assessor authorized to evaluate a company’s cybersecurity practices against government standards for handling sensitive information. Think of it as a certified building inspector for digital security: its stamp of approval can be required to win certain government or military contracts, reduce legal and breach risk, and therefore directly affect a company’s ability to compete and its investment appeal.

Controlled Unclassified Information technical

"requirements necessary for protecting Controlled Unclassified Information (“CUI”) in support of U.S. Department of Defense (“DoD”) programs"

Controlled unclassified information (CUI) is government or contract-related material that is not a classified secret but still requires restricted handling, storage, and sharing. Think of it as a sensitive file in a locked cabinet: it isn’t top secret, but mishandling can lead to legal, contractual, or reputational harm. For investors, CUI matters because failures to protect it can trigger fines, lost contracts, and increased compliance risk that may affect a company’s value.

Plan of Action and Milestones technical

"with no open Plan of Action and Milestones and a perfect 110 score"

forward-looking statements regulatory

"This release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933"

Forward-looking statements are predictions or plans that companies share about what they expect to happen in the future, like estimating sales or profits. They matter because they help investors understand a company's outlook, but since they are based on guesses and assumptions, they can sometimes be wrong.

Investor Relations financial

"our new Investor Relations partner, The Equity Group"

Investor relations is the communication process between a company and its current or potential investors. It involves sharing information about the company's performance, strategies, and outlook to help investors make informed decisions. Effective investor relations build trust and transparency, similar to a clear conversation between a business and someone considering investing, ensuring both parties understand each other's interests and expectations.

Understanding 8-K Material Events →

0001877939False00018779392026-04-232026-04-23

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 8-K

CURRENT REPORT

Pursuant to Section 13 or 15(d) of the Securities and Exchange Act of 1934

Date of Report (Date of earliest event reported): April 23, 2026

CASTELLUM, INC.

(Exact name of Registrant as specified in its charter)

Nevada

001-41526

27-4079982

(State or other jurisdiction of incorporation)

(Commission File Number)

(IRS Employer Identification No.)

1934 Old Gallows Road, Suite 350

Vienna, VA 22182

(Address of principal executive offices, including zip code)

(703) 752-6157

(Registrant’s telephone number, including area code)

Check the appropriate box below if the 8-K filing is intended to simultaneously satisfy the filing obligations of the registrant under any of the following provisions:

☐			Written communication pursuant to Rule 425 under the Securities Act (17 CFR 230.425)
☐			Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)
☐			Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))
☐			Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13(c)).

Securities registered pursuant to Section 12(b) of the Act:

Title of each class

Trading Symbol(s)

Name of each exchange on which registered

Common stock, par value $0.0001 per share

CTM

NYSE American LLC

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (17 CFR §230.405) or Rule 12b-2 of the Securities Exchange Act of 1934 (17 CFR §240.12b-2).

Emerging growth company ☒

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☒

Item 8.01 Other Events.

On April 23, 2026 Castellum, Inc. issued a press release announcing it has achieved CMMC Level 2 C3PAO Certification. The full text of the press release is attached hereto as Exhibit 99.1 and is incorporated herein by reference.

Item 9.01 Financial Statements and Exhibits.

(d) Exhibits.

Exhibit No.			Exhibit Title
99.1			Press Release dated April 23, 2026
104			Cover Page Interactive Data File (embedded within the Inline XBRL document).

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the Registrant has duly caused this report to be signed on its behalf by the undersigned, hereunto duly authorized.

CASTELLUM, INC.

Date: April 23, 2026

By:

/s/ Glen R. Ives

Name:

Glen R. Ives

Title:

Chief Executive Officer (Principal Executive Officer)

Exhibit 99.1

Castellum, Inc. Achieves CMMC Level 2 C3PAO Certification

VIENNA, Va., April 23, 2026 (GLOBE NEWSWIRE) -- Castellum, Inc. (NYSE-American: CTM) (“Castellum” “CTM”, “we” or the “Company”), a cybersecurity, electronic warfare, and software services company focused on the federal government, announces that it has achieved Cybersecurity Maturity Model Certification (“CMMC”) Level 2 following a comprehensive assessment conducted by an accredited Certified Third‑Party Assessment Organization (“C3PAO”).

This certification demonstrates that Castellum and all its subsidiaries meet the advanced cybersecurity requirements necessary for protecting Controlled Unclassified Information (“CUI”) in support of U.S. Department of Defense (“DoD”) programs. This achievement reflects Castellum’s longstanding commitment to safeguarding sensitive data, maintaining rigorous security practices, and supporting the modernization of cybersecurity across the defense industrial base.

With CMMC Level 2 certification, Castellum is positioned to:

•Support DoD programs requiring the protection of CUI.

•Respond to Requests for Proposals requiring CMMC Level 2 certification in line with its organic growth framework.

•Strengthen partnerships with prime and subcontractor partners.

•Demonstrate validated cybersecurity maturity to customers and stakeholders.

•Continue building a culture of security aligned with DoD expectations.

The CMMC program plays a critical role in protecting sensitive information throughout the defense supply chain. By achieving Level 2 certification, Castellum reinforces its commitment to meeting and exceeding those standards.

“Achieving CMMC Level 2 certification is a significant milestone for our organization,” said Drew Merriman, Chief Operating Officer of Castellum. “We met all 110 controls and 320 objectives of the Level 2 framework with no open Plan of Action and Milestones and a perfect 110 score. This demonstrates the strength of our security posture and our dedication to protecting the information entrusted to us by our customers and partners. I am proud of our team’s hard work and the robust processes they implemented that enabled a successful C3PAO assessment.

Having this certification is critical to continuing to grow and win contracts with DoD. We have implemented a step-by-step technical roadmap prioritizing milestones to enable continued growth. With CMMC complete, the next action on our roadmap is the overhaul and re-design of our company’s website, which we expect to launch during the second quarter.”

Glen Ives, President and CEO of Castellum, added, “CMMC is a strong validation of our capabilities and the discipline we bring to protecting sensitive information. As we sharpen our focus on both customer and investor engagement, we’re complementing our internal efforts with the support of our new Investor Relations partner, The Equity Group. We selected them for their deep experience in advising companies, their strong relationships within the investment community, and their ability to translate complex narratives into clear, compelling messaging. We believe we have a compelling story to share with the investment community, and The Equity Group’s expertise will help us communicate it more effectively, broaden our visibility in the market, and foster more meaningful dialogue. Together, I expect this to drive stronger, more sustained engagement with both our customers and the investment community.”

About Castellum, Inc.

Castellum, Inc. (NYSE-American: CTM) is a technology company focused on leveraging the power of information technology to help solve our Nation's most pressing national security challenges. CTM provides US government and commercial clients with Cybersecurity, Software Development, Systems Engineering, Information / Electronic Warfare, Program Support, and Data Analytics services. It also offers subject matter expertise in artificial intelligence / machine learning, 5G technologies, model-based systems engineering, program management, information assurance, intelligence analysis, and CMMC compliance. In addition to constantly innovating and enhancing its organic capabilities, Castellum is executing strategic acquisitions of firms that share our passionate commitment to US national security and have a history of bringing exceptional value to their clients. – For more information visit: https://castellumus.com.

Forward-Looking Statements:

This release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 2lE of the Securities Exchange Act of 1934, as amended. These forward-looking statements represent the Company's expectations or beliefs concerning future events and can generally be identified by the use of statements that include words such as "estimate," "project," "believe," "anticipate," "shooting to," "intend," "in a position," "looking to," "pursue," "positioned," "will," "likely," "would," or similar words or phrases. Forward-looking statements include, but are not limited to, statements regarding the Company's expectations for revenue growth, new customer opportunities, improvements to cost structure, and profitability. These forward-looking statements are subject to risks, uncertainties, and other factors, many of which are outside of the Company's control, that could cause actual results to differ (sometimes materially) from the results expressed or implied in the forward-looking statements, including, among others: the Company's ability to compete against new and existing competitors; its ability to effectively integrate and grow its acquired companies; its ability to identify additional acquisition targets and close additional acquisitions; the impact on

the Company's revenue due to a delay in the U.S. Congress approving a federal budget; and the Company's ability to maintain the listing of its common stock on the NYSE American LLC. For a more detailed description of these and other risk factors, please refer to the Company's Annual Report on Form 10-K and its Quarterly Reports on Form 10-Q and other filings with the Securities and Exchange Commission ("SEC") which can be viewed at www.sec.gov. All forward-looking statements are inherently uncertain, based on current expectations and assumptions concerning future events or the future performance of the Company. Readers are cautioned not to place undue reliance on these forward-looking statements, which are only predictions and speak only as of the date hereof. The Company expressly disclaims any intent or obligation to update any of the forward-looking statements made in this release or in any of its SEC filings except as may be otherwise stated by the Company.

Investor Relations:

The Equity Group

Lena Cati

(212) 836-9611

lcati@theequitygroup.com

Val Ferraro

(212) 836-9633

vferraro@theequitygroup.com

FAQ

What did Castellum (CTM) announce in its latest 8-K filing?

Castellum announced it has achieved CMMC Level 2 certification after a comprehensive assessment by an accredited C3PAO. This confirms its cybersecurity program meets advanced Department of Defense standards for handling Controlled Unclassified Information across the company and its subsidiaries.

What is CMMC Level 2 certification and why is it important for Castellum (CTM)?

CMMC Level 2 certifies that Castellum meets advanced cybersecurity requirements for protecting Controlled Unclassified Information in Department of Defense programs. This status helps the company support DoD contracts that require CMMC Level 2 and respond to related Requests for Proposals within its growth strategy.

What performance did Castellum (CTM) report on its CMMC assessment?

Castellum reports meeting all 110 controls and 320 objectives in the CMMC Level 2 framework, achieving a perfect 110 score with no open Plans of Action and Milestones. Management characterizes this as evidence of a strong security posture supporting customer and partner confidence.

How does CMMC Level 2 certification affect Castellum’s (CTM) business opportunities?

With CMMC Level 2, Castellum states it can support DoD programs requiring protection of Controlled Unclassified Information and respond to Requests for Proposals that specify this certification. It also expects stronger partnerships with primes and subcontractors that prioritize validated cybersecurity maturity.

What future initiatives did Castellum (CTM) highlight alongside its CMMC milestone?

Castellum highlighted a step-by-step technical roadmap, noting that with CMMC achieved, its next action is overhauling and redesigning its corporate website, which it expects to launch in the second quarter. The company also referenced working with The Equity Group on investor relations efforts.

Who is supporting Castellum’s (CTM) investor relations efforts?

Castellum is working with The Equity Group as its investor relations partner. Management cites the firm’s experience, relationships in the investment community, and ability to clarify complex narratives as reasons, aiming to improve communication, visibility, and engagement with investors and other stakeholders.

Filing Exhibits & Attachments

4 documents

Press Releases

• EX-99.1 EX-99.1 14.2 KB

Other Documents

• EX-101 XBRL TAXONOMY EXTENSION SCHEMA DOCUMENT 1.7 KB
• EX-101 XBRL TAXONOMY EXTENSION LABEL LINKBASE DOCUMENT 22.9 KB
• EX-101 XBRL TAXONOMY EXTENSION PRESENTATION LINKBASE DOCUMENT 13.3 KB