Compliance comes for every industry. Healthcare has HIPAA. Retail had the Payment Card Industry Data Security Standard. Now it’s defense industrial base (DIB).
With the rollout of the Cybersecurity Maturity Model Certification (CMMC), the Department of War (DOW)—and Katie Arrington’s advocacy through her former role as DOW chief information officer—are forcing a generational shift in how the defense supply chain protects sensitive data.
CMMC isn’t mere guidance. It’s a contractual line in the sand that won’t stop with mega defense contractors. CMMC covers the small and midsize businesses across the U.S. that keep the nation’s economy moving and its security intact. It will transform how contractors operate, how deals get done, and who gets to stay in the defense supply chain at all.
The scale is hard to ignore. Tens of thousands of businesses are already on the wrong side of it. For the defense industrial base, this isn’t a policy tweak. It’s a seismic and costly shift. And for business leaders across the supply chain, CMMC is quickly becoming the four-letter word they can’t avoid.
CMMC DEFINED
CMMC sets a new standard of trust between the DOW and the companies that support it.
In September, the DOW issued the long-awaited final rule implementing CMMC. It says federal contractors must now evaluate their ability to protect Controlled Unclassified Information, a broad category of sensitive data.
Under this final rule, which went into effect on November 10, CMMC requirements will now be a contractual condition of eligibility for defense work. The rule will phase in over three years, from self-assessments to third-party verification.
THE BURDEN OF READINESS WILL BE DISPROPORTIONATELY DISTRIBUTED
The defense industrial base includes 220,000 companies. Around 76,000—including 57,000 small businesses—will require at least Level 2 CMMC certification within the next seven years. Thousands won’t be ready.
And they’re not fringe players. They’re suppliers, subcontractors, software developers, tech partners, and systems integrators. For many, this will be their first serious cybersecurity audit.
Level 2 sets a high bar. Contractors must implement all 110 security controls defined in NIST SP 800-171. That means access controls. Incident response plans. System integrity. Vulnerability management. And certification requires a third-party audit, complete with evidence, audit trails, and remediation plans.
Then there’s the cost, which will likely affect smaller members of the DIB hardest. Industry estimates put CMMC compliance at more than $63 billion over the next two decades. For small and midsize firms, new audit expenses will compete directly with R&D, hiring, and delivery. While the largest contractors have fulfilled CMMC requirements for decades, small shops who have to add disproportionately high compliance costs may decide that defense work is no longer worth it.
The results will reshape the defense industrial base. Expect consolidation, spinoffs, and acquisitions. CMMC status will show up in diligence decks. And cyber risk will be weighed right alongside revenue and growth.
COMPLIANCE WILL RESHAPE THE MISSION
CMMC also signals a broader shift once compliance is no longer a self-managed check-box exercise. Workflows must embed controls. Data protection must account for location, device, user identity, and context. Security must travel with the data. That includes when a contractor uses a personal device, accesses a cloud application, or supports a mission from a remote site.
In other words, the scope of CMMC will affect how daily work gets done, and it will run through nearly every aspect of our economy. CMMC will shape software vendors, logistics providers, training companies, professional services firms, and even those operating in classified-adjacent spaces.
The time is now to prepare the defense industry to preserve its businesses, secure our nation, and support our military’s mission.
Steve Tchejeyan is the president of Island.