AI And Crippling CMMC Regulations Converge On Small Businesses
- Ken Larson


“NATIONAL DEFENSE MAGAZINE” By Pete Sfoglia
________________________________________________________________________________
“The marriage of artificial intelligence, quantum computing, robotics and crippling regulation creates a perfect storm headed straight at the Cybersecurity Maturity Model Certification program, and those who designed the mandate have no more understanding of what it means at ground level than Bill Gates has of the price of groceries.
The intent was sound. The consequences may be catastrophic. Make no mistake: the convergence of these four forces represents significant disruption.
CMMC 2.0 was a necessary response to a real threat. Nation-state adversaries have spent years gutting the U.S. defense industrial base, walking off with designs and manufacturing processes that took U.S. companies decades to build.
Self-reported compliance scores that bore no relationship to actual security posture had to end. But what followed was a compliance architecture that drops enterprise-grade financial burdens on small manufacturers running margins that can’t absorb them, while mandating encryption standards already being defeated and ignoring the AI and robotics threats that are rewriting the rules of engagement in real time.
The Defense Department estimates 118,000 companies fall under CMMC Level 2. The overwhelming majority have never heard of security information and event management, or SIEM, technology, let alone budgeted for it.
Before a CMMC compliance assessor walks in the door, cybersecurity costs for a typical small or medium-sized business are about $60,000 to $100,000 per year — a SIEM subscription is $14,000 annually, and it costs $30,000 to implement and configure it — plus multi-factor authentication, endpoint detection and security hardening on top. Add a virtual chief information security officer at $70,000 a year — because none of these tools run themselves — and a company is looking at $200,000 to $300,000 in year one, and $110,000 to $145,000 every year after. The assessment fee is almost beside the point by then.
A company doing $3 million in defense revenue at a 7 percent margin clears $210,000 in profit. Year-one compliance takes every dollar of it. And it hits the contractor who has been implementing National Institute of Standards and Technology 800-171 controls for five years the same as the one who’s done nothing. There’s no credit for prior effort, no discount for good faith.
The U.S. defense industry has already shed numerous small business participants over the past decade. Without relief, CMMC accelerates the exodus. And the first ones out the door won’t be the weakest. They will be the most capable, the ones with commercial customers who don’t require a six-figure annual compliance tax.
This is the part that should alarm everyone, and doesn’t, because the lawmakers shaping this policy wouldn’t know an IP packet if they tripped over one. The CMMC Level 2 encryption mandates, the Rivest-Shamir-Adleman family of public-key cryptosystems and elliptic-curve algorithms over Transport Layer Security 1.2 will fold like a cheap lawn chair against a quantum computer. Algorithms that would take an army of supercomputers decades to crack will evaporate in minutes using superposition and quantum entanglement.
Here’s what makes it worse — nobody has to wait for quantum computers to arrive. Adversaries are vacuuming up encrypted traffic, VPN sessions and controlled unclassified information file transfers and storing them for the day decryption becomes trivial. Harvest now, decrypt later. It’s not theoretical. It’s operational.
NIST finalized post-quantum cryptography standards in 2024. The federal government has published a migration roadmap. CMMC ignores both. Small and medium businesses are bleeding out financially to implement encryption, and their adversaries are already stockpiling. That’s not a security mandate. It’s a very expensive illusion of one.
Meanwhile, AI-powered malware now rewrites its own attack signatures faster than defenses can respond. AI-generated phishing — personalized, convincing and relentless — accounts for the majority of attacks. And for defense manufacturers, AI-driven robotics has created an entirely new category of exposure that CMMC doesn’t address.
Computer numerical control machines and robotic assembly lines tied into corporate networks for efficiency carry attack surfaces that didn’t exist when NIST 800-171 was written. A compromised robotic system doesn’t just leak controlled unclassified information, it can embed manufacturing defects in weapons components that nobody finds until something fails in the field.
The fiscal year 2026 National Defense Authorization Act tells the Defense Department to fold AI security into CMMC, meaning this already unaffordable mandate will get heavier before most small businesses have finished choking down the current version.
For now, don’t abandon CMMC. Fix it. A tiered subsidy program, modeled on Defense Production Act investments, must deliver direct financial assistance to Level 2 subcontractors below defined revenue thresholds and subsidize assessment fees.
CMMC must adopt NIST’s post-quantum standards immediately, not eventually. And the Pentagon needs a real AI and operational technology security framework before it lands as another unfunded mandate on contractors already at the wall.
Phase 2 enforcement starts in November. Currently, small business owners are deciding whether to invest in compliance or walk away from the defense market for good. Every month that passes without relief, without a post-quantum roadmap, without an AI framework, without government subsidies, is a month this supply chain shrinks permanently.
Our adversaries have spent years trying to hollow out the U.S. defense industrial base. They couldn’t have designed a more effective weapon than a compliance mandate that does the job for them.”
ABOUT THE AUTHOR:
Pete Sfoglia served as regional practice leader for cybersecurity at Ernst and Young and as global head of cyber compliance at Wipro. He is now co-founder and CEO of Pistos Information Protection, an independent consulting practice focused on cybersecurity compliance for small and mid-sized businesses.