Failing To Meet CMMC Requirements Can Expose Supply Chain Vulnerabilities
- Ken Larson
- Sep 25

“WASHINGTON TECHNOLOGY” By Aron Freitag
“CMMC is not the holy grail of supply chain risk management, but it is one of the most effective tools for validating that information security vulnerabilities are being addressed.”
_______________________________________________________________________________
“Last year, attacks on the software supply chain occurred at a rate of at least one every two days.
That’s not just an alarming statistic; it’s a wake-up call.
One-third of those attacks targeted U.S. companies and IT providers, with many aimed squarely at the defense industrial base. Our adversaries have figured out that the fastest way to compromise national security isn’t always through direct attacks on prime contractors; it’s by targeting the weak links in their supply chains, and it’s happening on a consistent basis.
That’s where the Cybersecurity Maturity Model Certification (CMMC) comes in.
In recent years, CMMC, NIST standards, and concepts like Zero Trust have come to the forefront of the Department of Defense’s strategic plans. To that end, there are multiple federal organizations and support activities specifically tasked to support the DIB. The National Security Agency and Department of Defense agencies like the Defense Logistics Agency, CISA, DCSA, and the DOD Cyber Crime Center work as partners to provide many security services, regional outreach offices, and many free security services for DIB companies.
Now, let me be clear: CMMC is not the holy grail of supply chain risk management, but it is one of the most effective tools for validating that information security vulnerabilities are being addressed. If we want to meaningfully protect sensitive data like controlled unclassified information (CUI), we must make sure that the NIST 800-171 and DFARS requirements that CMMC validates are not only implemented but flowed down and enforced at every tier of the supply chain.
Why “Flow Down” Isn’t Optional
When a prime receives a DOD contract, that contract includes specific cybersecurity obligations, but those requirements don’t end with the prime. If any subcontractor, or subcontractor of a subcontractor, at any level, processes, stores, or transmits federal contract information (FCI) or CUI, they’re required to meet the same standards. That’s what “flow down” means.
Flow down must be written into the subcontract language to ensure visibility and acknowledgement of the contractual obligations that subcontractors are agreeing to. If that language is missing or not enforced, the entire supply chain is vulnerable and allows for potential legal loopholes. Adversaries are looking for the weakest link within the security chain. They’re not wasting time trying to breach a hardened prime contractor when they can quietly exploit a small supplier with minimal defenses.
The Role of CUI in Today’s Threat Landscape
CUI isn’t classified, but that doesn’t mean it’s not valuable. It includes many types of information including technical CAD drawings, engineering specs, logistical plans, portions of software code, and support documentation. It’s sensitive information that, in the wrong hands, can provide our adversaries with a strategic advantage or novel intellectual property.
When we protect CUI, we force attackers to work harder. If they have to burn valuable resources just to get their hands on something useful, they may decide it isn’t worth their time. That’s the security posture we should all be aiming for, making attacks cost-prohibitive for the adversary.
But that posture only works if everyone handling CUI plays by the same rules. And that’s exactly why CMMC flow-down is critical.
The Hidden Risk of Noncompliance
When flow-down doesn’t happen or is poorly implemented, the consequences are real and go far beyond noncompliance. We’ve seen repeated instances where attackers gained access to sensitive government data through small contractors that weren’t held to the same security standards. That’s not a hypothetical threat; it’s a recurring example of a threat vector.
If a subcontractor drops the ball, it’s not just their problem. It affects the prime. It affects the program. It affects national security.
What We Need to Do
We’ve come a long way with CMMC, but now’s the time to get serious about implementation, especially for primes. Here are a few recommendations:
- Verify your SPRS scores are real. Self-assessments should reflect the current, actual state of your environment.
- Flow down requirements to all subs. This includes DFARS 252.204-7012 and, where applicable, full NIST SP 800-171 compliance.
- Support your subcontractors. Cybersecurity is a team sport, and many small businesses need guidance. Help them understand and meet their obligations.
- Validate control implementation. Don’t assume compliance, check for it. Ask for evidence, especially when CUI is involved.
CMMC was never about checking boxes. It’s about validating the protection of the data that keeps our warfighters safe and our missions on track. If we neglect to flow down those protections, we’re not just missing a requirement. We’re actively weakening the very supply chain we rely on.
Our adversaries aren’t waiting for us to get this right. Let’s not make it easy for them.”
ABOUT THE AUTHOR:

Aron Freitag is a Lead CMMC Certified Assessor and CMMC consultant with Redspin.