There's a version of the CMMC conversation that most of the Defense Industrial Base has been having. It goes something like: What phase are we in? Do I need a C3PAO assessment or can I self-attest? When does my contract actually require certification?
These are legitimate questions. But they are missing the true purpose of CMMC.
At the Secureframe National Cybersecurity Summit, three of the most senior figures in defense cybersecurity policy took the stage. They had different roles in the government and now in the private sector, and they made different points. But they shared one message that every DIB organization needs to hear.
The enforcement pressure building around CMMC isn't about contract eligibility. It's about the fact that adversaries are actively inside the defense supply chain, stealing the intellectual property and technical data that defines American military superiority, and the DIB has been too slow to respond.
CMMC enforcement is how the government is making the DIB take that threat seriously. But certification is not the point in itself.
Below we recap what each of them said to help you understand why you need to prioritize CMMC as soon as possible, not just ahead of the next compliance deadline.
Katie Arrington: "This is not a compliance issue."
Asked when organizations should have gotten CMMC compliant, Katie Arrington didn't point to Phase 2. She didn't point to Phase 1. She said: "About a year ago or, I don't know, 2017 when it was required by law."
Arrington helped develop CMMC from inside the DoD and now implements it from the other side as CIO of IonQ, a DIB vendor. On both sides of enforcement, she has remained a strong and impatient advocate.
Her argument is that organizations that are still treating CMMC as a compliance checkbox have fundamentally misunderstood the program since its development back in 2019. "What the government is using it for is an insurance policy that you have the right cybersecurity culture and posture," she said at the Secureframe National Cybersecurity Summit 2026. "It's not a checklist. It never was a checklist."
She returned to an example she's used before: the F-35. A classified program unknown to the public for years. Within six months of its public reveal, China launched a jet with a strikingly similar canopy design. The question she posed is not rhetorical: "Do you think the prime leaked that information, or do you think a sub that didn't have proper markings on the data got infiltrated and they picked it from there?"
Her point is that adversaries don't target primes. They target the suppliers who handle the same Controlled Unclassified Information (CUI) with a fraction of the security posture. "They're there. They may not have made themselves aware to you, but they're there and waiting for an opportune moment."
For organizations that still think they're too small or too specialized to be worth targeting, Arrington offered no comfort: "We're almost like ostriches burying our heads in the sand going, 'Oh, it won't happen to me.' It absolutely is going to happen to you. It's just a matter of time."
The stakes of CMMC are therefore much higher than most organizations realize. They are existential—both for individual businesses and for the service members those businesses ultimately support.
"We are all one team, one fight. We are all here to support the warfighter," she said. "So why aren't you, as a company, taking this seriously, going and getting an audit, finding out where your gaps are, and filling them for business resiliency?"
"If you're not doing this, then you don't plan on being in business with the government for long or in business, period, in my opinion."
What this means for the DIB: The DoD's CMMC implementation timeline is not the source of urgency and should not be the catalyst for organizations' readiness efforts. The threat environment is the urgency and the catalyst. CMMC is just the mechanism the government is using to try to fill cybersecurity gaps that have existed at all tiers in the defense supply chain since 2017, when DFARS 7012 went into effect.
Stacy Bostjanick: "CMMC is just the bare minimum."
Stacy Bostjanick spent years as the DoD's Chief of Defense Industrial Base Cybersecurity, guiding CMMC through two iterations to the final program the DIB is navigating today. She knows the objections (cost, timeline, assessor availability) because she fielded them inside the building where the program was built. Her response to most of them is the same: there are solutions that organizations are already using to overcome these objections and achieve certification.
"There's been over 1,000 organizations Level 2 certified, and roughly 50% are SMBs. So they're doing it and have been able to afford it," she said at the Summit.
But the deeper point Bostjanick made is about the purpose of the program itself, and why calling it a certification misses what the DoD is actually trying to accomplish.
CMMC's assessment requirements were created because too many DIB organizations were gaming the existing self-attestation system under DFARS 7012. Bostjanick cited a contractor discovered to have a Plan of Action & Milestones that wouldn't have brought them into compliance until 2099. The foundational purpose of adding third-party assessment wasn't punishment. It was accountability: making the opportunity cost of stealing sensitive defense information high enough to meaningfully deter adversaries.
"NIST 800-171 is the ground floor of what you need to do," she said. "We called CMMC a maturity model because we want organizations to mature and grow and anticipate the next hack capability and improve as they go. This isn't a one-and-done slap on the table."
In other words, passing a CMMC Level 2 assessment is not the end goal. The end goal is a DIB that can actually protect sensitive defense information from continuously evolving threats. Certification is the floor the DoD is demanding, not the ceiling organizations should be aiming for.
Her biggest takeaway: "Now is the time for us to step up and get cybersecurity requirements in place for our intellectual property and information to be secure."
What this means for the DIB: Organizations focused on passing their assessment are asking the right first question but stopping too early. The program exists to build cybersecurity maturity across the supply chain, not to generate certificates. The organizations that will be best positioned as enforcement tightens are the ones that internalized that distinction.
Rob Joyce: "The adversary is already inside."
Rob Joyce spent 34 years at the NSA, eventually leading the Cybersecurity Directorate responsible for publicly attributing nation-state cyber campaigns. He has spent his career in rooms where he had full visibility into what adversaries are capable of. His message at the Summit was a deliberate attempt to share just enough of that capability to shake people out of complacency.
The threat is not hypothetical and it is not equally distributed. A significant share of DIB suppliers with no dedicated security person, a managed antivirus product, and an MSP that checks in monthly are handling the same CUI as primes with 24/7 SOCs and full threat intelligence teams. "The adversary has read the supply chain map," Joyce said. "They know where the soft targets are."
Those soft targets are being actively exploited right now by groups that most DIB suppliers have probably heard of but may not have internalized as threats to their specific business. Volt Typhoon and Salt Typhoon, for example, have positioned themselves inside U.S. critical infrastructure and defense networks not to exfiltrate data immediately, but to lie in wait. The goal of these supply chain attacks is pre-positioning: establishing access that can be activated when a conflict scenario makes that access strategically valuable.
The DIB must limit that access, but this is more challenging than ever due to AI. In today’s AI threat model, the cost of conducting sophisticated cyber attacks is collapsing at the same time as the scale and autonomy of those attacks is expanding.
In other words, the gap between AI-enabled attackers and compliance-first defenders is growing. Defenders need to embrace AI to keep up, and start treating compliance as the floor and continuous protection as the ceiling.
"CMMC is not paperwork. It's operational discipline," he explained. Continuous control monitoring, evidence collection, and drift detection, among other requirements for CMMC compliance, must be automated.
Those still taking a manual approach have missed his biggest takeaway: "The adversary is running an AI speed campaign. Your defense can't move at manual audit speed."
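As an added illustration of the automated drift detection Joyce is describing, here is example code written for this recap (not Secureframe's product and not something the speakers showed). The control numbers are NIST SP 800-171 practice IDs; the mapping of configuration settings to controls and the two system snapshots are assumptions constructed for the example.

```python
"""Continuous control monitoring: compare observed system state to an approved baseline.

Added example for this recap, not Secureframe's code. Control IDs are NIST SP 800-171
practice numbers; the setting-to-control mapping is illustrative, not an official crosswalk.
"""
from __future__ import annotations
from dataclasses import dataclass

# Approved baseline: the configuration each assessed control depends on.
# A plain value means "must equal"; ("min", n) / ("max", n) are thresholds.
BASELINE = {
    "3.5.3": {"mfa_required": True},                     # MFA for network access
    "3.3.1": {"audit_logging": True, "log_retention_days": ("min", 90)},
    "3.1.10": {"session_lock_minutes": ("max", 15)},     # session lock timeout
    "3.13.11": {"fips_mode": True},                      # FIPS-validated crypto
}

@dataclass(frozen=True)
class Drift:
    control: str
    setting: str
    expected: object
    observed: object   # None means the setting was absent from the evidence

def _compliant(expected, actual) -> bool:
    """Evaluate one setting against its baseline rule; missing evidence never passes."""
    if isinstance(expected, tuple):
        op, limit = expected
        if actual is None:
            return False
        return actual >= limit if op == "min" else actual <= limit
    return actual == expected

def detect_drift(baseline: dict, observed: dict) -> list[Drift]:
    """Return every setting whose observed value no longer satisfies the baseline."""
    findings = []
    for control, settings in baseline.items():
        for key, expected in settings.items():
            actual = observed.get(key)
            if not _compliant(expected, actual):
                findings.append(Drift(control, key, expected, actual))
    return findings

def controls_at_risk(findings: list[Drift]) -> list[str]:
    """Distinct controls whose evidence drifted, for the monitoring report."""
    return sorted({f.control for f in findings})

# Constructed snapshots: state at assessment time, and 30 days later after admin changes.
SNAPSHOT_ASSESSED = {"mfa_required": True, "audit_logging": True, "log_retention_days": 90,
                     "session_lock_minutes": 15, "fips_mode": True}
SNAPSHOT_DAY30 = dict(SNAPSHOT_ASSESSED, mfa_required=False, log_retention_days=30)
```

Run on a schedule against real evidence collectors, the same comparison surfaces the gap between a passed assessment and the current state of the system.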
What this means for the DIB: The justification for CMMC is not abstract. Named adversaries are actively targeting the defense supply chain. The question for every DIB organization is not whether they are a target but whether they are an easy one. Those treating CMMC as a point-in-time assessment every three years are easy.
The real stakes of CMMC enforcement today
The conversation around CMMC enforcement is still primarily about deadlines and contracts. Those things are real and consequential, but they are only one part of the story.
The reason the Pentagon is enforcing CMMC is not to take away contracts from DIB organizations that aren’t “following their rules.” It's because the alternative—a defense supply chain of organizations that continue to handle CUI on the honor system while nation-state adversaries attack the most vulnerable—is a national security risk that’s actively being exploited. CMMC enforcement is how the DoD is attempting to reduce that risk.