What CMMC Level 2 Really Demands

A first-hand account of lessons learned that apply to any company that's part of the defense supply chain.


For manufacturers in the defense supply chain, the next 18 months are going to be defining. Phase 2 of the Cybersecurity Maturity Model Certification, known as CMMC, is now underway, and the Department of Defense is steadily writing Level 2 requirements into new contracts involving Controlled Unclassified Information. 

Suppliers that cannot show third-party certification will be locked out of an expanding share of the work. Companies that wait will find that the certified-assessor capacity to help them is already fully stretched.

We went through our own CMMC Level 2 third-party assessment at IntelliGenesis earlier this year. Since we're a defense AI and cybersecurity company, you'd think this would be right in our wheelhouse. But even for us, the assessment threw us a few curveballs. 

What we learned applies to any company that's part of the defense supply chain.

The Hardest Part Was Not Technology

Going in, I expected our technical controls to be where we were tested. They were not. Where we struggled was in producing the documentation necessary to prove, beyond doubt, that our controls operate the way we claimed. By the time we were ready for the assessment, our team had created more than 50 process and policy documents. 

Our System Security Plan, the document that anchors the entire certification effort, grew to roughly 400 to 500 pages. Every other policy, procedure, and control referenced back to it.

If you're a manufacturer, this probably sounds familiar. You already have quality and safety systems in place on your shop floor. CMMC is asking for the same thing, but focused on how Controlled Unclassified Information moves through your company. 

Auditors aren't interested in what you say you'll do; they want to see proof. If you have a control that works in practice, but you can't show the documented procedure, who's responsible, how it's measured, and how often it's updated, it doesn't count.

We also underestimated how hard it would be to define exactly what CUI we held, where it lived, and how it moved between systems and people. The publicly available guidance is useful, but applying it inside an operating business with multiple programs, multiple customer relationships, and multiple data paths is not a one-afternoon exercise.

Bringing in an outside specialist to help map this proved to be one of the most valuable decisions we made. Our internal team and our assessor were both excellent. 

The Audit and What Comes After

I have managed several certification audits, including ISO 9001. The CMMC Level 2 third-party assessment is unlike anything that I have been through. It runs a full week. Most of it is conducted live. 

Our IT lead spent the week pulling up controls on screen and demonstrating, while the assessors watched, that the documentation we provided matched how the environment actually behaved. Because we are permitted to store CUI on premises, the assessors also conducted a physical walkthrough of our facility, including how we print, store, and dispose of sensitive material. If it cannot be demonstrated in real time, it does not count.

What was less obvious going in was that certification is not a finish line. It is the beginning of a new operating discipline. We now run daily, weekly, and monthly checks on our controls. Inventory is updated continuously. 

Any significant change to the environment goes through a formal change control process tied back to the System Security Plan. Three years from now we will be reassessed, and the way we have set up our operations means we will be ready, because we are running as if we are mid-assessment every day.

For manufacturers considering the cost of certification, that ongoing reality is the part that matters most. The audit week is the visible piece. The permanent operational shift is the actual work.

The Supply Chain Risk and What to Do Now

The conversation that gets too little attention is what CMMC is going to do to the wider supplier base. IntelliGenesis is a mid-sized company. We were able to commit a multi-disciplinary team for four months, engage outside expertise, and budget for a six-figure preparation cost. 

Many of the small contractors and machine shops that primes rely on cannot do that. They may have five, 10 or 20 people. They may have one person carrying IT, security, contracts and human resources at once.

If a good chunk of those suppliers can't make it over the Level 2 hurdle as it shows up in more contracts, the pool of eligible vendors is going to shrink. That's a problem for primes, for program offices, and for the resilience of the supply chains that support sensitive defense work. 

The policy makes sense, but making it work is going to be tough, especially for the small, specialized manufacturers that the defense mission really depends on.

If I were talking to another manufacturer right now, I'd start with three things. 

  • First, get your System Security Plan going as soon as possible and treat it as the backbone of the whole effort; everything else connects to it.
  • Second, bring in an experienced outside reviewer early, while you still have time to make changes.
  • Third, do a mock assessment well before the real one. The best thing we did was make every team member who said 'we do this' actually show us where the procedure was documented, how it was measured, and how often it was reviewed. That one exercise changed our whole preparation.

The Phase 2 deadline isn't moving. There are only so many certified assessors out there. Realistically, you need six to nine months to get ready. Four months is possible, but it's going to be rough. For manufacturers in the defense supply chain, cybersecurity maturity isn't a nice-to-have anymore, it's the price of staying in the game. 

The companies that get that now are going to be in a much better spot than the ones who wait.

Jeremiah Jensen is Chief Operating Officer of IntelliGenesis LLC, a veteran-led, woman-owned defense AI and cybersecurity firm headquartered in Columbia, Maryland. 
