The defense industrial base stands at a critical juncture following the December 2024 publication of the 32 CFR Final Rule for Cybersecurity Maturity Model Certification (CMMC) 2.0. This watershed moment marks the transition from planning to implementation for thousands of defense contractors and their suppliers. A comprehensive survey conducted by Kiteworks and Coalfire reveals significant gaps in preparedness, particularly in supply chain security—a vulnerability that puts both contractors and sensitive defense information at risk.
Current state of CMMC 2.0 preparedness
The research, which surveyed 209 organizations across the defense industrial base, uncovered striking disparities in readiness levels. Only 41% of organizations have completed a thorough gap analysis against NIST SP 800-171 requirements—a fundamental early step in CMMC 2.0 preparation. Another 37% report their gap analysis is currently in progress, while 16% have not yet started, and 6% are uncertain of their status.
Organization size plays a significant role in readiness. Large organizations (10,000+ employees) lead with 47% having completed gap analyses, compared to 40% for medium organizations (500 to 9,999 employees) and 38% for small organizations (under 500 employees). This disparity extends to documentation maturity, with 68% of large organizations reporting fully documented security policies versus 63% for medium and 58% for small organizations.
Most concerning, the research reveals that companies at different stages of assessment demonstrate dramatically different security implementations. Organizations with completed gap analyses are significantly more likely to have fully documented policies (73% versus 28% for those that haven't started) and follow verified encryption standards (77% versus 42%).
Supply chain security: The critical vulnerability
Supply chain security emerges as perhaps the most significant vulnerability in CMMC 2.0 readiness. While 66% of organizations report having advanced controls for third-party CUI access, 29% acknowledge having only partial visibility and control—a critical gap in an interconnected defense supply chain.
The research identified a direct connection between documentation maturity and third-party security. Organizations with fully documented policies are 34% more likely to implement advanced third-party access controls than those with partial documentation (75% versus 56%). Even more alarming, organizations with minimal documentation are 30 times more likely to report inconsistent encryption of controlled unclassified information.
Industry differences prove noteworthy, with defense manufacturers leading in advanced security controls (73%) compared to professional services firms (68%) and technology/software companies (63%). This pattern suggests greater awareness of supply chain risks among organizations with established defense manufacturing experience.
The survey found that supply chain complexity correlates strongly with security control implementation. Organizations reporting more than 50 suppliers handling CUI demonstrate substantially higher rates of advanced access controls (79%) compared to those with fewer than 10 suppliers (58%). This indicates that organizations facing greater supply chain complexity recognize the heightened risk and invest accordingly in more sophisticated security mechanisms.
Key challenges in achieving CMMC 2.0 compliance
Resource constraints dominate the compliance landscape, with 36% of respondents identifying budgetary limitations as their greatest challenge. Technical complexity follows at 31%, with scope complexity (12%), executive buy-in (11%), and understanding requirements (10%) rounding out the top concerns.
Budget allocation patterns reflect organizational size disparities. Large organizations lead with 62% reporting approved budgets with dedicated teams, compared to just 38% for medium organizations and 23% for small organizations. This resource gap threatens to create a two-tiered defense industrial base where smaller suppliers struggle to meet compliance requirements.
The research reveals a clear evolution of challenges as organizations progress in their compliance journey. Early-stage challenges center on technical understanding and basic control implementation. Mid-stage challenges shift to resource allocation and systematic documentation. Advanced-stage challenges involve scope definition, partner management, and continuous monitoring—requiring different strategies at each phase.
Interestingly, organizations identifying technical complexity as their primary challenge projected longer compliance timelines, with 67% anticipating certification within 12 to 24 months of the final rule. In contrast, those citing budget constraints showed more aggressive timelines, with 41% planning certification within 6 to 12 months—suggesting that technical understanding, rather than resource availability alone, may be the determining factor in compliance velocity.
Effective strategies for strengthening defense supply chain security
The research identifies several best practices for enhancing supply chain security:
1. Begin with thorough gap analysis. Organizations that completed comprehensive assessments against all 110 NIST SP 800-171 controls demonstrate drastically better security outcomes. This foundation helps identify vulnerabilities requiring immediate attention and drives structured remediation efforts.
2. Engage specialized expertise. External partner engagement correlates strongly with compliance readiness. Organizations working with experienced partners were significantly more likely to report following verified encryption standards (84%) compared to those handling compliance in-house (61%). Medium-sized organizations lead in this approach, with 50% engaging specialized partners.
3. Implement advanced governance tracking for CUI access. Organizations with advanced third-party access controls consistently demonstrate stronger security posture across all dimensions. These organizations are nearly three times more likely to have formal vendor management programs (77% versus 31% for those with partial controls).
4. Develop comprehensive data protection layers. Organizations following documented encryption standards achieve significantly better security across multiple dimensions. These organizations are three times more likely to have fully documented policies and detailed Plans of Action and Milestones compared to those with encryption gaps.
5. Address supply chain complexity systematically. The research shows 29% of organizations have incomplete visibility over third-party CUI access. Implementing zero-trust architectures that maintain security while enabling necessary information sharing addresses this critical vulnerability.
Building a secure defense supply chain
For the defense industrial base, CMMC 2.0 compliance isn’t merely a regulatory hurdle—it’s a business imperative that requires a fundamental shift in how organizations approach supply chain security. The disparities revealed in this research highlight both challenges and opportunities.
Organizations that invest early in thorough assessment, comprehensive documentation, and appropriate external expertise significantly enhance their ability to achieve and maintain compliance while improving their overall security posture. As implementation deadlines approach, these proactive measures will distinguish successful defense contractors from those left behind.
The research makes clear that securing the defense supply chain requires evolving strategies as organizations mature their security practices. By focusing on the most impactful areas—third-party access controls, documented encryption standards, and formal vendor management—defense contractors can strengthen not only their own security posture but the resilience of the entire defense industrial base.
About the author

Frank Balonis is chief information security officer and senior VP of operations and support at Kiteworks, with more than 20 years of experience in IT support and services. Since joining Kiteworks in 2003, Balonis has overseen technical support, customer success, corporate IT, security, and compliance, collaborating with product and engineering teams. He holds a Certified Information Systems Security Professional (CISSP) certification and served in the U.S. Navy.