For organizations working with primes like Lockheed Martin or Boeing, frameworks such as CMMC, DFARS and ITAR aren’t optional checkboxes. They are the price of entry.
Yet despite years of warnings, much of the industry still treats compliance as a looming obligation rather than a strategic opportunity.
In the latest episode of Trust Issues, Nicholas Bakewell, Director of Information Security at Acuris Aerospace, reveals why that mindset is not just outdated but dangerous. Here are the key takeaways from their conversation.
Listen to the full episode for the full story:
Apple: https://be.thetrustissuespod.com/lt0
Spotify: https://be.thetrustissuespod.com/o8m
“Getting Ready Later” is an Illusion
A striking divide exists across the defense industrial base (DIB) today. On one end, organizations are proactively investing in cybersecurity maturity and preparing for CMMC Level 2 and beyond; on the other are those waiting, either for clearer contract language or in the hope that requirements will be delayed or softened. While this hesitation is understandable, it is misguided.
As highlighted in the discussion, many companies rely on a technicality: “There’s no CUI in our environment yet,” shares Nicholas. But that assumption often stems from inconsistent marking of controlled unclassified information (CUI), not from reality. Once CUI designation becomes standardized, those same organizations could find themselves instantly noncompliant (and locked out of contracts overnight).
Compliance Isn’t the Starting Point
One of the more uncomfortable truths that Nicholas raises in the conversation is that CMMC doesn’t introduce new requirements; it enforces existing ones.
DFARS 7012 has required contractors to implement NIST 800-171 controls since 2017. For years, organizations self-attested to compliance, often without fully implementing those controls. CMMC simply replaces trust with verification.
This shift is forcing a long-overdue reckoning: the cost many companies now associate with “becoming compliant” is actually the cost of catching up.
There is No One Right Way
A common misconception about CMMC is that it prescribes a fixed path to compliance. In reality, the framework isn’t prescriptive; it is intentionally flexible. When assessors enter the room, they evaluate whether security objectives are met, not whether a specific tool or method is used. This introduces a critical dynamic: narrative matters.
Organizations that succeed are those that can clearly articulate how their controls meet the intent of each requirement. It’s not about ticking boxes; it’s about telling a coherent, defensible story supported by evidence. This also explains why expertise from the “other side of the table,” that is, understanding how assessors think, can be a decisive advantage.
Network Complexity is a Real Threat
While tools and frameworks dominate the conversation, Nicholas points to one of the most overlooked risks in the game: architectural complexity.
Many DIB organizations have grown through mergers and acquisitions, resulting in fragmented systems and inconsistent security practices. Layering further tools onto this complexity often creates more gaps, not fewer.
Nicholas’ preferred approach is simplicity.
By consolidating around integrated ecosystems, such as leveraging native capabilities within a single platform, organizations can reduce overhead, improve visibility and strengthen security outcomes. As the transcript illustrates, many compliance requirements can be met and continuously validated through capabilities already available within existing environments.
The lesson is clear: security maturity isn’t about how many tools you have. It’s about how well you use them.
Compliance vs. Security isn’t a Real Debate
“Compliance doesn’t equal security” has become a common refrain, and while it may be technically true, it misses the point. Frameworks like CMMC define a baseline: a minimum standard for protecting sensitive information. They are not meant to represent the ceiling of security maturity.
However, dismissing compliance as irrelevant ignores the reality that these controls are grounded in real-world threat intelligence. When mapped against frameworks like MITRE ATT&CK, they directly address known attack vectors and adversary behaviors.
In other words, compliance may not guarantee security but it most definitely raises the floor.
The Market WILL Adjust
As CMMC enforcement scales, disruption across the DIB is inevitable: some organizations will exit the market, while others will consolidate capabilities or invest heavily to meet requirements.
As Nicholas reminds us, for those who act early this creates opportunity.
Fewer compliant suppliers mean increased demand, stronger negotiating power and a competitive edge. For those who delay, the risk is far more existential: loss of contracts, strained relationships with primes and potential exclusion from the supply chain altogether.
Where Should You Start?
Start where it matters most: data.
As Nicholas reveals, for organizations just beginning their journey, the first step isn’t buying tools or engaging auditors. It’s understanding data. Where does controlled information exist? How does it flow through your systems? Who touches it and where does it reside?
Compliance follows the data, and without a clear map, every other effort is guesswork.
The Bottom Line
Cybersecurity in the defense sector is entering a new phase that is defined, first and foremost, by accountability.
The organizations that will thrive are those that move beyond viewing compliance as a burden and start treating it as a capability. Because in the modern DIB, security isn’t just about passing an audit. It’s about staying in the game for the long haul.
FAQs:
1. What is CMMC, and why is it important?
CMMC (Cybersecurity Maturity Model Certification) is a cybersecurity framework required for companies working with the U.S. Department of Defense. It ensures organizations properly protect sensitive government data.
2. Do small businesses need to comply with CMMC?
Yes. Many small and mid-sized businesses in the defense supply chain must comply even if they only provide materials, software, or services indirectly to government contractors.
3. How long does it take to become CMMC compliant?
For most companies, preparation can take 12–18 months depending on existing security practices and readiness before the formal audit process.
4. Can companies self-attest for CMMC compliance?
Only partially. Level 1 allows self-attestation, but Level 2 requires a third-party audit to achieve full certification.
5. Is compliance finished once you pass the CMMC audit?
Contrary to popular belief, no. Companies must maintain ongoing security practices, perform regular reviews and complete periodic reassessments to keep their certification.
6. Why do many companies struggle with CMMC compliance?
Many underestimate the effort involved and treat it as a checklist rather than a company-wide security initiative that requires continuous monitoring and documentation.