SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Manufacturers face CMMC readiness gap in defence chain

Fri, 27th Mar 2026

Small and mid-sized manufacturers in the US defence supply chain are falling behind on Cybersecurity Maturity Model Certification readiness, and industry figures say many still do not understand how far they are from meeting the standard.

The gap is becoming more urgent as CMMC requirements begin to affect Department of Defence contracts and subcontractors, increasing pressure on smaller suppliers to show they can protect sensitive defence information.

Small businesses make up about 73% of companies that support DoD programmes, according to the article, yet many remain unprepared for formal cybersecurity assessments. The problem is especially acute in manufacturing, the most targeted industry for cyberattacks for four straight years.

Michael Eaton, Executive Director of the Missouri Association of Manufacturers, said many owners focus on office systems while overlooking internet-connected production equipment.

"For many manufacturers, when they think about cybersecurity, it's the front-office computers," Eaton said. "Owners think about accounting systems or email. They don't always think about the shop floor machines tied to the internet."

After visiting more than 330 manufacturing operations across Missouri over six years, Eaton said he has seen firsthand how smaller manufacturers measure up against the demands of a CMMC assessment.

"The gap between where an owner might think they are and the reality of their situation is often significant," he said. "No one is hitting the panic button just yet, but that might only be because they don't fully realise the scope of what CMMC requires and the timing of when it all has to be completed."

Readiness gap

The problem is usually not a single missing security tool. More often, it stems from weak documentation, a poor understanding of system boundaries, and confusion over which machines, processes, and data flows fall within the scope of an assessment.

Manufacturers often appear technically sophisticated on the factory floor, with CNC machines, robotics and integrated production lines. Yet those same environments can include legacy systems and connected equipment not designed to withstand current cyber threats.

This mismatch helps explain why firms that consider themselves reasonably prepared can perform badly when their controls are reviewed against evidence. SSE, a Registered Provider Organisation that advises manufacturers on CMMC preparation, has carried out more than 60 gap assessments across small and mid-sized defence suppliers.

"The difference between an organisation's self-assessed score and its evidence-based post-assessment score averaged negative 133 points," said Bob Duffy, Chief Operating Officer of SSE.

That points to a wider weakness in the legacy self-assessment approach under NIST 800-171. Many manufacturers believed they were making reasonable progress, but had not fully understood the level of documentation and proof required when compliance is tested by an external assessor.

"Most manufacturers are doing a lot of the right things," Duffy said. "The problem is they don't realise how much is involved once you look at data flow, documentation and evidence, and how everything connects."

Business impact

The risks extend beyond cybersecurity teams. For subcontractors that rely heavily on defence work, failure to qualify for new awards could quickly become a business problem. Prime contractors also face disruption if suppliers cannot meet contract requirements, forcing delays or a search for alternative vendors.

Preparing for an assessment can take six months or more, depending on a company's starting point. The work can include defining system boundaries, tracing how data moves through the business, writing policies, applying controls consistently and collecting evidence over time.

Eaton said smaller firms often underestimate the management effort involved.

"Manufacturers are exceptionally good at solving tangible problems," he said. "If something breaks on the shop floor, it gets fixed. If a process slows production, it gets reworked. Cybersecurity, on the other hand, is invisible. I once had an owner tell me, 'My nephew dabbles in computers, so I let him handle all the IT stuff.'"

Many owners also lack the internal resources to manage compliance work alongside daily operations, he added.

"This isn't something you muscle through after hours," Eaton said. "Most owners are already spread thin. They don't have the time or the internal resources to interpret what's required, let alone to make sure it all gets completed and documented properly."

Limited capacity

Registered Provider Organisations are meant to help companies prepare for CMMC by conducting gap assessments, identifying deficiencies and supporting remediation plans. As more defence contracts begin to include these requirements, demand for that help is rising while the supply of qualified specialists remains limited.

Eaton said manufacturers need practical guidance rather than general advice.

"My advice is always the same," he said. "Don't try to go it alone. What we do at MAM is connect our members with an RPO."

He said that support is especially important for firms trying to navigate both manufacturing environments and CMMC rules.

"They meet manufacturers where they are and map a path to the finish line," Eaton said. "That clarity is what our members need. They don't need more noise. They need someone who understands manufacturing and understands CMMC."