
Why Small Defense Contractors Can’t Afford to Ignore CMMC

Many defense contractors across the supply chain are making the dangerous assumption that the Cybersecurity Maturity Model Certification (CMMC) mandate doesn’t apply to them.


Small Doesn’t Mean Exempt from CMMC

In most cases, it’s small and medium-sized businesses that believe they’re flying under the radar, that the government won’t assess a shop with 50 employees, or that CMMC is really just for the big primes like Lockheed Martin or Raytheon. Some have heard about the requirements but figure they have time to look into it later. Others genuinely don’t understand that the rules apply to their operations at all.

Ignoring CMMC could cost them their contracts. Learn more about the DFARS CMMC Final Rule.


CMMC Requirements Flow Down the Supply Chain

If you’re a contractor or subcontractor handling controlled unclassified information (CUI) as part of a contract with the Pentagon, CMMC requirements will apply to you. According to 32 CFR 170.23, those requirements flow down from prime contractors to their subcontractors based on the type of data being processed, stored, or transmitted on your information systems. It’s a regulatory requirement that determines whether you remain eligible to participate in defense contracting.


The Pentagon estimates over 118,000 companies will need CMMC Level 2 certification, and the vast majority of those aren’t primes. They’re the glass manufacturers producing windshields for fighter jets, the machine shops making precision components for weapons systems, the tire companies that supply wheels for tanks and armored vehicles. Many of them also do business outside of the defense industrial base (DIB): according to the 2025 State of the DIB Report, defense contracts represent 45% of contractors’ revenue on average. But the portion of their operations that serves the DIB is still in scope.


DIBCAC Assessments Can Happen Anytime

The Defense Contract Management Agency conducts random assessments of contractors’ compliance with cybersecurity requirements, and those audits don’t discriminate based on company size. A small operation with 30 employees handling CUI is just as likely to be selected for an audit as a larger contractor.


While major defense contractors have entire cybersecurity departments and significant resources to defend against threats, smaller operations often have limited IT infrastructure and security measures. That makes them attractive targets for adversaries looking for entry points into the defense supply chain.


The 2025 State of the DIB Report shows that while 69% of contractors claim DFARS compliance through self-assessment, only 30% have completed medium or high assessments that would validate their actual security posture. Waiting until a prime contractor demands proof of certification — or worse, until a government audit reveals gaps — will leave you scrambling.


A Real-World DIBCAC Audit Example: Kampi Components

When the Department of Defense (DOD) conducted an unexpected DIBCAC High Assessment at Kampi Components, the company faced immediate pressure to achieve full CMMC Level 2 compliance. The audit uncovered several gaps that required prompt remediation before Kampi could move forward with formal CMMC certification. Rather than scramble under pressure, Kampi partnered with CyberSheath, who quickly identified, prioritized, and closed the compliance gaps — strengthening the company’s cybersecurity posture and ultimately achieving CMMC Level 2 certification with a perfect 110 score.

Read the full case study to see how CyberSheath helped turn a surprise audit into a success story: Kampi Components Case Study


Since 2008, CyberSheath has helped Department of Defense (DOD) contractors and suppliers achieve, maintain, and prove compliance with DFARS, NIST 800-171, and CMMC 2.0. We deliver end-to-end managed compliance through our Assess, Implement, and Manage (AIM™) methodology, ensuring every customer remains audit-ready and eligible for DOD contracts.


Contact our team to understand your actual obligations and develop a plan that keeps you audit-ready and eligible for the contracts that sustain your business.