Although small businesses account for more than 70% of all DoD suppliers, many are discovering gaps in their CMMC readiness as enforcement approaches.

As the Cybersecurity Maturity Model Certification (CMMC) program moves forward with its phased rollout, a significant portion of the Department of Defense (DoD) supply chain is approaching a critical inflection point. Small businesses account for roughly 73% of the companies that support DoD programs, yet many of those suppliers remain far less prepared for formal cybersecurity assessments than they believe.

On the surface, many small and mid-sized manufacturers look highly advanced. CNC machines run around the clock. Advanced robotics operate autonomously. Production systems are tightly integrated to meet demanding tolerances and delivery schedules.

What often gets overlooked is how deeply connected these environments really are.

“For many manufacturers, when they think about cybersecurity, it’s the front-office computers,” says Michael Eaton, executive director of the Missouri Association of Manufacturers (MAM). “Owners think about accounting systems or email. They don’t always think about the shop floor machines tied to the internet.”

Since taking on the leadership role at MAM six years ago, Eaton has spent most of his time with his boots on the ground, visiting more than 330 manufacturing operations across Missouri. Those visits have given him a clear view of where small manufacturers inside the defense industrial base stand when measured against the scope of a CMMC assessment.

“The gap between where an owner might think they are and the reality of their situation is often significant,” Eaton adds. “No one is hitting the panic button just yet, but that might only be because they don’t fully realize the scope of what CMMC requires and then the timing of when you have to have it all completed.”


World-Class Production, Blind Spots in Digital Scope

For four consecutive years, manufacturing has been the most targeted industry for cyberattacks. According to IBM’s 2025 Threat Intelligence Index, attackers continue to focus on manufacturers because of the financial leverage, intellectual property, and operational disruption they can extract. In many cases, that exposure is tied to legacy systems and environments that were never designed with modern cyberattacks in mind.

This reality is one of the primary reasons the DoD moved forward with implementing CMMC, which officially rolled out in November 2025: to compel companies to meet contract requirements that have existed since at least December 2017. Sensitive defense information has been leaking through supply chains for years, often not through prime contractors, but through smaller suppliers with fewer resources, limited cybersecurity staff, and incomplete visibility into how data moves through their organizations.

CMMC is intended to close that gap. However, for many small and mid-sized manufacturers, the gap between intention and readiness is often far larger than they realize.

“Manufacturers are exceptionally good at solving tangible problems,” explains Eaton. “If something breaks on the shop floor, it gets fixed. If a process slows production, it gets reworked. Cybersecurity, on the other hand, is invisible. I once had an owner tell me, ‘My nephew dabbles in computers, so I let him handle all the IT stuff.’”

The Self-Assessment Hangover

For years, manufacturers were allowed to self-assess their cybersecurity posture under NIST 800-171. Many did exactly that, believing they were making reasonable efforts, without fully understanding the scope and documentation requirements, or how compliance would ultimately be validated and enforced by third-party certification assessments.

That misunderstanding is now colliding with enforcement.

As a St. Louis-based Registered Provider Organization (RPO) that works with manufacturers preparing for CMMC, we have conducted more than 60 gap assessments across small and mid-sized defense suppliers. On average, companies entered those assessments believing they were far closer to compliance than they actually were.

On average, an organization's evidence-based post-assessment score was 133 points lower than its self-assessed score.

The discrepancy is rarely tied to a single technical failure. More often, it stems from incomplete documentation, misunderstood control boundaries, or incorrect assumptions about what systems, processes, and data flows fall in or out of scope.

Most manufacturers are doing a lot of things right. The problem is they often do not realize how much is involved once you look at data flow, documentation and evidence, and how everything connects.

In practical terms, that realization often comes during a gap assessment, when an organization sees for the first time how many controls require formal policies, repeatable processes, and documented proof. What once felt like a manageable compliance task quickly becomes a cross-functional effort touching IT, operations, HR, leadership, and the shop floor.


When Readiness Becomes a Business Problem

For small manufacturing subcontractors whose defense work represents a significant portion of revenue, losing eligibility for new awards can force difficult decisions. Primes feel the impact as well. When suppliers fall out of compliance, prime contractors face critical schedule risk, sourcing delays, and the cost of qualifying new vendors. Supply chains become less stable precisely when resilience matters most.

One of the most persistent misconceptions among small manufacturers is that CMMC readiness can be handled internally, incrementally, and in their spare time.

In practice, demonstrating readiness as required can take six months or more, depending on how far along a manufacturer truly is. The work is not just technical. It involves defining system boundaries, mapping how data moves through the organization, creating policies that reflect reality, implementing controls consistently, and gathering evidence that proves those controls are working over time.

For many manufacturers, especially those starting well below required thresholds, the lift is substantial.

“This isn’t something you muscle through after hours,” Eaton explains. “Most owners are already spread thin. They don’t have the time or the internal resources to interpret what’s required, let alone to make sure it all gets completed and documented properly.”

This is where many manufacturers stall out. They know they need to act, but they are unsure where to start, what matters most, or how to avoid wasting time and money on the wrong fixes.

“My advice is always the same,” Eaton adds. “Don’t try to go it alone. What we do at MAM is connect our members with an RPO.”

The Role of a Guide and the Timing Risk

RPOs were fostered by the DoD to help companies prepare for CMMC. These organizations are accredited by the Cyber AB and conduct gap assessments, identify deficiencies, assist with remediation planning, and help manufacturers build the policies, install tools, and collect evidence required for an assessment.

“They meet manufacturers where they are and map a path to the finish line,” says Eaton. “That clarity is what our members need. They don’t need more noise. They need someone who understands manufacturing and understands CMMC.”

As program requirements begin to flow down for new contracts and modifications over the next three years, demand for readiness and assessment services is increasing. Once those requirements reach the primes, they cannot award contracts to subcontractors that have not already fully met the assessment requirements. Capacity to perform this work, however, is limited. Qualified expertise is finite, and assessment timelines are already beginning to compress.

Manufacturers that delay action risk finding themselves competing for limited resources just as compliance becomes a condition for new awards. For suppliers whose defense work represents the majority of their revenue, that timing risk is significant.

A Familiar Pattern and a Narrow Window

Manufacturers have faced moments like this before. New standards emerge. Expectations shift. The early adopters gain ground while others wait, assuming they have more time.

Once the problem becomes clear and tangible, manufacturers respond. The question now is whether clarity arrives early enough to act deliberately or only after contracts, schedules, and opportunities are already at risk, or have, for some, been lost.

CMMC is no longer a future consideration. It is a present reality, and readiness is quickly becoming a stark differentiator across the defense supply chain.
