
The defense industry extends far beyond the sophisticated machinery showcased at prestigious international exhibitions such as Le Bourget, Farnborough, ILA, Eurosatory, or DSEI. Every weapon system comprises a myriad of intricate components, supported by an extensive network of suppliers ranging from specialized firms to internationally renowned corporations.
These suppliers, tasked with the design and manufacture of military-grade components, must not only adhere to rigorous product-specific standards but also ensure comprehensive compliance with the multifaceted regulations governing the global defense sector.
Globalization has enabled a significant number of these suppliers to provision the United States Armed Forces, provided they satisfy stringent legal prerequisites, among which cybersecurity has emerged as a paramount requirement.
To this end, the U.S. Department of Defense endeavor to safeguard sensitive information across its entire supply chain and within defense contracts. Consequently, approximately 200,000 companies worldwide are now required to attain the Cybersecurity Maturity Model Certification (CMMC). While implementation is phased, the definitive deadline is November 2028, at which point certification will become mandatory for all applicable contracts.
Background
In 2002, the Federal Information Security Management Act mandated that every U.S. federal agency develop, document, and implement a comprehensive program to ensure the integrity and security of information and computing systems.
Simultaneously, the Cybersecurity Research and Development Act of 2002 authorized vital funding for the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST). This legislation fostered new initiatives and bolstered support for computer and network security (CNS) research, laying the groundwork for the security requirements now encapsulated within the CMMC framework.
The fundamental purpose of the CMMC is to verify that the information systems employed by U.S. Department of Defense contractors to process, transmit, or store sensitive data comply with rigorous security protocols. The objective is to ensure the robust protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) handled by partners and suppliers.
The implementation of the CMMC is currently in progress. The transition commenced on November 10, 2025, with preliminary self-assessment requirements, followed by additional mandates scheduled for November 2026, and progressively more stringent controls in 2027. The final phase will culminate on November 10, 2028. For many organizations, this represents a critical countdown rather than a theoretical exercise; delaying preparations will inevitably increase the complexity and cost of addressing cybersecurity gaps and achieving formal validation.

The latest developments in the CMMC
The CMMC, designed to protect sensitive data within the U.S. government’s supply chain, encompasses direct contractors, subcontractors, and European entities operating across defense, aerospace, engineering, software, and communications sectors.
The specific requirements are dictated by the nature of the information handled. The framework distinguishes between Federal Contract Information (FCI)—non-public data provided by or generated for the government—and Controlled Unclassified Information (CUI), which is unclassified yet sensitive data requiring specialized protection.
In practice, FCI typically represents the foundational level of contractual data, whereas CUI is significantly more sensitive, necessitating more rigorous security measures. Within the CMMC framework, FCI is generally associated with Level 1, while CUI corresponds to Levels 2 or 3. Depending on the assigned level, companies must undergo either a rigorous self-assessment or an independent external audit.
Three levels of requirements
Level 1 constitutes the foundational tier, targeting organizations that manage FCI through basic cybersecurity controls and mandatory self-assessments.
Level 2 is expected to be the most prevalent standard, applying to entities that process, store, or transmit CUI; requirements at this level range from self-assessments to comprehensive third-party reviews.
Level 3 represents the highest echelon of security, reserved for the most sensitive environments and necessitating mandatory government-led external evaluations.
For the industry at large, the challenges are as much economic as they are technical. Implementation costs vary based on organizational size, existing cybersecurity maturity, and the scope of required remediation, including the necessary investment for third-party certification where mandated.
Implementation costs
This financial burden positions certification as both a formidable barrier to entry for Small and Medium-sized Enterprise (SMEs) and a prerequisite for commercial viability. Failure to achieve compliance risks the loss of existing contracts, renewals, and future tender opportunities, thereby impacting industrial competitiveness and the continuity of the global defense supply chain.
Under this new framework, an estimated €28 billion in contracts held by Spanish firms linked to U.S. defense programs could be at risk. When extrapolated across the European Union, the economic implications are profound.
Implementation timeline
The rollout of the CMMC is steadily advancing. Having commenced in late 2025 with initial self-assessments, the timeline progresses through 2026 and 2027 toward increasingly rigorous oversight, concluding in late 2028. Many firms are now navigating a definitive timeline where early preparation is essential to mitigating the high costs and logistical complexities of securing sensitive data and documenting compliance.
Industry stakeholders have voiced concerns regarding the paucity of centralized official communications and the accelerated implementation schedule. The sheer volume of affected enterprises places a significant burden on Certified Third-Party Assessment Organizations (C3PAOs), raising questions about the feasibility of the proposed deadlines.
The European industry’s position
The impact on the European Union is especially acute given its robust base of SMEs that are deeply integrated into defense, technology, and aerospace supply chains.
While the Pentagon’s new mandates may catalyze cybersecurity investment, they also serve as a filter, favoring suppliers with established maturity standards. Strategically, market access for European firms operating in the United States will be increasingly defined by the ability to achieve timely CMMC certification, transforming a regulatory requirement into a critical competitive advantage.