
Background
- The U.S. Department of Defense finalized its Cybersecurity Maturity Model Certification (CMMC) rule, amending the Defense Federal Acquisition Regulation Supplement (DFARS)
- The rule takes effect November 9, 2025, and will roll out across defense contracts over the next three years
- CMMC compliance protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from cyber threats
- Contractors must achieve CMMC Levels 1 to 3 based on the sensitivity of information handled
- Nearly 230,000 small businesses will be impacted
- Compliance will require self-assessments, certification, and ongoing reporting in the Supplier Performance Risk System (SPRS)
Of all respondents surveyed:
- 44% of organizations haven’t implemented end-to-end encryption – a foundational CMMC requirement
- 42% lack visibility into third-party ecosystems, creating blind spots for CUI flowing through supply chains
Artificial intelligence (AI) introduces new compliance risks:
- 64% track AI usage
- 17% have governance frameworks in place
- 65% still rely on manual governance workflows, limiting auditability and increasing exposure to errors
Survey respondents pursuing CMMC 2.0 Level 2:
- 38% institute governance control & tracking
- 95% routinely track at least one effectiveness metric
- 22% put security requirements in supplier contracts
- 48% run regular supplier audits
- 12% engage consultants