In December 2025, a precision machining subcontractor in Illinois agreed to pay $421,000 to the federal government to resolve allegations that it had falsely certified cybersecurity compliance on contracts involving technical drawings flowed down from defense prime contractors. The case originated as a whistleblower lawsuit filed by a former quality control manager from the shop floor. The company had been signing annual affirmations in the Supplier Performance Risk System (SPRS) attesting that its cybersecurity controls met the required standards. They did not.
This was not an isolated incident. It is one of a growing number of enforcement actions in what the Department of Justice has signaled will be an expanding campaign against cybersecurity non-compliance throughout the defense supply chain. Seven cybersecurity fraud cases were settled by the DOJ in 2025 alone. The False Claims Act, a Civil War-era statute written to combat government contract fraud, reaches any defense contractor or subcontractor whose senior official signs a compliance affirmation the company cannot substantiate.
The Central Finding: Only 1% of defense contractors are fully audit-ready for CMMC — down from 8% in 2023. There are 600 certified assessors available for 350,000+ contractors requiring certification, with wait times already exceeding 18 months. Phase 2 mandatory third-party certification begins November 2026. The compliance gap is not an administrative inconvenience — it is an open door into the defense programs that protect American national security. The DOJ has now settled nine cybersecurity False Claims Act cases, including the March 2025 MORSECORP settlement for $4.6 million.
The Cybersecurity Maturity Model Certification is not a bureaucratic compliance exercise. It is the direct policy response to a decade of documented, confirmed, ongoing nation-state penetration of the US defense supply chain through its smallest and least-defended members.
A small Australian subcontractor on the F-35 Joint Strike Fighter program, a platform projected to cost US taxpayers $1.5 trillion over its lifespan, suffered a confirmed breach that the Australian Signals Directorate disclosed in 2017. Approximately 30 gigabytes of data were stolen, including detailed F-35 design specifications. The attackers got in using default administrator credentials that had never been changed: "admin" and "guest". A weapon system costing $1.5 trillion, compromised through passwords that any IT professional would flag as unacceptable on day one.
From at least January 2020 through February 2022, the FBI, NSA, and CISA jointly documented regular targeting of US cleared defense contractors by Russian state-sponsored cyber actors — targeting both large and small CDCs and subcontractors across programs including command and control systems, weapons and missile development, and intelligence and surveillance infrastructure.
The Supply Chain Logic: Nation-state adversaries do not attack the prime contractor directly when the path of least resistance is a subcontractor three tiers down with inadequate security. A precision machining shop handling technical drawings for a rotor component does not think of itself as a national security target. The adversary does. Every technical drawing in that shop's unprotected network is a data point in a comprehensive intelligence picture of the weapon system being built.
In 2024 and 2025, APT5 sent spearphishing emails to defense employees' personal email addresses, not their work accounts, with lures crafted to match their roles and interests, including fake invitations to defense industry conferences. A personal mailbox sits outside the corporate mail gateway, so none of the filtering, attachment sandboxing or link rewriting applied to work email ever touches the message; what remains is whatever protection exists on the device the message is opened on, and the judgment of the person reading it. The path from a convincing fake conference invitation to a compromised defense contractor network can be as short as one click.
| Threat Actor | Method | Target in Supply Chain | What Was Taken / At Risk |
|---|---|---|---|
| China / APT5 | Personal email spearphishing of engineers | Aerospace and defense employees at all tiers | Credentials, intellectual property, program details |
| Russia / SVR | Credential harvesting, vulnerability exploitation | Small and mid-tier CDCs with weak security | CUI, weapon system specs, targeting data |
| China / Volt Typhoon | Living-off-the-land persistence | Critical infrastructure supporting defense facilities | Network access, OT mapping, pre-positioned disruption |
| Illinois machining shop (FCA settlement) | No intrusion alleged; the case was a false compliance certification, meaning the required controls were never in place | Precision subcontractor with technical drawings | CUI: technical specifications flowed down from the prime |
| F-35 subcontractor attacker | Default credentials (admin/guest) | Small hardware subcontractor on the aircraft program | 30GB of F-35 design data from a $1.5T program |
In 2023, 8% of contractors were fully audit-ready. In 2025, 4%. Now 1%. As the enforcement deadline approached and the requirements became clearer, readiness went down, not up. This is the signature of a structural problem, not a knowledge or motivation problem.
The compliance gap has three compounding causes: cost, years of voluntary non-enforcement that taught the supply chain that neglect carried no consequence, and a failure of communication design. A control requiring "protection of audit logs" does not convey that unprotected audit logs allowed Volt Typhoon to operate inside US infrastructure for five years undetected. A control requiring "multi-factor authentication for privileged accounts" does not explain that its absence allowed a single compromised admin account to wipe 200,000 devices at Stryker Corporation in March 2026. The compliance framework is technically correct. As a communication to machinists and shop floor managers, it is nearly incomprehensible.
The Assessor Math That Does Not Work: 600 certified C3PAO assessors. 350,000 contractors requiring certification. Even at one assessment per week per assessor (an optimistic assumption, since Level 2 assessments are performed by assessment teams and routinely run longer than a week), total capacity is approximately 31,200 per year (600 × 52). Certifying the full contractor base at that rate would take more than 11 years. Wait times are already exceeding 18 months. The system cannot certify its own requirements at the pace the requirements demand.
Consider how a military helicopter reaches a warzone. The airframe is built by a prime contractor with mature cybersecurity programs. But the rotor assembly components are machined by a specialized shop in Connecticut. The hydraulic system by a supplier in Ohio. The avionics software by a small engineering firm in Virginia. Each handles Controlled Unclassified Information — technical drawings, specifications, tolerances, materials data — that collectively describes how the aircraft is built and where it might be vulnerable.
The F-35 Precedent: Thirty gigabytes of F-35 design data stolen from a small subcontractor through default admin credentials. Lockheed Martin had extensive security controls. The subcontractor had "admin" and "guest" as administrator passwords. The adversary did not need to breach Lockheed Martin. They needed to breach the weakest supplier with access to the program's technical data. This is the structural vulnerability CMMC is specifically designed to close, and one that a supply chain in which 99% of contractors are not audit-ready leaves wide open.
Under CMMC, every contractor must post an annual affirmation in SPRS signed by a senior company official attesting that the organization has implemented and is maintaining all required cybersecurity controls. This is a legal certification with civil fraud exposure under the FCA and, for knowingly false statements to the government, potential criminal exposure as well. The FCA does not require specific intent to defraud: its "knowingly" standard covers actual knowledge, deliberate ignorance and reckless disregard, so an executive who signs without verifying may be found to have acted with "reckless disregard" sufficient to establish liability. Any employee observing non-compliance is a potential whistleblower with a financial incentive to report.
| Scenario | Who Is Liable | Mechanism | Consequence |
|---|---|---|---|
| CEO signs SPRS affirmation while controls are not implemented | The company, and potentially the signing official personally, under the FCA "reckless disregard" standard | False Claims Act, 31 U.S.C. §3729 | Treble damages plus an inflation-adjusted per-claim penalty (roughly $14K–$28K per claim) |
| Prime awards subcontract to non-compliant supplier | Prime contractor — flowdown responsibility | DFARS 252.204-7021 flowdown obligation | Prime's own CMMC status at risk |
| Acquisition of a non-compliant contractor | Acquiring company — successor liability | July 2025 FCA successor settlement precedent | Inherited FCA exposure for pre-acquisition failures |
| Employee observes compliance gap | Employer — qui tam whistleblower action | FCA qui tam provision | Whistleblower receives 15–30% of government recovery |
The defense contracting community has spent years treating cybersecurity compliance as an abstract future obligation. That era ended on March 26, 2025, when the DOJ announced its $4.6 million False Claims Act settlement with MORSECORP, Inc. — a Cambridge, Massachusetts defense contractor serving the Army and Air Force.
Between 2018 and 2023, according to the allegations the settlement resolved, MORSECORP committed two compounding failures: using a cloud email provider that did not meet the FedRAMP Moderate baseline that DFARS requires for cloud services handling CUI, and submitting SPRS self-assessment scores claiming compliance, then receiving a third-party assessment showing a substantially lower, failing score, and not updating the record. On the government's account, MORSECORP knew its posted score was wrong and did not correct it. A whistleblower filed a qui tam complaint. Settlement: $4.6 million plus interest. The whistleblower received $851,000, 18.5% of the recovery.
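The score at the center of the MORSECORP allegations comes from the NIST SP 800-171 DoD Assessment Methodology: a contractor starts at 110 and subtracts 1, 3 or 5 points for each requirement it has not implemented, with partial credit for two specific requirements (3.5.3 multi-factor authentication and 3.13.11 FIPS-validated cryptography). The script below is an added example written for this article, not code from the page, from DoD or from SPRS itself (SPRS scores are entered on the SPRS site, not by script). It computes a score from assessment findings and then performs the check MORSECORP did not: comparing the score on file against a later, lower assessment. The per-requirement weights are this example's reading of the published methodology table for a handful of requirements and should be verified against the table before use; the 88-point conditional-status threshold is likewise an assumption drawn from 32 CFR Part 170, and the two assessment result sets are constructed, not real.

```python
"""SPRS-style NIST SP 800-171 score calculator with a self-vs-third-party drift check.

Added example, not from the article or any DoD tool. Scoring rule (DoD Assessment
Methodology): start at 110, subtract 1, 3 or 5 points for each requirement not
implemented. Two requirements allow partial credit: 3.5.3 (MFA) and 3.13.11
(FIPS-validated cryptography) deduct 3 instead of 5 when partially met.
The weights below are this example's reading of the published table for a
handful of requirements; verify against the methodology before relying on them.
"""
from __future__ import annotations

MAX_SCORE = 110
# Assumption for this example: 32 CFR 170 sets 88 as the minimum score for a
# conditional CMMC Level 2 status with open POA&M items.
CONDITIONAL_MIN_SCORE = 88

# requirement id -> (full deduction, partial deduction or None)
WEIGHTS: dict[str, tuple[int, int | None]] = {
    "3.1.1": (5, None),   # limit system access to authorized users
    "3.1.2": (5, None),   # limit access to permitted transactions and functions
    "3.1.5": (3, None),   # least privilege
    "3.3.1": (5, None),   # create and retain audit records
    "3.3.8": (1, None),   # protect audit information from modification and deletion
    "3.5.3": (5, 3),      # MFA; partial = MFA only for remote and privileged access
    "3.5.7": (1, None),   # password complexity
    "3.13.8": (3, None),  # protect CUI in transit
    "3.13.11": (5, 3),    # FIPS-validated crypto; partial = non-validated crypto in use
    "3.14.1": (5, None),  # identify, report and correct system flaws
}
IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partial", "not_implemented"


def score(findings: dict[str, str]) -> tuple[int, list[tuple[str, int]]]:
    """Return (score, deductions) for one assessment.

    `findings` maps requirement id -> status. Requirements absent from `findings`
    are treated as implemented, a simplification for this constructed example.
    """
    deductions: list[tuple[str, int]] = []
    for req, status in findings.items():
        full, partial = WEIGHTS[req]
        if status == NOT_IMPLEMENTED:
            deductions.append((req, full))
        elif status == PARTIAL:
            if partial is None:
                raise ValueError(f"{req} has no partial-credit rule; mark it implemented or not")
            deductions.append((req, partial))
        elif status != IMPLEMENTED:
            raise ValueError(f"unknown status {status!r} for {req}")
    return MAX_SCORE - sum(points for _, points in deductions), deductions


def sprs_record_is_stale(posted_score: int, assessed_score: int) -> bool:
    """True when the score on file overstates what the latest assessment supports.

    This is the MORSECORP pattern: a self-assessed score posted, a lower
    third-party score received afterwards, and the record never corrected.
    """
    return assessed_score < posted_score


def explain(posted_score: int, findings: dict[str, str]) -> dict:
    """Summarize a new assessment against the score currently posted in SPRS."""
    assessed, deductions = score(findings)
    return {
        "assessed_score": assessed,
        "deductions": deductions,
        "meets_conditional_threshold": assessed >= CONDITIONAL_MIN_SCORE,
        "sprs_record_stale": sprs_record_is_stale(posted_score, assessed),
        "five_point_gaps": [req for req, points in deductions if points == 5],
    }


# Constructed scenario: the company self-assessed with two one-point gaps and
# posted 108. A later third-party assessment found considerably more.
SELF_ASSESSMENT = {"3.3.8": NOT_IMPLEMENTED, "3.5.7": NOT_IMPLEMENTED}
THIRD_PARTY_FINDINGS = {
    "3.1.2": NOT_IMPLEMENTED,
    "3.1.5": NOT_IMPLEMENTED,
    "3.3.1": NOT_IMPLEMENTED,
    "3.3.8": NOT_IMPLEMENTED,
    "3.5.3": PARTIAL,
    "3.5.7": NOT_IMPLEMENTED,
    "3.13.8": NOT_IMPLEMENTED,
    "3.13.11": PARTIAL,
    "3.14.1": NOT_IMPLEMENTED,
}

if __name__ == "__main__":
    posted, _ = score(SELF_ASSESSMENT)
    report = explain(posted, THIRD_PARTY_FINDINGS)
    print(f"posted self-assessment score: {posted}")
    print(f"third-party assessed score:   {report['assessed_score']}")
    for req, points in report["deductions"]:
        print(f"  -{points}  {req}")
    print(f"meets {CONDITIONAL_MIN_SCORE}-point conditional threshold: {report['meets_conditional_threshold']}")
    print(f"SPRS record must be updated: {report['sprs_record_stale']}")
```

In the constructed scenario the posted score is 108 and the third-party score is 81, below the conditional threshold, with three five-point gaps; the last line of output is the action item. The point of the drift check is procedural rather than mathematical: whichever assessment is most recent governs what SPRS should say, and a stale record is what turns a compliance gap into an FCA exposure.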
The DOJ's Message Was Explicit: "Federal contractors must fulfill their obligations to protect sensitive government information from cyber threats. We will continue to hold contractors to their commitments." — DOJ statement, March 26, 2025. Seven cybersecurity FCA settlements were reached in 2025. With Phase 2 mandatory certification beginning November 2026, that number will accelerate.
The cost of CMMC compliance is real, and for small manufacturers it is genuinely burdensome. But the data tells a more nuanced story — one in which the investment is almost always rational when measured against the value of the contracts being protected.
Figure 3 — CMMC Level 2 True Cost Breakdown by Organization Size (2026 Data)
| Cost Category | Small (<50) | Medium (50–200) | Large (200+) |
|---|---|---|---|
| Gap Assessment | $3,500 – $10,000 | $8,000 – $20,000 | $15,000 – $20,000 |
| Remediation & Controls | $20,000 – $80,000 | $50,000 – $150,000 | $100,000 – $250,000 |
| C3PAO Assessment Fee | $30,000 – $50,000 | $50,000 – $80,000 | $80,000 – $150,000 |
| Annual Maintenance | $24,000 – $60,000 / yr | $60,000 – $120,000 / yr | $120,000+ / yr |
| Year-1 Total (sum of the four rows above) | $77.5K – $200K | $168K – $370K | $315K – $540K+ |
Source: ISACA · DoD cost projections · C3PAO market data — organizations that prepare thoroughly have consistently lower total costs and higher first-attempt pass rates
In my 15 years as a UX designer working with enterprise technology, I have observed a consistent pattern: the most technically correct systems fail at scale when they are not designed for the humans who must use them. CMMC has this problem in a particularly acute form. The framework is technically sound. The controls, implemented correctly, would close the supply chain security gap. But it is failing to achieve adoption because it was designed by security professionals for security professionals and is being delivered to machinists, engineers, shop floor managers, and small business owners who have no security background and no frame of reference for why any of it matters.
The NIST SP 800-171 Awareness and Training family (3.2) consists of just three requirements. No minimum hours. No required content structure. No mandatory quiz. No documentation format. No recurrence schedule at all in the requirement text; "annual" is simply the convention most organizations adopt. The result, in practice, is a 30-minute annual video that employees click through while doing something else, followed by a checkbox that becomes a compliance artifact.
The Human Factor Is the Attack Surface: The most common failure vectors in defense contractor breaches (phishing, credential theft, default passwords, social engineering) are not technology failures. They are human awareness failures. You can implement all 110 NIST SP 800-171 requirements perfectly and still be compromised by an employee who clicks a fake conference invitation in their personal Gmail, because APT5 specifically targets personal accounts to stay outside the corporate mail controls. Few technical controls reach that path at all (phishing-resistant MFA limits what a stolen password is worth, and endpoint protection helps only if the mailbox is read on a managed device), and none of them substitutes for an employee who recognizes the lure.
On your first week at any company, you were almost certainly required to complete mandatory training on sexual harassment prevention — structured video modules, specific scenarios, comprehension quizzes, a completion certificate recorded in HR systems, and annual recertification. California AB 1825, New York State Law Section 201-g, and Connecticut Public Act 19-16 all mandate this format because voluntary awareness programs were failing. The argument for mandatory, structured cybersecurity training in the defense supply chain is identical in every structural dimension.
The Recommendation: Mandatory CMMC cybersecurity training should follow the established onboarding compliance model: structured modules with quizzes after each section, a minimum hour requirement, completion certificates retained for audit, and annual recertification. Content must be specific to defense supply chain threats: what APT5 spearphishing looks like, what happened at the F-35 subcontractor, and what Volt Typhoon's playbook is.
| Training Element | Current NIST 800-171 | Proposed Defense Standard |
|---|---|---|
| Timing | Frequency not specified in the requirement text (annual by convention); no explicit onboarding requirement | Upon hire (before CUI access), then annual |
| Minimum Duration | Not specified | 2 hours onboarding / 1 hour annual refresh |
| Content Structure | Not specified | Modular video with quiz after each module |
| Content Topics | Security risk awareness — no specifics | Phishing, CUI handling, APT5, Volt Typhoon, reporting procedures |
| Completion Documentation | Format not specified | Certificate retained in personnel file — auditable by C3PAO |
| Failure Consequence | Not specified | CUI access revoked until training completed |
The ITAR Precedent: The defense industrial base already has a working model of mandatory, role-based, documented training as a condition of handling sensitive information: ITAR export control training. ITAR violations carry civil penalties up to $1.3 million per violation and criminal penalties up to 20 years. The training requirement is taken seriously because the consequence is serious. Cybersecurity training for CUI handlers should operate under the identical framework — with identical seriousness.
As of March 15, 2026, CMMC Phase 1 is not a future requirement — it is current law. Self-assessment affirmations have been a condition of contract award since November 10, 2025. Every defense contractor that has signed an SPRS affirmation since that date has assumed False Claims Act liability for its accuracy. Phase 2 begins November 10, 2026. Organizations that have not begun their readiness process are not running behind. They are running out of time.
Connecticut's defense industrial base is one of the most strategically significant in the country. Electric Boat in Groton builds nuclear submarines. Pratt & Whitney in East Hartford builds the engines that power Air Force fighters and military transport aircraft. Sikorsky in Stratford builds military helicopters deployed in active combat zones. Their supply chains run through hundreds of Connecticut small manufacturers.
Based on the national readiness data — 1% audit-ready, declining — the reasonable inference is that a substantial majority of those Connecticut suppliers are not currently CMMC-compliant. They are handling technical drawings, specifications, and controlled unclassified information for the most sensitive defense programs in the country, on networks that likely do not meet the security standards DFARS has technically required since 2017 and that CMMC now makes legally enforceable.
The Local Consequence: A precision machining shop in Groton that loses its Electric Boat subcontract because it cannot achieve CMMC compliance before Phase 2 is not just a business failure. It is a supply chain gap in the nuclear submarine program. The specialized machining capability that took decades to qualify, the institutional knowledge held by the shop's engineers and machinists, the relationship between that shop and the submarine program — none of that can be quickly replaced. The question every prime contractor in Connecticut should be asking right now is not which suppliers will be excluded. It is which suppliers cannot afford to comply and what the prime is going to do about it.
All findings in this report are based on publicly available information including reports from the Department of Justice, CISA, NSA, FBI, Department of Defense, Lockheed Martin program documentation, Holland & Knight legal analysis, DefenseScoop, GovConWire, Accorian, and CompassMSP. CMMC requirements and deadlines are sourced directly from 32 CFR Part 170 and DFARS 252.204-7021. This represents the author's independent analysis and does not reflect the views of any employer, client, or government agency.
Yana Ivanov is a security analyst and CMMC Registered Practitioner candidate based in Connecticut, specializing in cybersecurity risk assessment and CMMC compliance consulting for defense contractors in the Connecticut defense industrial base — Electric Boat, Pratt & Whitney, Sikorsky, and their supply chains. With 15 years of enterprise technology and UX design experience and an MS in Information Systems, she brings a practitioner perspective that bridges technical security analysis and human-centered communication design. This analysis was produced independently as a contribution to the defense community's understanding of the CMMC supply chain compliance gap and its national security implications.