Why CMMC Matters: Protecting Defense IP from Cyber Theft
Key Takeaways
- Why CMMC Exists: The Pentagon launched CMMC after finding that self-attestation failed to protect Controlled Unclassified Information (CUI).
- Adversaries at Work: China, Russia, Iran, and North Korea have stolen U.S. jet, satellite, and weapons designs, eroding America’s military edge.
- High Cost of Theft: Intellectual property theft drains the U.S. economy by an estimated $500 billion annually while accelerating rival weapons programs.
- Cost of Compliance: Achieving CMMC Level 2 can be expensive, especially for smaller contractors, but most costs are one-time investments.
- Cost of Non-Compliance: The risk of continued cyber espionage far outweighs compliance costs, making CMMC critical to protecting U.S. defense innovation.
Defense contractors have long struggled with cyber espionage. In recent years it has become clear that simply “trusting” companies to secure their data isn’t enough: foreign hackers have repeatedly stolen blueprints and R&D secrets, eroding the U.S. advantage. The Pentagon eventually created the Cybersecurity Maturity Model Certification (CMMC) program to verify that contractors meet basic security standards. Critics state that CMMC is costly and confusing – and it is. But recent history shows that the alternative is worse. Adversaries such as China, Iran, North Korea, and Russia have spent years siphoning off the strategically important data CMMC is meant to protect.
Why CMMC Exists
Under the old system, companies only self‑attested compliance. The Pentagon found that “contractors did not consistently implement mandated system security requirements” to safeguard sensitive data. In other words, Controlled Unclassified Information (CUI) and classified designs were left vulnerable on lax networks. The results were predictable: for example, Chinese hackers stole detailed F‑35 jet schematics from a Lockheed Martin supplier around 2007, helping China build its own J‑31 fighter. Pentagon cyber leaders note that such thefts are exactly why CMMC was born – it adds independent verification, eliminating the need to rely solely on a company’s claim of being secure.
That stolen F‑35 data is just one story. As one NSA cybersecurity chief puts it, “adversaries…seek to steal U.S. intellectual property in order to build their own military capabilities.” Strategic adversaries, including China, Russia, Iran, and North Korea, are all actively targeting the Defense Industrial Base (DIB). FBI and cybersecurity reports confirm that DPRK groups target U.S. aerospace, satellite, and weapons designs; Iranian hackers have probed U.S. satellite and missile contractors; and Russian Advanced Persistent Threats (APTs) routinely scavenge avionics and space technology. Each breach lets a competitor skip years of R&D. By one estimate, stolen IP costs the U.S. economy roughly half a trillion dollars annually, and, even more importantly, it lets rivals replicate cutting‑edge systems “without comparable investments in research and development.”
Adversaries on the Prowl: Examples of Major Thefts
- China: The most famous case is the F‑35 hack – Chinese spies exfiltrated weapons designs to help build their J‑31 fighter. Beijing’s cyber espionage units steal everything from missile diagrams to satellite blueprints.
- Russia: Russian hackers have targeted DoD contractors too, grabbing data on spacecraft, radar, and avionics.
- Iran: In 2020, the DOJ unsealed charges against IRGC‑affiliated hackers who ran years‑long campaigns against American satellite and aerospace firms, siphoning proprietary tech and communications designs.
- North Korea: A joint FBI/CISA advisory this summer warned that DPRK cyber units (like the infamous “Andariel”) are hunting “sensitive military information and intellectual property of defense, aerospace, [and] nuclear…” programs. North Korean thefts may be less publicized, but they target the same DIB supply chain.
Other nations also engage in espionage (India, Turkey, and even Taiwan have had insiders sell tech secrets), but the four above are the biggest players in recent U.S. cases. Each successful theft not only incurs a financial cost but also erodes America’s strategic edge – adversaries obtain U.S. plans and can undercut the U.S. lead.
The High Price of Compliance (and Non-Compliance)
It’s easy to sympathize with contractors’ concerns about CMMC: preparing for audits is expensive. Independent estimates suggest full CMMC Level 2 readiness can cost tens or even hundreds of thousands of dollars depending on company size. A big pain point is scope creep – systems previously outside DFARS 7012 rules can be pulled into scope under CMMC Level 2, driving up cost and frustration. Cloud migrations can come with extra fees, and small primes often lack in‑house security expertise.
Despite the trouble, DoD and industry agree that the pain of setting up good cybersecurity is largely a one‑time cost. The majority of the expense is the time that goes into building CMMC compliance; once a mature program is in place, maintaining it is cheaper and relatively easy. The real expense of not complying is the loss of critical data. As CMMC architect Katie Arrington puts it, firms “recognize that we can’t have another generation of Chinese weapon systems that look just like ours, because they stole all of our drawings.” CMMC’s goal is to stop that cycle – making each supplier harder to hack.
Ultimately, every standard and certification adds overhead, but when foreign powers are stealing billions of dollars’ worth of aerospace and weapons tech, it can be argued that the tradeoff is worth it. The hope is that these upfront pains – frustration, budget strains – will prevent the far bigger cost of having competitors build on America’s hard‑earned innovations.
To learn more about CMMC, be sure to visit our CMMC page, and don’t hesitate to contact Dave Hammarberg, Elaine Nissley, or Mike Murray regarding our services.
About the Author
Mike joined McKonly & Asbury in 2022 and is currently a Supervisor with the firm. He is a member of the firm’s Internal Audit Segment, serving clients in the government and commercial segments. Mike is also one of the founding members of our CMMC C3PAO assessment team.