News

Shared Intel Q&A: Viewing CMMC as a blueprint for readiness across the defense supply chain

  • securityboulevard.com
  • published date: 2025-11-17 00:00:00 UTC


<div class="single-post post-37585 post type-post status-publish format-standard has-post-thumbnail hentry category-q-a category-top-stories" id="post-featured" morss_own_score="5.768595041322314" morss_score="11.151276605568125"> <h1>Shared Intel Q&amp;A: Viewing CMMC as a blueprint for readiness across the defense supply chain</h1> <div class="entry" morss_own_score="5.76536312849162" morss_score="108.3659036901293"> <img decoding="async" src="https://www.lastwatchdog.com/wp/wp-content/uploads/Exec-in-boat_boiling-sea-1850px-960x599.png"> <h5>By Byron V. Acohido</h5> <p>Small and mid-sized contractors play a vital role in the U.S. defense industrial base — but too often, they remain the weakest link in the cybersecurity chain.</p>
<p><em><strong>Related:</strong> <a href="https://defensescoop.com/2025/11/10/cmmc-compliance-dod-enforcement-defense-industry-readiness-gaps/">Pentagon enforcing CMMC</a></em></p> <p>RADICL’s  <a href="https://radicl.com/dib-cybersecurity-maturity-report-2025">2025 DIB Cybersecurity Maturity Report</a> reveals that 85% of these contractors still fall short of basic regulatory standards. And just 3% meet the threshold of “Advanced” maturity.</p> <p><a href="https://www.lastwatchdog.com/wp/wp-content/uploads/Software-Supply-Chain-Risk-SQUR.png"><img decoding="async" src="https://www.lastwatchdog.com/wp/wp-content/uploads/Software-Supply-Chain-Risk-SQUR-100x94.png"></a>This is no longer a theoretical problem. With the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework expected to become enforceable as early as November 2025, thousands of SMBs in the defense supply chain face a major inflection point. They’ll either demonstrate compliance — or risk being locked out of federal contracts.</p> <p>To unpack what this means, Last Watchdog sat down with <a href="https://www.linkedin.com/in/chrispetersen1/">Chris Petersen</a>, co-founder and CEO of <a href="https://radicl.com/">RADICL</a>, the threat-informed Cybersecurity-as-a-service (CSaaS) company behind the annual maturity study. Petersen explains why many firms are still dangerously exposed — and how the smartest ones are rethinking CMMC as a blueprint for long-term resilience.</p> <p><strong>LW: </strong>What’s the main takeaway from this year’s report?</p> <p morss_own_score="7.0" morss_score="9.0"><strong>Petersen:</strong> The gap is still huge. Most DIB contractors remain vulnerable, especially to nation-state actors focused on espionage. This isn’t just about ransomware or generic threats anymore. It’s about adversaries actively targeting sensitive data tied to national defense.</p> <p>That said, we are seeing a shift in mindset. A year ago, a lot of contractors were in wait-and-see mode. 
Now, leadership teams — CEOs, CIOs, COOs — are more engaged. They’re asking the right questions. But that urgency hasn’t translated into implementation yet. Many still lack basic controls, from documented policies to configured security tools. It’s not just a tech problem — it’s organizational.</p> <p><strong>LW: </strong>CMMC can seem overwhelming to SMBs. What’s a better way to look at it?</p> <p morss_own_score="7.0" morss_score="9.0"><strong>Petersen:</strong> Think of CMMC not as red tape but as a roadmap for operational maturity. For too long, contractors trying to “do the right thing” in cybersecurity were at a competitive disadvantage. Now, the enforcement mechanism levels the playing field. Everyone has to step up.</p> <p>Security isn’t just about avoiding fines or passing audits. It’s about avoiding costly business disruptions. Things like ransomware or phishing attacks aren’t just security issues — they’re operational risks that can cripple a company. And with compliance now tied to contract eligibility, doing nothing is no longer an option.</p> <p><strong>LW: </strong>Your report notes compliance and real-time risk management are starting to align. What does that mean in practice?</p> <p><strong>Petersen:</strong> Compliance used to mean, “Did we do the paperwork?” Now it’s moving toward, “Can we actually respond to threats?”</p> <div><a href="https://www.lastwatchdog.com/wp/wp-content/uploads/ChrisPetersen-hdsht.jpg"><img decoding="async" src="https://www.lastwatchdog.com/wp/wp-content/uploads/ChrisPetersen-hdsht-100x118.jpg"></a> Petersen</div> <p>When organizations treat compliance as an ongoing readiness practice — when they operationalize it — they start doing the things that actually make them more secure. They monitor environments continuously. They develop playbooks for response. They test controls regularly. 
That’s the future.</p> <p><strong>LW: </strong>Where are most contractors still struggling?</p> <p morss_own_score="7.0" morss_score="9.0"><strong>Petersen:</strong> A lot of the gaps are foundational. Many contractors still don’t have documented policies or basic asset inventories. There are no consistent practices for access control, or patching, or logging.</p> <p>My advice is always: don’t try to boil the ocean. Focus on controls that reduce the most risk quickly. Get multi-factor authentication in place. Make sure your endpoints have enterprise-grade EDR and are being monitored 24/7. Have someone managing vulnerability remediation. Those three alone can significantly lower your risk profile.</p> <p>And while you’re maturing over time, that visibility layer — detection and response — is your safety net. It buys you time to fix what’s broken without leaving you exposed in the meantime.</p> <p><strong>LW: </strong>AI is everywhere. How is it changing the picture for SMBs?</p> <p morss_own_score="7.0" morss_score="9.0"><strong>Petersen:</strong> AI is lowering the barrier to entry for effective security. It allows us to deliver detection and response capabilities that used to be out of reach for SMBs. The economics have shifted.</p> <p>AI helps with noise reduction and faster triage. It doesn’t replace human analysts, but it lets those analysts focus on what matters. What AI can’t do yet is understand your specific business context — what matters to you, what’s acceptable risk. That’s where humans still play a key role.</p> <p>We’re integrating AI into every layer of our platform at RADICL, but we always pair it with expert oversight. That combination is what gives us scale <em>and</em> trust.</p> <p><strong>LW: </strong>Will CMMC raise the bar, or just become another checkbox?</p> <p morss_own_score="7.0" morss_score="9.0"><strong>Petersen:</strong> It comes down to intent. 
If companies treat CMMC like a box-checking exercise, they’ll end up just as vulnerable as before. But if they use it to guide real change, they’ll come out stronger.</p> <p morss_own_score="7.0" morss_score="9.0">The good news is that the best solutions today are built with security outcomes in mind. They’re affordable, scalable, and designed to help organizations both comply <em>and</em> defend. That’s a shift from the older generation of compliance-only tools that didn’t actually improve security.</p> <p><strong>LW: </strong>A midsize contractor comes to you and asks, “Where do we start?” What do you say?</p> <p><strong>Petersen:</strong> First, define what readiness means for your organization. It’s not just a document — it’s a plan with real action: who does what, when, and how.</p> <p>Second, get help on the hardest pieces. You likely don’t have in-house staff to run 24/7 detection or to manage a vulnerability program end-to-end. So partner up. But be selective — not all managed service providers (MSPs) or managed security service providers (MSSPs) are built for CMMC.</p> <p>And lastly, don’t assume a gap assessment is enough. You need to actually execute against it. That’s where we see companies stall.</p> <p><strong>LW: </strong>Do you think SMBs can ever get ahead of threats?</p> <p><strong>Petersen:</strong> I do. CMMC is creating the pressure to invest. At the same time, the tech has matured. Today, we can offer SMBs protection that rivals what the Fortune 500s have.</p> <p>At RADICL, our whole focus is on making enterprise-grade, robust defense-in-depth protection accessible. We take the capabilities that used to be out of reach and deliver them as a turn-key, tech-enabled service, purpose-built for SMBs and the DIB. That’s what makes me hopeful. The tools are here. The awareness is rising. The pressure is real. 
Now it’s about innovation and execution.</p> <p><img decoding="async" src="https://www.lastwatchdog.com/wp/wp-content/uploads/Byron-Acohido-BW-column-mug-100x123.png"></p> <p>Acohido</p> <p><em><a href="https://www.lastwatchdog.com/pulitzer-centennial-highlights-role-journalism/">Pulitzer Prize-winning </a>business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.</em></p> <hr> <p><em>(LW provides consulting services to the vendors we cover.)</em></p> <p>November 17th, 2025 <span> | <a href="https://www.lastwatchdog.com/category/q-a/">Q &amp; A</a> | <a href="https://www.lastwatchdog.com/category/top-stories/">Top Stories</a></span></p></div> </div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.lastwatchdog.com">The Last Watchdog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by bacohido">bacohido</a>. Read the original post at: <a href="https://www.lastwatchdog.com/shared-intel-qa-viewing-cmmc-as-a-blueprint-for-readiness-across-the-defense-supply-chain/">https://www.lastwatchdog.com/shared-intel-qa-viewing-cmmc-as-a-blueprint-for-readiness-across-the-defense-supply-chain/</a> </p>