CMMC is a National Security Imperative, DOD Official Says
Stacy Bostjanick says CMMC ensures robust cybersecurity to protect against cyber espionage and secure the nation’s competitive advantage.

The Cybersecurity Maturity Model Certification (CMMC) program is not merely a compliance exercise but an imperative to secure sensitive information, protect innovation and safeguard warfighters as cyber espionage continues to rise, a key CMMC official said Tuesday at the Zscaler Public Sector Summit 2025 in Washington, D.C.
“It’s something we need to do as a nation. If we want to protect our lifestyle, we want to protect the way that we in this nation have grown to be the innovators and the leading edge for technology,” Defense Department’s Chief Defense Industrial Base Cybersecurity and Deputy Chief Information Officer for Cybersecurity Stacy Bostjanick said.
Adversaries are targeting intellectual property, threatening not only financial losses but also the nation’s competitive advantage.
“We are losing our intellectual property and sensitive data from the government by leaps and bounds. [Approximately] $200 to $600 billion a year in IP … is lost, and sadly, many of our citizens are unaware,” said Bostjanick.
According to national security experts, Chinese actors conducted cyberattacks to steal sensitive military information, including designs for the F-35 Lightning II and the F-22 Raptor, to produce their own aircraft — the J-35A stealth fighter and the J-20 Mighty Dragon, respectively. These attacks targeted major defense industrial base (DIB) contractors like Lockheed Martin within the aircraft’s supply chains, as part of broader Chinese cyber espionage this century against the United States and the DIB.
“How many of you are aware that the Chinese have an aircraft that looks just like our F-35?” she asked the crowd. “Are you more aware that designs to our F-22 have been taken?”
Bostjanick explained that DOD initiated CMMC in response to significant cybersecurity challenges that plagued the defense industrial base. Initial reviews of compliance in 2017, she said, revealed stark gaps in contractors handling controlled unclassified information (CUI), with some contractors providing insufficient documentation.
“We found 50 percent of companies failing to meet basic compliance, leading us to develop CMMC to validate that contractors were actively fulfilling their cybersecurity commitments,” Bostjanick said.
Warfighters “depend on the integrity of” CUI, she explained. CMMC compliance, she said, supports the need for a robust cybersecurity framework in manufacturing and technology. She added that unsecured CUI could potentially compromise technological advantages, impacting frontline military capabilities.
Bostjanick said the necessary evolution of CMMC brings the potential for incorporating stronger zero-trust principles in the future. The slow regulatory process is also a challenge to firms working to comply with CMMC requirements, she added.
“CMMC is metamorphic,” she stated, emphasizing the need to stay relevant with emerging threats. “As soon as we close one gap, another one opens. We’re going to have to stay relevant with that.”
“I view CMMC as the toll before the crawl, before the walk, before the run,” she said.
Bostjanick added that the DOD is working on providing more accessible resources, including bite-sized YouTube videos, to help small and medium-sized businesses navigate the certification process.
“I’ve heard from a lot of the smalls, ‘I don’t have time to go into a two-day training. I got maybe 30 minutes,’” she said. “We’re going to try to produce some bite-size training videos for people to be able to use to navigate their way through CMMC safety.”