Here is an uncomfortable observation. The US Department of Defense just suspended CMMC Phase II — the cybersecurity maturity framework meant to force defense contractors to secure their networks — and called it burden reduction. I have sat on both sides of this fence. AS9100 audit findings as an aerospace quality leader on one side, a CEH and 30-plus security certifications as an ethical hacker on the other. I can tell you exactly what the burden was. Not the standard. The implementation.

The framework was a control plan for digital infrastructure

Strip away the acronyms and CMMC was doing something quality professionals should recognize on sight. Access control reviews, incident response readiness, system integrity verification, supply chain risk management — these are quality controls applied to digital infrastructure instead of physical product. The NIST 800-171 controls underlying CMMC map almost one-to-one with the process controls we audit under AS9100 or IATF 16949. You verify them because if you don't, you don't know whether the thing works until it fails spectacularly in front of a customer.

The DoD framed the suspension as a gift to contractors. The same week, agentic ransomware — autonomous malware that adapts, pivots, and propagates across OT networks without an operator — began appearing in manufacturing environments. The timing is darkly comic. The threat evolved into something faster and more autonomous than any human response team, and the regulatory response was to reduce visibility into whether suppliers can defend themselves.

The burden was the implementation, not the standard

I have heard contractors complain about CMMC the same way plant managers complain about EASA audit requirements. Same shape every time: it costs too much, it takes too long, the evidence collection is killing us. And every time I followed that complaint into the actual operation, I found the same root cause. No systematic way to generate evidence as a byproduct of daily work.

At Airbus, we cut EASA audit findings by 50 percent in a single cycle. We did not reduce scope. We did not negotiate away requirements. We embedded the evidence into daily operations — routing verification KPIs that lived in the line, not in a binder — so that when the auditor arrived, the artifacts were already there and the answers were already true. Internal lead time dropped 97 percent through the same mechanism: compliance stopped being a parallel process and became part of how the work got done.

The contractors who lobbied hardest against CMMC were admitting something structural, whether they knew it or not. They could not turn the controls into daily behavior. They were running a shadow process — spreadsheets, screenshots, last-minute remediation sprints — that existed solely to satisfy the auditor. That shadow process was the burden. Now the mandate is gone. The shadow process can stop. So can whatever genuine security it accidentally provided.

A standard you cannot operationalize is a standard you were never actually meeting.

What voluntary compliance does to a multi-tier supply chain

Supplier quality work across a 2,000-plus workforce, multiple sites — I can describe what happens when oversight relaxes at the lower tiers. I have watched it with product quality. The pattern transfers directly.

At SNOP, building the greenfield QA/QC department for over 900 employees from scratch, I learned that the tier you do not audit is the tier that drifts. We achieved 70 percent defect-cost reduction and 98 percent customer satisfaction not because our first-tier suppliers were excellent — they were adequate — but because we built visibility into what the sub-tiers were doing with our specifications before their deviations reached our dock. Without that visibility, quality reverts to assumption. You assume they follow the control plan. You assume the PFMEA is live. You assume a lot of things that show up as 8D reports three weeks too late.

Supply chain cybersecurity under a voluntary framework behaves the same way. The prime contractors — Lockheed, Raytheon, the names everyone knows — will maintain their posture because their customer is in the room. But the sub-tier machine shop that machines flight-critical brackets and connects its CNC controllers to a network for remote diagnostics? That shop was complying because the prime forced it to. Remove the mandate and the prime stops asking, the sub-tier stops doing, and the CNC controller stays on the network with a default password and a six-month-old firmware vulnerability. The GAO is already flagging production issues in hypersonic programs. Imagine what happens when supplier cyber posture becomes genuinely opaque.

Key takeaways

  • Audit your supplier cybersecurity posture now. Use the 60-day review window to map which suppliers were genuinely CMMC-compliant versus those running a shadow evidence process. The gap between those two groups is your real risk exposure.
  • Embed security evidence into daily operations. If your cyber controls require a sprint to produce evidence, they are a burden. If they generate evidence as a byproduct of working correctly, they are infrastructure. Same principle as AS9100 — the audit should confirm what you already know.
  • Assume the sub-tiers reverted this morning. The primes will hold their posture for reputational reasons. The tier nobody audited just got harder to see. Build your own visibility before someone else's breach provides it for you.
  • Treat the control plan as still active. The risk CMMC was managing — unauthorized access to controlled unclassified information in a defense supply chain — has not changed. The threat has demonstrably worsened. The only thing that disappeared is the structured early warning system.

The quality profession learned this the hard way with product safety. You do not wait for a field failure to discover your control plan was voluntary. Cybersecurity posture in a manufacturing supply chain is the same discipline with the same physics. Complex systems fail at the seams, and the seams are where oversight stops. The DoD suspended the framework. The risk did not get the memo. It is still in the network, still adapting, and the companies that treat this pause as permission rather than warning are the ones whose names will appear in the incident report.