By NHI Mgmt Group Editorial TeamPublished 2026-05-11Domain: Cyber SecuritySource: Secureframe

TL;DR: Stacy Bostjanick argued that CMMC was designed to correct weak self-attestation, raise the cost of stealing defense information, and push contractors toward real cybersecurity maturity, according to Secureframe. The practical message is that certification is a baseline control, while supply chain resilience depends on scoping data, limiting exposure, and closing gaps faster than adversaries can exploit them.


At a glance

What this is: Secureframe’s interview with former DoD CMMC director Stacy Bostjanick argues that CMMC is a floor, not a finish line, for defense industrial base cybersecurity.

Why it matters: For IAM and security teams, the article matters because CMMC control maturity depends on who can access sensitive data, how that access is limited, and whether contractor environments can prove continuous protection, not just one-time certification.

By the numbers:

👉 Read Secureframe's analysis of why CMMC is only the bare minimum for defense cybersecurity


Context

CMMC was created because self-attestation did not reliably protect controlled unclassified information in the defense supply chain. The article’s core point is not that the requirements are new, but that many organisations were treating compliance as a paperwork exercise rather than a control assurance problem. That distinction matters for IAM because access scope, identity lifecycle, and privileged exposure determine whether sensitive data is actually protected.

The identity angle is strongest where contractors receive more information than they need to do their jobs. In practice, that means access provisioning, third-party offboarding, and least privilege become supply chain controls, not just internal IAM hygiene. For teams managing human and non-human identities in regulated environments, the starting position described here is common, not exceptional.


Key questions

Q: What breaks when CMMC is treated as the finish line instead of the floor?

A: Programmes often stop at passing assessment rather than reducing real exposure. That leaves broad contractor access, weak offboarding, and over-privileged accounts in place. The result is compliance without containment, which gives adversaries room to move through the defence supply chain even when certification boxes are checked.

Q: Who is accountable when supplier access exposes defence information?

A: Accountability sits with the organisation that grants and governs the access, even when a supplier is involved. Contracts do not replace control ownership. Security, procurement, and programme leaders need defined approval, review, and revocation responsibilities so no one assumes the other team owns identity risk.

Q: What do security teams get wrong about CMMC readiness?

A: They often confuse evidence of compliance with evidence of operational control. A policy can exist while access remains too broad, offboarding is delayed, or the same credentials are reused across environments. Readiness requires proving that identities, privileges, and data paths are actually constrained.

Q: How should organisations reduce the blast radius of third-party access?

A: They should segment supplier access by function, data sensitivity, and environment, then remove standing privileges wherever possible. The goal is to make a single compromised account unable to reach the full engineering or CUI estate. That means tighter lifecycle control, shorter credential duration, and more granular approval.


Technical breakdown

Why CMMC moved from self-attestation to assessed controls

CMMC exists because the government found that self-attestation under DFARS 7012 did not consistently produce real security outcomes. The program shifts emphasis from stating that controls exist to proving that they operate in practice. That matters because auditability is not the same as control effectiveness. For IAM teams, the implication is that identity governance evidence must show actual access restriction, revocation, and scoping, not just policy language or annual review artifacts. Practical implication: treat identity evidence as operational proof, not compliance paperwork.

Practical implication: treat identity evidence as operational proof, not compliance paperwork.

How supplier access scope becomes a security control

The article highlights a common defense industrial base problem, which is over-sharing information with contractors who do not need all of it to perform their work. That creates an access governance issue, not just a data classification issue. Least privilege, compartmentalisation, and lifecycle offboarding determine how far an intrusion can move once a supplier account is compromised. In mixed human and machine environments, the same principle applies to service accounts and integration tokens that often inherit broader access than their use case justifies. Practical implication: scope contractor and NHI access to the narrowest data set and shortest required duration.

Practical implication: scope contractor and NHI access to the narrowest data set and shortest required duration.

Why NIST 800-171 is a baseline, not a resilience model

Bostjanick’s point that NIST 800-171 is only the ground floor is important because compliance minimums do not automatically create resistance to advanced adversaries. A control set can be sufficient for certification and still leave single points of failure, excessive privilege, and weak segmentation intact. For security architects, the real question is whether identity controls support containment under compromise, especially across supplier relationships and shared environments. That is where NIST SP 800-53 Rev 5 Security and Privacy Controls and Zero Trust patterns become relevant beyond the CMMC floor. Practical implication: use CMMC as a minimum bar and map it to stronger containment controls where exposure is high.

Practical implication: use CMMC as a minimum bar and map it to stronger containment controls where exposure is high.


Threat narrative

Attacker objective: The attacker aims to steal defense intellectual property and sensitive information from weaker suppliers, then use that access to damage the wider defence supply chain.

  1. Entry begins when an adversary targets a smaller supplier or subcontractor in the defense industrial base, where controls are often weaker than at the prime contractor level.
  2. Escalation occurs when over-shared data, broad account permissions, or poorly governed third-party access lets the attacker move from a foothold into sensitive CUI environments.
  3. Impact follows when stolen designs, specifications, or state-relevant information can be exfiltrated and reused to undermine the supply chain and the organisations that depend on it.

NHI Mgmt Group analysis

CMMC maturity debt is the real governance problem. The article shows that many organisations still treat certification as the endpoint, when the underlying threat is persistent access to valuable data through weakly governed supplier environments. That creates maturity debt: a backlog of access, segmentation, and revocation work that compliance alone does not clear. Practitioners should read CMMC as a forcing function for governance, not as a final destination.

Supplier access is an identity problem before it is a compliance problem. If a contractor or subcontractor can see data it does not need, the risk sits in identity scope, access review quality, and offboarding discipline. That is where NHI Mgmt Group’s lifecycle lens matters as well, because integrations, API keys, and service accounts often outlive the business need that created them. Practitioners should align supplier access with explicit lifecycle controls, not informal trust.

Defense supply chain resilience depends on containment, not broad eligibility. The article’s single-source supplier discussion shows how one exposed relationship can become a systemic failure mode. In identity terms, that means a poorly scoped account or token can become a supply-chain amplifier rather than a local issue. Practitioners should prioritise blast-radius reduction across privileged, third-party, and machine identities.

NIST 800-171 is a baseline control set, but advanced adversaries force stronger containment assumptions. Bostjanick’s distinction between CMMC Level 2 and Level 3 maps to a broader governance reality: minimum compliance does not equal resilient design. Organisations that handle sensitive defense data should use the baseline to justify stronger access segmentation, shorter credential lifetimes, and tighter third-party governance. Practitioners should plan for adversarial pressure, not just assessment success.

What this signals

Third-party access governance will increasingly be judged by containment, not certification alone. The CMMC debate is pushing contractors toward a more operational view of security, where access scope, identity lifecycle, and revocation speed matter as much as assessment outcomes. For identity teams, that means supplier access reviews need to be tied to business need and data sensitivity, not annual compliance cycles.

Standing privilege remains the easiest way for supplier risk to become enterprise risk. When contractors, integrations, or service accounts hold broad access, the organisation inherits a larger blast radius than the business case justifies. The control question is no longer whether access exists, but how quickly it can be reduced, isolated, or removed when scope changes.

One useful concept here is supplier access drift: the gradual expansion of third-party access beyond the work originally approved. It happens when projects change, credentials persist, and offboarding lags behind contract end dates. Teams should watch for drift in both human and non-human identities, because unattended access becomes a supply chain liability.


For practitioners

  • Scope contractor access by mission need Limit each supplier, subcontractor, and internal approver to the minimum data set required for the work. Tie access approval to a named business purpose, and review it whenever the contract, project, or environment changes.
  • Treat third-party offboarding as a control event Remove accounts, keys, and shared access the same day a supplier relationship ends or changes scope. Include API keys, service accounts, and collaboration access in the offboarding checklist so access does not persist after the business need ends.
  • Map supplier privilege to containment zones Separate high-value CUI, engineering, and operational systems so a compromised supplier account cannot move freely across environments. Use segmentation, step-up approval, and distinct roles for build, transfer, and review functions.
  • Evidence actual control operation for assessments Collect proof that access reviews, revocation, and configuration enforcement work in real environments, not just on paper. Keep logs, screenshots, tickets, and audit outputs that show who approved access, when it was removed, and what remained protected.
  • Plan beyond CMMC baseline requirements Use CMMC as the minimum standard and then identify where stronger controls are needed for supplier-heavy or high-impact programmes. Focus on identity lifecycle, privilege reduction, and monitoring where the business cannot absorb a prolonged compromise.

Key takeaways

  • CMMC is being framed as a minimum assurance baseline, not a complete defence supply chain security model.
  • The article’s evidence points to a persistent gap between formal compliance and actual control over third-party access, privilege, and data exposure.
  • Teams should use CMMC readiness to drive tighter identity lifecycle controls, narrower access scope, and faster revocation across supplier environments.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Supplier access scope and least privilege are central to the article.
NIST SP 800-53 Rev 5AC-6Least privilege is the core control behind limiting supplier blast radius.
CIS Controls v8CIS-5 , Account ManagementAccount lifecycle discipline is central to contractor offboarding and revocation.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe threat model involves credential abuse and movement through overexposed supplier environments.

Map supplier risk to credential access and lateral movement techniques when designing containment controls.


Key terms

  • CMMC: Cybersecurity Maturity Model Certification is a defence supply chain assurance framework used to verify that contractors handling sensitive government information implement defined security controls. It moves beyond self-attestation by requiring independent assessment of whether access, protection, and governance controls actually operate as intended.
  • Controlled Unclassified Information: Controlled Unclassified Information, or CUI, is government information that is not classified but still requires safeguarding because of its operational or national security value. In the defence supply chain, CUI often drives access, sharing, and segmentation decisions that must be enforced through identity and data controls.
  • Supplier Access Drift: Supplier access drift is the gradual expansion of third-party access beyond the originally approved business need. It happens when projects change, accounts persist, and offboarding lags behind contract end dates, leaving more data and systems exposed than the organisation intended.
  • Identity Lifecycle Control: Identity lifecycle control is the discipline of managing accounts, keys, and privileges from creation through review, rotation, and removal. In high-risk supply chain environments, it is the mechanism that prevents access from persisting after the business need has ended.

What's in the full article

Secureframe's full article covers the operational detail this post intentionally leaves for the source:

  • The discussion of CMMC cost ranges, assessor availability, and SMB accessibility.
  • The specific DoD context behind DFARS 7012, NIST 800-171, and why assessment requirements changed.
  • The program history from 2018 development through the final CMMC model.
  • The longer-term view of how other agencies and state buyers may adopt CMMC-style requirements.

👉 Secureframe's full post covers the CMMC cost debate, adoption outlook, and policy context in more detail

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, secrets management, and workload identity. It gives security and IAM practitioners a practical way to connect access control with real-world governance outcomes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org