TL;DR: Stacy Bostjanick argued that CMMC was designed to correct weak self-attestation, raise the cost of stealing defense information, and push contractors toward real cybersecurity maturity, according to Secureframe. The practical message is that certification is a baseline control, while supply chain resilience depends on scoping data, limiting exposure, and closing gaps faster than adversaries can exploit them.
NHIMG editorial — based on content published by Secureframe: Former DoD Director of CMMC Stacy Bostjanick says CMMC is just the bare minimum
By the numbers:
- Since the initial program was released in 2020, there have been over 1,000 organizations certified at CMMC Level 2, and roughly 50% are SMBs.
Questions worth separating out
Q: What breaks when CMMC is treated as the finish line instead of the floor?
A: Programmes often stop at passing assessment rather than reducing real exposure.
Q: Who is accountable when supplier access exposes defence information?
A: Accountability sits with the organisation that grants and governs the access, even when a supplier is involved.
Q: What do security teams get wrong about CMMC readiness?
A: They often confuse evidence of compliance with evidence of operational control.
Practitioner guidance
- Scope contractor access by mission need Limit each supplier, subcontractor, and internal approver to the minimum data set required for the work.
- Treat third-party offboarding as a control event Remove accounts, keys, and shared access the same day a supplier relationship ends or changes scope.
- Map supplier privilege to containment zones Separate high-value CUI, engineering, and operational systems so a compromised supplier account cannot move freely across environments.
What's in the full article
Secureframe's full article covers the operational detail this post intentionally leaves for the source:
- The discussion of CMMC cost ranges, assessor availability, and SMB accessibility.
- The specific DoD context behind DFARS 7012, NIST 800-171, and why assessment requirements changed.
- The program history from 2018 development through the final CMMC model.
- The longer-term view of how other agencies and state buyers may adopt CMMC-style requirements.
👉 Read Secureframe's analysis of why CMMC is only the bare minimum for defense cybersecurity →
CMMC maturity gaps: what defense contractors need to do now?
Explore further
CMMC maturity debt is the real governance problem. The article shows that many organisations still treat certification as the endpoint, when the underlying threat is persistent access to valuable data through weakly governed supplier environments. That creates maturity debt: a backlog of access, segmentation, and revocation work that compliance alone does not clear. Practitioners should read CMMC as a forcing function for governance, not as a final destination.
A question worth separating out:
Q: How should organisations reduce the blast radius of third-party access?
A: They should segment supplier access by function, data sensitivity, and environment, then remove standing privileges wherever possible. The goal is to make a single compromised account unable to reach the full engineering or CUI estate. That means tighter lifecycle control, shorter credential duration, and more granular approval.
👉 Read our full editorial: CMMC is only the floor for defense supply chain security