What Every Company Entering the Global Defense Supply Chain Needs to Know
This Isn’t Just an American Problem
A Philippine aerospace manufacturer supplying F-35 components. A Saudi firm maintaining Patriot systems. A Brazilian software company building military applications. A Singaporean logistics provider supporting DoD operations.
Different countries, different industries. One thing in common: if the contract carries the DFARS CMMC clause (252.204-7021), the requirement flows down to every subcontractor that handles FCI or CUI under it, wherever that subcontractor sits. The carve-outs are narrow; suppliers of purely commercial off-the-shelf items are the main one.
The DFARS rule implementing CMMC 2.0 took effect in November 2025, starting a phased rollout that reaches not just prime contractors, but their subcontractors, and the subcontractors below them. DoD estimates that more than 220,000 companies worldwide are in scope.
The stakes are straightforward. No certification, no contract. Analysts project 33,000 to 44,000 smaller suppliers will exit the defense market by 2027 because compliance costs outweigh the revenue. For companies that prepare, that’s market share left on the table. Readiness is becoming a competitive advantage.
What CMMC Level 2 Actually Requires
CMMC Level 2 is built on NIST SP 800-171 (Rev 2): 14 requirement families, 110 security requirements. Depending on what the contract specifies, Level 2 is verified either by an annual self-assessment or by a Certified Third-Party Assessment Organization (C3PAO); suppliers handling CUI should plan for the C3PAO path. In either case the assessor checks that controls are implemented and operational, not just documented. "We have a policy for that" doesn't pass.
The domains requiring the most technical implementation:
| Family | Core Requirement | Requirements |
|---|---|---|
| Access Control (AC) | Restrict access to authorized users and devices | 22 |
| Audit & Accountability (AU) | Generate, protect, and review activity logs | 9 |
| Configuration Management (CM) | Establish baselines, control unauthorized software | 9 |
| Identification & Authentication (IA) | Authenticate users and devices, enforce MFA | 11 |
| System & Information Integrity (SI) | Detect malware, monitor systems | 7 |
| Risk Assessment (RA) | Conduct periodic vulnerability scans | 3 |
Every domain shares the same starting point: knowing what’s on your network.
The First Question Every Assessor Asks
Before anything else, C3PAOs want to see your asset inventory. Employee laptops, phones, tablets, printers, PLCs on the manufacturing floor, contractor devices on the guest WiFi — if you can’t account for what’s connected, you can’t demonstrate that your CUI environment is controlled.
You cannot protect what you cannot see.
Most organizations discover their first CMMC gap not in their security tools, but in their visibility.
NAC: The Foundation Layer
Network Access Control identifies every device attempting to connect and enforces policy before access is granted. Genian NAC operates at Layer 2 — before an IP address is assigned — capturing device type, operating system, installed software, and patch status.
In CMMC terms:
- Access Control (AC): Unauthorized devices are blocked before reaching CUI environments. Directly addresses AC.L2-3.1.1 and AC.L2-3.1.3.
- Configuration Management (CM): Real-time asset inventory maintained automatically. Devices drifting from baseline are flagged. CM.L2-3.4.1 evidence generated without manual effort.
- Audit & Accountability (AU): Every connection logged: who, when, what device, which switch port, which segment. Core evidence for AU.L2-3.3.1. Forwarded to a SIEM, the same records support AU.L2-3.3.5, which asks you to correlate audit review and analysis across sources when investigating suspicious activity.
ZTNA: VPN Wasn’t Built for This
Global defense supply chains run on remote access. Engineers in Singapore pulling documentation. Development teams in Brazil collaborating with U.S. partners. Maintenance personnel in the UAE supporting systems remotely.
VPN grants broad network access after a single authentication. One compromised credential exposes everything behind it. CMMC is explicit: AC.L2-3.1.12 requires remote access sessions to be monitored and controlled, AC.L2-3.1.13 requires them to be encrypted, and AC.L2-3.1.15 requires that remote execution of privileged commands be explicitly authorized. Legacy VPN handles the encryption but struggles with the other two: once the tunnel is up it has no view of which application a session touches and no per-command authorization.
Genian ZTNA evaluates every session (user identity, device posture, access context) and grants access only to the specific application needed. Integration with the existing IdP enforces MFA on every remote session, which covers the network-access portion of IA.L2-3.5.3; MFA for local logon to privileged accounts still has to be enforced on the endpoint itself.
For organizations with distributed workforces and external partners, ZTNA is the practical replacement.
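The per-session evaluation described above, written out as an added example of a ZTNA policy decision point. This is illustrative code, not Genian ZTNA's engine or API; the application names, posture attributes and group names are assumptions, and the ordered checks show why a single credential is not enough to reach an application: MFA, entitlement, device posture and patch age are all evaluated per request, privileged applications need a separate explicit entitlement (AC.L2-3.1.15), and every decision, allowed or denied, is written to an audit record (AC.L2-3.1.12).

```python
"""Added example: per-session, per-application ZTNA policy evaluation.

Not Genians code. Application names, attributes and groups are assumptions
made for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset            # entitlements from the IdP
    mfa_verified: bool           # step-up completed at the IdP for this session
    device_managed: bool         # device is enrolled (NAC/EDR know it)
    edr_healthy: bool            # EDR agent running and reporting
    disk_encrypted: bool
    patch_age_days: int          # days since the last OS patch
    requested_ts: str            # ISO-8601 UTC, used for the audit record


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Constructed per-application policy: access is granted to one app, never to "the network".
# "privileged" apps additionally require the remote-admin entitlement (AC.L2-3.1.15).
APP_POLICY = {
    "eng-docs":         {"groups": {"engineering"}, "max_patch_age": 30, "privileged": False},
    "build-server-ssh": {"groups": {"release"},     "max_patch_age": 14, "privileged": True},
}
PRIVILEGED_GROUP = "remote-admin"

AUDIT_LOG: list[dict] = []   # in a real deployment this stream goes to the SIEM


def evaluate(session: Session, app: str) -> Decision:
    """Ordered checks; the first failure wins and the decision is always logged."""
    decision = _evaluate(session, app)
    AUDIT_LOG.append({"ts": session.requested_ts, "user": session.user, "app": app,
                      "allow": decision.allow, "reason": decision.reason})   # AC.L2-3.1.12
    return decision


def _evaluate(session: Session, app: str) -> Decision:
    policy = APP_POLICY.get(app)
    if policy is None:
        return Decision(False, "unknown application: default deny")
    if not session.mfa_verified:
        return Decision(False, "MFA not satisfied for this session (IA.L2-3.5.3)")
    if not session.groups & policy["groups"]:
        return Decision(False, "user is not entitled to this application")
    if not (session.device_managed and session.edr_healthy and session.disk_encrypted):
        return Decision(False, "device posture failed: unmanaged, EDR unhealthy, or disk unencrypted")
    if session.patch_age_days > policy["max_patch_age"]:
        return Decision(False, f"patch age {session.patch_age_days}d exceeds {policy['max_patch_age']}d for {app}")
    if policy["privileged"] and PRIVILEGED_GROUP not in session.groups:
        return Decision(False, f"privileged app requires explicit {PRIVILEGED_GROUP} entitlement (AC.L2-3.1.15)")
    return Decision(True, f"{session.user} granted access to {app} only")


def make_session(**overrides) -> Session:
    """A healthy baseline session (constructed), with fields overridden per scenario."""
    base = Session(user="alice", groups=frozenset({"engineering"}), mfa_verified=True,
                   device_managed=True, edr_healthy=True, disk_encrypted=True,
                   patch_age_days=5, requested_ts="2025-11-12T09:00:00Z")
    return replace(base, **overrides)


if __name__ == "__main__":
    print(evaluate(make_session(), "eng-docs"))
    print(evaluate(make_session(mfa_verified=False), "eng-docs"))
    print(evaluate(make_session(groups=frozenset({"release"})), "build-server-ssh"))
    for rec in AUDIT_LOG:
        print(rec)
```

The check order matters: identity and MFA are settled before the device is consulted, so a stolen password on an unmanaged device is refused at the MFA step, and a valid MFA login from a compromised or unpatched endpoint is refused at the posture step. Neither outcome gives the requester anything beyond the one application named in the request.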
EDR: What’s Happening Inside the Devices
NAC tells you what’s on the network. EDR tells you what’s happening inside those devices.
Genian Insights E monitors endpoint behavior in real time — process activity, file changes, network communications — addressing SI.L2-3.14.2 and SI.L2-3.14.6.
The real value comes from combining both. NAC provides network-layer context. EDR provides endpoint-layer behavior. Together, fed into a SIEM, they enable threat correlation neither system achieves alone.
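What that correlation looks like in practice, as an added example serving both the NAC evidence bullets above (AC.L2-3.1.1 blocking, CM.L2-3.4.1 drift, AU.L2-3.3.1 connection records) and this section's NAC-plus-EDR join. It is illustrative code, not Genians product output or API: the inventory, the NAC connection events and the EDR alerts are all constructed sample data, and the field names are assumptions. The NAC log contains an unknown Android device denied on a CUI segment, and an inventoried engineering laptop that reappears on its usual port running a different OS; the EDR alert on that laptop a minute later is joined to its NAC context (segment, switch port, observed OS) through the inventory, while an alert from a host the NAC has never seen is flagged as lacking network context.

```python
"""Added example: NAC inventory checks and NAC/EDR correlation over constructed logs.

Not Genians code. Log formats, field names and sample events are assumptions.
"""
import json
from typing import Optional

# Constructed authorized-device inventory: the CM baseline of what should be on the network.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"host": "eng-lt-01",  "owner": "jdoe", "os": "Windows 11", "segment": "cui-eng"},
    "aa:bb:cc:00:00:02": {"host": "plc-line-3", "owner": "ops",  "os": "VxWorks",    "segment": "ot"},
}

# Constructed NAC connection events (JSON lines), one per connection attempt at Layer 2.
NAC_EVENTS = """\
{"ts":"2025-11-12T08:01:05Z","mac":"aa:bb:cc:00:00:01","ip":"10.20.1.15","os":"Windows 11","switch":"sw-eng-1","port":"Gi1/0/7","segment":"cui-eng","action":"permit"}
{"ts":"2025-11-12T08:02:11Z","mac":"aa:bb:cc:00:00:02","ip":"10.30.5.4","os":"VxWorks","switch":"sw-ot-2","port":"Gi1/0/2","segment":"ot","action":"permit"}
{"ts":"2025-11-12T08:03:40Z","mac":"de:ad:be:ef:00:09","ip":null,"os":"Android","switch":"sw-eng-1","port":"Gi1/0/12","segment":"cui-eng","action":"deny"}
{"ts":"2025-11-12T09:15:00Z","mac":"aa:bb:cc:00:00:01","ip":"10.20.1.15","os":"Ubuntu 24.04","switch":"sw-eng-1","port":"Gi1/0/7","segment":"cui-eng","action":"permit"}
"""

# Constructed EDR alerts. EDR keys on hostname, not MAC, so the join goes through the inventory.
EDR_ALERTS = """\
{"ts":"2025-11-12T09:16:30Z","host":"eng-lt-01","process":"powershell.exe","parent":"winword.exe","severity":"high"}
{"ts":"2025-11-12T09:20:00Z","host":"unknown-pc","process":"mimikatz.exe","parent":"cmd.exe","severity":"critical"}
"""


def parse_jsonl(text: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_unauthorized(nac_events: list[dict], inventory: dict) -> list[dict]:
    """AC.L2-3.1.1 evidence: connection attempts from MACs that are not in the inventory.
    The NAC should have denied every one of these; a 'permit' here is itself a finding."""
    return [e for e in nac_events if e["mac"] not in inventory]


def find_baseline_drift(nac_events: list[dict], inventory: dict) -> list[dict]:
    """CM.L2-3.4.1 evidence: inventoried devices whose observed OS differs from the baseline
    (a re-image, or a different device spoofing a known MAC; either way it needs a look)."""
    drift = []
    for e in nac_events:
        base = inventory.get(e["mac"])
        if base and e["os"] != base["os"]:
            drift.append({**e, "expected_os": base["os"]})
    return drift


def latest_nac_context(mac: Optional[str], nac_events: list[dict], before_ts: str) -> Optional[dict]:
    """Most recent NAC event for this MAC at or before before_ts (ISO-8601 UTC sorts lexically)."""
    candidates = [e for e in nac_events if e["mac"] == mac and e["ts"] <= before_ts]
    return max(candidates, key=lambda e: e["ts"]) if candidates else None


def correlate(edr_alerts: list[dict], nac_events: list[dict], inventory: dict) -> list[dict]:
    """Join each EDR alert to the network context the NAC recorded for that host."""
    host_to_mac = {v["host"]: mac for mac, v in inventory.items()}
    enriched = []
    for alert in edr_alerts:
        mac = host_to_mac.get(alert["host"])
        ctx = latest_nac_context(mac, nac_events, alert["ts"])
        out = dict(alert)
        if ctx is None:
            out["nac_context"] = None
            out["note"] = "no NAC record: host not in inventory or never seen on a managed port"
        else:
            out["nac_context"] = {k: ctx[k] for k in ("segment", "switch", "port", "ip", "os")}
            out["cui_segment"] = ctx["segment"].startswith("cui")
        enriched.append(out)
    return enriched


def run() -> dict:
    """Produce the three evidence sets from the constructed logs."""
    nac = parse_jsonl(NAC_EVENTS)
    edr = parse_jsonl(EDR_ALERTS)
    return {
        "unauthorized": find_unauthorized(nac, INVENTORY),
        "drift": find_baseline_drift(nac, INVENTORY),
        "correlated": correlate(edr, nac, INVENTORY),
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Two things the join surfaces that neither source shows alone: the PowerShell-from-Word alert is on a device sitting in the CUI engineering segment whose OS changed an hour earlier, which raises its priority, and the credential-dumping alert comes from a host with no NAC record at all, which is either an inventory gap or a device that reached the endpoint without passing through a managed port. Both are exactly the kind of finding an assessor expects the AU and CM evidence to be able to produce.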
What Genians Covers — And What It Doesn’t
Any vendor claiming a single product satisfies all 110 CMMC requirements deserves scrutiny. CMMC requires technology, process, and people working together.
- Direct technical controls: AC, CM, IA (partial), AU, and SI — evidence generation and control enforcement.
- Extended through integration: SIEM for AU correlation. Vulnerability scanners for RA. IdP and MFA for IA. Next-generation firewalls (NGFW) for SC domain network protection. ITSM and GRC platforms to consolidate asset data, vulnerability findings, and incident history — automating evidence packages and POA&M tracking for C3PAO assessments. Genians provides standard APIs and pre-built connectors to support integration with existing security infrastructure.
- Outside Genians' scope: FIPS 140-2/140-3 validated cryptographic modules (SC.L2-3.13.11 requires FIPS-validated cryptography wherever it protects CUI confidentiality), physical security systems (PE), security awareness training (AT), and personnel security processes (PS) require separate solutions.
CMMC as a Global Security Foundation
Preparing for CMMC isn’t only about U.S. contracts. NIST SP 800-171 is becoming a common reference across international frameworks — ISO 27001, Five Eyes standards, South Korea’s K-RMF, Saudi Arabia’s NCA ECC, Singapore’s MAS TRM. Controls built for CMMC compliance contribute to requirements across multiple jurisdictions simultaneously.
For companies in Southeast Asia, the Middle East, or Latin America entering the global defense supply chain, this isn’t investment in a single market. It’s infrastructure that travels.
A Practical Roadmap
- Step 1: Asset Identification: Know what’s connected. NAC is the technical foundation.
- Step 2: CUI Data Flow Mapping: Identify where CUI lives, how it moves, who touches it.
- Step 3: Gap Analysis: Evaluate current controls against all 110 requirements.
- Step 4: Technical Control Implementation: NAC, ZTNA, and EDR cover the network and endpoint layers.
- Step 5: Evidence Package Preparation: SSP, POA&M, audit logs, and supporting documentation for your C3PAO.
For official certification, engage a C3PAO authorized by the CMMC Accreditation Body (CyberAB) to conduct the assessment. A Registered Provider Organization (RPO) can help you prepare, but RPOs do not certify; only a C3PAO assessment results in a Level 2 certification.
If you are assessing your CMMC readiness or want to map your current security architecture against specific requirements, we would be glad to help.