If you're an Australian SME in the defence supply chain and you still think CMMC is a future problem, you're already behind. The final rule took effect in November 2025. Phase 2 kicks in November 2026 with mandatory third-party assessments.
I've spent the better part of four years helping businesses across Australia navigate this challenge. We were the first organisation outside the United States (and NATO) to be endorsed as a Registered Practitioner Organisation (RPO) by the US Cyber Advisory Board. We built xClave specifically because we saw the gap between where companies were and where they needed to be. And I can tell you from the front line: the defence supply chain has a compliance problem, and it runs deeper than most people realise.
Most companies I speak to understand that CMMC matters. They've read the articles. They've sat through the briefings. They know that without certification, they're locked out of US Department of Defense work — and increasingly, AUKUS-related programs too.
The problem isn't that people don't know about CMMC. The problem is that their environments weren't built for it.
CMMC Level 2 maps directly to the 110 security controls in NIST SP 800-171 Revision 2. That's not a checklist you bolt onto an existing network over a long weekend. It requires a fundamental shift in how you handle Controlled Unclassified Information (CUI), where it lives, how it moves, who touches it, and what happens when something goes wrong.
For most SMEs in the supply chain, CUI is scattered across email threads, shared drives, collaboration platforms, and personal devices. There's no defined boundary. There's no enclave. And without that, you can't scope your assessment, which means you can't pass it.
Here's where it gets uncomfortable for everyone. CMMC requirements don't stop at your front door. They flow down through every subcontractor and supplier that handles FCI or CUI. If you're a prime contractor and your sub isn't compliant, that's your problem. Your contract. Your risk.
We're already seeing major primes audit their sub-tiers to protect their own positions. And fair enough — under DFARS 252.204-7021, a non-compliant link in the chain can jeopardise an entire contract award. The days of assuming your suppliers have it sorted are finished.
For the SMEs on the receiving end of those flow-down clauses, the pressure is real. Many of them are running lean operations. They don't have dedicated security teams. They're doing cybersecurity on top of everything else, and the gap between their current posture and CMMC Level 2 is significant.
Even if every organisation in the DIB started their compliance journey tomorrow, there's a structural problem the industry hasn't solved: there aren't enough assessors.
Certified CMMC Third-Party Assessor Organisations (C3PAOs) need to complete a rigorous vetting process, and the bottleneck sits with the DoD itself. Unlike other certification pathways, there's no interim mechanism that allows assessors to operate while their tier-three clearance is being processed. The result is a supply-and-demand imbalance that's going to get worse before it gets better.
If you're planning to schedule a C3PAO assessment in late 2026, you'd better be in the queue now. Wait times are extending, costs are rising, and if you miss your window, you miss your contract.
After working with dozens of defence supply chain businesses on CMMC readiness, the failure points are remarkably consistent.
Scoping is too broad. Organisations try to certify their entire environment instead of isolating CUI into a defined enclave. The wider your scope, the more controls you need to implement, the more evidence you need to produce, and the more expensive the whole exercise becomes. Shrink the box. Isolate CUI. Reduce your attack surface and your compliance surface at the same time.
Documentation doesn't exist. You can have every technical control in place, but if your System Security Plan is incomplete, your policies are outdated, and your Plan of Action and Milestones is a placeholder document, you will fail the assessment. Assessors don't just look at what you've deployed; they look at what you've written down, how you maintain it, and whether your people actually follow it.
Cloud assumptions are wrong. Running your workloads in Microsoft 365 or AWS doesn't automatically make you compliant. Commercial cloud platforms struggle to meet the specific handling requirements for CUI and classified information simultaneously. The shared responsibility model means the provider covers their piece, but the configuration, access controls, data classification, and monitoring responsibilities sit squarely with you.
Legacy systems are in scope. If a CNC machine on your factory floor processes files containing CUI, that machine is in scope for your assessment. If it's running an end-of-life operating system, you've got a problem that no amount of policy documentation can paper over. This catches manufacturers off guard more than almost anything else.
For Australian companies, CMMC isn't just about accessing the US defence market. With AUKUS driving deeper integration between Australian, US, and UK defence industries, the compliance landscape is converging. You're not just dealing with CMMC; you're also dealing with Australian classification requirements, UK MODII standards, ITAR, DISP, the ISM, the Essential Eight, and the PSPF, often simultaneously and on the same project.
That convergence is precisely why we built xClave, a sovereign cloud platform that meets the handling requirements across all three AUKUS partner nations in a single environment. Because asking an SME with 15 employees to stand up and maintain separate compliance environments for each framework is not realistic. It's not even reasonable.
The defence supply chain needs practical solutions that consolidate compliance, not multiply it.
If you handle CUI or FCI and you haven't started, here's the honest priority list.
Run a gap assessment against NIST SP 800-171 Rev 2. Not a high-level maturity review. A control-by-control assessment that tells you exactly where you stand and what's missing. If your SPRS score is based on assumptions rather than evidence, it's wrong, and a wrong score carries legal consequences under the False Claims Act.
Define your CUI boundary. Map every system, application, device, and person that touches CUI. Then ask yourself: can I reduce this footprint? An enclave strategy, isolating CUI into a controlled environment, is the single most effective way to reduce both risk and compliance cost.
Build your SSP and POA&M properly. These aren't checkbox documents. They're the narrative of your security program. An assessor will read them, test against them, and hold you to what they say. If your SSP says you do something, you'd better actually be doing it.
Engage a Registered Practitioner Organisation early. Not to hand the problem off, but to get an honest read on where you are, what's realistic, and where to invest your limited resources for maximum effect. The average organisation needs six to twelve months to reach audit readiness. If you're targeting contracts in 2027, your remediation roadmap should already be active.
Talk to your primes. Understand exactly what's being flowed down to you, what classification of information you're handling, and what level of CMMC is expected.
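A scoring helper, added here as an example and not part of the original article or of xClave, shows what the gap-assessment step means by evidence rather than assumptions: it applies the SPRS arithmetic from the DoD Assessment Methodology (110 minus the weight of each unmet requirement, with partial credit only for 3.5.3 and 3.13.11) and refuses to count any control that has no artifact behind it. The six sample requirements, their weights and their evidence strings are constructed for illustration; real weights come from Annex A of the methodology.

```python
from dataclasses import dataclass

MAX_SCORE = 110  # one point per NIST SP 800-171 Rev 2 requirement when everything is met

# Requirements the DoD Assessment Methodology scores with partial credit: a partly
# met 3.5.3 (MFA) or 3.13.11 (FIPS-validated crypto) subtracts 3 instead of 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

@dataclass
class Control:
    req_id: str         # 800-171 requirement number, e.g. "3.1.1"
    weight: int         # 5, 3 or 1; take real values from Annex A of the methodology
    status: str         # "implemented", "partial", "assumed" or "not_implemented"
    evidence: str = ""  # artifact an assessor can inspect; empty means nothing to show

def sprs_score(controls, require_evidence=True):
    """Return (score, unverifiable_ids). With require_evidence=True a claim that has
    no artifact behind it is scored as not implemented and reported."""
    total = MAX_SCORE
    unverifiable = []
    for c in controls:
        claimed = c.status != "not_implemented"
        evidenced = bool(c.evidence.strip()) or not require_evidence
        if claimed and not evidenced:
            unverifiable.append(c.req_id)   # believed, but nothing to show an assessor
            total -= c.weight
        elif c.status in ("implemented", "assumed"):
            continue                        # full credit
        elif c.status == "partial":
            # credit only for the two eligible requirements; otherwise scored as unmet
            total -= PARTIAL_CREDIT.get(c.req_id, c.weight)
        else:
            total -= c.weight
    return total, unverifiable

# Constructed sample: six of the 110 requirements with illustrative weights.
SAMPLE = [
    Control("3.1.1", 5, "implemented", "AD group export, 2025-11 access review"),
    Control("3.1.2", 5, "implemented"),             # claimed, no artifact
    Control("3.5.3", 5, "partial", "MFA enforced for privileged and remote users"),
    Control("3.13.11", 5, "assumed"),               # "the cloud handles that"
    Control("3.3.1", 5, "not_implemented"),
    Control("3.1.3", 1, "implemented", "DLP rule blocking CUI to external domains"),
]

if __name__ == "__main__":
    print("face value:", sprs_score(SAMPLE, require_evidence=False))  # (102, [])
    print("evidenced: ", sprs_score(SAMPLE))  # (92, ['3.1.2', '3.13.11'])
```

The ten-point gap between the two numbers is exactly the kind of assumption-based SPRS score the article warns about, and the returned list is the remediation or evidence-collection queue.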
The organisations that treat CMMC as a one-time certification exercise are the ones that will struggle the most. Controls drift. Threats evolve. People change roles. If you're not running continuous monitoring, periodic self-assessments, and regular training, your compliance posture degrades from the moment you receive your certificate.
The defence supply chain is being asked to meet a higher standard. That's not a bad thing. The threats targeting this sector are real, persistent, and sophisticated. The organisations that embrace this shift as a business capability rather than a regulatory burden will be the ones still standing when the contracts are awarded.
The gap between where the supply chain is today and where CMMC requires it to be is significant. But it's bridgeable. It takes honest assessment, practical architecture, proper documentation, and the discipline to maintain it.

Reach out to chat about your goals, challenges, or just to get a fresh perspective on your IT. Our team is ready to listen.