It Takes the Whole Shop  ·  Chapter 5

It Takes the Whole Shop

Four people. Four moments. One pattern. Vanessa on the shop floor. Linda at her whiteboard. Mike in the glass-walled office. Sarah at her pushpin map. It takes the whole shop. And the whole shop already knows how.

Author's note: This book honors the cybersecurity professionals whose technical expertise is essential to information protection. The argument of this chapter — and this book — is not that cyber doesn't matter. It is that cyber is one essential input into a quality management system that the whole organization owns. The machinist, the quality manager, the shop owner, the IT professional — each has a role. It takes the whole shop.

Across the Defense Industrial Base, the same pattern repeats.

A machinist named Vanessa clocks in for second shift at a Tier 3 supplier in Ohio. She runs a CNC lathe, machines alloy parts to tolerance, and handles Federal Contract Information every day — delivery orders, technical drawings, shipping schedules — on a workstation her employer told the Department of Defense was protected. It is not. The boundary the company drew to define its compliance obligation was drawn to exclude her. No one told Vanessa she was part of the national defense.

A quality manager named Linda has run the AS9100 system at a sixty-person aerospace shop for fourteen years. She built the quality manual, designed the training program, manages internal audits, and maintains a corrective action process that has not missed a finding closure in a decade. When the CMMC requirement arrived, it went to IT — to Brian, who also manages the phone system and the badge readers. Linda watched Brian spend six months struggling with scoping, documentation, training plans, and evidence architecture. She does all of that in her sleep for the quality system. Nobody asked her. The word “cyber” routed it past the one person in the building most equipped to own it.

A shop owner named Mike runs a forty-person AS9100-certified machine shop in Grand Rapids. He can pull a calibration record for any tool in the shop in two minutes. His document control process has not missed a revision in eleven years. For three years, consultants have told him to “build a cybersecurity program” — at price tags ranging from $85,000 to $150,000 — using language he does not speak: enclaves, system security plans, security control baselines. Nobody told him that what he is being asked to build is what he already runs. His quality management system governs people, processes, and technology across his shop floor. It does everything the requirement demands. He just needs someone to tell him.

A prime supply chain director named Sarah manages over two hundred sub-tier suppliers from an office with a wall map full of red pushpins — one for every supplier not yet CMMC-certified. When she flows down a quality requirement, the sub-tier shops implement it within weeks. When she flows down a cybersecurity requirement using the same supply chain and the same people, it dies at every handoff. Then she re-encoded the same requirement as a quality discipline — and watched it get implemented in weeks.

Four people. Four moments. One pattern.

The pattern is this: the word “cybersecurity” has become a filter that routes the most important information protection requirement in the defense supply chain to the smallest, least-resourced function in the organization — while bypassing the operational infrastructure most capable of implementing and sustaining it.

The Cybersecurity Maturity Model Certification was created in response to real cyber threats. Nation-state actors — Volt Typhoon, APT10, and others — have pre-positioned inside U.S. critical infrastructure, including defense supply chain nodes.[1] The threat is not theoretical. It is operational. The program was built to address it, and the program is necessary.

But the framing of the program has created an adoption barrier that regulation alone cannot solve.

When contractors hear “CMMC,” they hear “cybersecurity.” When they hear “cybersecurity,” they hear “IT.” When they hear “110 controls,” they hear “overload that belongs in IT.” And the people who already run the management systems most capable of carrying this requirement — the quality managers, the shop owners, the plant leaders — never hear their names called.

What CMMC Actually Requires

The spirit of CMMC is not about IT. It is about protecting the critical information that forms America's and allied nations' technical edge — in service of warfighter readiness and national security. The technical drawings. The delivery schedules. The test results. The pricing structures. The logistics plans. The manufacturing processes. The information that, when it reaches an adversary, degrades the operational advantage the warfighter depends on.

That information lives on the shop floor, in the quality system, in the ERP, in the email server, in the filing cabinet, on the machinist's workstation. Protecting it is not an IT function. It is an operational discipline that touches people, processes, and systems — the same three things every quality management system is designed to govern.

“This framing is consistent with the program's intent and addresses the adoption barrier we've been unable to solve through regulation alone. The most successful early CMMC adopters integrated information protection into their existing quality and operational management systems rather than building a parallel cybersecurity program.”

— CMMC PMO Official, Program Alignment

The fourteen control families in NIST SP 800-171 are not alien disciplines imported from IT. They are operational quality disciplines that a QMS-native organization already practices in different contexts.

Access Control — who is authorized to touch what. Every quality system governs this for physical tooling, calibrated equipment, and controlled documents. Extending it to information systems is the same discipline, different asset.

Awareness and Training — role-based competency assurance. Every AS9100 shop trains operators on procedures and verifies competency. Extending it to information handling follows the same training management process.

Configuration Management — managing change so the operating baseline stays current. Every quality system has a change control process. Extending it to system configurations and software baselines is the same principle.

Media Protection — controlling how information is stored, transported, and destroyed. Every quality system governs controlled document handling. Extending it to digital media and CUI-bearing storage is the same discipline.

Personnel Security — screening, onboarding, and offboarding with security in mind. Every quality system governs who is authorized to perform what. Extending it to information access clearance follows the same logic.

Physical Protection — controlling who can physically access systems and information. Every manufacturing shop controls access to the production floor, the tool crib, the calibration lab. Extending it to server rooms and network infrastructure is the same principle.

Incident Response — knowing what to do when something goes wrong. Every quality system has a nonconformance process and a corrective action procedure. Extending it to cybersecurity incidents follows the same escalation and root-cause discipline.

The remaining families — Audit and Accountability, Identification and Authentication, Maintenance, Risk Assessment, Security Assessment, System and Communications Protection, System and Information Integrity — each have parallels in the operational quality world. Some require genuinely technical implementation: encryption, network segmentation, vulnerability scanning, intrusion detection. Those are the inputs from IT and cybersecurity professionals. Those inputs are essential. The technical expertise required to configure a firewall, segment a network, or manage an endpoint protection platform is real, specialized, and irreplaceable.

But those technical inputs operate inside the quality management system — not beside it, not above it.

Cyber is one essential input. The QMS is the operating envelope. It takes the whole shop.

What the Reframe Changes

This is not a cosmetic repositioning. It changes the fundamental dynamics of implementation:

Who owns it. Not the IT person who also manages facilities. The quality manager — the person who already runs the management system that governs people, processes, and technology across the shop floor. The IT professional provides the technical controls. The quality manager provides the system.

What budget it comes from. Not the IT budget, which at a forty-person shop is negligible. The operational quality budget — the infrastructure the company already funds because it is how they stay in business.

How it is implemented. Not as a parallel cybersecurity program bolted on from outside. As an extension of the quality management system the company already maintains — using the same operational disciplines it already applies to product quality.

How long it lasts. Not until the assessment is passed. Indefinitely — because a quality management system is an operating condition, not an event. The posture endures between assessments because that is what management systems do.

How the flowdown arrives. Not as a cybersecurity clause that dies at the handoff. As a quality requirement that the sub-tier implements within weeks — because the receiving end already has the infrastructure to carry it.

The Numbers Behind the Urgency

As of early 2026, the Defense Industrial Base comprises approximately 350,000 organizations. DOD estimates that approximately 80,000 of these will require CMMC Level 2 certification — the standard demanding implementation of all 110 NIST SP 800-171 security requirements, with independent third-party assessment required for the vast majority of contracts.[2] An additional 140,000 or more organizations handling Federal Contract Information will require Level 1 self-assessment. As of the October 2025 CyberAB Town Hall, only 431 organizations had achieved final Level 2 certification — leaving over 99% of those requiring it still uncertified.[3] Fewer than 100 authorized C3PAOs exist to conduct assessments, with under 800 certified assessors against a projected need of 2,000 to 3,000.[4] Assessment costs range from $34,000 to $112,000 per organization, and achieving readiness typically takes six to twelve months.[5]

An estimated 33,000 to 44,000 companies may exit the defense market by 2027 as compliance costs exceed the value of their defense work.[6]

These are not just numbers. They represent manufacturing capacity, institutional knowledge, qualified workforce, and supplier relationships that, once lost, cannot be rebuilt quickly. Every company that exits the defense supply chain because it could not navigate the cybersecurity framing of CMMC is a company that might have stayed — and thrived — if someone had said: “You already run a quality management system. Extend it.”

The Whole Shop

Vanessa Reyes on second shift needs to know that the delivery schedule she emails is part of the national defense — and that protecting it is part of her job. Linda Chen needs to know that this is her domain — that the management system she has run for fourteen years is the operating envelope for information protection. Mike Dalton needs to know that he is not starting from zero — that the system he already runs does most of what CMMC requires. Brian in IT needs to know that his technical expertise is essential — that encryption, network architecture, and endpoint protection are critical inputs — and that he is not carrying this alone.

It takes the whole shop.

The machinist. The quality manager. The IT professional. The shop foreman. The front office. The plant manager. The shipping clerk. Every person who touches information in the course of the work they do to support the warfighter.

The quality management system is the envelope that holds them all. It is scoped, documented, trained, maintained, and evidenced — the same way it has always been for product quality. Now it extends to cover the information that makes that product part of the national defense.

Cyber is one essential input. Quality is the operating discipline. The whole shop is the team.

It was never one person's job. It was never one department's problem. It was never something the shop needed to build from scratch.

It takes the whole shop. And the whole shop already knows how.

Endnotes

1. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), Joint Cybersecurity Advisory AA24-038A, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure” (February 2024). ← back

2. Department of Defense, “Cybersecurity Maturity Model Certification (CMMC) Program: Final Rule,” published in the Federal Register at 89 FR 83092 on October 15, 2024; codified at 32 CFR Part 170; effective December 16, 2024. DFARS final rule (48 CFR Part 204) published September 10, 2025; effective November 10, 2025. ← back

3. The Cyber AB, CMMC Marketplace statistics presented at the October 2025 CyberAB Town Hall. Figure represents approximately 0.5 percent of the 80,000 organizations the Department of Defense estimates will require CMMC Level 2 certification. ← back

4. The Cyber AB, Authorized C3PAO Marketplace and certified assessor counts as reported at the October and November 2025 CyberAB Town Halls (approximately 88 authorized C3PAOs and under 800 Certified CMMC Assessors as of the Phase 1 enforcement date). Projected assessor demand of 2,000–3,000 discussed in CMMC Program Management Office implementation briefings and industry analyses (2025–2026). ← back

5. Cost ranges synthesized from Department of Defense Regulatory Impact Analysis published in Federal Register notices for 32 CFR Part 170 and industry analyses. DoD estimates: Level 2 self-assessment $37,000–$49,000 over three years; Level 2 C3PAO third-party assessment $105,000–$118,000 over three years. Readiness timelines of six to twelve months are widely documented across industry sources. ← back

6. Industry analyst projections, including Strikegraph, “Five Predictions on CMMC's Impact to the Defense Industrial Base in 2026” (December 2025), which estimates between 33,000 and 44,000 companies (15–20% of the DIB) will exit the defense market between 2025 and 2027. Corroborating analyses, including Accorian industry briefings (January 2026), project a 15–20% DIB contraction driven by compliance economics. Figures are industry projections, not Department of Defense estimates. ← back

From It Takes the Whole Shop by David Kirubi. Published by Qualified Capacity Press.

The characters and organizations depicted in the narrative chapters are composites drawn from interviews, practitioner conversations, and industry experience across the Defense Industrial Base. They are representative of patterns observed across the sector and do not portray specific individuals, companies, or organizations.

If it's not qualified, it's not capacity.™