It Takes the Whole Shop  ·  Chapter 1

No One Told Her

Vanessa clocks in thirteen minutes early for second shift at a Tier 3 supplier in Ohio. She runs a CNC lathe, emails shipping schedules to the prime, and handles Federal Contract Information every day — on a workstation her employer told the Department of Defense was protected. It isn't. No one told her she was part of it.

Vanessa Reyes clocks in at 2:47 p.m. on a Tuesday, thirteen minutes before second shift starts. She hangs her jacket on the hook behind station six, sets her thermos of coffee on the shelf below the monitor, and pulls up the job ticket for the evening's run. The part is a bracket — alloy steel, five-axis work, tight tolerances on two critical surfaces. She has made this part, or parts like it, for nine years.

The CNC lathe behind her is already warm. First shift ran it until thirty minutes ago. Vanessa checks the tool offsets, verifies the program number against the job ticket, and pulls the delivery order from the folder on her desk. The delivery order tells her where this bracket goes: to a Tier 1 prime contractor in Connecticut, where it becomes part of an assembly that feeds a naval weapons program. She has never seen the assembly. She does not know the name of the program. She knows the part number, the tolerance, and the ship date.

She opens her email. There are three messages. One is from the shipping coordinator — a revised schedule for Friday's outbound. One is from the quality manager — a process change notice for a different part number. One is from the plant manager — a reminder about the company picnic. She reads all three, responds to the first, files the second, and deletes the third.

Vanessa does not think of herself as part of the national defense. She runs a CNC lathe. She machines alloy parts to tolerance. She is good at it. The delivery orders she processes, the technical drawings on her workstation, the shipping schedules she emails to the prime — all of it is Federal Contract Information. All of it is covered by FAR 52.204-21. And none of it is protected by the cybersecurity posture her company self-attested to last year — because that posture was never operationally real.

She is the first line of defense, and no one has told her.

The Mission the Controls Exist to Protect

The mission of the Defense Industrial Base is warfighter readiness. CMMC is not a procurement hurdle. It is the floor of a warfighting capability. Every one of the seventeen Level 1 practices exists because the data it protects — delivery schedules, pricing structures, technical specifications, logistics plans — has operational consequence when it reaches an adversary.

In February 2024, a joint advisory from CISA, NSA, and the FBI confirmed that PRC state-sponsored actors designated Volt Typhoon had pre-positioned inside U.S. critical infrastructure, including defense supply chain nodes.[1] This was operational preparation for conflict — patient actors using legitimate credentials and native tools to avoid detection, already inside the supplier tier.

Volt Typhoon did not target only the systems holding classified data. It targeted the infrastructure — the email servers, the file shares, the network segments — where contract information lives. That is Level 1 territory.

Vanessa does not know this. She has never been told that the delivery schedule she emails every afternoon is the kind of information a nation-state actor has spent years positioning to intercept. She has never been told that the technical drawings on her workstation — the tolerances, the materials, the geometries — are pieces of a larger picture that, when assembled by an adversary, degrades the operational advantage the warfighter depends on.

Last month, during a break, Vanessa asked her supervisor why the company had changed the Wi-Fi password. “IT thing,” he said, and went back to his clipboard. That was the closest Vanessa has come to a conversation about information security at this company. The actual conversation — the one about FCI scope, control boundaries, and self-attestation — happened in the IT department, which, at her company, is one person who also manages facilities.

The Three Components of the Trap

The self-attestation failure at Level 1 is three interlocking conditions.

The “only seventeen practices” minimization. CMMC Level 1 requires seventeen practices to protect FCI. Unlike Level 2, which demands third-party certification for the more sensitive CUI, Level 1 relies on self-assessment: a binary determination that all seventeen controls are MET, an annual affirmation filed in SPRS, and no external validation at any point. The mechanism provides no check on whether the posture reported matches the posture in operation.

Each of those seventeen practices requires real control implementation: configured access restrictions, active malware protection, verified media sanitization, monitored system boundaries. A self-attestation completed without operational evidence behind it is paperwork, not compliance.

Annual affirmation without continuous management. An annual cadence trains organizations to think about their posture once a year. In the interval, entropy operates on schedule. Management changes. Devices connect. Controls drift. Personnel depart and their access is not revoked for weeks. New systems come online without being scoped into the boundary. Software updates are deferred because production cannot afford the downtime.

Volt Typhoon does not operate on an annual cycle. The adversary is patient, persistent, and present. An annual compliance cadence is not a security posture. It is a scheduling decision.

Boundary misidentification. Suppliers draw their own FCI scope boundary without external methodology or validation. Systems that are expensive to secure get excluded. Workstations that touch both commercial and defense work are categorized as commercial because that classification avoids the obligation. The boundary reflects convenience, not reality. The mechanism does not require them to draw it correctly.

Vanessa's workstation is almost certainly outside the boundary her employer drew — not because it doesn't handle FCI, but because including it would have expanded the scope of the compliance obligation. She handles Federal Contract Information on a system the company told itself was out of scope. The controls don't apply to her because the boundary was drawn to exclude her.

The System That Sustains It

At Level 1, the self-assessment is binary — all seventeen practices MET, no Plans of Action and Milestones permitted. There is no numerical score to inflate. There is only a yes-or-no affirmation that every control is in place. The structural vulnerability is subtler than a fabricated number: it is the absence of any mechanism to test whether “yes” is true.

The enforcement environment around that affirmation has shifted. The Department of Justice's Civil Cyber-Fraud Initiative recovered $52 million across nine cybersecurity-related False Claims Act settlements in fiscal year 2025 — with recoveries more than tripling in each of the past two years.[2] To date, enforcement has focused on CUI obligations under DFARS 252.204-7012. But the FCA theory extends to any knowing misrepresentation — including the annual affirmation that all FAR 52.204-21 controls are MET. As Level 1 self-assessments enter SPRS at scale under Phase 1, the surface area for that theory expands.

A 2019 DOD Inspector General report found that DIB companies did not consistently implement cybersecurity requirements.[3] A March 2026 GAO report found that DOD still has not assessed the key external factors — including assessment capacity — that could impede the CMMC program's ability to close that gap.[4] At Level 1, where there is no external assessment at all, the gap between the program's design and the operating reality is widest.

The system is not broken because people are dishonest. It is broken because the structure rewards a rational response that produces an irrational outcome. The supplier self-attests because the mechanism requires only attestation. The supplier draws a narrow boundary because the mechanism permits it. The supplier thinks about compliance once a year because the mechanism asks for an annual affirmation. Every individual decision is rational. The aggregate result is a defense supply chain where the distance between the posture on file and the posture in operation grows wider with every passing quarter.

Who Carries the Consequence

The warfighter carries the operational consequence. When supplier control environments fail, adversary targeting improves. The intelligence picture sharpens. The technical edge erodes. The pilot flying into contested airspace depends on the assumption that the specifications of the aircraft — its radar signature, its countermeasures, its performance envelope — are not known to the adversary. That assumption rests, in part, on the control environment at a Tier 3 supplier in Ohio where a machinist on second shift handles the drawings.

The prime carries the contractual consequence under DFARS 252.204-7021 — flow-down and verification obligations that, at scale, outpace the mechanisms available to discharge them.

But the people who close the gap are not the executives who sign the affirmation. They are the people who handle FCI every day — and every one of them is either maintaining the control environment or eroding it, whether they know it or not.

Vanessa finishes her shift at 11:15 p.m. She logs out of the workstation — the one that is outside the boundary — and hangs her safety glasses on the hook. Tomorrow she will come back, clock in thirteen minutes early, and handle Federal Contract Information on a system that no one has told her is part of the national defense.

She will email the delivery schedule. She will open the technical drawings. She will send the shipping confirmation. She will do all of it on a workstation that her employer has told the Department of Defense is protected — and that is not.

No one told Vanessa she was part of it.

Someone should have.

Endnotes

1. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), Joint Cybersecurity Advisory AA24-038A, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure” (February 2024). ← back

2. U.S. Department of Justice, Civil Division, “False Claims Act Settlements and Judgments Exceed $6.8 Billion in Fiscal Year 2025” (January 16, 2026). Cybersecurity-related recoveries exceeded $52 million across nine FCA settlements under the Civil Cyber-Fraud Initiative. ← back

3. Department of Defense Inspector General, Report No. DODIG-2019-105, “Audit of Protection of DOD Controlled Unclassified Information on Contractor-Owned Networks and Systems” (2019). ← back

4. Government Accountability Office, GAO-26-107955, “Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation” (March 12, 2026). ← back

From It Takes the Whole Shop by David Kirubi. Published by Qualified Capacity Press.

The characters and organizations depicted in the narrative chapters are composites drawn from interviews, practitioner conversations, and industry experience across the Defense Industrial Base. They are representative of patterns observed across the sector and do not portray specific individuals, companies, or organizations.

If it's not qualified, it's not capacity.™