The Scale of Nation-state Threats the U.S. is Facing
The FBI’s Cyber Division runs investigations out of every field office in the country, coordinated from the top. In 2024 alone, the Bureau led 17 major joint cyber operations against adversaries tied to China, Russia, Iran, and transnational criminal networks. One of those operations – coordinated across 12 countries – dismantled more than 100 criminal servers and disrupted ransomware ecosystems that had been operating at scale.
The Bureau also played a direct role countering China’s Salt Typhoon and Volt Typhoon campaigns (both involving living-off-the-land tactics), which targeted U.S. telecommunications and critical infrastructure.
These aren’t isolated incidents. Nation-state actors are patient, methodical, and willing to exploit any part of the supply chain that gives them leverage – including contractors and subcontractors deep in the defense ecosystem.
Why This Matters if You Hold a DoD Contract
If you do business with the Department of Defense, you’re already in their realm – whether you think of yourself as a cybersecurity target or not.
Defense contractors regularly handle Controlled Unclassified Information (CUI). That alone makes them valuable to adversaries looking for access, intelligence, or lateral movement. Smaller subcontractors and vendors are frequently the entry point because their environments are easier to penetrate and less consistently governed than the organizations further up the chain.
The Department of Defense understands this reality. That’s why CMMC was created – to ensure that organizations entrusted with DoD data can demonstrate that their security controls hold up under scrutiny.
For contractors, this isn’t about best intentions or informal security maturity. Their contract eligibility – and therefore livelihood – is what’s on the line.
However, contractors who approach compliance proactively don’t just protect existing work – they turn it into a competitive differentiator, positioning themselves to pursue new contracts as CMMC enforcement expands across the DIB.
What It Takes to Protect Data and Defend Your Compliance Position
Meeting these requirements isn’t just a technical exercise. NIST SP 800-171, DFARS 252.204-7012, and CMMC introduce an ongoing compliance program – one that must be consistently implemented, documented, and defensible over time.
Working with an experienced managed IT services provider that has firsthand experience operating under these standards helps ensure security controls aren’t just in place, but aligned to how assessors evaluate them.
Such a provider can build a structured, defensible compliance program that:
- Protects the contracts you already hold.
- Positions you to pursue new work as enforcement expands.
- Reduces the legal and financial exposure associated with inaccurate compliance claims.
For executives who have seen what a poorly managed IT environment costs – in downtime, lost productivity, or emergency remediation – the same logic applies to compliance. The cost of ransomware recovery, False Claims Act (FCA) settlements, or a lost contract award typically exceeds the investment required to build and sustain compliance correctly.




