The aerospace and defense sector faces sustained campaigns from state-aligned actors who specialize in stealing research and exploiting supply chains.
Sophisticated intrusion sets still see this industry as one of the highest-value targets. Advanced persistent threat groups pursue overlapping goals: steal engineering work to cut their own research timelines, infer how to counter fielded systems, build competitive products for export, and harvest communications and program data that help them infiltrate other networks. That combination of motives makes the sector a magnet for patient, well-resourced adversaries.
Attackers go where the odds favor them, and that often means the vendor chain. Prime contractors may invest heavily in segmentation, identity controls, and continuous monitoring. Smaller design shops, testing labs, and niche manufacturers may not. The result is a perennial asymmetry: thousands of companies handling subsets of Controlled Unclassified Information (CUI) with uneven security maturity, any one of which can be the quiet door into a much larger enterprise. The Australian F-35 subcontractor compromise remains a cautionary example; investigators reported that internet-facing systems were reachable with default credentials and that roughly 30 gigabytes of sensitive project data was exfiltrated before anyone noticed.
Supply-chain compromises are rarely isolated events; they are quiet staging grounds for broader campaigns.
Recent history underscores the range of consequences. Rheinmetall’s automotive division endured weeks of production disruption across plants in Brazil, Mexico, and the United States from a 2019 malware incident, with losses estimated in the millions of euros per week as systems were restored. In Japan, Kobe Steel and geospatial firm Pasco disclosed breaches dating to 2016–2018; local reporting indicated that files with personally identifiable information and Ministry of Defense material were among the data taken from Kobe Steel, a submarine parts supplier. In the United States, Boeing confirmed in 2023 that LockBit criminals stole and later leaked tens of gigabytes tied to parts and distribution systems, a reminder that ransomware operations have learned to target data with operational value, not just file servers.
What adversaries are after has not changed so much as expanded. Budget and pricing models reveal negotiation strategies. Internal communications sketch roadmaps, staffing plans, and acquisition targets. Maintenance records, telemetry, and system logs expose failure modes and operational profiles. Blueprints and production methods compress the time it takes to produce a credible knock-off. Testing reports shortcut years of trial and error. And stores of personal data enable tailored social-engineering against engineers, project managers, and program leads. Any of it can be the seed crystal for a much larger breach.
NIST SP 800-171 Revision 3 is now the baseline for protecting CUI in nonfederal systems.
The policy environment has finally caught up with the risk. NIST finalized Revision 3 of SP 800-171 in May 2024, modernizing the control language for protecting CUI in nonfederal systems. The Department of Defense then moved CMMC from proposal to binding rule. The final CMMC procurement rule was published in the Federal Register on September 10, 2025. It becomes effective November 10, 2025 and begins a three-year phased rollout across solicitations and contracts.
CMMC 2.0 streamlines the program to three tiers. Level 1 applies to contractors that handle only Federal Contract Information and permits annual self-assessment. Level 2, aligned with the 110 controls in NIST SP 800-171, requires triennial third-party certification for “prioritized” acquisitions that involve CUI. Level 3 covers the small cohort of programs that demand enhanced protections mapped to elements of NIST SP 800-172 and calls for government-led assessments.
CMMC is now a final rule with three levels; enforcement begins November 10, 2025, with a three-year phase-in.
Even before CMMC’s effective date, DFARS has carried teeth. Clause 252.204-7012 has long required “adequate security” for covered defense information and rapid reporting of cyber incidents to DoD within 72 hours, with preservation of images and logs for potential forensics. The obligations flow down to subcontractors and consultants, not just primes. Two companion clauses, 252.204-7019 and 252.204-7020, established the now-familiar NIST SP 800-171 assessment regime and allowed the Defense Contract Management Agency’s DIBCAC team to review or verify scores, a process that will continue to matter as CMMC clauses begin to appear in new awards. Contractors should also be aware that incident reporting routes and portals are being modernized, with DC3’s DCISE program identified as DoD’s focal point for DIB incident intake and threat sharing.
For security leaders inside A&D organizations, the operational takeaway is straightforward. Treat suppliers as part of your own attack surface and hold them to the same baseline. Map who touches what data, and when. Replace blanket network trust with identity-centric controls, strong multifactor authentication, and tight administrative boundaries. Keep build systems, test benches, and operational technology segmented and monitored. Close the loop with real incident response muscle memory and a reporting workflow that satisfies DFARS timelines.
DFARS 252.204-7012 requires reporting within 72 hours and applies to subcontractors as well.
The strategic stakes are not theoretical. Law-enforcement pressure has dented high-profile ransomware crews, but it has not emptied the field. Operation Cronos disrupted LockBit’s infrastructure in 2024, yet offshoots and affiliates continue to probe large industrial targets, and criminal groups have adopted the same long-dwell tactics that once defined state-aligned activity. That is one more reason the regulatory clock matters. With CMMC now effective and DFARS clauses refreshed, contracting officers have clearer authority to make cybersecurity performance a condition of award and a point of ongoing verification.
If your firm builds, tests, services, or supplies the systems that keep aircraft flying and defenses credible, the bar is no longer ambiguous. The combination of NIST SP 800-171 Rev. 3, DFARS 7012/7019/7020, and phased CMMC enforcement is the new floor. Meeting it consistently—and proving you meet it—will decide not only who wins contracts but who can be trusted with the data that keeps the sector competitive.
