Feb. 5, 2026
By Michael “Bo” Birdwell, Elbit America Director of Supply Chain Business Excellence
In 2021, an Elbit America Board member predicted cybersecurity would become “table stakes,” and he was right. Today, it is the price of admission for all defense contractors to conduct business with the United States Department of War (DoW). Cybercrime and espionage have made the defense industrial base a prime target, and regulatory changes have formalized cybersecurity requirements through the DoW’s Cybersecurity Maturity Model Certification (CMMC) program. Through this newly established program, all contractors and subcontractors who support the DoW are now contractually required to maintain cybersecurity standards for nonfederal information systems that will process, store, or transmit Federal Contract Information or Controlled Unclassified Information during contract performance. Complying with the CMMC program is a requirement, not a request. Yet many businesses in the defense industrial base are not CMMC certified. This is a warning bell.
The State of the Defense Industrial Base: 99 Percent of Businesses Are Still Adjusting Internally
Most businesses tackle CMMC compliance by looking inward first – and that’s where 99 percent of the industry remains today. The DoW published the final CMMC program rule on September 10, 2025, with the rules taking effect just two months later. Understanding the dramatic effect this program would have on its supply chain, Elbit Systems of America (Elbit America) didn’t pause. We leaned in. We are now part of the one percent of defense companies addressing the flow-down requirements of CMMC, managing our supplier compliance. But it’s not easy.
Implementing the security controls validated by CMMC is expensive and difficult to manage within the tight margins of the defense industry, but here are some lessons learned from Elbit America’s CMMC journey: rely on trusted cybersecurity standards you may already have in place, don’t simply outsource your needs, and, whatever you do, get started now!
Trusted Cybersecurity Standards
Elbit America achieved ISO 27001 certification through the International Organization for Standardization in November 2022 and has maintained it annually since. This international standard for information security management accelerated our company’s journey toward CMMC certification. The process is in-depth and includes audits and external assessments, helping a company validate what it says against what it does. It also ensures alignment with required standards. Policies written for ISO 27001 certification can often be adapted to include National Institute of Standards and Technology (NIST) cybersecurity requirements, too. Regardless of framework, your information security management program needs: a System Security Plan, documented policies and procedures, and a continuous monitoring plan.
Understanding the Factor Analysis of Information Risk (FAIR) framework is also very helpful. The FAIR framework provides a quantitative, financial-based approach to assessing cyber risk, while aligning security practices with business objectives. I share more about the FAIR framework and its utility in a three-part Down The Security Rabbit Hole podcast here. I am not the first to advocate for codifying risk into dollars, but I can attest to the power of this approach when communicating cybersecurity needs to leaders across a business.
Outsourcing Isn’t the Answer
Outsourcing the creation of your cybersecurity program is risky. Documentation that doesn’t reflect reality is worthless. Invest internally in at least one individual who can lead implementation efforts within your organization.
Whether Information Technology (IT) is outsourced or insourced, someone must understand the cybersecurity requirements within your organization. I strongly recommend investing in the Certified CMMC Professional (CCP) course and certification for your internal lead.
Getting comfortable with self-assessments is key, as they’re included in most existing frameworks. A well-trained, certified internal lead can stay on top of these assessments for your company.
Maintain a list of the 320 NIST SP 800-171A assessment objectives, which address the security requirements for Controlled Unclassified Information. This document is worth its weight in gold because it seamlessly maps the relationship between requirements, documentation, and implementation.
From Internal Compliance to Supplier Management
Completing your internal CMMC assessment is a major milestone, but then the focus shifts to your company’s supply base. Every prime contractor has suppliers, and CMMC compliance is a shared responsibility.
Start by filtering out Commercial-Off-The-Shelf (COTS) suppliers and those who don’t support DoW contracts. Then, prioritize your lists based on two factors:
- How much revenue the sub-supplier earns from DoW-related work.
- How critical the supplier is to your programs. For example, sole-source suppliers often top the list of critical suppliers.
Suppliers deeply tied to DoW work are often further along in compliance. Friction arises when suppliers are critical to a prime’s revenue stream but have minimal DoW exposure themselves. These sub-suppliers may choose to walk away from defense work.
Options include:
- Replace the supplier with a compliant alternative, if available
- Partner with suppliers to accelerate their compliance journey
- Hope DoW blinks first. The DoW may defer CMMC requirements to option periods, but that’s not guaranteed. There is a reason why “hope” isn’t included within the nine Principles of War.
I advocate for partnership – this minimizes disruption and strengthens relationships.
I am very thankful to Elbit America for supporting my efforts to engage our supply base. I join podcasts, support webinars, attend industry conferences, and work with individual suppliers to strengthen the security of the defense industrial base. In fact, I’ve already had suppliers reach out to me regarding insight on the path to CMMC certification. This information has saved them time and allowed them to avoid pitfalls on their own CMMC journey.
Timelines and Expectations
If you’re planning an enterprise-wide CMMC assessment, expect a 12-to-18-month timeline. Managing supplier compliance will likely take just as long. I have said it before, but it bears repeating. If you invest in separate, isolated environments, you might create a solution that doesn’t fit your needs. Make sure you understand your use cases before choosing a virtual desktop setup.
Elbit America completed our internal efforts to achieve CMMC Level 2 certification about nine months ago and we have implemented many of the processes discussed here.
The Road Ahead
Cybersecurity Maturity Model Certification is a journey, not a checkbox. Collaboration across the defense industrial base is essential to protect our warfighters and maintain readiness. Whether you’re a prime contractor or twenty layers deep in the supply chain, your efforts matter.
Elbit America believes a rising tide lifts all ships. We’re committed to working with CMMC Level 2 (C3PAO) compliant companies and helping others accelerate their journey.
I invite readers to engage with me on LinkedIn or meet with me in person at CUI-CON, February 11-13, 2026 or CS5-West April 16-17, 2026.