Cybersecurity is no longer optional—and leadership can’t outsource the mindset.

At CEIC West 2025, Katie Arrington—CISO for the Department of Defense—didn’t deliver a policy update. She delivered a mission directive.

To aerospace manufacturers and DoD subcontractors, the message from the Pentagon is clear:

“We don’t want to lose contractors. But we need companies with a culture of cybersecurity.”

This wasn’t just a compliance update; it was a call for patriotism in the defense industrial base.


The Stakes Are Higher Than an Assessment

Today’s threats are digital. The adversaries aren’t just aiming at our weapons systems; they’re targeting our intellectual property, R&D, and supply chains.

That’s why the Trump administration isn’t pulling back. They’re doubling down on cyber and technology as a core tenet of national defense.

Just read Secretary Pete Hegseth’s directive:
“Directing Modern Software Acquisition to Maximize Lethality”

The message? Cyber = Lethality.

And Katie made it clear: cyber is no longer just a support function. It’s a non-kinetic capability that directly shapes the outcomes of kinetic operations.


A Wake-Up Call to Contractors and Manufacturers

Some contractors are still hoping CMMC will quietly go away. That some internal policy shift—DOGE, Elon, whoever—will kill the requirement.

But here’s the reality: Katie Arrington, DoD CISO, said even DOGE sees CMMC not as a burden, but as a way to protect the nation’s investment. The cost of compliance is small compared to the cost of the taxpayer investment we lose every year through leaks and hacks.

Said simply, the real waste, as they see it, is in lost technology, soldiers, and unsecured IP.


The Leadership Shift That Must Happen

If you’re a leader in aerospace or defense manufacturing, this is your inflection point.

Stop delegating compliance to IT.
Stop treating security as a sidecar project.
Start treating cybersecurity as core to your business continuity and national service.

Arrington’s challenge to industry was specific:

  • Make cyber maturity a C-suite priority
  • Fund it like any other core capability
  • Include CMMC progress in executive reviews
  • Create a culture where security is a shared responsibility—not just a policy

“A standard is only as good as those who apply it,” she says.
And that starts at the top.


Bottom Line

The Pentagon doesn’t want to shrink the defense supply base. But they’ve drawn a line: if you want to stay in the game, you have to play at today’s level.

You don’t need to be perfect. But you do need to show that you’re committed, accountable, and actively improving.