Aviataix Ventures — Insights

Zero-Trust Architecture in the Defense Supply Chain

Dec 19, 2025 6 min read Aviataix Ventures Team

The defense industrial base has a systemic security problem. Not at the prime contractor level — Lockheed, Raytheon, Northrop — where security investment is substantial and visibility is high. The problem is in the supply chain behind those primes: the thousands of small and mid-size manufacturers, electronics suppliers, software vendors, and service providers that collectively hold significant volumes of Controlled Unclassified Information and, in some cases, access to classified program data.

A 2023 DoD assessment found that fewer than 1 in 10 defense industrial base suppliers had implemented all the security controls required under NIST SP 800-171. That's the baseline standard for handling CUI — not classified information, just controlled unclassified. The adversary penetration that has occurred through supply chain vectors over the last decade reflects that gap precisely.

What CMMC 2.0 Actually Changed

The Cybersecurity Maturity Model Certification program created a compliance requirement where there had only been a self-attestation regime. Under the original DFARS clause structure, contractors certified their own compliance without third-party verification. Predictably, many certified compliance they hadn't actually implemented.

CMMC 2.0 kept the third-party assessment organizations (C3PAOs) from the original program while trimming the model to three levels: Level 1 remains an annual self-assessment, Level 2 requires a C3PAO assessment for contractors handling the more sensitive categories of CUI (with self-assessment allowed for the rest), and Level 3 is assessed by the government. Requiring independent verification where the data is most sensitive was the right structural change. But compliance frameworks are backward-looking by design: they codify known threats and known best practices into requirements that organizations must meet, and the threat environment evolves faster than the standard can.

Zero-trust architecture addresses the forward-looking problem that compliance frameworks can't: what happens when a credentialed user, a verified device, or a trusted network segment is actually hostile? The traditional perimeter model assumes that anything inside the firewall can be trusted. Zero-trust, as described in NIST SP 800-207, assumes the opposite: every access request is evaluated on the identity of the requester, the state of the device making the request, and the sensitivity of the resource, and network location by itself confers no trust. Verify everything, every time, regardless of where the request comes from or what credentials it presents.

Why the Supply Chain Is the Hardest Problem

Implementing zero-trust within a single organization is difficult. Implementing it across a defense supply chain involving thousands of organizations with different technology stacks, different security maturity levels, and different contractual relationships is an order of magnitude more difficult.

The challenge is particularly acute at the interfaces between organizations. A prime contractor may have an excellent zero-trust implementation within its own environment. But when a Tier 1 sub shares technical data with a Tier 2 supplier, the security posture of the interaction defaults to the weakest link. If the Tier 2 is running unpatched systems and sharing credentials across teams, as many are, the prime's zero-trust posture is partially bypassed: the data now sits on a device and under an account that the prime's policy never evaluated.

Solving this at scale requires software that can enforce zero-trust policies across organizational boundaries, handle identity and access management for users who span multiple organizations, and provide audit trails that satisfy both internal security requirements and external oversight. That's a product category that doesn't fully exist yet.
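The per-request evaluation described above, and the Tier 2 failure modes from the previous paragraph (stale patches, shared credentials), can be made concrete as a small policy engine. The following is an added illustration, not code from Aviataix Ventures or any product it describes; the organizations, identity providers, device identifiers, the 30-day patch threshold and the December 19, 2025 evaluation date are all constructed for the example. Each decision records every input it considered, which is the audit trail the paragraph above asks for, and the network the request came from is logged but deliberately never consulted when deciding.

```python
"""Zero-trust access decisions across supply chain tiers (illustrative only).

Every request is judged on identity, device posture and the sensitivity of
the resource. Network origin is recorded for audit but is not a trust signal.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Principal:
    subject: str          # who is asking
    issuer: str           # identity provider that asserted this subject
    mfa: bool             # session established with multi-factor auth
    shared_account: bool = False  # account known to be used by several people


@dataclass(frozen=True)
class Device:
    device_id: str
    attested: bool        # device identity verified (e.g. certificate-bound)
    last_patch: date      # date of the most recent security patch


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str   # "PUBLIC" or "CUI"


@dataclass
class Policy:
    trusted_issuers: frozenset   # identity providers the federation trusts
    grants: dict                 # resource name -> set of subjects (least privilege)
    max_patch_age_days: int = 30  # hypothetical threshold for this example


@dataclass
class Decision:
    allow: bool
    reasons: tuple   # why the request was denied (empty when allowed)
    audit: dict      # everything the engine looked at, for the audit trail


def evaluate(policy, principal, device, resource, network_origin, today):
    """Return a Decision; any single failed check denies the request."""
    denials = []
    if principal.issuer not in policy.trusted_issuers:
        denials.append(f"issuer {principal.issuer!r} not in federation trust list")
    if principal.shared_account:
        denials.append("shared account: no individual accountability")
    if not device.attested:
        denials.append("device identity not attested")
    patch_age = (today - device.last_patch).days
    if patch_age > policy.max_patch_age_days:
        denials.append(f"device patch age {patch_age}d exceeds "
                       f"{policy.max_patch_age_days}d")
    if resource.classification == "CUI" and not principal.mfa:
        denials.append("CUI access requires an MFA-backed session")
    if principal.subject not in policy.grants.get(resource.name, set()):
        denials.append(f"{principal.subject!r} has no grant on {resource.name!r}")
    audit = {
        "subject": principal.subject, "issuer": principal.issuer,
        "device": device.device_id, "patch_age_days": patch_age,
        "resource": resource.name, "classification": resource.classification,
        "network_origin": network_origin,   # logged, never used to decide
        "decision": "ALLOW" if not denials else "DENY",
    }
    return Decision(allow=not denials, reasons=tuple(denials), audit=audit)


# Constructed sample data: a prime sharing a CUI drawing with a Tier 2 supplier.
TODAY = date(2025, 12, 19)
POLICY = Policy(
    trusted_issuers=frozenset({"idp.prime.example", "idp.tier2.example"}),
    grants={"drawing-7731.step": {"jdoe@tier2.example"}},
)
DRAWING = Resource("drawing-7731.step", "CUI")


def run_scenarios():
    """Evaluate four constructed requests and return the decisions by name."""
    engineer = Principal("jdoe@tier2.example", "idp.tier2.example", mfa=True)
    fresh = Device("t2-laptop-01", attested=True, last_patch=TODAY - timedelta(days=5))
    stale = Device("t2-laptop-07", attested=True, last_patch=TODAY - timedelta(days=90))
    shop_floor = Principal("shop-floor@tier2.example", "idp.tier2.example",
                           mfa=True, shared_account=True)
    rogue_idp = Principal("jdoe@tier2.example", "idp.unknown.example", mfa=True)
    return {
        "compliant": evaluate(POLICY, engineer, fresh, DRAWING, "tier2-office", TODAY),
        "stale_patch": evaluate(POLICY, engineer, stale, DRAWING, "tier2-office", TODAY),
        # A shared account does not become trustworthy by sitting on the prime's LAN.
        "shared_account_inside_prime": evaluate(
            POLICY, shop_floor, fresh, DRAWING, "prime-corp-lan", TODAY),
        "untrusted_issuer": evaluate(POLICY, rogue_idp, fresh, DRAWING, "tier2-office", TODAY),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision.audit['decision']} {list(decision.reasons)}")
```

Only the first scenario is allowed. The stale-patch and shared-account requests are denied even though the credentials are valid and, in the shared-account case, the request originates inside the prime's own network; the unknown identity provider is rejected before any other attribute matters. Extending this across organizations is mostly a matter of who controls `trusted_issuers` and `grants` and how device attestation is obtained from a supplier's endpoints, which is exactly the cross-boundary gap the section describes.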

The Investment Opportunity

There are three distinct product categories where we see genuine value creation opportunity in defense supply chain security.

  • Cross-boundary identity fabric. Identity and access management solutions that can federate across defense contractors and their supply chains, enforce least-privilege access consistently, and integrate with existing DoD identity systems (CAC, DISA PKI). The existing solutions in this space were designed for enterprise IT, not for the federated, multi-contractor operational model of defense programs.
  • Supply chain risk monitoring. Continuous monitoring of the security posture of supply chain partners — threat intelligence feeds, vulnerability tracking, anomaly detection in supplier network traffic. This is distinct from one-time assessment and requires persistent technical instrumentation.
  • Secure collaboration platforms. Tools that allow controlled technical data sharing across organizational boundaries with enforcement of data handling policies, classification markings, and export control requirements. The existing secure collaboration market is dominated by systems designed for classified environments; the CUI gap is largely unserved.
David Ostrowski, our Partner for Cybersecurity, puts it directly: "The compliance conversation gives us a market entry point. The actual capability gap, which is about managing trust across thousands of supply chain relationships, is where the durable business is built."

Contract Pathways

Defense supply chain cybersecurity has multiple revenue paths that reduce single-customer concentration risk. Contracts flow directly from prime contractors who need to assess and manage their supply chain security posture. They flow from DoD programs that need to demonstrate supply chain security as part of program protection plans. And they flow from CISA and NSA, which have mandates to improve defense industrial base security and funding to pursue that mandate.

Companies in this space can also capture commercial revenue from non-defense companies operating in regulated industries with similar supply chain security requirements. That dual-market potential compresses time to revenue relative to pure-play defense cybersecurity companies that depend entirely on government contract cycles.

The supply chain is where the next major defense cyber incident is most likely to originate. The investment case is that preventing that incident, at scale, requires software that doesn't adequately exist today. We're actively sourcing in this space.