The U.S. Defense Department’s final rule on the Cybersecurity Maturity Model Certification, or CMMC, was issued in October last year and took effect on Nov. 10, 2025. Without CMMC certification, not only prime contractors that supply the Pentagon directly but also subcontractors providing parts and raw materials can be shut out of the U.S. defense market. As South Korea’s defense industry pushes to expand exports to the United States, CMMC has become a practical gatekeeper rather than a routine security requirement.
CMMC has three levels, from 1 to 3, based on the sensitivity of Federal Contract Information, or FCI, and Controlled Unclassified Information, or CUI. Level 2, which most defense companies effectively must prepare for, requires meeting all 110 security requirements set out in NIST SP 800-171. Companies handling critical CUI must undergo an assessment by a third-party assessor organization, or C3PAO, every three years. Preparation typically takes 12 to 18 months, and combined costs for infrastructure, consulting and certification can run about 260 million won to 400 million won per company.
The burden falls heavily on smaller suppliers. In a recent survey by the Korea Defense Industry Association, nearly 90% of the 29 respondents were mid-sized or small companies, and many lacked dedicated security staff. The most frequently cited difficulties were cost and a lack of information and training, at 52%. The 31% who said they had no intention to invest for CMMC certification underscored a gap between interest in entering the U.S. market and the ability to comply on their own.
Technical hurdles are also significant. Level 2 requires cryptographic modules validated under FIPS 140-2/140-3, but products verified under South Korea’s K-CMVP are not automatically accepted because there is no mutual recognition agreement with the U.S. CMVP. Requirements such as multi-factor authentication, zero-trust-based network segmentation and CUI data flow diagrams can force a full redesign for firms accustomed to perimeter-based security. In addition, 61 of the 110 requirements do not allow even a Plan of Action and Milestones, or POA&M, meaning they must be fully implemented before a contract is signed. South Korea also has no accredited C3PAO, so companies must bring in overseas assessors, which adds cost and raises concerns about technology leakage and language barriers.
In this environment, government action is essential. First, the legal basis for support should be clarified. Beyond assistance for system-building and consulting costs under Article 14 of the Defense Industry Technology Protection Act, revisions are needed to the Defense Industry Development Act and its enforcement decree to explicitly list “certifications and qualifications required for exports of defense materials” as grounds for subsidies. Second, the government should revamp existing integrated compliance inspections by mapping them to CMMC requirements so companies can respond to both systems without duplicative work. It should also consider exempting firms that complete CMMC self-assessments or certification from overlapping portions of the integrated inspection.
Third, building a domestic CMMC ecosystem is critical. The government should strongly back the Defense Agency for Technology and Quality’s Defense Industry Technology Protection Center as it seeks C3PAO accreditation. The Defense Acquisition Program Administration should directly consult with the U.S. Defense Department and Cyber AB on obstacles cited in the process, including Foreign Ownership, Control or Influence, or FOCI, requirements and Tier 3 background checks. Pursuing a mutual recognition agreement on identity assurance between South Korea and the United States is also an urgent task. Fourth, funding must increase. Current programs — 800 million won for supporting defense technology protection systems and 750 million won for consulting support for small defense firms — fall short of demand. Policymakers should consider both expanding individual programs and creating a dedicated “CMMC support fund” to manage resources consistently. With a recently passed amendment to the Defense Industry Technology Protection Act establishing a legal basis to support hiring security professionals at small and mid-sized firms, budgets should follow.
Fifth, rules should be adjusted so security investment can be reflected more predictably in defense costs. Today, security spending is treated as indirect cost and must be justified case by case to be recognized, discouraging proactive investment. Clearer cost categories in DAPA directives could improve predictability. At the local-government level, separate support efforts can be inefficient; a division of labor in which the Korea Defense Industry Association standardizes training and consulting through memorandums of understanding, while local governments focus on administrative support such as budgets and space, would be more effective.
CMMC is not a requirement companies can adopt quickly, but it is difficult to avoid if they intend to stay in the U.S. market. Competing defense exporters are already treating CMMC readiness as a national task and supporting their companies systematically. If South Korea leaves smaller defense suppliers to struggle alone, positions in the U.S. defense supply chain may be taken by competitors. The government, the association, local governments and industry should build integrated governance and move quickly to launch a cross-ministerial consultative body centered on DAPA. The next decade for South Korea’s defense industry will depend on how it clears this gate.
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.
