Boeing's 43GB LockBit leak. SolarWinds SUNBURST inside defense contractor networks for 12+ months. RTX DFARS 7012 violations. Lockheed F-35 subcontractor breach chains. Nation-state adversaries (China's PLA, Russia's SVR, North Korea's Lazarus) target defense primes and subs specifically because CUI ends up on subcontractor systems that were never built to withstand nation-state attackers, and CMMC deadlines are only now forcing that gap into the open. Live expert training from $150.
Nation-state adversaries — China's PLA Unit 61398, Russia's SVR, and North Korea's Lazarus Group — systematically target tier-2 and tier-3 defense subcontractors as the path of least resistance to prime contractor networks. CMMC 2.0's flow-down requirements exist precisely because small subs often handle CUI without the security posture of a Lockheed or Boeing. SolarWinds demonstrated that trusted software update pipelines are as vulnerable as email phishing.
Cleared personnel are high-value targets precisely because they have legitimate access to CUI. Chinese and North Korean APT groups create fake LinkedIn recruiter profiles, spoof program security officer (PSO) emails, and craft phishing lures referencing real programs (reconstructed from open-source research on contract awards). The goal isn't always financial — it's intelligence collection about program status, personnel, and technical specifications.
LockBit, BlackCat, and Cl0p have all targeted defense contractors and aerospace manufacturers. Boeing's October 2023 LockBit incident resulted in 43GB of proprietary data being published when Boeing refused payment. Defense contractors are high-value ransomware targets because: (1) business disruption creates supply chain pressure on DoD programs; (2) the threat to publish stolen CUI creates regulatory pressure beyond operational impact; (3) many defense subs operate with thin IT margins that limit incident response capacity.
A successful phishing attack that exfiltrates ITAR-controlled technical data is simultaneously a cybersecurity incident and a potential ITAR violation requiring voluntary self-disclosure to the State Department's DDTC. The obligations compound: the cyber incident starts the DFARS 72-hour reporting clock, and the ITAR breach triggers a separate DDTC voluntary disclosure process. Controlled technical data released to foreign persons, whether by an employee's mistake or through a compromised email account, exposes the company to civil penalties; willful violations carry criminal liability.
LockBit ransomware group compromised Boeing's parts and distribution business. Boeing refused to pay the ransom, and LockBit published approximately 43GB of sensitive data, including internal IT files, supplier lists, and parts catalog data. The breach disrupted supply chain operations and exposed internal systems data that could inform future social engineering or targeted attacks against Boeing's supplier network. Boeing's defense program footprint and ability to pay make it exactly the kind of target ransomware groups prioritize.
43 GB sensitive data leaked after ransom refused
Russian SVR (APT29) inserted malicious code (SUNBURST) into SolarWinds' Orion platform via a compromised build pipeline. The trojanized update was digitally signed with SolarWinds' legitimate certificate and distributed to approximately 18,000 customers, including multiple DoD agencies and defense prime contractors. The implant provided remote access and blended with legitimate Orion traffic; the campaign ran for more than a year, from the initial compromise of SolarWinds' build environment to public detection in December 2020. CISA Emergency Directive 21-01 required federal agencies to immediately disconnect or power down SolarWinds Orion products.
18,000 organizations received the trojanized update; 12+ month dwell time
Multiple incidents across the F-35 Joint Strike Fighter supply chain involved Chinese APT actors targeting tier-2 and tier-3 subcontractors to exfiltrate F-35 technical data, including radar cross-section specifications, exhaust system designs, and ALIS (Autonomic Logistics Information System) data. The breach pattern: subcontractors with weaker security than Lockheed were compromised, then used as pivot points to reach controlled technical data. DoJ prosecutions, including the Su Bin case, tied Chinese military-affiliated hackers to intrusions targeting similar data categories across defense contractors.
Multi-year systematic F-35 IP exfiltration campaign
Multiple major defense contractors, including Raytheon and affiliated entities, have faced DoD audit findings and Civil Investigative Demands related to DFARS 252.204-7012 compliance gaps. Self-certified NIST SP 800-171 compliance scores that don't match actual implementation create False Claims Act exposure. In 2021, the DoJ Civil Cyber-Fraud Initiative specifically named contractor cybersecurity misrepresentation as an FCA target: contractors who certify CMMC/DFARS compliance while not implementing required controls face treble damages and potential suspension or debarment.
Treble damages FCA exposure for false CMMC/DFARS certifications
Defense primes and subs face a layered compliance environment that combines acquisition regulations, export controls, national security requirements, and NIST technical controls. Training must address the human element of every layer, because a cleared employee clicking a spearphishing link can trigger simultaneous DFARS, ITAR, and CMMC compliance failures.
| Regulation | Agency / Authority | Applies When | Training Requirement | Non-Compliance |
|---|---|---|---|---|
| CMMC 2.0 — Level 1 | DoD / OUSD(A&S) | Any DoD contract involving Federal Contract Information (FCI); annual self-assessment required | 15 basic cyber hygiene practices (the FAR 52.204-21 safeguarding requirements); access control, incident response, and media protection awareness | Contract ineligibility / loss of award |
| CMMC 2.0 — Level 2 | DoD / C3PAO assessment | Contracts involving Controlled Unclassified Information (CUI); 110 NIST SP 800-171 practices; C3PAO third-party assessment or self-assessment depending on program criticality | AT.L2-3.2.1 and AT.L2-3.2.2: security awareness and role-based training for all users who access CUI; training documentation required for audit | C3PAO failure → contract loss; FCA exposure if self-certified |
| DFARS 252.204-7012 | DoD (DC3 / DIBNet for incident reporting; DCMA DIBCAC for assessments) | All contracts involving Covered Defense Information (CDI) or operationally critical support; flows down to subcontractors at all tiers | 72-hour cyber incident reporting via DIBNet; 90-day forensic image preservation; cloud provider FedRAMP Moderate equivalence; employee awareness of CDI handling and incident reporting obligations | Termination for default; False Claims Act; debarment |
| NIST SP 800-171 (Rev. 2) | NIST / DoD enforcement | Protecting CUI in nonfederal systems (all CMMC L2 contractors); 110 security requirements across 14 families including Awareness & Training (AT), Incident Response (IR), Access Control (AC) | 3.2.1: Ensure all personnel are aware of the security risks associated with their activities; 3.2.2: Ensure personnel are trained to carry out their assigned information security responsibilities | CMMC L2 failure → contract ineligibility; SPRS score impact |
| ITAR / EAR | State Dept (DDTC) / Commerce (BIS) | Defense articles and services on the USML (ITAR); dual-use items on the CCL (EAR); applies to all employees who handle controlled technical data | Deemed export awareness; email and cloud storage handling of ITAR/EAR-controlled data; voluntary self-disclosure process; foreign national access controls; data breach = potential ITAR violation requiring DDTC notification | Up to $1M/violation + 20 yrs (criminal); $1.35M/violation (civil) |
| Section 889 (NDAA FY2019) | DoD / GSA / FAR Council | All federal contractors — prohibits use of covered Chinese telecommunications equipment (Huawei, ZTE, Hytera, Hikvision, Dahua) anywhere in contractor operations while holding a federal contract | Procurement awareness: how to identify covered equipment in camera systems, network gear, and supply chain; IT audit protocol; flow-down to subcontractors | Contract termination; suspension / debarment |
Every SecurEveryone session is live, interactive, and tailored to your role, clearance context, and program environment. These three scenarios represent our highest-impact aerospace and defense training formats — each built around the actual attack patterns nation-state adversaries use against defense industrial base targets.
Walk cleared employees through the specific spearphishing and social engineering patterns used by Chinese APT groups, Russian SVR, and North Korean Lazarus against defense sector targets. Scenarios include: a spoofed program security officer email referencing a real program, a fake LinkedIn recruiter profile from a defense contractor "hiring manager," and a vishing call impersonating a DCSA security officer requesting FSO contact confirmation. Covers NISPOM foreign contact reporting obligations and how to handle suspected nation-state targeting. Best for: cleared personnel at all levels, FSOs, PSOs, program security staff.
60 min · All Cleared Personnel
Train your procurement, contracts, and subcontract management teams on the CMMC 2.0 flow-down requirements and the specific social engineering attacks used to compromise tier-2 and tier-3 subcontractor access. Scenarios include: a spoofed email from a "DoD audit team" requesting immediate system access credentials, a mock vendor onboarding call that probes for CUI system access details, and a supply chain vendor compromise simulation where a sub's email account is hijacked to approve wire transfers. Covers DFARS 7012 flow-down, subcontractor vetting obligations, and CUI marking and handling. Best for: contracts, subcontract management, procurement, supply chain, and IT teams.
60 min · Contracts / Procurement / IT
Run your IR team, legal, and program leadership through a simulated ransomware or intrusion incident on systems that process CUI. Walk through: the DFARS 252.204-7012 72-hour reporting clock and what goes in the DIBNet cyber incident report, the 90-day system image preservation requirement, simultaneous ITAR breach assessment (does the intrusion constitute an unauthorized export of ITAR-controlled technical data to a foreign person?), CUI containment vs. operational continuity decisions, and the internal chain of command from first detection through contracting officer notification. Includes the specific questions a CO or DCSA investigator will ask. Best for: CISO, FSO, General Counsel, IR Coordinator, Program Managers.
90 min · IR Team / Legal / Program Leadership
Download our most relevant playbooks and toolkits for aerospace & defense teams: no fluff, all practical.
No per-seat pricing, no seat minimums. Business tier includes audit-ready completion records for CMMC AT.L2 compliance documentation. Train cleared personnel, supply chain teams, finance, and IT — all under one flat rate.