Texas Defense Contractor Threat Brief 2026

Section 1 • Executive Summary

Four messages for a defense
contractor CEO

01

CMMC Level 2 becomes contract-gating in ~5 months. Phase 2 (Nov 10, 2026): C3PAO assessment required for contracts above $10M involving CUI. C3PAOs are booked 6–9 months out. If you're not in assessment today, you're already behind the enforcement date.

02

SPRS scores are a False Claims Act trap — $23M+ in DOJ settlements. Aerojet ($9M), MORSECORP ($4.6M), Raytheon ($8.4M), Guidehouse ($11.3M). These weren't breaches. They were inflated compliance scores. The CEO who signed the CMMC affirmation certifies personal FCA liability.

03

China-linked threat actors are already inside DIB networks. VOLT TYPHOON uses living-off-the-land techniques with no custom malware — your EDR signatures won't catch them. APT40 (Hainan MSS) is exfiltrating technical data from aerospace primes and their sub-tier. The FBI Director called VOLT TYPHOON "the defining threat of our generation."

04

Texas DIB supply chain density = cascade risk. Fort Worth (F-35 Plant 4), Greenville (L3Harris ISR), McKinney (Raytheon Missiles & Defense), Austin (BAE Systems). One breach at a Fort Worth or McKinney prime cascades through hundreds of subs in 72 hours — through DFARS flow-down obligations, SPRS score requirements, and CMMC L2 sub-certification mandates.

Section 2 • TX Defense Ecosystem

Texas primes. TX sub-tier.
Supply chain density map

Prime	Location	Programs	CUI Exposure
Lockheed Martin Aeronautics Air Force Plant 4, Fort Worth	Fort Worth, TX	F-35 JSF (primary), F-16, F-22, C-130	EXTREME
L3Harris Technologies Greenville, TX (ex-Aerojet facility)	Greenville, TX	C-130 avionics, ISR payloads, classified comms	HIGH
Raytheon Missiles & Defense (RTX)	McKinney, TX	Patriot GEM-T, SM-6, precision fire systems	HIGH
BAE Systems	Austin, TX	M109A7 Paladin howitzer, electronic warfare	HIGH
Bell Textron Hurst, TX campus	Fort Worth area, TX	V-22 Osprey, UH-1Y, AH-1Z	MEDIUM-HIGH
Boeing Defense	Dallas-Fort Worth corridor	T-7 Red Hawk, F-15/F-18 sustainment	MEDIUM

TX Sub-Tier

~3,500+ Texas DIB companies

The DFW Aerospace Corridor alone has 800+ F-35 subcontractors within a ~100-mile radius. Every engineering drawing from Lockheed, every technical spec from a prime, every SOW with program data is CUI — protected under NIST 800-171 and CMMC Level 2.

Wave 1 Prospect Profile: InterConnect Wiring (Joshua Bryant, President, Fort Worth TX) is sole Lockheed Martin F-16 electrical products licensee — one of 5 companies contracted to build wiring harnesses for the entire USAF F-16 fleet. SSLP MOU with Lockheed Martin signed 2025. Program data (wiring diagrams, config management, mission data files) = exactly what APT40 and VOLT TYPHOON target.

Section 3 • Verified Incidents

10 DIB incidents.
$34M+ in FCA penalties.

Verified incidents from DoJ, Maine AG disclosures, CISA advisories, and security vendor research. Sources cited in Section 10.

#	Date	Company	Attack Vector	Data Exposed	Threat Actor	Downstream Prime Impact
1	2024–2025	Extant Aerospace / Symetrics Industries LLC FL; DoD programs	Not disclosed	SSNs 3,012; defense electronics data	Unknown	DoD military/commercial programs
2	2013–2015 (settled July 2022)	Aerojet Rocketdyne CA; NASA, MDA, Army, AF	Nation-state intrusion	FCA misrepresentation of controls	China-linked (per DOJ)	NASA, Missile Defense Agency, Army, Air Force
3	~2023 (settled Mar 2025)	MORSECORP Inc. MA; DoD CUI subcontracts	NIST 800-171 gaps + unapproved cloud	Compliance misrepresentation in SPRS	Whistleblower-initiated	DoD CUI subcontracts
4	~2024 (settled May 2025)	Raytheon Missiles & Defense (RTX) Patriot, SM-6 programs	Undisclosed	Failed DoD cybersecurity obligations	Unknown	Patriot GEM-T, SM-6
5	2022–2023 ($11.3M, 2023)	Guidehouse / Nan McKay Government consulting	Undisclosed	Failed cybersecurity requirements	Unknown	Government consulting contracts
6	2023–2025	Multiple DIB companies TX/National DIB	Fortinet FortiGate CVE exploitation	Pre-compromised network edge devices	The Gentlemen (pre-exploited FortiGate chain)	Undisclosed TX/National DIB
7	2023–2024	Lockheed/Boeing/Honeywell employees Military personnel, contractor data	Infostealer malware via pirated software, fake job postings	Military data, clearance info, geolocation ($10/computer on criminal marketplaces)	Criminal marketplaces (RacStealer, RedLine)	Military personnel, contractor data
8	2024	Unnamed DIB supply chain (VOLT TYPHOON pattern) Undisclosed	Living-off-the-land via SOHO devices, valid account abuse	Network persistence, CUI-adjacent exfil	VOLT TYPHOON (PRC)	Undisclosed DIB programs
9	2024–2025	L3Harris / associated DIB Defense comms, ISR	Not fully disclosed	Classified-level corporate/personnel data	Unknown	Defense comms, ISR
10	2023–2024	Commercial Spy Tracker breach — US Army US Army, defense contractor networks	Commercial spyware vendor compromise	Military personnel geolocation, emails, browsing	Commercial surveillance firms (sold to state actors)	US Army, defense contractor networks

Threat Category	Median Dwell Time	Source
DIB overall median	26 days	Mandiant M-Trends 2025
Nation-state (VOLT TYPHOON / APT40)	18–24 months	CISA AA23-144A / Mandiant
Criminal RaaS (LockBit / BlackSuit)	5–14 days before encryption	CISA / IBM X-Force 2025

Note: Dwell time is the median — nation-state actors have been inside some DIB networks for years before detection. The 26-day DIB median masks longer dwell in more sophisticated intrusions.

Section 4 • Threat Actor Profiles

Five actors targeting
TX DIB sub-tier

● Active • PRC State Actor • FBI Director Wray: "the defining threat of our generation"

VOLT TYPHOON

aka Insidious Taurus, Vanguard Panda, DEV-0391, Voltzite

FBI Director Wray, January 31, 2024: "the defining threat of our generation." Pre-positioning in U.S. critical infrastructure for potential destructive/disruptive ops in a Taiwan/SoChinaSea conflict scenario. Uses living-off-the-land (LOLBins) — no custom malware. EDR signatures miss them entirely.

Assessed Intent

Pre-positioning for sabotage capability, not data theft. Critical infrastructure + DIB OT/ICS targeting.

TTPs (MITRE ATT&CK)

Valid Account Use (T1078.002), Living Off the Land (T1064/T1059), System Network Configuration Discovery (T1016), Remote System Discovery (T1018), Data from Local System (T1005), Encrypted Channel (T1573)

DIB Relevance to TX

Targets IT/OT convergence — manufacturing SCADA/MES systems connected to business networks. TX defense manufacturers with connected OT are directly in crosshairs. VOLTZITE cluster: Dragos identifies targeting O/G, electric utilities; CISA confirmed DIB exposure.

Tactic	Technique
Initial Access	T1078.002 — Valid Accounts: Domain
Persistence	T1053.005 — Scheduled Task/Job: MSSQL agent jobs
Defense Evasion	T1064/T1059 — LOLBins: wmic, netsh, certutil
Discovery	T1016 — System Network Configuration Discovery
Collection	T1005 — Data from Local System
C2	T1573.002 — Encrypted Channel: RC4 in TCP

Living-off-the-land OT/ICS targeting Long-dwell persistence PRC MSS Sabotage prep

● Active • PRC MSS • Hainan State Security Department

APT40

aka Leviathan, Kryptonite Panda, BRONZE MOHAWK, Gingham Typhoon

Attributed by Five Eyes MSS to Hainan State Security Department. Cyber-espionage mission: stealing naval/weapons design data, aerospace research, defense technology. Conducts reconnaissance of defense contractors BEFORE intrusions — researched LinkedIn, trade publications, defense conference attendee lists to identify targets.

Assessed Intent

Cyber espionage: naval/weapons design, aerospace research, defense technology theft. Cyber-espionage complement to China's naval modernization program.

TTPs (MITRE ATT&CK)

Spear Phishing — Persona Impersonation (T1566.002): poses as journalist/trade publication/defense conference speaker, Exploit Public-Facing App (T1190), Hardware Additions (T1200), Valid Accounts (T1078), Collecting from Removable Media (T1052), Cloud-Based Techniques (T1078.004/T1090.003)

DIB Relevance to TX

TX primes (F-35, F-16, V-22, Patriot) and sub-tier are in targeting pattern. Person-impersonation phishing (fake journalists) has targeted defense contractor employees. Hardware additions = physical device implants during vendor visits.

Tactic	Technique
Initial Access	T1566.002 — Spear Phishing: Persona Impersonation
Initial Access	T1190 — Exploit Public-Facing App
Initial Access	T1200 — Hardware Additions
Persistence	T1078 — Valid Accounts (on-prem + cloud)
Collection	T1052 — Collecting from Removable Media
C2	T1090.003 — Proxy: Multi-hop Proxy

Persona-impersonation phishing Hardware implants Aerospace targeting Hainan SSD Naval espionage

● Partially Disrupted • Russian RaaS • Affiliates rebuilt post-Cronos

LockBit

aka LockBit 3.0, LockBit Black

Operation Cronos (Feb 2024) took down infrastructure — key affiliates dismantled. But affiliates rebuilt, rebranded, and LockBit remains active as of 2026. Opportunistic: targets unpatched VPNs, exposed RDP, FortiGate CVEs. TX sub-tier with no SOC is a Monday morning target.

Assessed Intent

Financially motivated ransomware. Opportunistic targeting of vulnerable perimeter devices.

TTPs

Exploit Public-Facing App (T1190), Drive-by Compromise (T1189), Pass-the-hash/LDAP relay (T1078.002), Data Encrypted for Impact (T1486), Exfiltration to Own Infrastructure (T1567.003)

DIB Relevance to TX

TX sub-tier: Fort Worth-area defense manufacturers with unpatched FortiGate, exposed VPN, no MFA = immediate target. LockBit affiliates scan for CVE-2022-42475 (FortiGate) and exploit at scale. Supply chain disruption at one sub cascades to prime delivery timelines.

Opportunistic RaaS FortiGate targeting VPN exploitation Data exfiltration Supply chain disruption

● Active • Russian RaaS • Evolved from Royal, recruiting ALPHV/LockBit affiliates

BlackSuit

Rebranded from Royal ransomware, May 2023

Russian RaaS actively recruiting affiliates from ALPHV and LockBit ecosystem. Evolved from Royal ransomware with improved code. Actively targeting U.S. critical infrastructure including manufacturing and defense-adjacent sectors.

Assessed Intent

Financial extortion. Actively recruiting from ALPHV/LockBit affiliate pool to expand reach.

TTPs

Phishing as Initial Access (T1566), RDP Exploitation (T1021.001), Custom Ransomware (T1486), Data Destruction (T1485) — wipes backup systems before encryption, Exfiltration to MEGAZONE/cloud (T1567)

DIB Relevance to TX

Backup destruction TTP eliminates recovery options. Defense subs without immutable/offline backups face total data loss risk. BlackSuit affiliates use legitimate tools (Cobalt Strike, Mimikatz) — blended into normal traffic.

Backup destruction RDP exploitation Data wiping MEGAZONE exfil Affiliate recruiting

● Active • DPRK • Reconnaissance General Bureau

Lazarus Group

aka Hidden Cobra, Zinc, Appleworm, HiddenCobra

DPRK state-sponsored. Financially motivated — crypto heists fund state cyber operations. Uses supply chain compromise (trojanized software updates), fake job postings to target defense contractor employees, and shell company infiltration of DoD supply chains.

Assessed Intent

Financial: crypto theft funds state operations. Espionage: fake company scheme to win defense subcontracts and gain program access.

TTPs

Supply Chain Compromise (T1195), False Updates/Trojanized Apps (T1195.001/T1074.001), Fake Job Postings (T1566.002/T1074.002) targeting defense contractor employees, Fake Companies/Front Organizations (T1584) — shell companies to win defense subcontracts

DIB Relevance to TX

TX defense subs targeted as espionage victims AND as unwitting pawns in DPRK fake company infiltration of DoD supply chains. Fake job posting campaign actively targeting Lockheed, Boeing, Raytheon employees (2023–2024 infostealer campaign already documented in Incident #7).

Fake job postings Supply chain compromise Shell company infiltration DPRK RGB Trojanized updates

Section 5 • Regulatory Exposure

The compliance stack.
DoD contract loss + FCA exposure.

5A — CMMC Level 2 Phase Timeline

November 2026 is not a suggestion.

CMMC Level 2 assessment is contract-gating. The enforcement timeline is real.

Phase	Date Range	What Happens
Phase 1	Nov 10, 2025 – Nov 9, 2026 NOW	CMMC clauses appear in new contracts; self-assessment scores required in SPRS. Self-assessment pathway only during this phase.
Phase 2	Nov 10, 2026 – Nov 9, 2027	Level 2 C3PAO assessment required for contracts above $10M involving CUI. Scoped assessment pathway opens. C3PAOs booked 6–9 months out. If you start today, you're scheduling for Q1 2027 at the earliest.
Phase 3	Nov 10, 2027 – Oct 31, 2028	Full rollout — Level 2 required on all CUI contracts above $10M.
Phase 4	Oct 31, 2028+	100% of DoD contracts with CMMC requirements.

Texas CMMC reality: Fewer than 500 DIB companies nationwide have achieved Level 2. C3PAO reporting indicates approximately a 50% pass rate on first C3PAO assessment. Sub-tier companies starting their assessment journey today face a Nov 2026 Phase 2 deadline that has already begun.

5B — DFARS 252.204-7012: 72-Hour Reporting Clock

72 hours. Not business hours. Hours.

Safeguard CDI/CUI per NIST SP 800-171. Identify CDI in your SSP.
Report cyber incidents within 72 hours to DC3 at dibnet.dc3.mil.
Flow down 7012 requirements to all subcontractors handling CUI.

The 72-hour clock runs continuously. Breach Friday afternoon → DC3 report due Monday morning. DFARS 252.204-7021 (CMMC clause) sits alongside 7012 — it is NOT a replacement. Both apply simultaneously.

5C — NIST 800-171 Rev 3 Transition

Rev 3 is coming. It will expand the control set.

Current: Rev 2 (110 controls). Rev 3: Draft version, expected final rule 2025–2026 — will expand control set beyond the current 110. CoreRecon Fortress and Command tier clients receive Rev 2 assessment plus preliminary Rev 3 gap analysis included at no additional billing.

5D — ITAR / EAR Export Control Overlap

ITAR violation through cyber breach: up to $1M per incident + criminal prosecution + debarment.

ITAR (22 CFR Parts 120–130): Controls export of USML defense articles/technical data. ITAR-controlled data in a DoD contract = CUI under NIST 800-171/CMMC. A CMMC assessment reviews ITAR data handling controls. ITAR violations through cyber breach also trigger State Dept DDTC notification.

Microsoft GCC High is the standard environment for ITAR + CMMC L2 compliance. DoD contractors handling ITAR data need GCC High, not standard commercial GCC.

5E — FCI vs. CUI: The Distinction That Costs Contracts

Every engineering drawing from Lockheed IS CUI.

FCI (Level 1): Government information not intended for public release. 15 controls, annual self-assessment only.

CUI (Level 2): Government information requiring safeguarding per law/regulation/policy. 110 controls, C3PAO assessment required.

Warning: Every engineering drawing from Lockheed, every technical spec from a prime, every SOW with program data IS CUI. If your contract has DFARS 252.204-7012, you are handling CUI. Level 1 is not an option for defense subcontractors.

Scenario	DoD Contract Exposure	FCA Exposure
No SPRS score	Ineligible to bid on CMMC contracts	N/A — no misrepresentation
Accurate but low score (45/110)	May lose bids; Level 2 required	No FCA — "honest score with POA&M" is the right path
Inflated score (claimed 95, actual 45)	Contract eligibility at risk if audit	FCA liability — treble damages + $10K+ per violation
C3PAO assessment failed	Cannot bid until passed	Not a false claim — failed assessment alone is not fraud
CEO signed CMMC affirmation with inaccurate score	Contract eligibility at risk	Personal FCA liability for executive who signed
Missed 72-hr DFARS report	Contract non-compliance, prime sanctions	DOJ Civil Cyber-Fraud enforcement target
False CMMC representations	Contract termination, debarment	DOJ criminal referral

The Aerojet Pattern: Brian Markus, former Aerojet senior cybersecurity director, filed qui tam in 2015 after internal warnings were ignored. DOJ alleged Aerojet certified DFARS 7012/NASA FAR cybersecurity compliance while knowing controls were not implemented. No breach required. Relator share: $2.61M (29% of $9M settlement). Anyone who knows about a compliance gap and does nothing is a potential FCA relator target.

Section 6 • SPRS Reality Check

SPRS scoring.
The gap most TX subs don't know they have.

Metric	Value	Source
SPRS score range	−203 to +110	DoD SPRS
Required for CMMC L2	+88 minimum (110 preferred)	32 CFR §170
Estimated unprepared sub score	−110 to −150	Celerium DIB Strategy 2024
Current DIB median	~+32	PTAC 2025; multiple compliance consultants
C3PAO pass rate (first attempt)	~50%	C3PAO reporting 2024–2025

The Gap You Need to Close

Current ~−110

↓ 198 points ↓

Target +88

Estimated 3–9 months to close: gap assessment (2mo) + implementation (3–4mo) + pre-assessment (2mo) + C3PAO (1mo)

Typical score breakdown by family:

Access Control

−20 to −30

System & Communications Protection

Sys & Comms Protection

−20 to −30

Configuration Management

Config Management

−15 to −20

Identification & Authentication

ID & Authentication

−15 to −20

System & Information Integrity

Sys & Info Integrity

−15 to −20

Audit & Accountability

−10 to −15

Incident Response

−10 to −15

Why scores are bad: SPRS scoring misunderstood (intending vs. having), CUI boundaries misdefined, POA&Ms untracked, SSP incomplete. "Started today, you're assessing by August, implementing through December, scheduling C3PAO for Q1 2027. The November 2026 Phase 2 deadline is in the rearview mirror for anyone not already in progress."

Run Your Free SPRS Score Calculation →

Section 7 • TX DIB Exposure

Why Texas defense subs
can't afford to wait

7A — Supply Chain Density

One Fort Worth audit directive cascades through 800+ subcontractors in 72 hours.

DFW Aerospace Corridor: F-35, F-16, V-22, C-130 subcontractors within ~100-mile radius. Primes are already requiring SPRS disclosure pre-award, flowing CMMC L2 flow-down to Tier 2/3, and conducting pre-award cybersecurity questionnaires. No SPRS score + no SSP = no job.

7B — F-35/F-16 Program Concentration

InterConnect Wiring: 1 of 5 companies worldwide contracted for F-16 wiring harnesses.

Cyber incident at any of the 5 = program-level impact. Lockheed SSLP (InterConnect joined 2025) = direct response to supply chain threat awareness. Program data (engineering drawings, mission data, config management records) = exactly what APT40 and VOLT TYPHOON target. A breach at a sub-tier F-16 wiring supplier = program data exfiltration.

7C — Prime Audit Cascade 2026

How a single DoD contract requirement becomes a supply chain deadline.

DoD issues Level 2 C3PAO contract requirement (Phase 2 starts Nov 2026)
Prime must verify sub-tier CMMC certification before award
Prime issues RFI/RFP requiring SPRS score + CMMC status
Subs without score or with expired score get excluded from award
Subs with inflated scores face FCA exposure if challenged by DOJ or whistleblower

NAVAIR solicitations already excluding contractors without current CMMC status. Raytheon already issuing L2 flow-down to sub-tier.

7D — In-State C3PAO Capacity

Fewer than 30 authorized C3PAOs nationally. Assessment slots booked 6–9 months out.

Texas sub starting CMMC L2 assessment process in Q3 2026 → earliest C3PAO slot Q1–Q2 2027 (after Nov 2026 Phase 2 enforcement date). The enforcement deadline has already passed for anyone who hasn't started. The queue is real and it's long.

Section 8 • Why CoreRecon

Built for DIB subcontractors
navigating CMMC Level 2.

Capability	Why It Matters to TX DIB Subs
SDVOSB Certified	Primes receive SDVOSB credit on subcontractor diversity scores (VSA score). CoreRecon clients help the prime's vendor sustainability assessment score — making you a more valuable subcontract.
C3PAO-Ready Methodology	Clients assessed against the same framework they'll face in official certification. Our assessment is not a checklist — it is the methodology C3PAOs use. No gap between "we passed the CoreRecon check" and "we passed the C3PAO."
30-Minute IR SLA	DFARS 7012 requires 72-hour incident reporting to DC3. Most subs don't discover incidents for days — by then the 72-hour window is gone. CoreRecon is on the phone in 30 minutes. We manage the DC3 report while you manage the incident.
SPRS Score Accuracy First	We don't help inflate scores. We help get an accurate score, build the POA&M, implement controls, and get to +88 with documentation that survives C3PAO assessment. "Honest score with a documented POA&M" is the legally defensible path.
Gap-to-POAM Workflow	/tools/sprs-calculator → /tools/cmmc-poam-generator: "I don't know my score" to "I have a prioritized, documented remediation roadmap" in under 60 minutes. C3PAOs want evidence-backed POA&Ms, not blank templates.

Section 9 • Next Steps

Where do you go from here?

Option 1 — Free SPRS Score Calculation

Run Your Free SPRS Score Calculation

Our calculator walks you through NIST 800-171 self-evaluation and produces a defensible SPRS score with a prioritized POA&M. "I don't know my score" → "I have documentation."

Run Your SPRS Score →

Option 2 — Generate CMMC POA&M

Turn Your Gap Assessment Into a Prioritized POA&M

110 controls across 14 NIST 800-171 families. Auto-populated DoD weakness descriptions, remediation steps, and resource estimates. Evidence-backed POA&Ms that C3PAOs accept.

Generate Your POA&M → See DIB hub

Option 3 — CMMC Readiness Quiz

3 Minutes. Are You at Risk of Missing the November 2026 Deadline?

Quick quiz across the 14 CMMC Level 2 control families. Get your readiness score and find out what you need to do before Phase 2 enforcement kicks in.

Take the CMMC Quiz → Full defense contractor assessment

Option 4 — Full Security Posture Assessment

Defense Contractor Assessment

Full cybersecurity posture assessment for DIB subcontractors. Includes SPRS scoring, CUI boundary scoping, written report for your prime's pre-award questionnaire.

Book Your Assessment →

Section 10 • Sources

32 citations.
Verifiable.

DOJ Aerojet Rocketdyne $9M Settlement (July 8, 2022): justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million
DOJ MORSECORP $4.6M Settlement (March 2025): justice.gov/opa/pr/morsecorp-4-6-million
DOJ Raytheon $8.4M Settlement (May 2025): Coalfire Federal reporting
DOJ Guidehouse/Nan McKay $11.3M Settlement (2023): justice.gov/opa/pr/consulting-companies-113m
CISA/Multi-Agency — Volt Typhoon Joint Advisory (CISA AA23-144A): cisa.gov/news-events/cybersecurity-advisories/aa23-144a
FBI Director Wray — Volt Typhoon Congressional Testimony (January 31, 2024)
MITRE ATT&CK — Volt Typhoon (G1017): attack.mitre.org/groups/G1017/
MITRE ATT&CK — APT40: malpedia.caad.fkie.fraunhofer.de/actor/apt40
Dragos — 2025 OT Threat Landscape / VOLTZITE, AZURITE, SYLVANITE: dragos.com/blog/oil-gas-cybersecurity-threats-2026
GAO Report GAO-23-106305 (2023): 90% of defense contractors had implementation gaps
DoD CMMC Program Office — 32 CFR Part 170: dodcio.defense.gov/CMMC/
DFARS 252.204-7012: acquisition.gov/dfars/252.204-7012
DFARS 252.204-7021: acquisition.gov/dfars/252.204-7021
NIST SP 800-171 Rev 2: csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
DoD SPRS: dibnet.dc3.mil
DoD Cyber Crime Center (DC3): dc3.mil
InterConnect Wiring — Lockheed Martin SSLP MOU (2025): interconnect-wiring.com
InterConnect Wiring About: interconnect-wiring.com
Lockheed Martin Fort Worth / F-35 production (Fort Worth-area defense concentration)
PreVeil — DFARS 7012 vs CMMC / Feb 2026 DFARS update: preveil.com/blog/dfars-252-204-7020
Coalfire Federal — CMMC Phase 1 Nov 10, 2025: coalfirefederal.com/resource/cmmc-phase-1
NR Labs — SPRS 101: nrlabs.com/blog-posts/sprs-101
NR Labs — Aerojet Rocketdyne CMMC Case: nrlabs.com/blog-posts/aerojet-rocketdyne-cmmc-case
Cybersheath — CMMC FCA Liability: cybersheath.com/resources/blog/cmmc-era
Celerium — DIB Cybersecurity Strategy 2024: celerium.com/intelligence
Malpedia — Volt Typhoon, APT40: malpedia.caad.fkie.fraunhofer.de/actor/volt_typhoon
Unit 42 — Volt Typhoon Threat Brief: unit42.paloaltonetworks.com/volt-typhoon-threat-brief/
FortiGuard — Volt Typhoon Threat Actor: fortiguard.com/threat-actor/5564/volt-typhoon
LayerLogix — Fort Worth CMMC 2.0: layerlogix.com/locations/fort-worth/cmmc-compliance
Extant Aerospace data breach (2024–2025): Maine AG disclosure; Claim Depot
Infostealer campaigns targeting defense contractor employees (2023–2024): Malware News / CySecurity News
Check Point — State of Ransomware Q1 2026

Related Resources

Texas DefenseContractor Threat Brief

Four messages for a defensecontractor CEO

Texas primes. TX sub-tier.Supply chain density map

10 DIB incidents.$34M+ in FCA penalties.

Five actors targetingTX DIB sub-tier

The compliance stack.DoD contract loss + FCA exposure.

SPRS scoring.The gap most TX subs don't know they have.

Why Texas defense subscan't afford to wait

Built for DIB subcontractorsnavigating CMMC Level 2.

Where do you go from here?

32 citations.Verifiable.

Texas Defense
Contractor Threat Brief

Four messages for a defense
contractor CEO

Texas primes. TX sub-tier.
Supply chain density map

10 DIB incidents.
$34M+ in FCA penalties.

Five actors targeting
TX DIB sub-tier

The compliance stack.
DoD contract loss + FCA exposure.

SPRS scoring.
The gap most TX subs don't know they have.

Why Texas defense subs
can't afford to wait

Built for DIB subcontractors
navigating CMMC Level 2.

32 citations.
Verifiable.