IN Brief:
- Tanium has achieved CMMC Level 2, aligning its platform to requirements for protecting Controlled Unclassified Information in defence supply chains.
- The timing matters: CMMC is being phased into contracting, pushing primes and suppliers to validate security controls, not self-assert them indefinitely.
- For manufacturers, compliance lands on the shop floor — where engineering data, test systems, and endpoints intersect with operational technology.
Tanium has achieved Cybersecurity Maturity Model Certification (CMMC) Level 2, a milestone aimed at supporting defence contractors and subcontractors that handle Controlled Unclassified Information across the Defense Industrial Base. The certification confirms the company has completed a third-party assessment validating implementation of required security controls at Level 2.
Chris Hallenbeck, chief information security officer at Tanium, said: “Achieving CMMC Level 2 demonstrates Tanium’s deep commitment to securing the confidentiality of government data used by organizations that support the nation’s defense mission.” He added: “Defense contractors need technology partners that meet the same high standards they themselves are required to maintain.”
CMMC is not a paperwork exercise; it is a contracting gate. The US Department of Defense has begun phased implementation of CMMC requirements, with early phases focused on Level 1 and Level 2 assessments and associated affirmations. The practical consequence is that primes are increasingly unwilling to carry suppliers that cannot demonstrate compliance, because the requirement flows down through subcontracting chains and service providers.
Tanium is positioning its platform in the space where compliance and operations collide: endpoint visibility, configuration enforcement, vulnerability remediation, and audit readiness across large device estates. The company also points to Tanium Cloud for US Government being authorised at the FedRAMP moderate impact level, an accreditation that matters for defence-adjacent deployments where cloud services and controlled data coexist.
CMMC Level 2 maps to environments that store, process, or transmit Controlled Unclassified Information, which in manufacturing terms includes technical data packages, work instructions, test procedures, and configuration baselines that can expose capability details if mishandled. Once certification becomes a bid condition, security controls are no longer an internal preference; they become an externally priced requirement that shapes supplier selection.
That shift is already changing how industrial programmes are structured. Larger contractors are tightening vendor onboarding, demanding clearer scoping of CUI environments, and pushing suppliers toward tools that can produce evidence — asset inventories, patch status, and control enforcement — at audit pace, not at annual-review pace.
Defence manufacturing is rarely, if ever, a clean IT estate. Programmes run across engineering workstations, lab rigs, test stands, and factory endpoints, often with legacy systems that cannot be patched like a modern laptop. The security task becomes segregation, monitoring, and controlled change — particularly where production networks interface with enterprise systems for scheduling, quality records, or digital twins.
Endpoint management platforms sit in the middle of that reality, but they have to be deployed without disrupting throughput. For manufacturers, the immediate pressure is operational: keeping devices compliant while maintaining uptime, and doing it across multiple sites and tiers of subcontractors. CMMC has made that a production problem in everything but name.
