The small defense contractor manufacturing precision components in a converted warehouse outside Raleigh has one thing in common with Lockheed Martin: they both touch controlled unclassified information that the People's Republic of China wants. The difference is that Lockheed has a security operations center. The small manufacturer has a firewall they haven't logged into since 2019.
This is the gap that Chinese cyber operations have systematically exploited for two decades. Not through novel zero-days or sophisticated malware — through patience, persistence, and the reliable availability of soft targets in the defense supply chain. CMMC Level 2 is a necessary response to this reality. It is not a sufficient one.
What follows is a map of the attack surface CMMC does not address. It has five layers. They are mutually reinforcing. And they go all the way down.
PSYCHE
The Innermost Target
When the pandemic hit, Americans didn't panic about hospitals first. They panicked about toilet paper. Within 48 hours of the first lockdown announcements, shelves were empty from Raleigh to Redding — not because supply chains had actually failed, but because enough people believed they might. The attack wasn't on the supply chain. It was on the psychology of the supply chain. And it worked perfectly.
Down the street from where you're reading this, there's probably a boba tea shop. It opened quietly, priced accessibly, and became a neighborhood fixture before anyone thought much about it. The drink originated in Taiwan. The aesthetic arrived pre-stripped of that inconvenient geography, packaged as vaguely Asian, universally appealing, politically inert. The shop is probably fine. The pattern it represents is not.
In September 2024, TikTok taught Americans to commit bank fraud. The infinite money glitch — deposit a fake check, withdraw cash before it clears, film yourself doing it, post it as a life hack — spread across the platform like gospel. Nobody breached Chase's firewall. Nobody wrote malware. Nobody got on a plane. The vulnerability wasn't in the code. It was in a population that had been quietly taught to distrust its institutions, and an algorithm owned by a Chinese company that knew exactly which users to show it to. The people who participated got felony charges. TikTok got the data. ByteDance got the behavioral profile. Nobody on that side of the Pacific faced consequences.
The most sophisticated cyber operation of 2024 required no code. It required an algorithm, a camera, and a population that had been methodically prepared to receive it.
This is Layer 5. The psyche layer. The innermost ring of the target. Every layer of the attack stack described in this document exists to reach this one. The router in your wall, the crane at the port, the drone above your factory floor — they are all, ultimately, in service of this: the ability to reach inside the mind of an adversary population and pull a lever at a moment of strategic choosing.
Welcome to the Internet of Psyche. You've been connected for years. Nobody asked your permission.
CULTURE
The Aesthetic of Harmlessness
The memecoins arrived wearing animal faces. DOGE, SHIB, PEPE, BONK, and hundreds of iterations before and after — pump cycles driven by manufactured virality, coordinated retail participation, and influencer amplification that always seemed to find its biggest audiences in Western retail investing communities. Someone is on the other side of those trades. The meme is the exploit. Manufactured virality creates the vulnerability, retail participation is the execution, wealth transfer is the payload.
Shein generates roughly $30 billion in annual revenue, most of it from Western consumers who experience the platform as a dopamine machine. New styles appear faster than cognition can process them. Users don't respond to it rationally — they respond to it emotionally. The dopamine of novelty, the anxiety of missing out, the identity construction of personal style. Shein doesn't sell clothes. It sells a behavioral loop. What it harvests is attention, purchasing pattern data, body measurement data, and the demonstrated proof that American consumers will trade privacy for the feeling of abundance.
The cultural layer is the layer that makes Layer 5 possible. You cannot manipulate the psyche of a population that doesn't trust you. Culture builds trust before politics arrives. The boba tea shop opens. The meme spreads. The app downloads. The router installs. By the time the technical layers become relevant, the cultural work is already done.
The most dangerous sentence in national security is: I've seen that brand before. It must be fine.
Security professionals call this the unintentional insider threat — not a malicious actor, but a workforce whose judgment about foreign platforms has been normalized by years of cultural exposure. The DoD Insider Threat program monitors for anomalous behavior. It was not designed to detect the absence of suspicion. A population that genuinely doesn't believe it's being exploited generates no alerts.
APPLICATION
The Camera Has Been On This Whole Time
Pull out your phone. Not metaphorically. Actually do it. Look at your installed apps. Now ask yourself, for each one — who owns the server that receives its data? Where is that server? Under whose legal jurisdiction? Subject to whose national security laws?
You probably don't know. Nobody does. That's not an accident.
TikTok has 170 million American users. That's more than half the country. Each one has granted it access to their camera, microphone, location, clipboard, contact list, and behavioral pattern data. Over time the app builds a model of you — your political anxieties, your financial situation, your relationship status, your physical location patterns, your emotional triggers, the exact frame at which you stop scrolling. That model is more accurate than anything your therapist knows about you. It updates in real time. It never forgets. And it lives on servers subject to the Chinese National Intelligence Law of 2017, which requires any Chinese company to cooperate with state intelligence operations upon request, without the ability to disclose that cooperation publicly.
ByteDance doesn't have to want to spy on you. It doesn't matter what ByteDance wants. The law already decided.
CMMC Level 2 will verify your network segmentation, your access controls, your incident response plan. It will not ask which apps are installed on the phones that enter your facility, under whose legal jurisdiction their cloud infrastructure operates, or where their data goes at 3am.
A Chinese-manufactured camera can be fully CMMC compliant and still be watching everything. The compliance framework was not designed to prevent it. That gap is not an oversight. It is the next thing that needs to be addressed.
DEVICE
The Things That Are Already There
In 2023 the United States Navy discovered something unusual inside the Chinese-manufactured cranes operating at American ports. Not malware. Not a software vulnerability. Not a phishing email or a compromised credential or any of the things the cybersecurity industry has built a trillion-dollar apparatus to detect.
Cellular modems. Physical radio transmitters, installed in the crane control systems, with no documented purpose, no entry in any maintenance manual, no explanation from the manufacturer. Just radios. Quietly present. Capable of transmitting data to wherever a cellular signal reaches — which is to say, anywhere.
ZPMC — Shanghai Zhenhua Heavy Industries — manufactures approximately 80% of the ship-to-shore cranes operating at American ports. The cranes that unload the container ships. The cranes that handle the cargo. The cranes that sit at the physical chokepoint between global supply chains and American soil. Eighty percent of them were built by a Chinese state-owned company and delivered with undocumented radios inside their control systems.
The question of whether a vulnerability was intentional or accidental becomes somewhat harder to sustain when the vulnerability is a physical radio transmitter that somebody had to order, manufacture, install, and wire into a power supply. Accidents don't usually require soldering.
DJI manufactures approximately 70% of the consumer and commercial drone market globally. Their drones fly over American military installations, industrial facilities, pipeline infrastructure, and agricultural operations daily. The Defense Department banned DJI equipment for internal use in 2017. The ban applies to the US military. It does not apply to the defense contractor's facilities manager who bought a DJI Mavic to inspect the roof of the building where classified work happens. The drone sees what it sees regardless of who owns the building underneath it.
TP-Link manufactures approximately 65% of the routers sold in the American small business and consumer market. In 2024 the Justice Department, Commerce Department, and Defense Department all opened investigations into TP-Link over national security concerns. Microsoft identified TP-Link firmware as a vector for a Chinese state-sponsored hacking group called Volt Typhoon.
The router in your office probably isn't a TP-Link. But the one in the office next door might be. And the one in the small accounting firm that handles your payroll. And the one in the telecom provider that routes your internet connection before it ever reaches your building.
Your factory floor almost certainly contains Chinese-manufactured IoT devices. Sensors, cameras, environmental monitors, HVAC controllers, production line instrumentation. Most of them arrived as part of equipment packages from vendors who never thought to ask who made the embedded components. Most of them have default credentials that were never changed. Most of them phone home to cloud infrastructure on servers you've never audited in jurisdictions you've never considered. Most of them have been there long enough that nobody remembers installing them.
That's not a vulnerability. That's tenancy. And tenants who've been in the building long enough start to feel like they belong there.
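The practical starting point for the device layer is an inventory of where the embedded equipment actually talks. The script below is an added example, not code from this page or from Standalone Network Defense: it reads constructed firewall-style egress log lines, treats a placeholder range (10.30.0.0/16) as the plant's IoT/OT subnet, and reports two things a reviewer wants to see before anyone debates intent: OT devices reaching external destinations that are not on a reviewed allowlist, and devices contacting the same external host at a near-fixed interval (a phone-home pattern). The subnet, the allowlist entry, the hostnames and the addresses are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed egress log lines in a generic firewall key=value style.
# Addresses, hostnames and timestamps are made up for this example.
SAMPLE_LOGS = """\
2025-03-04T02:58:01Z src=10.30.1.21 dst=203.0.113.10 dport=443 proto=tcp host=telemetry.example-hvac.test
2025-03-04T03:00:01Z src=10.30.1.21 dst=203.0.113.10 dport=443 proto=tcp host=telemetry.example-hvac.test
2025-03-04T03:02:01Z src=10.30.1.21 dst=203.0.113.10 dport=443 proto=tcp host=telemetry.example-hvac.test
2025-03-04T03:00:05Z src=10.30.1.44 dst=198.51.100.7 dport=8883 proto=tcp host=mqtt.example-cam.test
2025-03-04T03:00:09Z src=10.30.1.44 dst=10.30.1.1 dport=53 proto=udp host=-
2025-03-04T03:00:10Z src=10.10.5.8 dst=198.51.100.50 dport=443 proto=tcp host=updates.example-vendor.test
"""

# Assumption: the plant's sensors, cameras and controllers live in 10.30.0.0/16.
OT_SUBNETS = [ipaddress.ip_network("10.30.0.0/16")]

# RFC 1918 ranges; traffic staying inside these is not egress for our purposes.
# (Checked explicitly rather than via ip_address.is_private, which also
# classifies the documentation ranges used in the sample as private.)
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: destinations whose operator, jurisdiction and purpose have been
# reviewed and written down. Anything else an OT device reaches is unreviewed.
APPROVED_OT_DESTINATIONS = {"telemetry.example-hvac.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) host=(?P<host>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_logs(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def in_ot_subnet(addr):
    return any(addr in net for net in OT_SUBNETS)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def unapproved_ot_egress(records):
    """OT devices talking to external destinations not on the reviewed list."""
    seen, findings = set(), []
    for r in records:
        if not in_ot_subnet(r["src"]) or is_internal(r["dst"]):
            continue
        if r["host"] in APPROVED_OT_DESTINATIONS:
            continue
        key = (str(r["src"]), r["host"], str(r["dst"]))
        if key not in seen:
            seen.add(key)
            findings.append(key)
    return findings


def ot_beacons(records, min_events=3, jitter_seconds=5.0):
    """OT devices contacting one external host at a near-fixed interval.

    Returns {(src, host): mean interval in seconds} for pairs with at least
    min_events connections whose gaps vary by no more than jitter_seconds.
    """
    by_pair = defaultdict(list)
    for r in records:
        if in_ot_subnet(r["src"]) and not is_internal(r["dst"]):
            by_pair[(str(r["src"]), r["host"])].append(r["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(deltas) - min(deltas) <= jitter_seconds:
            beacons[pair] = sum(deltas) / len(deltas)
    return beacons


def review(text):
    """Run both checks over raw log text and return the findings together."""
    records = parse_logs(text)
    return {"unapproved": unapproved_ot_egress(records), "beacons": ot_beacons(records)}


if __name__ == "__main__":
    result = review(SAMPLE_LOGS)
    for src, host, dst in result["unapproved"]:
        print(f"UNREVIEWED EGRESS  {src} -> {host} ({dst})")
    for (src, host), interval in result["beacons"].items():
        print(f"PERIODIC PHONE-HOME {src} -> {host} every {interval:.0f}s")
```

On the constructed sample the camera at 10.30.1.44 is flagged for reaching an MQTT broker nobody has reviewed, and the HVAC controller at 10.30.1.21 shows up as a two-minute phone-home even though its destination is on the approved list; both findings are what the reviewer then takes to the vendor or the network team. The approved list deserves the same scrutiny as the unapproved traffic: the question is not whether a destination looks familiar, but whether someone has actually documented who operates it and under which law.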
NETWORK
The Walls Were Already Built
In 2009, Vodafone discovered backdoors in Huawei equipment running the fixed-line network infrastructure serving millions of Italian homes and businesses. They asked Huawei to remove them. Huawei provided assurances. Further testing revealed the backdoors were still there. This was fifteen years ago.
In the years that followed, Huawei became the dominant supplier of telecommunications infrastructure across the developing world, across rural America, and across the backbone of what would become 5G networks globally. They did it the same way Chinese manufacturers cornered gallium and solar panels and rare earth processing — by being cheaper than the competition by a margin that no Western company could match without losing money, sustained over a period long enough to drive alternatives out of the market. The price was subsidized. The market share was strategic. The equipment is still in the walls.
In 2019 the United States FCC designated Huawei as a national security threat and banned the use of FCC funds to purchase their equipment. In 2020 Congress passed the Secure and Trusted Communications Networks Act, allocating $1.9 billion to rip out and replace Huawei and ZTE equipment from American networks — specifically targeting small and rural carriers who had built their entire infrastructure on subsidized Chinese hardware.
The rip-and-replace program ran out of money.
Congress allocated $1.9 billion. The FCC estimated the actual cost of removal at $4.98 billion. The gap — $3.08 billion — remains unfunded. As of 2025, hundreds of small American carriers, many of them serving rural communities in states like North Carolina, still have Huawei equipment operating in their networks. Not because they want it there. Because the money to remove it never arrived.
The adversary's infrastructure investment paid off twice. Once when the equipment was installed and began its intelligence function. And again when the cost of removal exceeded American political will to complete it. That is patient strategy. That is the long game made physical.
The network layer is cold and slow and almost invisible. It routes packets. It does exactly what telecommunications equipment is supposed to do, reliably, cheaply, without incident — right up until the moment that changes. The strategists who installed this layer are not in a hurry.
CMMC secures the door. Nobody checked who built the walls.
THE MANUFACTURER IN THE MIDDLE
Every layer of this architecture was built to reach the operations manager at the precision machining shop. The facilities admin who segmented the forklifts onto their own VLAN and then forgot about them. The owner who bought a DJI drone to inspect the roof and thought nothing of it. The engineer whose teenager has TikTok on the family iPad that occasionally comes to work.
These are not negligent people. They are normal people operating in an environment that was deliberately designed to make the threat invisible. The cultural layer made the devices feel familiar. The application layer made the data collection feel like convenience. The device layer made the hardware feel like cost savings. The network layer made the infrastructure feel like someone else's problem. The psyche layer made the whole thing feel like paranoia when someone finally pointed it out.
CMMC Level 2 addresses the technical hygiene that an organization can control directly — access controls, incident response, configuration management, audit logging. It is necessary. It is genuinely useful. It will meaningfully reduce the attack surface for commodity threats and opportunistic actors.
It does not address a patient adversary who has spent twenty years pre-positioning across all five layers simultaneously. It cannot name the adversary by design — it's a compliance framework, not an intelligence product. The threat intelligence CMMC implies but cannot say is what this document attempts to make explicit.
The layers are mutually reinforcing in defense too. You can't just fix the network layer and declare victory. You need visibility into what's happening, detection capability for what compliance doesn't cover, and an analyst who understands which adversary is actually targeting your specific sector and why.
Most security consultants see one or two layers. Network and endpoint. Maybe application if they're current. The cultural and psychological layers are almost never part of a security engagement — they feel like someone else's problem, too soft, too speculative, too far outside the NIST control families.
They are not someone else's problem. They are the attack surface your adversary has been investing in for longer than most of your employees have been in the workforce.
The small manufacturer outside Raleigh with the 2019 firewall is not a negligent actor. They are a soft target in the middle of a stack that goes all the way down. CMMC will help them harden the door. What they need alongside it is someone who can see the walls.
// Standalone Network Defense LLC · Raleigh, NC · standalonedefense.com