Haven’t Started on CMMC? ‘You’re Late and It’s Coming.’

An Interview with Amit Chaudhary, Rolls-Royce vice president and head of Cyber Security for North America and Defense.

Suppliers not yet working on their Cybersecurity Maturity Model Certification (CMMC) compliance need to move fast.

“You’re late and it’s coming,” said Amit Chaudhary, Rolls-Royce vice president and head of Cyber Security for North America and Defense.

The long-anticipated Department of Defense (DoD) program was to take effect Dec. 16, and by mid-2025 suppliers can expect to see its requirements in DoD contracts.

As the clock ticks down, Chaudhary reminded Rolls-Royce suppliers working on DoD contracts to pay attention to the latest developments.

“It will be painful, but it's moving us in the right direction,” Chaudhary said. “And it’s not just about controlled unclassified information (CUI) and classified data. This is going to help all of us protect our intellectual property. Suppliers don't want to lose the edge that they have spent all of their time and money building and protecting.”

(The interview has been condensed.)

Q: If a supplier has not started on CMMC, what is a good first step?

A.C.: Explore the resources that DoD and other agencies provide. The DoD can even take care of some things small and mid-sized (SMM) companies do not have or cannot afford, such as monitoring for vulnerabilities. These are good resources to utilize. They include:
Also, be in touch with your primary contractor and start asking questions rather than thinking somebody will come to you. You have to be proactive; if you are not compliant, it's on you. And don't think you cannot be replaced if you are not compliant. You will be replaced because this is the DoD requirement.

Q: Does the DoD recognize how difficult this will be?

A.C.: DoD does understand. But on the flip side, this is not new. The DoD has been asking for this for more than five years. They had left it on contractors to do self-assessments but saw many false compliance reports and saw CUI being stolen nearly every day. Now, they're saying everybody needs an outside assessment. DoD, however, is phasing in CMMC over three years. Not everybody will need an outside assessment the first year.

Q: Will Rolls-Royce supplier reporting requirements change?

A.C.: It's an individual company's responsibility to report compliance to the DoD. And if they report that they're not compliant, they have to tell us, too. And, as a reminder, CMMC will be worldwide, not just a U.S. requirement. If a supplier working on a DoD contract has a subsidiary outside of the United States, that subsidiary needs to be CMMC-compliant.

Q: Could the arrival of a new U.S. government rescue procrastinators?

A.C.: There are a few folks in the industry saying that a new government might make changes. But I don't believe that it's going to be backtracked. The DoD has been pushing CMMC for nearly five years now, and they have spent a lot of money. I don't believe it's going away. It’s here to stay.

Watch for CMMC news on the Rolls-Royce Global Supplier Portal.