The Great Heist and the “Self-Attestation Gap”: Why CMMC Isn’t Random Bureaucracy
- Jan 21
David R. Shedd didn’t come to the conversation as a commentator. He came as a former Deputy Director and Acting Director of the Defense Intelligence Agency, someone who spent a career watching adversaries play the long game.

In a recent virtual discussion with CSIS’s Dr. Seth G. Jones, Shedd walked through the core argument of his new book, The Great Heist: China’s Epic Campaign to Steal America’s Secrets: over the last few decades, China has executed a structured campaign to extract American (and Western) intellectual property, technology, and data at scale, not as a side hustle, but as a national strategy.
The takeaway wasn’t subtle: there’s a plan, and they’re working it.
So what does a national-security book about Chinese espionage have to do with CMMC?
More than you might think — and it doesn’t require a forced leap.
The Heist Isn’t Just Blueprints. It’s Data — and Leverage.
Shedd makes the point that the theft story isn’t confined to “designs and plans.” It includes massive data theft: personnel files, credit data, health records — information that can be exploited for targeting, coercion, identity fraud, pattern-of-life analysis, and, increasingly, AI-driven advantage.
That matters because modern espionage doesn’t always look like a dramatic “break-in.” Sometimes it looks like:
- recruiting insiders,
- compromising vendors,
- embedding into infrastructure,
- and slowly extracting what’s valuable over time.
That’s where defense contractors live: in the real world of networks, partners, subcontractors, SaaS tools, and shared environments.
The Supply Chain Is the Battlefield
A key theme in the conversation is that China’s intelligence apparatus is designed to operate at scale with a “whole-of-society” posture, and without the legal constraints that apply in the U.S.
Whether you agree with every framing choice in the book or not, the practical implication for the Defense Industrial Base is hard to dispute:
If a prime contractor is hardened but its subs are not, the mission data is still exposed.
Attackers don’t need to break the front door. They look for the side entrance with the broken lock.
That’s the logic behind treating cybersecurity as a supply-chain requirement instead of a company-by-company preference.
NIST 800-171 Is the Baseline. CMMC Is the Proof.
For years, DoD contractors have been required to implement NIST SP 800-171 to protect Controlled Unclassified Information (CUI). The problem hasn’t been the concept of the controls. The problem has been the gap between:
“We comply” and “We can demonstrate compliance with evidence.”
This is the “self-attestation gap.”
Self-attestation isn’t inherently dishonest — but it’s structurally fragile:
- optimism creeps into scoring,
- policies exist without technical enforcement,
- documentation exists without operational reality,
- and leadership signs affirmations based on incomplete visibility.
CMMC is DoD adding a verification layer so “trust” is not the control.
Not perfect. Not painless. But rational in a threat environment where long-term espionage thrives on inconsistent implementation across thousands of suppliers.
The Practical CMMC Path: Start with NIST, Fix Scope, Then Certify
A reasonable case for CMMC isn’t “CMMC stops espionage.”
That’s a marketing claim, not a strategy.
A reasonable case is this:
In the context of threats like those described in The Great Heist (systemic IP theft via supply-chain vulnerabilities), CMMC strengthens NIST SP 800-171 by reducing the self-attestation gap and raising the overall security floor across the DIB.
If you’re a DoD contractor, the most defensible path looks like:
1) Implement NIST SP 800-171 the way an assessor will evaluate it
That means:
- controls are implemented,
- evidence exists,
- processes are repeatable,
- and exceptions are tracked and justified.
2) Scope correctly (or you’ll build the wrong “secure bubble”)
A recurring real-world failure is protecting an environment that doesn’t actually contain the CUI it was designed to protect.
That “empty enclave” outcome is expensive and dangerous:
- expensive because you paid for controls in the wrong place,
- dangerous because your CUI is still living outside the boundary.
3) Pursue the appropriate CMMC level for certification
Many organizations that have implemented NIST 800-171 with real evidence discover they’re already most of the way there.
CMMC doesn’t replace NIST; it pressures the ecosystem to implement NIST in a way that holds up under scrutiny.
Why This Matters to Leadership
One of the best lines in the discussion is the implicit boardroom tension: security competes with quarterly earnings until the breach (or investigation) makes the decision for you.
And espionage doesn’t announce itself. It compounds quietly, until you discover your advantage (or your customer’s trust) is gone.
CMMC is not a guarantee. But it is a rational attempt to reduce a predictable failure mode: inconsistent, uneven security across a supply chain that adversaries are actively targeting.
The Bottom Line
The Great Heist is a reminder that economic and defense theft at scale isn’t random; it’s strategic.
CMMC is DoD responding to that reality by adding verification to an existing baseline (NIST 800-171), so supply-chain security becomes measurable instead of assumed.
If you’re in the DIB, the question isn’t whether espionage is happening.
It’s whether you’re making it easy.