Recently, Confidee attended the FAR/DFARS & CMMC event in Stockholm, hosted by SOFF (Säkerhets- och Försvarsföretagen) – a gathering where the Nordic defence industry explored what it truly takes to align with U.S. Department of Defense (DoD) requirements.
We joined experts and industry peers discussing how FAR, DFARS, and CMMC shape the future of international defence cooperation. From cybersecurity readiness to regulatory “flow-down” clauses, the message was clear: Compliance is no longer “self-assessment” – it’s third-party qualification and verification.
At Confidee, we ensure that the PCB supply chain complies with the specifications and frameworks our partners request, such as AS9120 (Quality Management Systems – Aerospace Requirements for Distributors), ISO 27001 (Information Security Management System, ISMS) and the requirements of the Swedish Inspectorate of Strategic Products (ISP), so that every step is prepared for tomorrow’s compliance demands.
The event brought together experts from both sides of the Atlantic, including legal advisors, prime contractors, and compliance professionals. We were humbled to be invited to present and to share our experience, knowledge and perspectives on how one can prepare for implementing the new U.S. DoD Cybersecurity Maturity Model Certification (CMMC) framework and certification program.
Making U.S. Regulations Understandable – and Actionable
Throughout the day, speakers unpacked the complexity of FAR (Federal Acquisition Regulation) and DFARS (Defense Federal Acquisition Regulation Supplement), highlighting how these frameworks extend far beyond U.S. borders through flow-down clauses.
Later sessions turned to CMMC (Cybersecurity Maturity Model Certification) – the evolving framework that will soon define who can (and who cannot) deliver to the U.S. DoD.
We presented our take on CMMC to explain how a structured compliance approach, with system integration, internal procedures, certifications and organizational structure can turn regulatory requirements into a genuine competitive advantage.
“Compliance isn’t just about passing audits.”
“It’s about building the trust and traceability the defence industry demands, whether the contract starts in Washington, Stockholm, or Oslo. And it’s about fostering a culture of compliance. Compliance in is compliance out,” says Communications Manager Guro Krossen.
Know-How Section: Understanding FAR and DFARS
FAR (Federal Acquisition Regulation) sets the general procurement rules for all U.S. federal agencies. It defines how contracts are bid, awarded, and executed – including mandatory ethics, data, and quality provisions.
DFARS (Defense Federal Acquisition Regulation Supplement) adds DoD-specific clauses – such as DFARS 252.204-7012, requiring contractors to safeguard Controlled Unclassified Information (CUI) and to implement the NIST SP 800-171 controls.
European subcontractors may also face FAR/DFARS obligations when participating in a defence supply chain connected to U.S. programs.
Key takeaways:
- Review all contract clauses for potential flow-downs.
- Conduct gap analyses to compare current practices with DFARS cybersecurity mandates.
- Maintain strong documentation and audit trails to demonstrate ongoing compliance.
Know-How Section: CMMC – Cybersecurity Becomes Qualification
CMMC (Cybersecurity Maturity Model Certification) formalises how the DoD verifies contractors’ cybersecurity readiness. It defines three levels of maturity, from basic hygiene to advanced, proactive security.
For many companies in the defence supply chain, Level 2 or 3 will be required to qualify for defence contracts. Certification to these levels is granted by accredited C3PAOs (CMMC Third-Party Assessment Organizations) following an external assessment.
Where to start?
- Define your scope – determine which systems and processes handle CUI.
- Map existing certifications such as ISO 27001 or NIST 800-171 to CMMC controls.
- Perform a readiness assessment and create a clear, risk-based roadmap.
- Document and institutionalise cybersecurity practices – not just implement them.
- Plan for maintenance and recertification – CMMC is an ongoing commitment.
- Put compliance on the map and build a culture that fosters it; this is not done in a matter of weeks.
From regulations to relationships
For Confidee, participating and contributing at events like this is about more than sharing compliance expertise. It’s about building bridges between actors in the supply chain, connecting, and sharing experience.
The discussions in Stockholm reaffirmed that the level of knowledge and readiness for these requirements varies. You might think that they only apply to products ordered by the U.S. DoD, and that you don’t sell to the U.S. You might not be at that stage today, but who knows who will purchase your products in the future?
“The companies that embrace compliance early are the ones likely to win future contracts,” says Vidar Olsen, CEO of Confidee.
“CMMC, FAR, and DFARS are not barriers – they are quality frameworks that reward those who can prove control and accountability.”
If your company is preparing for U.S. DoD contracts, is a sub-supplier to the US or needs to understand how FAR, DFARS, or CMMC affect your PCB supply chain, we’re here to help. Feel free to reach out.
