FN Herstal’s attainment of a high-level US cybersecurity certification highlights the increasing convergence between industrial capability and digital resilience. As defence supply chains become prime cyber targets, the achievement reflects both regulatory alignment and a broader shift in how security is defined across allied ecosystems.
The Belgian firearms manufacturer FN Herstal has obtained Cybersecurity Maturity Model Certification Level 2, a demanding standard required by the United States Department of Defense for companies handling sensitive but unclassified defence information. The certification places the company among a limited number of European firms able to meet stringent American cybersecurity expectations, reinforcing its position within the global defence supply chain.
The milestone follows a multi-year transformation effort across the FN Browning Group, aimed at strengthening governance, technological infrastructure and organisational awareness. The process points to how cybersecurity has become an operational requirement rather than a supporting function in defence manufacturing.
A demanding certification in a tightening regulatory landscape
The Cybersecurity Maturity Model Certification, known as CMMC, was introduced by the US Department of Defense to address vulnerabilities across its vast network of contractors and subcontractors. The model is structured in three levels, each corresponding to the sensitivity of data handled and the associated risk exposure.
Level 2, which FN Herstal has achieved, is designed for organisations managing Controlled Unclassified Information. This category includes technical documentation, engineering data and programme details that, while not classified, could pose a risk to national security if compromised. To meet this level, companies must implement 110 security controls derived from the NIST SP 800-171 framework.
The certification process is both rigorous and resource-intensive. It typically requires 12 to 18 months of sustained effort, involving technical upgrades, policy development and cultural change across the organisation. In FN Herstal’s case, the effort extended over approximately two and a half years and encompassed the entire group.

Beyond the technical requirements, the certification also reflects a broader regulatory shift. The US Department of Defense has been progressively integrating CMMC into its contracting framework, with full implementation expected by 2028. This evolution effectively makes cybersecurity compliance a prerequisite for participation in defence programmes, reshaping competitive dynamics across the sector.
FN Herstal and the evolution of defence manufacturing
Founded in 1889, FN Herstal has long been a key supplier of small arms and weapon systems to military and law enforcement agencies worldwide. As part of the FN Browning Group, the company operates across multiple markets, combining legacy manufacturing expertise with modern technological capabilities.
The transition towards enhanced cybersecurity reflects the changing nature of defence production. Manufacturing environments are increasingly interconnected, relying on digital systems for design, production and logistics. This connectivity introduces new vulnerabilities, particularly as adversaries target supply chains to gain indirect access to sensitive information.
In response, FN Herstal has invested in a comprehensive cybersecurity strategy. According to company information, this has included the deployment of advanced security tools, the reinforcement of internal policies and the implementation of large-scale employee awareness programmes. Such initiatives indicate a shift towards embedding cybersecurity within organisational culture, rather than treating it as a standalone function.
The achievement also underscores the importance of interoperability between allied defence ecosystems. By aligning with US cybersecurity standards, FN Herstal enhances its ability to participate in joint programmes and contracts. This alignment is particularly significant given the scale of the US defence market and its influence on global procurement practices.
Implications for the global defence supply chain
The certification highlights a broader trend affecting defence suppliers worldwide. As cyber threats become more sophisticated, governments are placing greater emphasis on securing not only their own systems but also those of their partners. Supply chain security has emerged as a critical concern, with attackers increasingly targeting smaller or less protected entities to gain access to larger networks.
CMMC Level 2 is specifically designed to address this challenge. It provides assurance that contractors can adequately protect sensitive information and maintain secure data flows across complex, multi-tiered supply chains. The requirement for third-party assessments further strengthens this assurance, introducing an additional layer of accountability.

For European defence companies, achieving such certification represents both an opportunity and a challenge. On one hand, it opens access to lucrative US contracts and reinforces credibility in international markets. On the other, it demands significant investment in cybersecurity capabilities, which may be particularly burdensome for smaller organisations.
FN Herstal’s success may therefore serve as a benchmark for others in the sector. It demonstrates that compliance is achievable, but also that it requires long-term commitment and strategic prioritisation. As more companies seek to align with CMMC requirements, the overall cybersecurity posture of the defence industry is likely to improve.
At the same time, the certification reflects the growing integration of cyber considerations into traditional security domains. The distinction between physical and digital security is increasingly blurred, with both aspects contributing to operational readiness and resilience.
The achievement by FN Herstal illustrates how defence and homeland security manufacturers are adapting to this new reality. By investing in cybersecurity and aligning with international standards, the company positions itself at the intersection of industrial capability and digital trust.
As global defence networks continue to evolve, such developments are expected to feature in industry discussions and exhibitions. Events such as Milipol Paris provide a platform for showcasing these advancements and fostering dialogue on the future of security technologies.
Image credits:
FN Herstal
Markus Spiske - Unsplash
Nasa - Unsplash
