Cybersecurity Maturity Model Certification (CMMC): What Manufacturers Need to Know

In late 2020, the US Department of Defense (DoD) is transitioning contractors that handle Controlled Unclassified Information (CUI) to a new certification program, the Cybersecurity Maturity Model Certification (CMMC). Compliance is mandatory for manufacturers in the defense supply chain and requires an assessment by a CMMC Third-Party Assessment Organization (C3PAO).

The good news is that the new program makes you prove your security controls are actually implemented, rather than assumed to be, so that no gap goes unnoticed until an incident exposes it. But don't wait to get started. It is a long and involved process, and you should begin preparing your business for your assessment as soon as possible.

What is the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a new certification program for DoD contractors, including manufacturers, that handle CUI. It comprises several levels that gauge your business's cybersecurity hygiene from Basic to Advanced, and the level you must hold is specified by each contract.

Why is CMMC DoD compliance important?

Mandatory compliance

Under the previous regime, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 required contractors to implement NIST SP 800-171, but compliance was self-attested: your business was responsible for assessing and maintaining the required security controls with no outside verification. This resulted in a lot of confusion and poorly managed compliance. The new program requires third-party certification, and the consequence of noncompliance is being unable to work with the DoD as a contractor. You must hold the required certification before a contract can be awarded to you, so in practice you need it before you bid. This means it is vitally important to prepare well in advance for CMMC to avoid costly delays.

Increase in cybercrimes

Cybercrime has risen steadily for as long as the internet has existed, and 2019 set records for both the number of complaints (more than 467,000) and the reported losses (over $3.5 billion), according to the FBI's Internet Crime Complaint Center (IC3) 2019 Internet Crime Report. What's more, the 2020 COVID-19 crisis has only spurred cybercriminals on as they exploit the fear and uncertainty the pandemic has caused.

Controlled Unclassified Information (CUI) is information that is not classified but that a law, regulation, or government-wide policy requires be protected or handled in a controlled way; examples include technical drawings, specifications, and export-controlled data that flow through a manufacturer's systems. The US government cannot risk CUI falling into hostile hands. With the increase in cybercrime, coupled with many contractors' lack of compliance, the government determined the risks were too high to let companies continue to self-regulate.

Who needs to be certified and how does it apply to manufacturers?

Any manufacturer contracted by the DoD that handles CUI in any capacity is already required, by DFARS clause 252.204-7012, to implement the 110 security requirements of National Institute of Standards and Technology (NIST) Special Publication 800-171. So, if you have met that obligation, your business should already be well on its way to complying with at least the lower levels of CMMC.

DFARS defined a single standard, NIST SP 800-171, with no levels; CMMC has five, and its first three together cover the 110 NIST SP 800-171 requirements. This means that if your business is small and handles only Federal Contract Information rather than CUI, the lowest level of CMMC will look much like the basic safeguarding you already owe, and you may not need to meet many new requirements. If you handle CUI, you will need at least Level 3, which includes everything in NIST SP 800-171 plus additional practices, and if your contracts involve more sensitive work you may be required to meet the more stringent requirements of Levels 4 and 5, which go beyond anything DFARS previously asked of you.

CMMC levels

CMMC consists of five cumulative levels; each level includes every practice of the levels below it. Levels 1 and 2 contain fewer requirements than NIST SP 800-171/DFARS, while Level 3 encompasses all 110 NIST SP 800-171 requirements and adds practices of its own. Levels 4 and 5 are new and sit above the previous requirements.

The required level is not determined by the size of your business but by the contract: specifically, by the sensitivity of the information you will handle and the type of manufacturing work you are contracted to perform. The practice counts below are those published in CMMC model version 1.0:

Level 1: Basic Cyber Hygiene (17 practices, the basic safeguarding requirements for Federal Contract Information)

Level 2: Intermediate Cyber Hygiene (72 practices, a transition step toward protecting CUI)

Level 3: Good Cyber Hygiene (130 practices, including all 110 NIST SP 800-171 requirements)

Level 4: Proactive (156 practices)

Level 5: Advanced (171 practices)

CMMC timeline: When will compliance become a requirement?

Exact dates are not yet final, and the rollout of CMMC may slip. That said, as of September 2020, CMMC is planned to take effect this fall through an interim DFARS rule and to be phased into contracts over several years, which means you should begin the process as soon as possible. CMMC requirements will appear in Requests for Proposal starting in 2021 and already appear in Requests for Information.

CMMC news and updates can be found on the website of the CMMC Accreditation Body (CMMC-AB).

How to obtain the CMMC certification for your organization

CMMC certification is obtained through an assessment by an accredited CMMC Third-Party Assessment Organization (C3PAO). Unlike a NIST SP 800-171 self-assessment, CMMC does not let you certify with open items on a Plan of Action and Milestones (POA&M): every practice at your target level must be fully implemented and documented at the time of the assessment. Depending on your current cybersecurity posture, closing those gaps could take many months, so you need to begin preparing as soon as possible. We recommend manufacturers begin preparing at least six months in advance.

Registered Provider Organizations

To help contractors meet the new compliance obligations and raise the cybersecurity-hygiene bar, the CMMC-AB registers organizations to provide CMMC consulting and support. Known as Registered Provider Organizations (RPOs), they must be staffed by CMMC Registered Practitioners who have completed the CMMC-AB's training in the model and its assessment methodology. An RPO prepares you for the assessment but does not perform it; only a C3PAO can certify you. Partnering with an RPO can greatly simplify and accelerate your compliance, because they can identify your organization's gaps against the target level and the quickest ways to close them.

When you and your RPO are confident your business is ready, visit the CMMC Marketplace to find an accredited C3PAO. Schedule an assessment, and the C3PAO will evaluate your implementation of each practice at the level you are seeking. If your business meets every required practice, you will earn that level of CMMC certification and the ability to compete for DoD contracts that require it.

CMMC compliance with a COUPLE of GURUS

a COUPLE of GURUS is a CMMC Registered Provider Organization. As an RPO, we can prepare your organization to pass its CMMC assessment, whether you are pursuing Level 1 or Level 5.

As an excellent first step toward CMMC compliance, we recommend getting an S2Score. This free assessment measures your current ability to handle sensitive information and evaluates your risk of a security breach. Most importantly, it identifies where your cybersecurity is strong, where it is lacking, and how to improve. Learn more about the S2Score on our website.

a COUPLE of GURUS offers managed IT services that proactively care for your technology needs. We have over 18 years of experience helping businesses like yours with IT projects, cybersecurity and compliance, cloud services, and managed IT services.

Contact a COUPLE of GURUS with your questions about achieving CMMC compliance. We can clarify the new requirements and prepare your business for a CMMC assessment at any level.