As a subcontractor in the Defense Industrial Base (DIB), you’ve undoubtedly heard about critical updates in the Cybersecurity Maturity Model Certification (CMMC), designed to safeguard sensitive federal information. Understanding and implementing these cybersecurity requirements may seem daunting, but the effort is worth it. In this guide, I’ll break down the key changes and help you navigate the path forward.
The revised framework, commonly referred to as “CMMC 2.0”, represents a significant shift in how the Department of Defense (DoD) ensures the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Understanding these changes is not just a matter of compliance for your business – it's essential for securing future contracts and maintaining your role within the DoD supply chain.
CMMC 2.0 streamlines the original CMMC model published in 2020, which is based on the security requirements in NIST SP 800-171 and SP 800-172. 2.0 simplifies requirements and focuses on the most critical cybersecurity standards and establishes three distinct maturity levels. This tiered approach aims to provide a clear pathway for manufacturers to achieve compliance, whether dealing with basic FCI or highly sensitive CUI. However, recent policy guidance indicates a strong emphasis on third-party assessments, particularly at Level 2, signaling a move away from reliance on self-assessments for many subcontractors.
This article aims to provide practical insights into CMMC 2.0, demystifying the requirements, and offering strategies for achieving compliance. We'll delve into the specifics of the CMMC levels, explore how these requirements impact manufacturing and production processes, and discuss how to leverage existing Quality Management Systems (QMS) to streamline your certification efforts. By understanding these updates and taking proactive steps, your manufacturing business can effectively meet the evolving cybersecurity demands of the DoD.
Understanding the 3 CMMC Levels and Requirements
The CMMC framework is designed to enhance the protection of CUI and FCI within the DoD supply chain. CMMC 2.0 is currently being implemented through rulemaking, which finalizes the specific timeline and full implementation details.
Manufacturers and other businesses must determine their required CMMC levels based on the types and sensitivity of information they work with. You can begin preparing by understanding the three levels of CMMC 2.0 and how your operations align with the relevant requirements. Each CMMC level corresponds to different types of covered data and a set of verification procedures:
Level 1: Basic cyber hygiene for protecting FCI that encompasses 15 requirements aligned with FAR 52.204-21.
Level 2: Intermediate cyber hygiene for protecting CUI that may require a third-party assessment for certification. It has 110 requirements aligned with NIST SP 800-171 r2.
Level 3: Advanced cyber hygiene for protecting CUI that will require a third-party assessment for certification, encompassing. It has 134 requirements (110 from NIST SP 800-171 r2 plus 24 from 800-172).
Your required level of CMMC certification will depend on the contracts you pursue. The key factors in this evaluation include:
Type of information handled: Level 1 may be sufficient if you only handle FCI. If you handle CUI, you will most likely need at least Level 2.
Contractual obligations: Carefully examine current and prospective contracts for specific cybersecurity requirements, most often in DFARS clause 252.204-7012. The DoD most likely will begin inserting CMMC requirements in contracts in the second half of 2025. If you are a subcontractor, communicate with your prime contractor to understand the CMMC level they require for your participation in upcoming contracts.
This is where it can be a little confusing because DoD contracts require one of four CMMC “statuses,” depending on many factors.
Level 1 allows certification via a self-assessment.
Level 2 (Self-Assessment) allows some manufacturers to certify via a self-assessment if they handle less sensitive CUI. Specifically, the CUI categories other than those in the Defense Organizational Index Grouping in the “CUI Registry”.
Level 2 (C3PAO) will require many manufacturers to achieve certification via a CMMC Third Party Assessor Organization (C3PAO).
Level 3 requires certification via the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Recent policy guidelines from the DoD suggest if you are working on DoD-related contracts or subcontracts, you should not count on Level 2 self-assessments being adequate. Don’t assume unnecessary risks with your future contracts, as the odds of avoiding third-party assessment are too high to gamble on. If your prime contractor needs Level 2 (C3PAO) status, you will too. We suggest you consult an expert for your CMMC compliance and certification strategies.
How CMMC Impacts Manufacturing and Production Processes
In many cases, CMMC will introduce additional layers of cybersecurity rigor into your production and overall operation to protect sensitive information. This can lead to process adjustments, technological upgrades, and increased administrative burdens. Let’s look at each.
Process adjustments
CMMC requires a higher level of precaution related to equipment, procedures, access, and reporting. This includes implementing role-based access control (RBAC) to segment CUI data, which could involve creating separate virtual LANs or physical networks. Only employees with specific security clearances and job roles would have access to that server through multi-factor authentication. Formal incident response plans are also required, shifting from informal fixes to documented reporting procedures. Before, if a computer was acting strangely, an employee would restart it. Now, the employee must fill out an incident report and notify the IT department, which has a documented process to follow to determine if a security incident has occurred.
Technological updates
CMMC technology upgrades vary based on your security posture and level. Common needs include: sophisticated endpoint protection (EDR, advanced malware detection), multi-factor authentication (MFA) for secure CUI access, and security information and event management (SIEM) systems to aggregate security logs. Ensure all new technology is properly configured and that employees are trained in its use.
Administrative Burdens
CUI tracking and documentation pose a significant challenge, especially for smaller companies. CMMC mandates detailed records of security policies, system configurations, incident responses, and employee training. This includes rigorous tracking of CUI, such as detailed logs for all software and firmware updates. For example, you might informally track software updates. Now, you must maintain detailed logs of all software and firmware updates, including dates, versions, and the personnel responsible for the updates.
Cost of CMMC Compliance for Manufacturers is a Worthy Investment
The cost of a CMMC initiative will vary greatly. It’s not unusual for a small manufacturer to make an initial investment of more than $150,000 with annual costs of about $100,000 for hardware, software, and labor. Although CMMC requires investment and adaptation, the resulting enhanced security is a valuable long-term asset for any company.
Three key factors drive the cost of a CMMC initiative: the scope of your implementation, cyber contract clauses, and the CMMC assessment. Scoping, in particular, demands careful attention.
But before you begin the scoping process, the first step is to establish a Supplier Performance Risk System (SPRS) score. You will need to register your score in the SPRS database. The score measures your current cybersecurity compliance with NIST SP 800-171 requirements, which serve as a guideline on how you control, protect, and handle sensitive information.
Consider Hiring an Expert to Establish a Cyber Baseline SPRS Score
You can establish an SPRS score through a self-assessment, but you might consider hiring an external expert to help you get a more accurate score of your current state. Many business leaders tend to think they are taking more cybersecurity precautions than the company really is, or the leaders may not be aware that some protocols are not being followed throughout the company. A proper assessment makes the entire certification more efficient.
The complexity of the CMMC framework can also be challenging for manufacturers to navigate on their own, so you will have to determine the resources you need, both internal and external. According to a recently released report commissioned by the DoD, most defense contractors do not have the people, processes, and technologies in place to meet the minimum CMMC requirements. To ensure systems are safe, secure, and compliant with CMMC, manufacturers may need to upgrade from a typical MSP to an MSSP and consider adding cyber insurance.
A key consideration is whether you must engage a C3PAO to conduct an audit to complete your official certification. CMMC has an official accreditation platform, CyberAB, that provides information regarding all qualified assessors.
Planning is critical to every facet of your business's business functions within the CMMC ecosystem. Implementing CMMC will involve costs, such as physical or technological system upgrades, training, consultant fees, and certification audits.
Subcontractors Anticipate Level 2 Compliance for CMMC
CMMC requirements are not limited to prime contractors; they extend throughout the entire DoD supply chain to all subcontractors who handle, store, or transmit FCI or CUI on their information systems. This means that if a subcontractor touches sensitive DoD data, they must adhere to the relevant CMMC level. Recent policy guidance strongly indicates that achieving Level 2 certification through a C3PAO will be the standard practice for subcontractors. Relying on self-assessments for Level 2 compliance is becoming increasingly unlikely for those in the subcontracting tier.
The DoD has explicitly emphasized that company size is irrelevant when determining CMMC applicability. As stated, “The size of the company with access to the CUI is not a basis for this determination. The value of information and impact of its loss does not diminish when the information moves to contractors of smaller size.”
This underscores the DoD's commitment to securing sensitive data regardless of the
entity handling it, making CMMC a critical requirement for all subcontractors within the defense industrial base.
Leveraging Quality Management Systems for CMMC Certification
One potential efficiency in achieving CMMC certification is that your quality manager may already be managing many areas, often in the same scope, to ensure quality, reliability, and safety to meet ISO 9001 and AS9100 requirements. This includes the flow-down of initial contractual requirements and change control for managing modifications and the evolution of requirements, designs, or implementations.
You often can leverage your quality management system (QMS) procedures to streamline CMMC certification by:
Adapting existing QMS documentation
Utilizing process control and risk management practices
Employing internal audits for pre-assessments
Strengthening information control. Your QMS scope aligns with your CMMC environment, particularly for CTI.
The same data that establishes the scope of your QMS also establishes the scope of your CMMC environment. For example, any engineering drawings, configuration documentation, or instructions that qualify as controlled technical information (CTI) will be subject to controls on their access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Resources to Navigate CMMC 2.0
As we've explored, CMMC 2.0 represents a crucial evolution in cybersecurity standards for the DIB, with a clear emphasis on third-party assessments, particularly at Level 2.
Proactive preparation and a strategic approach are key to successful compliance. To ensure your business is well-positioned for the 2025 updates and beyond, reach out for a consultation. A tailored CMMC compliance strategy can help you navigate these complex requirements and secure your place in the DoD supply chain.
CMMC Third-Party Assessor Organization (C3PAO) To complete your official CMMC certification, you may need to engage a C3PAO to conduct an audit. Visit CyberAB, the official accreditation platform, to find qualified assessors and up-to-date information.
Your Local MEP Center Can Help
The Manufacturing Extension Partnership (MEP) National Network is a public-private partnership that helps small and medium-sized manufacturers grow, make operational improvements, and reduce risk. MEP Centers have cybersecurity experts who can guide you through CMMC 2.0 requirements and connect you with trusted resources.
