CMMC Certification for Manufacturers

What is CMMC?
CMMC, or the Cybersecurity Maturity Model Certification, is the Department of Defense (DoD) standard for verifying that cybersecurity practices are actually implemented across the Defense Industrial Base (DIB). Its purpose is to ensure that Controlled Unclassified Information (CUI), and the Federal Contract Information (FCI) covered at the lowest level, is protected by the contractors that handle it.

CMMC applies to any organization that contracts with the DoD, including subcontractors that receive FCI or CUI. The program was introduced in 2020, and the DoD planned to phase the requirement into new contracts until every DoD contract carried a CMMC level by 2025.

What are the five CMMC levels of maturity?
The model described below is the original five-level CMMC 1.0 model. In November 2021 the DoD announced CMMC 2.0, which consolidates these into three levels, so check the current DoD program documentation before scoping an assessment. Under the five-level model, organizations are assessed at one of the following levels, each of which includes all practices of the levels below it:

  • Level 1: Basic Cyber Hygiene
    • This level is structured around protecting Federal Contract Information (FCI): information provided by or generated for the government under a contract that is not intended for public release.
    • These practices are foundational and are required for all higher CMMC levels.
    • This level includes 17 basic practices.
  • Level 2: Intermediate Cyber Hygiene
    • At this level, organizations must document the policies and procedures behind their practices, not merely perform them.
    • This level is a transitional step from Level 1 to Level 3.
    • This level adds 55 practices, for a total of 72.
  • Level 3: Good Cyber Hygiene
    • Certification at this level indicates that an organization has the capabilities needed to protect CUI and has implemented all 110 security requirements of NIST SP 800-171, the NIST standard for protecting CUI in nonfederal systems.
    • A Level 3 certification signifies that the organization maintains its security activities, policies, and procedures and demonstrates planning for how they are resourced and managed.
    • This level adds 58 practices, for a total of 130: the remaining NIST SP 800-171 requirements plus 20 practices drawn from other sources.
  • Level 4: Proactive
    • At this level, organizations have advanced practices that can defend CUI against advanced persistent threats (APTs), adversaries that run long-term, targeted campaigns against a specific organization.
    • Organizations at Level 4 must review and measure their cybersecurity activities for effectiveness and report problems to senior management.
    • This level adds 26 practices, for a total of 156; these go beyond NIST SP 800-171 into enhanced requirements such as those of the draft NIST SP 800-171B.
  • Level 5: Advanced/Progressive
    • Organizations at Level 5 are focused on protecting CUI from APTs through optimized cybersecurity capabilities.
    • Organizations at this level must continually improve and standardize their practices across their entire infrastructure.
    • This level adds 15 practices, bringing the total to 171.
Who assesses CMMC compliance?

CMMC compliance is assessed by CMMC Third Party Assessment Organizations (C3PAOs). Many organizations work with cybersecurity or CMMC consultants to prepare for their assessment with a C3PAO.

What is DFARS?
The Defense Federal Acquisition Regulation Supplement (DFARS) is the DoD's supplement to the Federal Acquisition Regulation (FAR), the rules that govern how federal agencies purchase goods and services. The clause that matters for cybersecurity is DFARS 252.204-7012, which requires contractors that store, process, or transmit CUI to implement the security requirements of NIST SP 800-171 and to report cyber incidents to the DoD.

Defense contractors must comply with the DFARS clauses in their contracts to do business with the DoD.

How Can an Organization Become DFARS Compliant?

Organizations must self-assess their implementation of NIST SP 800-171, submit the resulting score to the DoD through the Supplier Performance Risk System (SPRS), and keep that submission current as their environment changes. The self-assessment rests on the following:

  • A System Security Plan (SSP) describing how each NIST SP 800-171 requirement is implemented
  • A Plan of Action and Milestones (POAM) listing the requirements not yet met, with a date for closing each gap
  • A CUI Environment Management Team (CEMT)
How are DFARS and CMMC related?
Both DFARS and CMMC share the same goal: protecting CUI. DFARS made NIST SP 800-171 a contractual requirement verified by self-attestation; CMMC builds on that foundation by adding third-party verification, and the SSP and POAM developed for DFARS compliance are the core evidence used to advance through CMMC levels. Because the two are assessed differently, it is possible to be DFARS compliant without holding a CMMC certification, and vice versa.
What’s the Difference Between CMMC and NIST SP 800-171?
NIST SP 800-171 is the set of 110 security requirements for protecting CUI in nonfederal systems; it is a standard, not a certification. CMMC is the DoD's mechanism for verifying that those requirements are actually implemented: a third-party assessment against the practices of a given level, with all of NIST SP 800-171 incorporated at Level 3 of the five-level model.
Who Will Perform My CMMC Assessment?
CMMC assessments must be performed by an authorized and accredited C3PAO listed on the CMMC-AB marketplace. While IT consultants, Registered Practitioners and other parties can help you prepare for your CMMC assessment, only authorized and accredited C3PAOs can conduct the assessment itself.
How Often Does My Organization Need to Be Reassessed?
A CMMC certification is valid for three years, after which the organization must be reassessed.
What CMMC Level Is Required for a Contract?
The required CMMC level varies by contract and depends on whether the work involves only FCI or also CUI. The DoD states the required level in Requests for Information (RFIs) and Requests for Proposals (RFPs).
Can a Managed Service Provider (MSP) Help With CMMC Certification?
The short answer is yes. CMMC preparation is tedious and resource-intensive, and it can be costly if you lack in-house resources such as a compliance officer or full-time IT staff. Managed service providers familiar with CMMC and with IT in the manufacturing industry can provide strategic and reliable audit preparation. Working with an MSP can help ensure you submit a strong NIST SP 800-171 assessment score to the DoD, which helps you keep your current contract and positions your organization favorably for future ones.

Peters & Associates is well-versed in CMMC requirements, the manufacturing industry and cybersecurity best practices. We have achieved CompTIA Security Trustmark+ designation based on the NIST Cybersecurity Framework, and we were named a Pioneer 250 provider in CRN’s list of top 500 managed service providers and consultants for 2021.

Contact us today to learn more about our CMMC audit preparation services and how we can help your organization submit a strong risk score with the DoD.
