What Small and Medium-Sized Manufacturers Need to Know About Implementing CMMC
As a small or medium-sized manufacturer, you may have recently received a memorandum or communication from a customer regarding compliance with the new Cybersecurity Maturity Model Certification (CMMC). Maybe you have received a contract or supplier survey that included language asking how you handle Controlled Unclassified Information (CUI), or whether your organization has implemented a process to become compliant with CMMC requirements.
Essentially, if your company works with the federal government, even as a subcontractor several tiers down in the supply chain, you likely fall under the CMMC purview. It establishes a set of cybersecurity requirements that companies must meet to handle Federal Contract Information (FCI) and/or CUI. Think of it as a verification of your commitment to data security, similar to other certifications you might hold.
Understanding CMMC and its implications is crucial for maintaining existing government contracts and competing for future ones. This article will look at what manufacturers need to know about CMMC 2.0, what it will take to achieve certification, and how to get started.
Understanding the CMMC Framework
The CMMC framework is designed to enhance the protection of sensitive information within businesses working with the Department of Defense (DoD). It was finalized in October 2024 and will be a requirement for all contractors and subcontractors working within the Defense Industrial Base (DIB).
It’s not clear how many DIB contractors are expected to need Level 2 CMMC certification. In 2022, the DoD estimated 80,000 contractors would need a third-party assessment to reach Level 2 compliance. Industry experts suggest the number could be significantly higher.
Businesses must determine the required certification level based on how they handle and process FCI and/or CUI. Organizations can get started by learning how they might fit into the three levels of CMMC 2.0:
● Level 1: Basic cyber hygiene that encompasses 17 practices for protecting FCI.
● Level 2: Intermediate cyber hygiene encompassing 110 practices and a third-party assessment for certification.
● Level 3: Expert cyber hygiene encompassing 130 practices and a third-party assessment for certification.
You can determine the required level for your business based on the contracts you pursue. The key factors in this evaluation include:
● Type of information handled: If you only handle FCI, Level 1 may be sufficient. If you handle CUI, you will need at least Level 2 (Intermediate).
● Contractual obligations: Carefully examine current and prospective contracts for specific CMMC requirements. If you are a subcontractor, communicate with your prime contractor to understand the CMMC level they require for your participation in the contract.
● Criticality of role: If your role in the DIB is less critical and you handle less sensitive CUI, Level 2 with a self-assessment might be sufficient.
Determine the Resources You Will Need for the CMMC Journey
CMMC implementation is a journey that will require a team effort. Top management is responsible for your system, but every facet of your business has functions within the CMMC ecosystem, so planning is critical. CMMC will have costs associated with implementation, such as physical or technological system upgrades, training, consultant fees, and certification audits.
The complexity of the CMMC framework can also be challenging for small businesses to navigate on their own, so you will need to determine the resources you need, both internal and external. According to a recently released report commissioned by the DoD, the majority of defense contractors do not have the people, processes, and technologies in place to meet the minimum CMMC requirements for doing business with the DoD.
While many manufacturers employ a Managed Service Provider (MSP) for their IT systems, they may need a Managed Security Service Provider (MSSP) to ensure systems are safe, secure, and compliant. You may also need cyber insurance.
Start With a Self-Analysis to Identify Gaps and Document Your SPRS Score
The first step in your CMMC journey is to conduct a self-assessment to understand your current cyber hygiene and identify gaps. The self-assessment will produce a Supplier Performance Risk System (SPRS) score ranging from minus-120 to 110. You will need to register your score in the SPRS database.
The score measures your current cybersecurity compliance with CMMC/NIST 800-171 controls, which serve as a guideline on how you control, protect, and handle sensitive information. Establishing an SPRS score is done through a self-assessment, but you might want to consider enlisting an external expert to help you get a more accurate score of the current state.
Many business leaders tend to think they are taking more cybersecurity precautions than the company really is, or the leaders may not be aware that some protocols are not being followed throughout the company.
Your local MEP Center has experts who can help you through this process.
Develop Your Plan to Implement, Monitor, and Certify
Cyber threats are always evolving, and changes to systems or how they operate can also introduce new risks. CMMC requires a Plan of Action and Milestones (POAM), a living document to manage and track all actions needed for compliance.
You will need to develop a System Security Plan (SSP). The SSP:
● Provides a system overview and its boundaries.
● Details security controls within your system.
● Defines roles and responsibilities for implementing, accessing, monitoring, and maintaining security controls.
● Contains information on the interactions and security between systems and how cyber incidents are handled within your business.
Another key area is prioritizing the controls you will need to implement. Whether you need compliance to Level 1 with 17 controls or Level 2 with 110 controls, some controls are less technical in nature and can be completed with internal resources. For example, CMMC controls include a section on Physical Protection, which includes how you limit physical access to CUI, secure your facility, maintain visitor logs, and control access to your facility.
The CMMC control requirements are too comprehensive and complex to cover here. Below are some key processes to plan and implement.
● Establish and publish all required policies and procedures.
● Train all your employees in cybersecurity best practices.
● Provide additional training for all employees who have contact with CUI.
● Implement technical protection controls.
● Monitor and measure your compliance, which includes conducting regular audits to ensure ongoing alignment with CMMC requirements.
● Obtain certification by a third-party assessor.
You may need to engage a CMMC Third-Party Assessor Organization (C3PAO) to conduct an audit in order to complete your official CMMC certification. CMMC has an official accreditation platform, CyberAB, that provides information regarding all qualified assessors.
Your Local MEP Center Has Experts to Help You Gain CMMC Certification
CMMC 2.0 is a critical cybersecurity standard for manufacturers working with the DIB. Achieving compliance can be costly and time consuming. Contact your local MEP Center to get started.
About the Author
Margo Barr-Kosier, Technical Specialist
Margo is a Technical Specialist at the Illinois Manufacturing Excellence Center (IMEC), which is part of the MEP National Network™. She specializes in Quality, Safety, and Operational compliance.