Cybersecurity Maturity Model Certification

Understanding the Cybersecurity Maturity Model Certification (CMMC)

What is CMMC?

Those responsible for IT and information security in the manufacturing industry are confronted with an ever-increasing number of applications to manage; the typical large enterprise has over 3,400 applications. With all those connected technologies come greater risks and vulnerabilities.

The Cybersecurity Maturity Model Certification (CMMC) is a new standard being developed by the Department of Defense to ensure that manufacturers in the Defense Industrial Base (DIB) have adequate cybersecurity measures in place to address those risks. The rules are still being finalized, but once approved, the CMMC will be required for all defense contractors and their subcontractors.

CMMC has two (2) key features:

  • Tiered Model: CMMC requires that companies entrusted with government information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The more information you are trusted with, the more security verifications you are required to provide.
  • Assessment Requirement: As part of obtaining the certification, a third party must conduct an independent assessment of the manufacturer’s cybersecurity readiness. CMMC requires that companies be assessed by Certified Third Party Assessment Organizations, accredited by the CMMC Accreditation Board, to verify the implementation of the cybersecurity requirements set by the standard. This process takes time to complete, so it is recommended that you start assessments even before the final standards have been released.

To Whom Does CMMC Apply?

CMMC applies to any company of any size that wishes to secure and work on defense contracts. It will be required throughout the DIB. Even small businesses that do not work directly with the DoD but that may provide a product or service to DoD contract(s) will need to comply with CMMC. An easy way to tell whether CMMC applies to an organization is whether it receives any income for a defense-related contract, whether as a prime contractor or as a subcontractor at any “level” of the supply chain. As such, it is imperative for companies to read their contracts carefully to understand if and how they play a role in the whole defense supply chain.

When Does CMMC go into effect?

The CMMC rules are currently in development and are expected to be finalized in May 2023. Once the rules are finalized, they will go into effect for all federal contractors who work with controlled unclassified information (CUI). The DoD is requiring all of its contractors to be CMMC certified by 2026, but for some, the rules will take effect as soon as 2024. The CMMC rules are a significant change for federal contractors, and it is important to start planning for compliance now! Preparing for CMMC can take anywhere from 10 – 18 months even for the most sophisticated organizations. The Cybersecurity Team at Clark Schaefer Consulting is ready to help you wherever you are in your process. Don’t wait until it is too late!

Why does CMMC matter?

It is estimated that cybercrime drains over $600 billion annually from the global Gross Domestic Product (GDP). While the threat landscape continues to grow at an exponential rate as the years go by, security is trying, unsuccessfully, to keep up. As such, companies (regardless of whether or not they work with the DoD) are encouraged to employ good cybersecurity practices along with a “defense-in-depth” strategy. CMMC was created with such a goal in mind.

What if an organization does not work with the government?

Not working with the government does not necessarily mean that an organization does not need CMMC compliance. The basic principles of CMMC compliance relate to proactive and consistent security best practices. It is speculated that, in the next few years, CMMC will become the cybersecurity standard for various industries (with the most pressing one today being cybersecurity insurance). As such, every organization must strive for, or should at least be thinking about, achieving CMMC compliance, if only for its own peace of mind.

Helpful Links from the Department of Defense

Request a Consultation

The team of experts at Clark Schaefer Consulting is here to help you stay on top of all the latest CMMC developments.