Close this search box.
Home / CMMC

Cybersecurity Maturity Model Certification

Understanding the Cybersecurity Maturity Model Certification (CMMC)

What is CMMC?

Those responsible for IT and information security in the manufacturing industry are confronted with an ever-increasing number of applications to manage — the typical large enterprise has over 3,400 applications. With all those connected technologies comes greater risks and vulnerabilities. 

The Cybersecurity Maturity Model Certification (CMMC) is the new standard developed by the Department of Defense to ensure that manufacturers in the Defense Industrial Base (DIB) have adequate cybersecurity measures in place to address those risks.  

CMMC has two (2) key features a tiered model and an assessment requirement. 

Tiered Model  

CMMC requires that companies entrusted with government information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The more information you are trusted with, the more security verifications you required to provide.  

What Level of CMMC Applies to Your Organization? 

If you cannot answer that question, you are not alone. Many manufacturers are unaware of how CMMC will affect them. Assessing your readiness to comply with this new standard may require several steps depending on the sensitivity of the information that you process, transmit or store. The assessment requirements also increase with each level.  

A close-up of several different colored squares Description automatically generated

Assessment Requirement 

Once you understand your level of CMMC compliance it is time to start preparing for your assessment. As companies plan for CMMC implementation, Clark Schaefer Consulting assists Organizations Seeking Certification (OSC) by providing expert guidance every step of the way. Our team of experienced professionals, including CMMC Registered Practitioners (RPs and RPAs), works closely with OSCs to evaluate your current posture and ensure you understand what will need to be done to achieve your CMMC certification. 


Clark Schaefer Consulting is proud to be a Registered Practitioner Organization (RPO). Our Cybersecurity consultants also have Registered Practitioner (RP) and Registered Practitioner, Advanced certifications. This positions us as a qualified partner to guide you through every step of your CMMC preparation process.

To Whom Does CMMC Apply?

CMMC applies to any company of any size that wishes to secure and work on defense contracts. It will be required throughout the DIB. Even small businesses not working directly with the DoD but who may provide a product or service to DoD contract(s) will need to comply with CMMC. An easy identifier of whether CMMC is applicable to an organization is if said entity receives any income for a defense-related contract whether as a prime contractor or subcontractor at any “level” of the supply chain. As such, it is imperative for companies to carefully read their contracts to understand if and how they play a role in the whole defense supply chain.

When Does CMMC go into effect?

The CMMC rules are currently in development and are expected to be finalized in May 2023. Once the rules are finalized, they will go into effect for all federal contractors who work with controlled unclassified information (CUI). The DoD is requiring all of its contractors to be CMMC certified by 2026, but for some, the rules will take effect as soon as 2024. The CMMC rules are a significant change for federal contractors, and it is important to start planning for compliance now! Preparing for CMMC can take anywhere from 10 – 18 months even for the most sophisticated organizations. The Cybersecurity Team at Clark Schaefer Consulting is ready to help you wherever you are in your process. Don’t wait until it is too late!

Why does CMMC matter?

It is estimated that cybercrime drains over $600 Billion annually from the global Gross Domestic Product (GDP). While the threat landscape continues to grow at an exponential rate as the years go by, security is unsuccessfully trying to keep up. As such, companies (regardless of whether or not they work with the DoD) are encouraged to employ good cybersecurity practices along with a “defense-in-depth” strategy. CMMC was created with such a goal in mind.

What if an organization does not work with the government?

Not working with the government does not necessarily mean that an organization does not need CMMC compliance. The basic principles of CMMC compliance relate to proactive and consistent security best practices. In the next few years, it is speculated that CMMC will become the cybersecurity standard for various industries (with the most pressing one today being Cybersecurity Insurance). As such, every organization must strive to or should at least be thinking about achieving CMMC compliance, if only for their own peace of mind.

Helpful Links from the Department of Defense

Request a Consultation

The team of experts at Clark Schaefer Consulting are here to help you stay on top of the latest CMMC developments. 
Complete the form below and an expert will be in touch shortly. 


Get in Touch.

What service are you looking for? We'll match you with an experienced advisor, who will help you find an effective and sustainable solution.

  • Hidden
  • This field is for validation purposes and should be left unchanged.