Understanding the nuances of Cybersecurity Maturity Model Certification (CMMC) compliance is critical for manufacturers aiming to secure and maintain DoD contracts. To offer a deeper look into CMMC’s complexities, we spoke with Dr. Ron McFarland. Dr. Ron’s extensive credentials cover in-depth security assessments, cybersecurity awareness, and compliance solutions for DoD contractors.
Here’s what manufacturers should know about the evolving CMMC framework. And, when in doubt, connect with your SoCal NTMA community to find out more about the journey to compliance.
What Is CMMC? An Overview
CMMC is a cybersecurity framework required by the DoD to help contractors protect sensitive information. In other words, it’s designed to ensure that companies handling government data follow cybersecurity best practices. CMMC is still evolving, but the goal remains the same: to protect valuable data from cyber threats. As it stands, CMMC compliance is based on NIST SP 800-171, which outlines 110 controls that contractors need to meet.
Common Pitfalls in Self-Attestation
Right now, compliance is self-attested, meaning businesses evaluate themselves to determine whether or not they are meeting each standard. However, companies are held accountable under the False Claims Act, so any inaccuracies can lead to hefty fines if they claim full compliance without actually meeting the standards.
Dr. Ron has worked alongside business owners who believed they were fully compliant but fell short upon closer inspection. In some cases, companies that rated themselves as 100% compliant actually only met about 15-20% of the requirements when audited.
Why exactly is it common for businesses to unintentionally oversell their compliance?
- CEOs and business leaders tend to be confident and optimistic individuals. These are inherently positive personality traits, but they can lead leaders to believe their organization is more compliant than it actually is.
- Cybersecurity is a highly complicated matter. Subject matter experts dedicate years of their lives to understanding this topic, and even then, it requires ongoing research as it is constantly evolving.
Getting Started with CMMC Compliance
For companies new to the CMMC framework, Dr. McFarland recommends beginning with Level 1, which covers 17 essential controls. Start small and master the basics before moving into the more complicated, higher levels so the process does not become overwhelming. Here are some keys to getting started on your CMMC journey:
Engage a Third-Party Expert
Partnering with an unbiased advisor, such as California’s Manufacturing Extension Partnership (MEP), can ensure a smooth and thorough assessment. Supported by NIST and the DoD, MEPs do not work on commission, ensuring impartial guidance through the compliance process.
Treat CMMC as a Company-Wide Initiative
CMMC isn’t just about technical controls—it requires policies, procedures, and coordination across all departments. Dr. McFarland suggests approaching it like AS9100 or ISO certification, where every team is engaged. Rather than relying solely on the IT professionals in your organization, treat it as a cross-functional effort to build a more balanced, effective cybersecurity framework.
Preparing for the Future: What’s Coming in 2025?
The latest CMMC report, released in October 2024, hints at some significant changes. By mid-2025 (even as soon as March), government contracts may start specifying a minimum CMMC level requirement, with manufacturers expected to achieve a certain percentage of compliance by contract dates. This means manufacturers should begin preparing to avoid being caught off-guard by new requirements.
What can manufacturers do to prepare? Dr. McFarland advises companies to keep an updated Plan of Action and Milestones (POAM). This document should be regularly updated to reflect any progress or changes in your compliance status. “A POAM should be an active, living document, not something you did three years ago and forgot about,” Dr. McFarland explains. He advises companies to review and update their POAM at least once a month to avoid outdated or irrelevant information. That way, you’re prepared if you get audited or asked by a prime to show your compliance status.
For a More Secure Environment, Pursue CMMC Compliance
While CMMC primarily protects Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), it also helps manufacturers safeguard all their valuable data, including personal and proprietary information. By building cybersecurity into the company’s day-to-day operations, manufacturers not only meet compliance requirements but also create a more secure environment for their intellectual property.
With the right strategy and regular updates, compliance can be a natural part of protecting your business and supporting your role as a DoD contractor. If you have any questions about getting started with CMMC, reach out to your SoCal NTMA manufacturing network for support.
Are you interested in engaging with your Southern California manufacturing community? Become a member!