Smithers Summarizes: What You Need to Know About CMMC

Key Takeaways

  • The Cybersecurity Maturity Model Certification (CMMC) establishes a unified security standard for the Defense Industrial Base to protect sensitive government data.
  • Phased implementation began in November 2025 after the finalization of the 48CFR rule.
  • Organizations must identify if they handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) to determine their required certification level.
  • Achieving certification requires an independent assessment conducted by an authorized CMMC Third-Party Assessor Organization (C3PAO).

For organizations operating within the aerospace and defense supply chains, navigating cybersecurity compliance is a complex but necessary process. The Department of War (DoW) relies on a vast network of contractors and subcontractors, and securing the data shared across this network is a critical priority. The Cybersecurity Maturity Model Certification provides the framework for ensuring that security.
Understanding the CMMC framework, its timelines, and its specific requirements will dictate how your organization approaches government contracts moving forward. This guide breaks down the core components of the certification and outlines the actionable steps manufacturers must take to achieve compliance.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a verification mechanism designed to ensure that defense contractors implement adequate cybersecurity practices. Previously, the DoD allowed organizations to self-attest their compliance with security standards. CMMC shifts this paradigm by requiring third-party validation for contractors handling specific types of sensitive information.

At its core, the program focuses on protecting two categories of data. The first is Federal Contract Information (FCI), which includes data provided by or generated for the government under a contract that is not intended for public release. The second, more sensitive category is Controlled Unclassified Information (CUI). This includes information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies.

The current iteration, CMMC 2.0, streamlined the original model from five levels down to three. The most common requirement for organizations handling CUI is Level 2, which requires full implementation of the 110 security controls detailed in NIST SP 800-171. Rather than checking a box on a self-assessment form, companies must now undergo a rigorous evaluation by an authorized C3PAO to prove these controls are actively functioning.

Why Should You Invest in CMMC?

A strong cybersecurity posture is no longer just a best practice for defense contractors. It is a strict barrier to entry. Companies that fail to achieve CMMC compliance will lose the ability to bid on, win, or retain DoW contracts.

The regulatory groundwork is already formalized. The 32CFR rule established the program's requirements, while the 48CFR rule integrated these requirements into the Defense Federal Acquisition Regulation Supplement (DFARS) contracting process. With the effective date of Phase 1 implementation beginning on November 10, 2025, the timeline for compliance is actively advancing.

For manufacturers, the implications extend throughout the entire supply chain. Prime contractors are responsible for ensuring that their subcontractors also meet the necessary security standards. If your organization supplies components, materials, or services to a prime contractor, you will be expected to demonstrate compliance before receiving any technical data or engineering drawings classified as CUI. Delaying your preparation could result in immediate business disruption as primes consolidate their approved vendor lists to include only certified suppliers.

How to Prepare for Your CMMC 2.0 Assessment

Achieving certification requires a structured and deliberate approach. Organizations should treat this as a strategic project requiring leadership support and dedicated resources.

Identify your data

Your first step is determining exactly what information you possess. Work with your prime contractors or DoW contracting officers to clearly identify any CUI or FCI entering your systems.

Define and limit your scope

You do not necessarily need to apply CUI-level security controls to your entire company network. Segmenting your network allows you to isolate the systems, people, and facilities that process, store, or transmit sensitive data. By keeping specific manufacturing equipment, such as CNC machines or assembly robots, air-gapped and disconnected from external networks, you can classify them as out-of-scope and significantly reduce your assessment footprint.

Implement NIST SP 800-171r2 controls

Once your scope is defined, you must implement the required security controls. This involves deploying technical solutions like encryption and multi-factor authentication, as well as establishing formal administrative policies.

Document your system security plan

Auditors require documented evidence of your compliance. You must create a comprehensive System Security Plan (SSP) that details how your organization meets each control. If any gaps exist, document them in a Plan of Actions and Milestones (POAM) detailing your remediation strategy.

Engage a C3PAO

Do not wait until a contract depends on your certification to schedule an audit. Assessment schedules fill quickly. Reach out to an authorized C3PAO, such as Smithers, to discuss your timeline, arrange a potential gap assessment, and schedule your formal certification audit.

What CMMC Questions Do You Have for Smithers?

Do I need CMMC?

The requirement depends entirely on the type of data you handle. If you process, store, or transmit CUI, you will likely need a Level 2 certification. If you only handle FCI, a Level 1 certification may suffice. Always verify the specific requirements listed in your contracts.

Is data that comes out of my ERP considered CUI?

It depends on how your organization uses the system. If you load or create CUI within your Enterprise Resource Planning (ERP) software, then the entire ERP, its hosting provider, and all employees with access fall within the scope of your assessment. If the system only holds contract deliverables and funding specifics, it likely contains FCI rather than CUI. Keeping CUI out of your ERP is highly recommended to limit your assessment scope.

Are employee mobile phones in scope for an assessment?

If an employee uses a mobile device to process, store, or transmit CUI, that device may be in scope. This is particularly true if the data is accessed via native applications. Implementing a mobile device management (MDM) container or using a virtual desktop infrastructure can provide the necessary logical separation to keep personal devices out of scope.

Does my managed service provider (MSP) have to be assessed?

Yes. If your MSP has access to any of your CUI assets, or if they manage security controls required for your compliance, they become a critical part of your assessment. Organizations must ensure their external service providers meet the same stringent cybersecurity standards required by the DoD.
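As an added example that is not part of the Smithers article, the following Python helper encodes the scoping rules the guide describes (CUI handling, connectivity to CUI systems, ERP hosts, MSPs that manage controls, mobile devices) so an asset inventory can be sorted into in-scope and out-of-scope categories before an assessment; the category names, the `Asset` fields and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed scoping model: an asset is in scope when it processes, stores or
# transmits CUI, when it can reach or administer a CUI asset (ERP host, MSP,
# employee phone), or when it manages required security controls. Equipment
# with no CUI and no path to CUI systems (e.g. an air-gapped CNC machine)
# can be treated as out of scope, which is the segmentation point above.

@dataclass
class Asset:
    name: str
    handles_cui: bool = False         # processes, stores or transmits CUI
    handles_fci: bool = False         # holds only Federal Contract Information
    manages_controls: bool = False    # e.g. MSP administering MFA or logging
    access_to: tuple = ()             # names of assets this one can reach/administer

def classify(inventory):
    """Return {asset name: category} for a list of Asset objects."""
    cui_assets = {a.name for a in inventory if a.handles_cui}
    result = {}
    for a in inventory:
        if a.handles_cui:
            result[a.name] = "CUI"               # Level 2 controls apply
        elif cui_assets & set(a.access_to):
            result[a.name] = "CUI_ACCESS"        # in scope via access to CUI
        elif a.manages_controls:
            result[a.name] = "CONTROL_PROVIDER"  # part of the assessment
        elif a.handles_fci:
            result[a.name] = "FCI"               # Level 1 controls apply
        else:
            result[a.name] = "OUT_OF_SCOPE"
    return result

def required_level(inventory):
    """Likely certification level: 2 for CUI, 1 for FCI only, None otherwise."""
    cats = set(classify(inventory).values())
    if cats & {"CUI", "CUI_ACCESS"}:
        return 2
    return 1 if "FCI" in cats else None

SAMPLE = [  # constructed inventory
    Asset("erp", handles_cui=True),               # CUI drawings loaded into ERP
    Asset("erp-host", access_to=("erp",)),        # hosting provider of the ERP
    Asset("msp", manages_controls=True),          # MSP runs the MFA service
    Asset("cnc-01"),                              # air-gapped, no CUI: out of scope
    Asset("cnc-02", access_to=("erp",)),          # networked to the ERP: in scope
    Asset("contracts-share", handles_fci=True),   # deliverables and funding only
    Asset("phone-bob", access_to=("erp",)),       # native ERP app on a phone
]

if __name__ == "__main__":
    for name, cat in classify(SAMPLE).items():
        print(f"{name:16} {cat}")
    print("required level:", required_level(SAMPLE))
```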

Conclusion: Why Pursue CMMC Compliance Today

The transition to mandatory cybersecurity validation represents a significant shift for the defense manufacturing sector. By understanding the CMMC framework, accurately defining your data environment, and systematically implementing NIST SP 800-171 controls, your organization can protect its critical assets and secure its position within the defense supply chain. Preparation takes time, and engaging early with an authorized C3PAO ensures you have the guidance necessary to navigate the assessment process successfully. If your team is ready to take the next step toward certification, contact Smithers experts to discuss your compliance strategy.