If you manufacture anything for the U.S. Department of Defense — or supply to a company that does — CMMC compliance is no longer a future consideration. It is a present contractual requirement.
The Cybersecurity Maturity Model Certification 2.0 final rule became effective November 10, 2025. DoD has begun incorporating CMMC requirements into new solicitations. Phase 2, beginning November 2026, requires third-party assessments for Level 2 compliance. The timeline is not theoretical anymore.
Only 41% of defense industrial base organizations surveyed had reached a readiness level for CMMC 2.0. That means the majority of manufacturers subject to CMMC requirements are either unaware of what compliance requires, aware but not yet started, or started but not far enough along to meet Phase 2 assessment timelines.
This article covers who CMMC applies to, what the compliance levels mean in practice, and what manufacturers should do first to begin closing the gap.
Who CMMC Applies To
CMMC applies to all organizations in the defense industrial base — every contractor and subcontractor in the DoD supply chain, not just prime contractors.
CMMC compliance is mandatory for all 300,000+ DoD contractors and subcontractors to be eligible for contract awards. That number includes the large defense primes everyone knows — Lockheed, Raytheon, Boeing — and the thousands of small and mid-sized manufacturers that supply components, materials, and services to those primes.
If your organization handles Controlled Unclassified Information in the performance of a DoD contract, CMMC Level 2 applies to you. If your organization handles Federal Contract Information but not CUI, CMMC Level 1 applies.
What is CUI?
Controlled Unclassified Information is information the government creates or possesses that requires safeguarding per law, regulation, or government-wide policy — but doesn't meet the bar for classified status. For manufacturers, CUI includes: technical drawings and specifications flowing from prime contractors, proprietary defense component data, contract deliverables containing performance or design information, and any information marked CUI or FOUO in contract documentation.
If you're unsure whether your organization handles CUI, the practical test is whether your contracts contain DFARS clause 252.204-7012. If they do, you handle CUI and CMMC Level 2 applies.
The subcontractor question
CMMC flows down through the supply chain. If a prime contractor requires CMMC Level 2 of their subcontractors, and those subcontractors require it of their suppliers, the obligation reaches further into the manufacturing supply chain than many small manufacturers realize.
The practical implication: if your largest customer is a defense prime or a Tier 1 supplier to a defense prime, ask specifically whether your contracts will incorporate CMMC requirements. Don't wait for the formal modification — ask now so you have lead time.
The Three CMMC Levels
CMMC 2.0 reduced the original five levels to three, streamlining the framework while maintaining the security rigor that DoD requires.
Level 1 — Foundational
Applies to: contractors handling Federal Contract Information but not CUI.
Requirements: 17 practices from FAR clause 52.204-21, covering basic cyber hygiene — access controls, authentication, media protection, and system configuration basics.
Assessment: annual self-assessment with annual affirmation by a senior company official.
Level 2 — Advanced
Applies to: contractors handling CUI.
Requirements: 110 security requirements across 14 control families from NIST SP 800-171r2. This is the level that applies to the majority of manufacturers in the defense industrial base.
Assessment: third-party assessment by a C3PAO (Certified Third-Party Assessment Organization) every three years, with annual self-assessments in between. Phase 2 begins November 2026.
Level 3 — Expert
Applies to: contractors on the most critical DoD programs handling the most sensitive CUI.
Requirements: NIST SP 800-172 controls in addition to all Level 2 requirements.
Assessment: government-led assessment by DCMA DIBCAC.
For the vast majority of manufacturers subject to CMMC, Level 2 is the applicable standard. This article focuses on Level 2.
The CMMC 2.0 Implementation Timeline
Understanding the timeline tells you how much lead time you actually have — and whether you're already behind.
| Phase | Date | Requirement |
|---|---|---|
| Phase 1 | November 10, 2025 | Level 1 and Level 2 self-assessments required in new DoD solicitations |
| Phase 2 | November 10, 2026 | Level 2 C3PAO third-party assessments required |
| Phase 3 | November 10, 2027 | Level 3 certification requirements added |
| Phase 4 | November 10, 2028 | All applicable contracts require full CMMC compliance |
Phase 1 is already in effect. Self-assessments are required in new solicitations now. If you're bidding on new DoD contracts and haven't completed a self-assessment, you may already be out of compliance with current requirements.
Phase 2 is 17 months away as of this writing. For manufacturers that haven't started CMMC preparation, that timeline is tight. Organizations typically need 6 to 18 months to prepare for a C3PAO assessment depending on current security posture. Starting now means you have a realistic path to Phase 2 compliance. Starting in six months means you're racing a deadline.
The 14 Control Families and What They Mean for Manufacturers
NIST SP 800-171's 110 security requirements are organized across 14 control families. Understanding what each family covers helps manufacturers understand where their gaps are likely to be.
Access Control — Who can access what systems, data, and networks. Role-based access, least privilege, remote access controls, and CUI access restrictions.
Audit and Accountability — Logging and monitoring. Who accessed what, when, from where. Log collection, retention, and review.
Awareness and Training — Security awareness training for all users, role-specific training for users handling CUI.
Configuration Management — Baseline configurations for all systems, configuration change control, and security configuration settings.
Identification and Authentication — MFA requirements, password policies, and authentication for all users and devices.
Incident Response — Documented incident response capability, reporting requirements, and incident handling procedures.
Maintenance — Controlled maintenance of organizational systems, including remote maintenance access management.
Media Protection — Protection, control, and sanitization of media containing CUI.
Personnel Security — Screening of individuals before authorizing access to systems containing CUI.
Physical Protection — Physical access controls for facilities and systems containing CUI.
Risk Assessment — Periodic risk assessments and vulnerability scanning.
Security Assessment — Periodic assessment of security controls, identification of deficiencies, and corrective action plans.
System and Communications Protection — Network segmentation, boundary protection, and cryptographic protections for CUI in transit.
System and Information Integrity — Malware protection, security alerts, patch management, and system monitoring.
The most commonly failed controls in assessments are access control configuration gaps, audit logging deficiencies, undocumented or untested incident response plans, and missing or incomplete System Security Plans. These aren't the most technically complex controls — they're the ones that require the most documentation discipline to maintain.
The SPRS Score: Your Current Compliance Baseline
Before a C3PAO assessment, every Level 2 contractor must calculate and submit a Supplier Performance Risk System score — the numerical representation of your current NIST SP 800-171 compliance.
SPRS scores range from -203 to 110. A perfect score of 110 represents full compliance with all 110 requirements. Points are deducted for each unmet requirement: -5 for significant risks, -3 for specific impact requirements, -1 for limited or indirect effects.
For CMMC Level 2, a minimum SPRS score of 88 is required to obtain Conditional status — meaning you meet most requirements with a documented Plan of Action and Milestones for the gaps. A score of 0 or below typically disqualifies contractors from contract awards.
The SPRS self-assessment is the starting point. It tells you where you are, what the gaps are, and what remediation looks like before a C3PAO assesses your program against the same standard.
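As an added worked example (not from the article or Securafy), the scoring rule just described in Python: 110 minus the weighted deductions for unmet requirements, floored at -203, with the 88-point Conditional threshold and every unmet item emitted as a POA&M entry. The requirement identifiers and weights in the sample are constructed for illustration, not taken from the real assessment methodology.

```python
"""SPRS score calculator for a NIST SP 800-171 self-assessment.

Added illustration, not Securafy's tooling or DoD's official scoring sheet.
Rules as stated above: start at 110, subtract 5, 3 or 1 per unmet item,
floor at -203, Conditional at 88 or more. The sample requirements are
constructed; real weights come from the DoD Assessment Methodology.
"""
from dataclasses import dataclass

MAX_SCORE, MIN_SCORE, CONDITIONAL_MIN = 110, -203, 88   # -203 = 110 - 313
WEIGHTS = {5, 3, 1}   # significant risk, specific impact, limited effect

@dataclass(frozen=True)
class Requirement:
    req_id: str    # constructed identifier, not a real 800-171 number
    family: str
    weight: int
    met: bool

def sprs_score(reqs):
    """SPRS score: 110 minus the weights of all unmet requirements."""
    for r in reqs:
        if r.weight not in WEIGHTS:
            raise ValueError(f"{r.req_id}: weight must be 5, 3 or 1")
    deductions = sum(r.weight for r in reqs if not r.met)
    return max(MIN_SCORE, MAX_SCORE - deductions)

def status(score):
    """Map a score to the outcome the article describes."""
    if score >= MAX_SCORE:
        return "Full"
    if score >= CONDITIONAL_MIN:
        return "Conditional"    # allowed with a POA&M for remaining gaps
    return "Below threshold" if score > 0 else "Disqualifying"

def poam_items(reqs):
    """Every unmet requirement becomes a POA&M item, highest weight first."""
    return sorted((r for r in reqs if not r.met),
                  key=lambda r: (-r.weight, r.req_id))

# Constructed sample drawn from control families named in the article.
SAMPLE = [
    Requirement("REQ-01", "Access Control", 5, True),
    Requirement("REQ-02", "Access Control", 5, False),
    Requirement("REQ-03", "Audit and Accountability", 5, False),
    Requirement("REQ-04", "Audit and Accountability", 3, False),
    Requirement("REQ-05", "Incident Response", 3, True),
    Requirement("REQ-06", "Incident Response", 1, False),
]
```

Running `sprs_score(SAMPLE)` on the sample gives 96, which `status` maps to Conditional, and `poam_items` lists the four open gaps for the POA&M in Step 4.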
What to Do First: A Practical Starting Point
For manufacturers that are beginning CMMC preparation, the sequence matters as much as the individual steps.
Step 1: Identify and scope CUI
You can't protect what you haven't identified. The first step is identifying every location where CUI exists in your organization — systems that store it, networks that transmit it, people who handle it, and vendors who access it. This scoping exercise defines the boundary of your CMMC program.
Many small manufacturers discover during scoping that CUI exists in more places than they expected — email systems, shared drives, ERP modules, and engineer workstations that aren't part of their formal IT environment.
Step 2: Complete an SPRS self-assessment
With CUI scoped, conduct an SPRS self-assessment against all 110 NIST SP 800-171 requirements. Document your current score, identify every requirement that isn't fully met, and record the evidence supporting requirements that are met.
This assessment is the foundation of your System Security Plan and your POA&M. Don't skip it or approximate it — the C3PAO assessment will evaluate your program against the same 110 requirements, and your self-assessment should reflect your actual posture, not your intended posture.
Step 3: Develop your System Security Plan
The System Security Plan documents your entire CMMC program — what systems are in scope, how each of the 110 requirements is implemented, who is responsible for each control, and what evidence exists for each implementation.
The SSP is both a compliance document and an operational guide. It tells a C3PAO assessor exactly how your organization meets each requirement. A well-written SSP that accurately reflects your environment is the difference between a smooth assessment and a painful one.
Step 4: Build your Plan of Action and Milestones
Every gap identified in the SPRS self-assessment becomes a POA&M item — a documented remediation commitment with a timeline and a responsible owner. The POA&M isn't an admission of failure. It's required evidence that you've identified your gaps and have a plan to close them.
For gaps identified during a C3PAO assessment, the corresponding POA&M items must be closed within 180 days of that assessment. Having a current POA&M before the assessment demonstrates program maturity.
Step 5: Engage a co-managed IT partner with CMMC expertise
The technical implementation of the 110 controls — deploying and configuring access controls, implementing audit logging, managing patch SLAs, configuring MFA across all systems, and maintaining the documentation that demonstrates compliance — requires both IT operational capability and CMMC-specific expertise.
A co-managed IT partner with CMMC experience manages the technical controls and documentation while the internal team maintains operational knowledge and business context. The security operations layer — 24/7 monitoring, managed EDR, vulnerability management — simultaneously satisfies CMMC's Audit and Accountability, System and Information Integrity, and Incident Response control families.
Where Securafy Fits
Securafy supports Ohio manufacturers and defense contractors through CMMC Level 2 preparation and ongoing compliance maintenance — from initial SPRS self-assessment and System Security Plan development through C3PAO assessment preparation and post-assessment POA&M management.
The co-managed IT engagement delivers the technical controls that CMMC Level 2 requires: 24/7 security monitoring satisfying the Audit and Accountability family, managed EDR and patch management satisfying System and Information Integrity requirements, network segmentation support satisfying System and Communications Protection, and MFA enforcement satisfying Identification and Authentication requirements.
For Ohio manufacturers in the defense industrial base, CMMC compliance also satisfies Ohio Safe Harbor documentation requirements under ORC § 1354 — the NIST SP 800-171 framework is one of the qualifying frameworks explicitly listed in the statute.
To understand how Securafy supports the full CMMC compliance journey, visit the Compliance as a Service page.
To assess your current cybersecurity posture against CMMC requirements before beginning formal preparation, the Cybersecurity Assessment tool gives you an objective baseline in under 10 minutes.
The 2026 Cybersecurity Buyer's Guide covers the security program fundamentals every manufacturer should understand before beginning any compliance framework journey.