Cybersecurity is a significant concern for any company, but for those manufacturers and contractors looking to secure work within the Defense Industrial Base (DIB) it is absolutely paramount.
The Cybersecurity Maturity Model Certification (CMMC) is the framework the Department of Defense (DoD) uses to verify that its prime contractors and subcontractors meet the cybersecurity requirements that come with handling DoD information. Since it was announced in 2019, CMMC had not been mandatory in contracts; it served as a framework contractors could use to prepare.
That’s all changing now. In November 2025, the DoD began rolling out compliance requirements for CMMC in four phases over the next three years, with phase one currently underway.
However, for a small or even midsized manufacturer, achieving compliance with the DoD’s cybersecurity requirements can feel out of reach. That is exactly where partnering with Manex can make a tremendous difference.
Manex can help you prepare for CMMC certification and achieve the cybersecurity compliance necessary to obtain defense contracts.
Today, Manex will delve into the importance of Cybersecurity Maturity Model Certification, explore the CMMC compliance requirements, as well as what you need to do to prepare for the CMMC certification process.

What is Cybersecurity Maturity Model Certification?
The CMMC framework exists to verify that any organization working with the Department of Defense has the cybersecurity controls in place to protect the sensitive information that is routinely used and shared across systems within the DIB.
CMMC is primarily concerned with protecting two types of information:
- Federal Contract Information (FCI): Information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service. Examples include project timelines, performance reports, deliverables, and similar contract records.
- Controlled Unclassified Information (CUI): Information created or possessed by the federal government, or by a contractor on its behalf, that a law, regulation, or government-wide policy requires to be safeguarded or shared only under controls. It is not classified, but it is intended only for authorized holders and not for public dissemination.
Exposure of either category through a cyberattack can harm a program, and exposure of CUI can jeopardize national security. Under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, contractors that process, store, or transmit CUI must implement NIST SP 800-171, and DFARS 252.204-7019 and 252.204-7020 require them to report a NIST SP 800-171 assessment score to the Supplier Performance Risk System (SPRS). The CMMC clause, DFARS 252.204-7021, builds on those requirements; the basic safeguarding of FCI is set by FAR clause 52.204-21.
The DoD first published CMMC (version 1.0) in January 2020. CMMC 2.0, announced in November 2021, is the current version and the one now being required of contractors and subcontractors working within the DIB.
CMMC Levels Explained
The initial version of CMMC launched with five levels of increasingly strict cybersecurity requirements.
CMMC 2.0, introduced in November 2021, streamlined these into three levels, with the goal of lessening the compliance burden on small businesses while aligning directly with existing standards, chiefly NIST SP 800-171.
The current three-tiered approach to CMMC sets cybersecurity compliance standards based on the sensitivity of the information handled. Organizations do not need to achieve all three levels of CMMC compliance to work with the DoD, but specific contracts may require higher levels of CMMC cybersecurity compliance.
Level 1: Foundational
Level 1 is the foundational level of CMMC compliance requirements, which focuses on basic cybersecurity compliance and protection of FCI.
At this level, contractors implement the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21 to protect FCI. Level 1 does not cover CUI; any contract involving CUI requires at least Level 2.
Level 1 is met through an annual self-assessment, with the organization responsible for testing its own controls each year and submitting an annual affirmation of compliance.
Level 2: Advanced
CMMC Level 2 focuses on advanced cybersecurity hygiene, requiring organizations to implement and document 110 security requirements across 14 domains. These come directly from NIST SP 800-171 and include access control, configuration management, incident response, risk assessment, and other key areas.
Holding a CMMC Level 2 designation allows organizations to handle CUI as well as FCI, which is essential for any business that handles information that can impact national security.
To obtain CMMC Level 2, most organizations must pass a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years. For some contracts involving less sensitive CUI, the DoD allows a Level 2 self-assessment instead. In either case, the contractor must also affirm continued compliance with the 110 requirements annually.
Level 3: Expert
The final level of CMMC, level 3 is designed to ensure cybersecurity compliance for DoD contractors who handle the most sensitive forms of CUI.
In addition to meeting the requirements of the first two levels, organizations seeking Level 3 must demonstrate and maintain the ability to defend against advanced persistent threats (APTs). In practice this means continuous security monitoring, enhanced incident response, strict access controls, and other proactive measures.
On top of the 110 security requirements of Level 2, CMMC Level 3 also includes 24 additional security requirements taken directly from NIST SP 800-172.
To achieve CMMC Level 3, an organization must first hold a Level 2 certification from a C3PAO and then pass an assessment led by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, along with an annual compliance affirmation.
NIST SP 800-171 and CMMC
You may have noticed that NIST SP 800-171 becomes part of CMMC at Level 2, but what does this mean for organizations that already comply with NIST SP 800-171?
Before CMMC was introduced in 2020, NIST SP 800-171 was already the standard contractually required, through DFARS 252.204-7012, of DIB contractors handling CUI.
With CMMC 2.0, Level 2 mirrors the 110 security requirements of NIST SP 800-171. The major difference is verification: under DFARS, compliance with NIST SP 800-171 was established by the contractor’s own self-assessment score, whereas most CMMC Level 2 contracts require an independent certification assessment.
Even if your organization already complies with NIST SP 800-171, achieving CMMC Level 2 will in most cases require an assessment by an independent C3PAO. As CMMC 2.0 is rolled out, all contractors who handle any form of CUI will need at least CMMC Level 2, regardless of their existing NIST SP 800-171 compliance.
CMMC Implementation Timeline
The Department of Defense has begun mandating CMMC compliance starting with phase 1 on November 10, 2025. Below is the current timeline for contractors to gain compliance:
- Phase 1: Starting November 10, 2025, the DoD requires a CMMC Level 1 self-assessment, and on applicable contracts a Level 2 self-assessment, as a condition of award.
- Phase 2: Beginning November 10, 2026, contracts involving CUI that call for Level 2 will require a Level 2 certification assessment by a C3PAO.
- Phase 3: Beginning November 10, 2027, CMMC Level 3 will be required for the highest-priority contracts.
- Phase 4: As of November 10, 2028, CMMC will be fully implemented, meaning that all applicable DoD contracts will carry a CMMC requirement of Level 1 or higher.
How to Prepare for CMMC Training and Certification
The DoD has already begun rolling out CMMC 2.0 compliance requirements, which means there is little time to waste if you wish to continue securing contracts with the DoD.
The good news is Manex can help you prepare with CMMC training and certification. Here’s how:
- Readiness and Scope Assessment: If you only work or plan to work with FCI, Level 1 is all that is needed. However any organization that handles CUI will need at least Level 2, with only those working on the most sensitive programs requiring Level 3. Manex will help you determine what level you need, as well as conduct a readiness assessment to determine where your organization currently stands.
- CMMC Gap Analysis: Next, we’ll help you understand your shortcomings against CMMC and NIST SP 800-171 requirements. We’ll lend our manufacturing expertise to evaluate your shop floor, quality systems, ERP systems, and more to document gaps and create a prioritized list of what issues must be addressed to gain compliance.
- Compliance Roadmap: Based on our gap analysis, we’ll develop a cybersecurity compliance strategy that will help you plan for the necessary changes to meet security requirements, without disrupting your production flow.
- Documentation and Training Support: Compliance with CMMC requires implementation of technical controls as well as extensive documentation of your procedures. We’ll help you develop the policies needed, as well as train your workforce and management on how to maintain compliance.
- Mock Audit and Review: After we’ve worked together to build and implement a plan, we’ll conduct a mock audit to validate the changes and ensure that you’re ready for the real assessment by an independent C3PAO. The goal is to leave your team fully prepared and confident, so you can pass the CMMC assessment on your first try.
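The gap analysis step above and the SPRS assessment score mentioned earlier share one mechanic: the DoD Assessment Methodology starts at 110 and subtracts each unimplemented NIST SP 800-171 requirement’s value (1, 3 or 5 points), with reduced 3-point deductions only for partially implemented 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), and no score at all without a System Security Plan (3.12.4). The script below is an added example, not a Manex tool or anything from the original page; it scores a constructed set of control statuses and ranks the open gaps by points, which is what a prioritized remediation list looks like. The REQUIREMENTS table is a constructed subset of the 110 and must be completed from Annex A of the methodology for a real assessment.

```python
"""Score a NIST SP 800-171 self-assessment and rank open gaps.

Added example (not a Manex tool). Scoring rules follow the DoD
Assessment Methodology; REQUIREMENTS is a constructed subset of the
110 requirements and the weights should be verified against Annex A.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110
STATUSES = ("implemented", "partial", "not_implemented")


@dataclass(frozen=True)
class Requirement:
    rid: str
    title: str
    value: int                           # points deducted when not implemented
    partial_value: Optional[int] = None  # reduced deduction when partially implemented


# Constructed subset of the 110 requirements (assumption: weights as listed).
REQUIREMENTS: Dict[str, Requirement] = {
    "3.1.1": Requirement("3.1.1", "Limit system access to authorized users", 5),
    "3.1.3": Requirement("3.1.3", "Control the flow of CUI", 1),
    "3.1.5": Requirement("3.1.5", "Employ least privilege", 3),
    "3.3.1": Requirement("3.3.1", "Create and retain system audit logs", 5),
    "3.5.3": Requirement("3.5.3", "Multifactor authentication", 5, partial_value=3),
    "3.6.1": Requirement("3.6.1", "Operational incident-handling capability", 5),
    "3.12.4": Requirement("3.12.4", "System Security Plan (SSP)", 0),
    "3.13.11": Requirement("3.13.11", "FIPS-validated cryptography for CUI", 5, partial_value=3),
    "3.14.1": Requirement("3.14.1", "Identify and correct system flaws", 5),
}


def rid_key(rid: str) -> Tuple[int, ...]:
    """Sort '3.14.1' after '3.3.1' numerically rather than lexically."""
    return tuple(int(part) for part in rid.split("."))


def deduction(req: Requirement, status: str) -> int:
    """Points lost for one requirement at the given implementation status."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r} for {req.rid}")
    if status == "implemented":
        return 0
    if status == "partial" and req.partial_value is not None:
        return req.partial_value
    # The methodology gives no partial credit elsewhere: partial counts as not implemented.
    return req.value


def score_assessment(statuses: Dict[str, str]) -> Tuple[int, List[Tuple[int, str, str, str]]]:
    """Return (score, gaps). gaps = [(points, rid, title, status)] sorted by points desc.

    Requirements missing from `statuses` are treated as not implemented (conservative).
    With the full 110-requirement table loaded this is the SPRS score; with a subset,
    the score assumes the unlisted requirements are implemented.
    """
    unknown = set(statuses) - set(REQUIREMENTS)
    if unknown:
        raise KeyError(f"requirements not in table: {sorted(unknown)}")
    if statuses.get("3.12.4", "not_implemented") != "implemented":
        # Annex A: without an SSP an assessment cannot be completed, so no score is produced.
        raise ValueError("no System Security Plan (3.12.4): assessment cannot be scored")

    gaps = []
    lost = 0
    for rid, req in REQUIREMENTS.items():
        status = statuses.get(rid, "not_implemented")
        points = deduction(req, status)
        if points:
            gaps.append((points, rid, req.title, status))
        lost += points
    gaps.sort(key=lambda g: (-g[0], rid_key(g[1])))
    return MAX_SCORE - lost, gaps


def remediation_report(statuses: Dict[str, str]) -> List[str]:
    """Human-readable prioritized gap list, highest-value items first."""
    score, gaps = score_assessment(statuses)
    lines = [f"Assessment score: {score}/{MAX_SCORE}"]
    for points, rid, title, status in gaps:
        lines.append(f"  -{points}  {rid:8} {title} [{status}]")
    return lines


# Constructed sample statuses for the subset above.
SAMPLE_STATUSES = {
    "3.1.1": "implemented",
    "3.1.3": "partial",          # no partial credit: full 1-point deduction
    "3.1.5": "implemented",
    "3.3.1": "not_implemented",  # -5
    "3.5.3": "partial",          # MFA on some accounts only: -3 instead of -5
    "3.6.1": "implemented",
    "3.12.4": "implemented",
    "3.13.11": "partial",        # encryption present but not FIPS-validated: -3
    "3.14.1": "not_implemented", # -5
}

if __name__ == "__main__":
    print("\n".join(remediation_report(SAMPLE_STATUSES)))
```

The ranking puts the 5-point items (audit logging, flaw remediation) first because each of them costs as much as five 1-point findings, which is the order a remediation roadmap should follow.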
Don’t Delay CMMC 2.0 Certification: Partner With Manex for CMMC Training and Cybersecurity Compliance
CMMC compliance Phase 1 is already under way. If you want to obtain lucrative DIB contracts, you’ll need to demonstrate your organization’s ability to meet the government’s extensive requirements for safely and securely handling FCI and CUI.
With over 50 years of consulting experience, Manex has helped countless manufacturers improve their operations. We’re ready to put you in position to succeed with comprehensive CMMC cybersecurity compliance preparation.
Contact Manex today to learn more about how our NIST SP 800-171 and CMMC assessment programs can prepare you for certification.