What you need to know about CMMC

by Jon Lober | NOC Technology

What You Actually Need to Know Before October 2025

Your biggest customer just called. They need to know your CMMC certification timeline. Your stomach drops. You've been putting this off, thinking you had more time, and now you're staring at 110 security controls wondering where to even start.

Here's what most manufacturers are getting wrong: October 1, 2025, isn't your certification deadline – it's when the CMMC program officially begins and contracts start including certification requirements. Your actual deadline is October 2026, giving you 12 months from now.

But before you relax, here's the catch:
The certification process takes 3-6 months minimum, and the line for assessments is about to get VERY long. If you're reading this in September 2025 and haven't started, you need to begin immediately to avoid the bottleneck that's coming.


Who Actually Needs CMMC?

If you touch ANY DoD data or work with companies that do, you need CMMC.

This includes:

  • Direct DoD contractors (obvious)
  • Subcontractors at any tier (less obvious)
  • Suppliers to defense contractors (often forgotten)
  • Machine shops making parts for defense equipment
  • IT service providers supporting defense contractors
  • Logistics companies shipping for defense contractors


The surprise catch

You might need CMMC even if you never bid on DoD contracts directly. If Lockheed Martin wants you to machine a bracket, or if Raytheon needs you to provide specialized components, you'll need certification to keep that business, too.


3 Levels of CMMC: Which One Do You Actually Need?


Level 1: Basic Protection (Self-Certification)

  • Who needs it? Companies handling Federal Contract Information (FCI) only. FCI can be defined as information not intended for public release. This includes:
      • Purchase orders
      • Invoices
      • Basic contract information
      • Shipping addresses
  • What is it? Basic cyber hygiene – 17 practices
  • How to get it? Annual self-assessment
  • Timeline: 1-2 weeks
  • Cost: $2,000-$5,000 (mostly internal time)


Reality check

Very few manufacturers stay at Level 1. Once you're in the defense supply chain, you typically handle CUI and need Level 2.


Level 2: Enhanced Protection

  • Who needs it? Companies handling Controlled Unclassified Information (CUI). Examples of CUI in the manufacturing context include:
      • Technical drawings and specifications
      • Manufacturing processes
      • Material specifications
      • Quality data
      • Delivery schedules for military equipment
      • Prototype designs
      • Testing data
  • What is it? 110 security requirements from NIST SP 800-171
  • How to get it? Third-party assessment by a C3PAO (Certified Third-Party Assessment Organization)
  • Timeline: 3-6 months
  • Cost: $25,000-$100,000+ depending on gaps


Reality check

90% of DoD manufacturers need Level 2. If you're making anything more complex than basic supplies, you're probably handling CUI.


Level 3: Advanced Protection

  • Who needs it? Companies working on critical defense programs
  • What is it? All Level 2 requirements PLUS 24 additional controls from NIST SP 800-172
  • How to get it? Government-led assessment
  • Timeline: 6-12 months
  • Cost: $100,000-$500,000+


Reality check

You probably DON'T need Level 3 unless:

  • You're working on weapons systems
  • You handle classified information
  • You're specifically told by DoD


The 110 Controls You May Have Heard About

Level 2's infamous 110 security requirements sound overwhelming, but they break down into 14 basic families. Here are the ones that trip up manufacturers most:


The "Expensive" Controls

  • Access Control (22 controls) - Multi-factor authentication on EVERYTHING
  • Incident Response (3 controls) - You need a documented plan AND a retained forensics team
  • System & Information Integrity (7 controls) - Continuous monitoring tools aren't cheap


The "Complicated" Controls

  • Media Protection (9 controls) - How do you encrypt data on a 20-year-old CNC machine?
  • Personnel Security (2 controls) - Background checks for anyone touching CUI
  • Physical Protection (6 controls) - Secured areas for CUI work (yes, the shop floor counts)


The "High Fail Rate" Controls

  • Audit & Accountability (9 controls) - You must log EVERYTHING and keep it for 30+ years
  • Configuration Management (9 controls) - Document every system change
  • Maintenance (6 controls) - Track who services your equipment (including HVAC in server rooms)


The Official CMMC Timeline

October 2025:  CMMC requirements begin appearing in NEW contracts
October 2026:  Full certification REQUIRED for contract awards


CMMC Tasks Starting September 2025

September - December 2025: Assessment & Planning (You Are Here)

  • Gap assessment to see where you stand
  • SPRS score calculation (most start at -60 to -100)
  • Budget planning for 2026 improvements
  • Get in line for C3PAO assessment


January - March 2026: Foundation Building

  • Implement core security controls
  • Deploy required tools (MFA, EDR, SIEM)
  • Create documentation (policies, procedures)
  • Begin staff training


April - June 2026: Remediation & Hardening

  • Address remaining gaps
  • Internal assessments
  • Fix what breaks (something always breaks)
  • Finalize documentation


July - September 2026: Certification Sprint

  • C3PAO formal assessment
  • Address any findings
  • Receive certification
  • Update SAM.gov registration


The CMMC Bottleneck

There are only 150 authorized C3PAOs nationwide. They need to assess 75,000+ defense contractors. Do the math. By January 2026, assessment slots will be booked 4-6 months out. Companies starting now get priority. Companies starting in 2026 get waitlisted.


What This Actually Costs

Direct Costs

  • Gap Assessment: $10,000-$25,000
  • Remediation Support: $20,000-$50,000
  • Security Tools: $30,000-$80,000/year
      • EDR solution: $50-$100/endpoint/year
      • SIEM: $1,000-$3,000/month
      • Vulnerability scanning: $500-$2,000/month
      • MFA solution: $3-$10/user/month
  • C3PAO Assessment: $15,000-$30,000
  • Annual Maintenance: $20,000-$40,000


Hidden Costs

  • Employee time (200-500 hours)
  • Productivity loss during implementation
  • Potential hardware upgrades
  • Ongoing training
  • Annual reassessments

Total realistic budget: $75,000-$150,000 for Level 2 (first year)


Common CMMC Myths

Myth 1: "We're too small to need this"

Reality:  We've actually heard this one directly. Unfortunately, size doesn't matter – handling CUI does.


Myth 2: "Our prime contractor will handle this"

Reality:  Every company self-certifies. Your prime can't certify for you.


Myth 3: "We can just segment CUI to one system"

Reality:  CUI tends to spread. That email with specifications? That's CUI on your email server, backup system, and every workstation that accessed it.


Myth 4: "Level 1 is enough for now"

Reality:  Most contracts specify Level 2. Getting Level 1 and then upgrading wastes time and money.


Myth 5: "We can do this internally"

Reality:  Unless you have a full-time security team, you'll need help. The documentation alone requires specific expertise.


You need to get started right away if:

  • Your passwords are still on sticky notes
  • You're using Windows 7 anywhere
  • Everyone is an admin on your systems
  • You don't have written IT policies
  • Your backups haven't been tested in 6 months
  • You use personal email for business
  • Ex-employees still have access to systems
  • You don't have cyber insurance
  • Your WiFi password is your company name
  • You can't answer: "Where is all our CUI?"

If you checked more than three of these, you can't afford to waste time. Start on your certification today.


What Happens If You Miss the October 2026 CMMC Deadline?

We cannot overstate the importance of managing your CMMC certification. Let's be realistic about the consequences of missing the October 2026 deadline.


Immediate Impact:

  • You will not be able to bid on new DoD contracts
  • Your existing DoD contracts will likely not renew
  • Prime contractors drop you from approved vendor lists
  • Competitors take your defense market share


But Here's the Good News:

Starting in September 2025 gives you 13 months. That's enough time to:

  • Properly implement all controls
  • Spread costs over multiple quarters
  • Train staff properly (not rushed)
  • Test and refine your security
  • Get certified WITHOUT panic

Need help navigating CMMC requirements? NOC Technology's CEO Jon Lober is a CMMC Registered Practitioner who has guided dozens of manufacturers through certification. We understand both the technical requirements and manufacturing realities. Contact us for a no-obligation consultation about your certification timeline.
Remember: This isn't just about compliance – it's about protecting your business, your customers, and your place in the defense supply chain.
