CMMC for Manufacturing


November 24, 2021

By 2025, Every Factory Contracting with the Department of Defense Will Have to Complete a Cybersecurity Maturity Model Certification (CMMC). Is Your Manufacturing Firm Ready?

If you’re like most small or medium-sized manufacturing companies, you’ve heard about the CMMC certification. You maybe even know you have to get it. But whether it’s due to fear of the cost, or the lack of proper staff to dedicate to it, you may not have gotten started on it yet. After all, CMMC for Manufacturers won’t be required until 2025. What’s the rush?

If you are a manufacturer that supplies or contracts with the federal government—especially the Department of Defense—you can’t afford to wait. Why? Because CMMC certifications are starting to be a line item ask in new Department of Defense government contracts, right now. As a matter of national security, every supplier or contractor must demonstrate that they have protective cybersecurity and physical plant security practices in place. And by 2025, you can bet, procurement won’t let you near your favorite DoD clients until the ink is dry on your certification. To put it simply, you’ll need to embrace CMMC, or leave money on the table.

The bad news is, getting a certification is relatively expensive, and will require a lot of resources and time to complete. The good news is, the certification requirements are “tiered” based on the sensitivity of the data you’re handling. So, you won’t have to complete extra certification steps if you don’t work on that high of a security level. And best of all, you don’t have to hire on people to complete the certifications for you. You can turn to a reputable managed IT services provider, or CMMC consultant, to help walk you through the certification process.

But, before we get into all that, let’s talk about what the certification is, what it covers, and how it works for the average manufacturer.

CMMC for Manufacturing: How Does It Work?

CMMC provides the government with proof that you have safe data handling and cybersecurity processes. Any company that’s part of the DoD supply chain must be CMMC compliant.

A third party certification auditor, (known as a C3PAO), will conduct your audit. Once your accreditation is secured, you can submit the credential as part of your contracts with the government.

There are five levels to CMMC certification. The level of certification required of your firm will depend how much information you generate and store. Information that’s tied to military personnel, products, or processes has been given the term CUI, or “controlled unclassified information.” There are several different subcategories underneath that—like CTIs, “controlled technical information” (such as the schematics to a part for an aircraft carrier), or “law enforcement sensitive” (LES), and many more.

The five levels of CMMC certification are :

  • 1—Where you’re required to provide cybersecurity around your government contract data
  • 2— This intermediate step includes basic cybersecurity and tighter safeguards around a portion of your information
  • 3— Comprehensive data management across the enterprise
  • 4 and 5— Comprehensive data cybersecurity that proactively protects against incoming threats

That’s a very simplified breakdown of the levels, which are actually far more complex than this. But this does show that not every manufacturer in the DoD supply chain has to have their data in lockdown. In fact, the majority of suppliers will generally fall between levels one and three. Levels four and five are for those manufacturers that deal with extremely sensitive military/law enforcement information.

“But wait,” you may say, “I’m already having to comply with DFARS. Isn’t this the same thing?” Actually, DFARS (the Defense Acquisition Federal Regulation Supplement (DFARS), is considered the bare minimum of compliance now. You must demonstrate DFARS level security, along with the CMMC certification. A CMMC certification covers 17 areas of your operations as a start, from your physical plant security, to your systems, to your data security.

How Long Will It Take to Get Certified?

To get a certification, your company will have to pass a CMMC audit for the level you’re trying to reach. Those audits are conducted by a registered CPAO organization, which you can find here. This registered marketplace will help you get access to the professionals you need for auditing, as well as a wealth of other information.

How long your road to certification is will depend on the level of certification that’s needed, and the current state of your factory’s cybersecurity safeguards. Regardless of your status, however, you should budget at least six months to get through the process. Why so long?

CMMC certification is an extremely technical process that takes a deep dive into your cybersecurity processes. You’ll need several months to assess every aspect of your systems, and identify gaps. Then you’ll need to put the products and platforms in place to address the gaps. And you’ll have to integrate all these changes into your factory’s day-to-day operations. Remember, it’s not just enough to demonstrate you’ve bought this or that firewall, or some other cybersecurity program. You have to demonstrate that it is working properly and all your people are trained on how to use it.

Once you’ve finished this process, which generally takes between six months and a year for most companies, auditors will do their assessment. If you pass, you’ll be awarded the CMMC certification, which will open the door to new contracts, or, simply ensure you keep the ones you already have. Your CMMC certificate will be valid for three years.

Who Can Help Me Get Certified, and How Much Can I Expect to Spend?

MSPs like Integris can help you do a thorough assessment and develop a cybersecurity plan that’s CMMC compliant, A good MSP can also help you purchase and install the right platforms, hardware, and systems. How much you need to spend will, again, depend on the level of certification you’re aiming for, and how close your current procedures are to what will be required.

In general, there will be three areas of expense for CMMC Certification for Manufacturers:

  • Gap Analysis/Roadmap—conducted by your MSP or a certified CMMC consultant, this will involve the hourly time it takes to compare your system against the requirements of the certification, and come up with a remediation plan. This can vary from a few thousand dollars to six figures, depending on the complexity of your operation.
  • Remediation implementation—This will include the purchase and implementation of new cybersecurity systems, such as new firewalls, multi-factor authentication, cloud-based services like Microsoft Windows 365, and managed detection and response systems. These new products will generally be charged on a scalable, per-user basis.
  • Audit costs—You will have to pay an accredited auditing firm to conduct your audit, an expense which can cost between $10,000 and $40,000. Fortunately, if you have or win a government contract as a result of the audit, you can generally bill the Department of Defense for this as a “reasonable expense.”

By this point, you can see getting a CMMC is a major lift for any size organization. However, there are experts who stand at the ready to help walk you through the process step by step. Here’s what to do next.

CMMC Certification for Manufacturers: Where Can I Go to Learn More?

Integris specializes in working with small to medium-sized businesses, and we have a large number of smaller manufacturing plants as our clients. If you’re in one of our service areas, we’d love to talk to you about the specialized services we offer to the manufacturing sector, including CMMC preparation.

Wondering how your cybersecurity measures up? Try our free, Cybersecurity Assessment Checklist! It’s a great way to identify your gaps, and create a roadmap for discussion with your IT provider on next steps. If you’d like to talk to Integris, we’d love to help you! Contact us, today!

Susan Gosselin is a Senior Content Writer for Integris. A career communicator and business journalist, she's written extensively on IT topics and trends for IT service providers like Iconic IT and ProCoders Ukraine, as well as business publications such as,, The Lane Report and many others. Connect with her on LinkedIn.

Keep reading

vCIO vs. vCISO: What’s The Difference? 

vCIO vs. vCISO: What’s The Difference? 

Managing your IT operations is a big job, especially if you're a small or mid-sized company without the resources to hire a full internal IT staff. In these cases, most companies hire a managed IT service provider to fill the gaps. Yet, knowing who to hire and what...

Retainers for vCIOs and vCISOs: A Comprehensive Guide

Retainers for vCIOs and vCISOs: A Comprehensive Guide

If you're running an IT department at a small to mid-size company, you know— the demands on your infrastructure are greater than ever. Cyber threats are growing at an alarming pace, primarily fueled by the accessibility of AI to hackers. Cloud productivity, system...