FAQs about CMMC compliance: What manufacturers need to know
Discover how CMMC 2.0 has upped the game for manufacturers seeking Department of Defense contracts, and how the new rules will affect your CMMC compliance.
Key Takeaways:
- In late 2024, the Department of Defense (DoD) issued a final rule, with requirements phasing into contracts beginning in late 2025, that requires contractors working with the DoD to meet upgraded cybersecurity standards in order to obtain and maintain CMMC certification.
- CMMC 2.0 streamlines the original 1.0 framework in several meaningful ways, consolidating the CMMC certification levels from five to three, aligning it more closely with NIST SP 800-171 standards.
- Manufacturers often fall short in CMMC compliance given inadequate updating, lack of cybersecurity investment, and poor documentation. Specialized CMMC security consulting can help manufacturers close the gap.
Is your factory ready for the new CMMC upgrades?
If you’re a manufacturer that works with the U.S. Department of Defense (DoD), you know the pressure is on to earn a Cybersecurity Maturity Model Certification (CMMC) and achieve full CMMC compliance. The CMMC final rule took effect in December of 2024, and manufacturers may need to be CMMC-certified as early as October 2025 to continue bidding on and receiving new government contracts without impact.
If your facility has an existing contract with the DoD, that contract is not retroactively affected yet. However, new task orders issued under it could require compliance. So, if you’d like to continue doing business with the U.S. government, compliance is no longer optional.
Fortunately, the road to CMMC compliance is not as daunting as it first appears. The right managed service provider (MSP) partner can help you find your cybersecurity gaps and shore up the documentation you need to pass your assessment. It’s true that an up-front investment may be required to get the right tools and procedures in place for CMMC. Yet, when you’re done, the compliance process will have helped you harden your defenses, prepare for the next wave of technology advances, and become a trusted partner. Because of this, most Integris clients have found that CMMC certification boosts their business overall.
If you’d like to get up to speed on the finer points of CMMC certification, these frequently asked questions can help you get started.
Top questions manufacturers have about CMMC compliance
Q. What is CMMC, why was it created, and what kinds of businesses does it cover?
A. CMMC was created in response to an increase in cyberattacks aimed at defense contractors. The framework was designed by the U.S. Department of Defense to standardize cybersecurity practices across its supply chain. It governs contractors that handle federal contract information (FCI) and Controlled Unclassified Information (CUI), which generally includes prime contractors, subcontractors, and foreign companies working with U.S. defense entities. Whether you’re a manufacturer producing parts for military equipment or a software provider that supports defense companies, CMMC compliance is required for getting and keeping DoD contracts.
Q. What types of information does CMMC protect?
A. CMMC covers two primary categories of information: federal contract information (FCI) and controlled unclassified information (CUI). FCI is non-public information provided by or generated for the government under a contract, such as schedules, pricing, and deliverables. CUI is distinctly different: it is sensitive data that, while not classified, still requires safeguarding under federal law or policy. This includes things such as technical drawings, blueprints, and proprietary research. The type of information your organization handles determines the CMMC level required.
Q. What are the differences between CMMC 1.0 and CMMC 2.0?
A. CMMC 2.0 streamlines the original 1.0 framework in several meaningful ways. It consolidates the certification levels from five to three. Importantly, it aligns more closely with NIST SP 800-171, which has long been the benchmark for protecting CUI in federal contracting. The 2.0 framework also offers more flexibility through Plans of Action and Milestones (POA&Ms), which allow a company to receive a conditional certification while it closes remaining gaps. Contractors at the lowest level, and some Level 2 contractors, can now self-assess their compliance, eliminating the need for a third-party assessment.
Q. What are the current CMMC levels and what do they mean?
A. With the recent changes to the CMMC program, assessment levels have been narrowed down to three. Each level is defined by the sensitivity of the information handled and the amount of cybersecurity rigor expected. If you are wondering what level your organization needs, here is a breakdown:
- Level 1, Foundational. Companies at this level are not handling CUI for the DoD; their only exposure is federal contract information (FCI). Cybersecurity basics are required at this level, such as access control and routine patching of systems. Third-party assessments are not required for certification. Manufacturers self-assess each year and affirm their compliance instead.
- Level 2, Advanced. Designed for organizations that handle CUI, this level mandates implementation of the security requirements in NIST SP 800-171. Depending on the contract and the nature of the CUI involved, the DoD requires either a self-assessment or an assessment by a CMMC Third-Party Assessment Organization (C3PAO). In either case the assessment is renewed every three years, with an annual affirmation of continued compliance in between.
- Level 3, Expert. This level is reserved for contractors that handle CUI of particular interest to advanced persistent threats. Because national security may be involved, assessments are conducted by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and contractors must already hold a Level 2 certification. Additional controls drawn from NIST SP 800-172 are required on top of the Level 2 baseline.
Q. What is the role of a CMMC Third-Party Assessment Organization (C3PAO)?
A. A CMMC Third-Party Assessment Organization (C3PAO) is an organization that has earned a specific accreditation authorizing it to conduct Level 2 third-party assessments for CMMC (Level 3 assessments are conducted by DIBCAC). The Cyber AB (formerly the CMMC Accreditation Body) accredits C3PAOs, and qualifying organizations must meet rigorous standards, including ISO/IEC 17020 conformance. During an assessment, the C3PAO evaluates your cybersecurity practices and reviews documentation such as your System Security Plan and Plan of Action & Milestones. It also examines and tests your controls to verify that they are implemented and working as documented. When the assessment is complete, the C3PAO submits its results to the DoD, which records them and your resulting certification status.
Integris is not a C3PAO. But our fractional CISOs can help your organization create a plan to get your company prepared for your CMMC assessment.
Q. What is a plan of action and milestones (POA&M) and how does it affect certification?
A. If your organization is not meeting every CMMC requirement at assessment time, you may be allowed to document a plan of action and milestones (POA&M) stating the actions you will take to close the gap. Under CMMC 2.0, a company can receive a conditional certification if it meets at least 80% of the required controls and submits a POA&M to resolve the remainder within 180 days. Not every control can be deferred, though: Level 1 allows no POA&Ms at all, and at Level 2 the highest-weighted requirements must be fully met before certification. This flexibility means your business can move forward on the contract while the POA&M is being executed. However, if the plan is not closed out and verified within the 180-day window, the conditional status lapses and you can lose eligibility. And if you affirm compliance you know you have not achieved, your company could face liability under the False Claims Act. So plan accordingly.
Q. What are the risks of non-compliance (e.g., False Claims Act violations)?
A. Noncompliance with CMMC requirements can result in disqualification from bidding on DoD contracts. If you misrepresent your compliance, especially in your annual affirmations, you risk violating the False Claims Act, which can lead to legal action, fines, and reputational damage. Furthermore, it’s just bad business overall. In today’s environment cybersecurity is a key differentiator, and failing to meet standards opens your business to data loss and erodes customer trust.
Q. How do mergers or acquisitions affect my CMMC certification?
A. Any significant change to your business or IT infrastructure can trigger a reassessment of your CMMC certification status, and this is especially true during mergers and acquisitions. If you merge with an uncertified business, the newly acquired part of your business will need to be evaluated, and its employees will need to be trained on how to handle CUI and follow your compliance procedures in their daily work. Even a merger of two certified companies will still require an assessment to confirm that the combined systems and cybersecurity controls remain compliant. Companies considering an acquisition should factor in the time and investment needed for recertification.
Q. What documentation do I need for a CMMC assessment?
A. Written documentation is a key part of your CMMC compliance. You will be required to provide a system security plan (SSP) describing how your organization implements each required cybersecurity practice. If you’ve identified gaps in your current system that haven’t been closed yet, you’ll need to provide a POA&M to address them. Assessors will look for other key documents as well, including policies and procedures for access control, incident response, configuration management, and audit logging. You’ll also need to provide evidence that the controls are actually in place, such as screenshots, logs, and training records. Assemble them now so they’ll be ready for review.
Learn more about how Integris helps manufacturers: Integris Highly Regulated Industry IT Services
Q. How can an MSP or fractional CISO help with CMMC compliance?
A. An MSP can provide the infrastructure you need to operate as a compliant manufacturer, including 24/7 monitoring, incident response, and reporting services that align with CMMC requirements. A fractional CISO can take it a step further, serving as a CMMC consultant who helps you build the documentation and governance around your CMMC compliance. These CISSP-certified security experts help you think strategically about cybersecurity infrastructure, budgeting, and compliance readiness. Serving as your CMMC consultant, they can conduct a gap analysis, help implement required controls, and prepare documentation for your assessments.
Q. How much can I expect to spend to get CMMC certified, and how long does the process take?
A. Your investment in CMMC certification will depend on the size of your organization, the complexity of your contracting work, and your operational maturity level at the time you start. Your timeline will vary, too. Manufacturers with mature systems may be ready for certification in three to six months, while those with significant gaps could take as long as six to 12 months to reach compliance.
Costs will also vary widely. Smaller companies may spend $15,000 to $100,000 including CMMC consultant fees, remediation, and assessment fees. Larger organizations with complex needs will spend significantly more.
It’s important to note that companies may also see an increase in operating expenses to maintain good standing under CMMC. Specialized tools, software, and licenses may be required to properly safeguard your environments on an ongoing basis.
Q. How does CMMC compliance intersect with other standards like NIST, ISO, or FedRAMP?
A. Luckily, CMMC Level 2 and Level 3 requirements are built on the same foundation used in other cybersecurity frameworks, namely NIST SP 800-171 and NIST SP 800-172. Many CMMC controls also overlap with those in ISO 27001, SOC 2, and FedRAMP. These commonalities allow manufacturers to adopt a single-audit approach, implementing each control once and mapping the same evidence across multiple compliance regimes.
Q. What are the most common ways that manufacturers fall short of CMMC compliance?
A. When manufacturers fall short on their CMMC assessment, it’s usually because their systems, documentation, and cybersecurity investment haven’t kept pace with the growth of the business. The fallout can take many forms, but here are the most common shortfalls we see:
- Insufficient access controls and identity protections
- Poor documentation across the board
- Failure to conduct regular risk assessments
- Underestimating the importance of training and awareness for employees
- Lack of a clear security roadmap and dedicated resources
- Failure to invest in cybersecurity tools that work well together, resulting in reports and monitoring that don’t sync
- Lack of coordination and documentation for updates and remediations
If your company is preparing for CMMC compliance, Integris can help
Our fractional CISO staff can help you do the legwork needed to obtain your CMMC certification. Contact us today for a free consultation.