CMMC 2.0 Compliance for Defense Contractors

CMMC is the Department of Defense's framework for verifying that contractors and suppliers protect sensitive federal information. STACK is an authorized Registered Practitioner Organization ready to guide your business through what's required and how to get there.


What Is CMMC?

The Cybersecurity Maturity Model Certification is a verification framework developed by the Department of Defense to ensure that companies handling sensitive government information have the security controls in place to protect it. It applies to organizations that process, store, or transmit Federal Contract Information or Controlled Unclassified Information in the course of DoD work, whether as a prime contractor or as a subcontractor further down the supply chain. Suppliers whose only DoD business is commercial off-the-shelf items are outside its scope.

CMMC 2.0, the current version, consolidates the original five-level model into three levels, each tied to a defined set of security requirements. The goal is a measurable, verifiable standard rather than a system that rests on self-attestation alone. For contracts involving Controlled Unclassified Information (CUI), a verbal commitment to good security is no longer sufficient.

The framework is built on the security requirements in NIST Special Publication 800-171, the federal standard for protecting CUI in non-federal systems. CMMC essentially takes those requirements and adds a formal verification process. All 110 security requirements in NIST SP 800-171 Revision 2 are the requirements for CMMC Level 2, which is where the majority of DoD contractors will need to certify.

CMMC requirements are being phased into DoD contracts now, over a multi-year rollout. Businesses that haven't started their scoping and gap analysis are already behind the pace at which contracts are beginning to require it.

CMMC doesn't exist in a vacuum. It runs alongside other active obligations: the SEC's cybersecurity disclosure rules, the incoming CIRCIA incident reporting requirements, and state privacy law expansions. Michigan's 2024 Cyber Roadmap names advanced manufacturing and defense as two of five priority cybersecurity domains for the state. CMMC readiness is directly aligned with those priorities. For a full breakdown of the 110 NIST 800-171 requirements that underpin CMMC Level 2, visit our NIST 800-171 resource page. For a full picture of the broader regulatory landscape, visit our Manufacturers Resource Hub.

Built On

NIST SP 800-171: Protecting Controlled Unclassified Information

CMMC's technical requirements are rooted in NIST 800-171, a federal publication that defines 110 security requirements across 14 control families. Understanding 800-171 is foundational to understanding what CMMC actually requires. Its Incident Response family also underpins the planning that CIRCIA incident reporting will presuppose, and its requirements align with CISA's Cross-Sector Cybersecurity Performance Goals.
Read our full NIST 800-171 resource page →

Defense Industrial Base

If your company makes components, provides materials, performs services, or handles any information tied to a DoD contract, your organization is likely part of the Defense Industrial Base and subject to CMMC requirements. This includes manufacturers in automotive, aerospace, electronics, and advanced materials sectors.

CMMC 2.0 Certification Levels

CMMC 2.0 organizes certification into three levels based on the sensitivity of the information a contractor handles and the risk to DoD programs and systems.

Level 1 (Foundational)

Covers the 15 basic safeguarding requirements of FAR 52.204-21. Applies to contractors handling Federal Contract Information (FCI). An annual self-assessment, recorded in SPRS with an executive affirmation, is required.

Self-assessment; no third-party audit required
Level 2 (Advanced)

Aligns with all 110 security requirements in NIST SP 800-171. Applies to contractors handling Controlled Unclassified Information (CUI). This is where the majority of DoD supply chain companies land. For most CUI contracts, a certification assessment by a C3PAO every three years is required, with an annual affirmation in between; a limited set of contracts allows a triennial self-assessment instead.

Third-party assessment required for most contracts
Level 3 (Expert)

Designed for the highest-priority programs with the most sensitive DoD information. Requires a Level 2 C3PAO certification as a prerequisite and adds 24 selected requirements from NIST SP 800-172. Assessments are government-led, conducted by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Government-led assessments by DIBCAC

Who Needs CMMC Certification?

CMMC applies across the Defense Industrial Base, not just to prime contractors. If you touch any part of a DoD contract, understanding your obligations is essential.

Manufacturers in the Defense Supply Chain

Companies that produce components, raw materials, or finished goods for DoD programs are directly in scope, including tier-2 and tier-3 suppliers whose products end up in defense systems.

Prime Contractors and Subcontractors

Prime contractors will see CMMC requirements directly in their solicitations. Subcontractors have those requirements flowed down from their prime. Either way, the obligation is real.

Professional and Technical Services Firms

Engineering, IT, logistics, and other services firms supporting DoD programs are equally subject to CMMC requirements when they handle CUI. The framework isn't limited to manufacturers.

Companies Pursuing New DoD Business

If you're planning to bid on DoD contracts and don't yet have CMMC certification, the time to start is before the solicitation arrives. The assessment and remediation process takes time.

Not sure if CMMC applies to your business? That's the most common question we get, and it's the right place to start. A free scoping conversation with STACK will tell you which level applies, whether you're in scope, and what the path forward actually looks like for an organization your size.

How STACK Supports Your CMMC Journey

As a Registered Practitioner Organization, STACK is authorized to help DoD contractors and their suppliers prepare for CMMC assessment. Here's what that process looks like.

1. Scoping and Initial Assessment

We start by understanding what information your organization creates, processes, stores, or transmits. Defining your CMMC scope correctly is the foundation of everything that follows. In practice that means identifying every system, user, and location that handles FCI or CUI, and often consolidating CUI into a dedicated enclave so the assessment boundary stays small. Overscoping wastes resources. Underscoping creates risk. We help you get it right.

2. Gap Analysis Against NIST 800-171

We evaluate your current security controls against the 110 requirements in NIST SP 800-171, which form the basis of CMMC Level 2. The gap analysis produces a clear picture of what's in place, what's missing, and what needs remediation before an assessment.

3. Remediation Planning and Implementation

Not every gap requires the same investment. We prioritize remediation based on risk and assessment impact, and we help your team implement the controls that address the most significant findings.

4. System Security Plan (SSP) Development

CMMC requires a documented System Security Plan that describes how your organization meets each security requirement (NIST 800-171 requirement 3.12.4), along with a Plan of Action and Milestones (3.12.2) for any requirement not yet fully met. We develop and maintain this documentation with you, in language that satisfies assessors without burying your team in complexity.

5. Assessment Readiness and Ongoing Support

We prepare your team for the third-party assessment process, conduct pre-assessment reviews, and provide ongoing managed security services to maintain your certification posture. CMMC isn't a one-time event. It's a commitment to continuous practice.

Ready to start with Step 1? Scoping is where every CMMC engagement begins. It's also where most organizations realize they've been guessing about their obligations. Schedule a free consultation and we'll start there together.

CMMC Questions We Hear Often

Practical answers to the questions manufacturers and contractors ask when they're getting started with CMMC.

We're a small manufacturer. Do we really have to do this?

If your products or services support a DoD contract and you handle FCI or CUI, then yes. Company size doesn't exempt you from the requirement. CMMC Level 1 and Level 2 are designed to be achievable for smaller organizations. The controls aren't new concepts. Many of them are things your IT environment should already be doing. The assessment process formalizes and verifies what's in place.

What's the difference between FCI and CUI?

Federal Contract Information (FCI) is information, not intended for public release, that the government provides or that is generated for the government under a contract to deliver a product or service. Controlled Unclassified Information (CUI) is a narrower, more sensitive category: unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. FCI alone triggers Level 1; CUI triggers Level 2. If you're not sure which category applies to your organization, a scoping conversation is the right first step.

How is CMMC related to NIST 800-171?

NIST SP 800-171 is the technical standard that defines the 110 security requirements contractors must meet when handling CUI. CMMC Level 2 is essentially a verified implementation of those 110 requirements. If you've already done work to comply with NIST 800-171, you have a head start on CMMC. Your 800-171 gap analysis and your CMMC gap analysis are effectively the same exercise. Visit our dedicated NIST 800-171 resource page for a full breakdown of all 14 control families and the scoring model.

How long does the CMMC process take?

It depends significantly on your current security posture. Organizations with mature security programs and documented controls may be able to move through readiness and assessment in several months. Organizations starting from a lower baseline should expect longer, particularly if remediation requires infrastructure changes. Starting early gives you the most flexibility and the least pressure.

What does it mean that STACK is an RPO?

A Registered Practitioner Organization is an organization vetted and recognized by the Cyber AB, the accreditation body overseeing the CMMC ecosystem. RPO status means STACK has Registered Practitioners, trained on the CMMC standard and listed by the Cyber AB, who advise on and support CMMC preparation, including scoping, gap analysis, remediation planning, and SSP development. An RPO cannot conduct the certification assessment itself; that must be performed by a Certified Third-Party Assessment Organization (C3PAO), but we prepare you for it.

CMMC is about DoD. Does it interact with other regulations we're already tracking?

Yes, and this is where things get complicated for manufacturers. CMMC operates alongside several other active requirements. The SEC's cybersecurity disclosure rules require publicly traded companies to report material incidents within four business days. CIRCIA, with a final rule expected from CISA in May 2026, will require covered critical infrastructure entities to report significant incidents within 72 hours and ransomware payments within 24 hours. State privacy laws, including expanded CCPA regulations that took effect January 2026, add documentation and audit obligations. These requirements have overlapping but not identical scopes. A manufacturer in the DoD supply chain may need to satisfy all of them simultaneously. STACK's Manufacturers Resource Hub tracks these requirements in one place.

What should we do if we experience a cyber incident?

Report it quickly and to the right places. Michigan businesses should contact the Michigan Cyber Command Center (MC3) at mc3@michigan.gov or 877-MI-CYBER for non-emergency assistance, or the MSP Operations Center at 517-241-8000 after hours. All businesses should also file a report with the FBI's Internet Crime Complaint Center at ic3.gov. If you're a DoD contractor with DFARS 252.204-7012 in your contract, you must also report cyber incidents affecting covered defense information to DoD through DIBNet within 72 hours of discovery; your System Security Plan should document your incident response procedures, and CMMC assessors will expect evidence that those procedures are practiced. If CIRCIA's final rule is in effect at the time of your incident, you may have additional mandatory federal reporting obligations with tight timelines. STACK can help you build an incident response plan that satisfies all of these requirements before you need it.

Cybersecurity Consultation

Do you know if your company is secure against cyber threats? Do you have the right security policies, tools, and practices in place to protect your data, reputation, and productivity? If you're not sure, it's time for a cybersecurity risk assessment (CSRA). STACK Cybersecurity's CSRA will meticulously identify and evaluate vulnerabilities and risks within your IT environment. We'll assess your network, systems, applications, and devices, and provide you a detailed report and action plan to improve your security posture. Don't wait until it's too late.