The United States Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC) in order to improve the cybersecurity of the Defense Industrial Base (DIB). The DIB is the worldwide industrial complex that supports research and development of military weapons systems and parts.
CMMC is effective December 16, 2024, and you can read the DoD’s final rule here. The purpose of CMMC is to protect Controlled Unclassified Information (CUI) that the DoD shares with contractors and subcontractors. CMMC will help the defense industry meet adequate security requirements of 32 CFR Part 2002, DFARS 252.204-7012, and DoDI 5200.48 in the implementation of the National Institute of Standards and Technology (NIST) SP 800-171.
Manufacturers that should be CMMC-compliant
Manufacturers that work with the DoD and other federal agencies and handle CIU should be CMMC compliant. While the purpose of CMMC is to strengthen cybersecurity, being CMMC compliant will improve a company’s reputation, provide a competitive advantage, and enable them to work with the DoD in the long term.
Requirements to be CMMC compliant
The CMMC model consists of 3 tiers of cybersecurity requirements. At each level, certain requirements must be met, and assessments must be passed to enable the DoD to verify DIB's implementation of cybersecurity standards. You can read the details of each level from the DoD’s final rule.
Below is the CMMC tiered model with requirements and assessments:
For contractors handling CUI, which requires CMMC level 2, the controls are essentially the same as NIST 800-171. The key distinction is that CMMC requires a third-party audit of controls by an authorized C3PAO, rather than a self-attestation, and all controls must be met.
Funding opportunities and resources
The cost of implementing these new cybersecurity standards, including hardware, software, and training, as well as getting your business audited can add up quickly.
Many states offer resources to help companies learn about CMMC requirements and some programs also provide technical support and funding. Below you will find information about programs available across the U.S. Contact your local Manufacturing Extension Partnership (MEP) Center or Procurement Technical Assistance Center for additional information.
California: California Manufacturing Technology Consulting (CMTC) is a private non-profit organization that provides technical assistance, workforce development, and consulting services to small and medium-sized manufacturers in California. CMTC is affiliated with the National Institute of Standards and Technology (NIST) and is part of the Hollings MEP Program. They have cybersecurity resources available here and they did a webinar all about NIST SP 800-171.
Illinois: The Illinois Manufacturing Excellence Center (IMEC) created the Cyber-Safe Incentive Program for small to mid-sized manufacturers in order to remove hurdles in funding and knowledge to improve cyber readiness for manufacturers. Eligible manufacturers may be awarded up to $25,000 to reimburse documented expenditures of contractual services, infrastructure costs, and other approved costs directly related to cybersecurity implementation and monitoring. Learn more about the Cyber-Safe Incentive Program here.
Indiana: The Indiana Economic Development Corporation (IEDC), using a program funded by the U.S. Small Business Administration (SBA), is partnering with Purdue MEP to conduct cybersecurity assessments and implementation. Funding is open through August 2025 - or until funds run out. Learn more about IEDC here.
Maryland: The Maryland Defense Cybersecurity Assistance Program (DCAP) was established in 2018 through support from the DoD’s Office of Local Defense Community Cooperation (OLDCC) and Maryland Department of Commerce, and assists the defense community with preparation for CMMC 2.0, Gap Analysis, SPRS score, Plan of Action and Milestones (POAM), and more. Maryland MEP has funding available for qualifying Maryland manufacturers to assist with the cost of NIST 800-171/CMMC Preparation and Employee Training. Learn more about the Maryland DCAP here.
Michigan: The Defense Cybersecurity Assurance Program (DCAP) operated by the Economic Growth Institute at the University of Michigan has cost-share funding to support defense supply chain manufacturers and resources to help companies find consultants to assist them. Learn more about the Michigan DCAP here.
New York: The New York MEP is a network of organizations that provide growth and innovation services to small and mid-sized manufacturers throughout the state to help them create and retain jobs, increase profits, and save time and money. Find your regional MEP center here to learn more about resources and funding opportunities.
FuzeHub, the statewide New York MEP Center, offers manufacturing grants, and the next round of funding is expected to open in early 2025. Learn more about FuzeHub’s manufacturing funding opportunities here.
New York State‘s Regional Economic Development Council Initiative, which helps drive regional and local economic development across New York State, offers funding to support existing New York State small manufacturers investing in capital projects to improve competitiveness or productivity through modernization and integration of advanced technology. Learn more about the Small Manufacturers Modernization Grant here.
North Carolina: The North Carolina MEP encourages manufacturers to contact the NC State University Industry Expansion Solutions for a free CMMC consultation. Their Defense Industry Initiatives division offers funding opportunities and their Cybersecurity division offers CMMC resources, including courses and training.
Ohio: The Ohio MEP helps small and medium-sized manufacturers increase sales, create jobs, and generate cost savings through technological innovation, workforce training, and improved management practices. The Ohio MEP office administers the program through 6 regional partners across the state. Find your regional MEP here to learn more about resources and funding.
Pennsylvania: The Pennsylvania MEP manages MEP federal funding and program outcomes through collaboration with a network of 7 Industrial Resource Centers. Find your local Pennsylvania resource center here to learn about funding opportunities and other resources.
Texas: The Texas Manufacturing Assistance Center (TMAC) can conduct a pre-assessment to ensure your company is ready prior to attempting a CMMC – C3PAO Assessment, reducing risk at a lower cost. TMAC is building a team of CMMC Certified Professionals and can assist any manufacturer in developing processes to meet the CMMC. Learn more about the cybersecurity initiatives at the Texas Manufacturing Assistance Center here.
Wisconsin: The Wisconsin Center for Manufacturing and Productivity (WCMP) engages with partnerships and initiatives at the local, state, and federal levels to provide the best available support and resources to help manufacturers reach their goals. The Wisconsin Manufacturing Extension Partnership (WMEP) serves the southern and eastern parts of the state, while the UW-Stout Manufacturing Outreach Center (MOC) serves the north and west. For more information to help your business, contact the organization that serves your region.
Be sure to contact your local Manufacturing Extension Partnership (MEP) Center or Procurement Technical Assistance Center for additional information.
CMMC level 2 partners should join Xometry
Xometry is expected to be among the first to achieve CMMC level 2 status in January 2025. However, to properly serve its customers, Xometry needs to ensure there are also CMMC level 2 suppliers within its network. CMMC requirements will flow down to suppliers with active CMMC certifications to ensure compliance.
Suppliers with CMMC, or those expecting to attain it, can apply to join the Xometry partner network to access millions of dollars in jobs daily, with no quoting or bidding and reliable payments on net-40 terms.
For customers, the selection for CMMC will be available through the Xometry Instant Quoting Engine® under the certifications section of quote configuration for applicable processes.