What is CMMC and How Does it Affect Me?

What is CMMC and How Does it Affect Me?


Any organization (manufacturing company) hoping to work within the defense contract supply chain will need to meet the standards set by the Cybersecurity Maturity Model Compliance (CMMC). Managed by the Department of Defense (DoD), the CMMC is a tiered system of compliance measures, which are intended to evaluate the maturity of the organization’s cybersecurity systems, processes, and contingencies. CMMC was introduced in 2020, refined in 2021, and will be fully required by 2026.

Even if you’re a (manufacturing) organization that’s not looking to work with the DoD – being CMMC compliant can benefit you because it works to actively improve your cybersecurity measures.

CMMC describes a (manufacturing) company’s preparedness against key security issues. A low score on the CMMC model means that your organization is ill-prepared for potentially malicious actions, whereas a high score on the CMMC model will mean that your organization has taken active, critical steps toward mitigating malicious actors.

There are three tiers of certification in the CMMC 2.0 model:

  1. CMMC level 1, “Foundational,” is the most basic level of compliance. This includes basic security practices, including access controls, implementing identity controls, and performing password protection. Level 1 companies don’t have a complete security strategy, they only know the basics. Many organizations start here, then improve their security solutions.
  2. CMMC level 2, “Advanced,” is a reasonably advanced level of security compliance. If your (manufacturing) organization is hoping to work with Controlled Unclassified Information (CUI), then you will need this level of compliance. Organizations hoping to achieve Level 2 will need to follow the 110 best security practices aligned with NIST SP 800-171.
  3. CMMC level 3, “Expert,” is the highest level of certification and what most organizations should aspire to be at. Organizations should be practicing advanced and progressive cyber hygiene, continually optimize their security processes, and analyze their network traffic. Organizations will need a sophisticated understanding of auditing, accountability, access control, and incident response. Achieving CMMC Level 3 will require an organization to follow a set of 110+ practices based on NIST SP 800-172. It will also require government-led audits, as opposed to the third-party audits necessary for achieving Level 2. 


It’s important to focus on the maturity part of the Cybersecurity Maturity Model Certification: compliance is everchanging.

New threats and defenses are established all the time, so an integral part of compliance at any level is maintaining that compliance. This can be challenging, and it is a major process to meet CMMC requirements.

Creating, enforcing, and maintaining security controls take time and when certification is available, manufacturers (you) don’t want to be left behind.

We may experience a backlog from those that are ready for certification between now and when the certification goes live. And remember that meeting CMMC Level 2 will be required for all Department of Defense (DoD) contractors, with self-attestation being minimum for Level 3 capabilities with third-party certification being required for some contractors. 

There is also a complete culture shift involved with achieving the above levels of certification. Everyone needs to be aware of their role upholding compliance at every level of your organization. Therefore, these new compliance requirements mean more than just a change to the policies of your IT department. More importantly, there will be changes to how information is handled throughout your organization, and IT will underpin these changes across each department. 


A business can think of CMMC as a measure of their general cybersecurity health. While CMMC has been designed specifically for DoD contracts, most of the requirements of CMMC apply to any organization dealing with critical, personally identifiable or protected information.

To tackle most DoD contracts, organizations will need basic CMMC compliance. But, that doesn’t mean that achieving better compliance shouldn’t be the ultimate goal of an organization and its IT team.

By working with us, a business can ensure that they are moving toward better cybersecurity — including CMMC compliance requirements. An organization won’t need to devote significant amounts of internal time toward compliance and will be able to achieve better compliance faster.

[Live] CMMC 2.0 Ongoing Updates

[Live] CMMC 2.0 Ongoing Updates


2022 – Q4

CMMC: The Latest

• Rule to be sent to OIRA October 2022.
• Final interim/proposed rule to be released March 2023.
• Rule in contracts beginning May 2023.
• CMMC compliance takes 9-12 months.
• Sec. 866 of the 2022 NDAA requires a report on the impact of
CMMC on small businesses within 180 days. The report must
− the estimated costs of complying with each level of the
− any decrease in the number of small business concerns that
are part of the defense industrial base resulting from the
implementation and use of the framework; and
− an explanation of how the Department of Defense will mitigate
the negative effects to small business concerns that are part
of the defense industrial base resulting from the
implementation and use of the framework.”

2022 – Q3

CMMC: The Latest

• How it will work:

− DoD entered into an MOU (and now contract) with a
single CMMC Accreditation Body (AB).
− The AB will implement the CMMC model, train and
certify assessors, and evaluate assessments. The
AB sits between DoD and the contractors.
− There will be three levels of assessment with the
third being the most stringent.
− DoD will assign a CMMC rating to each contract
and only contractors that have had a successful
assessment at that rating can perform.
− It is unknown who will assign certification levels
required to subcontractors and enforce that.

How to Receive Funding for DoD Cybersecurity Compliance

How to Receive Funding for DoD Cybersecurity Compliance

The DoD Cybersecurity Compliance is the Cybersecurity Maturity Model Certification (CMMC 2.0).

What is this?

The CMMC program is aligned to DoD’s information security requirements for Defense Industrial Base partners (those of whom create products or services that allow for the sustainability or deployment of military operations).

Why’s it important?

Michigan Cyber Defense is created a CyberSmart program that provides $22,500 to small to medium-sized businesses to help obtain the CMMC 2.0.

My company sells products or services for the military… How do I get $22,500 for CMMC 2.0?

Talk to us – we’re a pre-approved CyberSmart resource for the state of Michigan. 

We conduct your gap analysis and can assist in writing your System Security Plan and Plan of Actions and Milestones. Moreover, we can help you become certified. 

How do I know if I need the CMMC 2.0 Compliance?

If you create products or services for the military, you need the compliance. If you create products or services for another company that works with the military, you’re going to need the compliance. 

Many times, we say that if you’re ITAR certified, you’re going to need the CMMC 2.0 certification. 

What if I do nothing?

After 2025, you will no longer be eligible to sell products directly or indirectly (prime or subcontractor) to the DoD or Aerospace industries. 

How long is the State of Michigan providing grant funds for becoming CMMC 2.0 certified?

Until October 2023, but we recommend getting started right away.

What’s Cybersecurity Insurance?

What’s Cybersecurity Insurance?

Cybersecurity insurance is a new, emerging industry. Companies that purchase cybersecurity insurance today are considered early adopters. 

Cyber insurance policies help cover the financial losses that result from cyber events and incidents. In addition, cyber-risk coverage helps with the costs associated with remediation. It also includes payments for the legal assistance, investigators, crisis communicators, and customer credits or refunds. 

More or less, it insures potential losses due to cyber attacks.

Do I need cyber insurance?

Any business that creates, stores, and manages electronic data online can benefit from cyber insurance. Some examples include: customer contracts or credit card numbers.

That means, using Google Drive, online servers, or performing transactional data between businesses can be helped/benefitted from cyber insurance. 

What does it cover?

• meeting extortion demands from a ransomware attack
• notifying customers when a security breach has occurred
• paying legal fees levied as a result of privacy violations
• hiring experts to recover compromised data
• restoring identities of customers whose personal identifiable information was compromised
• recovering data that has been altered or stolen
• repairing or replacing damaged or compromised computers systems

What it doesn’t cover?

• cyber events initiated and caused by employees or insiders
• failure to correct a known vulnerability, such as a company that knows that a vulnerability exists, fails to address it and is then compromised from that vulnerability
• the cost to improve technology systems, including security hardening in systems or applications

What are my next steps?

First of all, contact us to get started. From there, we’ll show you how to remain safe and proactive from any cyber attack. 

The Top 6 Reasons Why You Should Update Your Office Phones

The Top 6 Reasons Why You Should Update Your Office Phones

Has it been a while since you’ve taken a hard look at your office phones? We understand, it’s not an everday thing…

We expect so much out of our communication tools… and when they don’t work, it’s a hassle.

If you’ve been in a situation where it’s hard to reach a customer or coworker – don’t worry, we’ve got you covered. Here are the top 6 reasons why you should update your office phones with us:


It’s a feature that’s extremely beneficial to you when you’re away from your desk. Essentially, you use one phone to answer your personal and work calls. The best part? When you call a client, they see your work number. 


Route calls to different departments or voicemail boxes via interactive menus. While this seems common, it’s actually quite not. The feature itself screams modern day small business because we’re all limited on time, so why not help everyone communicate a little easier?


Again, it seems like a common concept, but most small-to-medium sized businesses don’t have this feature.

If you miss an important call from a client, you don’t want your work phone voicemail to not accept because your inbox is full (trust us, it happens more than you think).

Get a copy of the voicemail directly to your email and ensure you connect back. Seems too good to be true.


Do you want someone always answering your office phones? With ring groups, you can. Some of our clients use this feature because they have multiple locations that need to assist a regional area, and they want to ensure the best customer experience


Use your computer (i.e. VOIP) to make calls. No need to grab your cell phone out of your pocket when you’re in the office working productively… Use your computer!


Use your personal cell phone as an “all-in-one” solution for customer service. Text your clients as requested/needed.


Contact us about new office phones for your business – we’ll take care of you!