How to identify if you need CMMC?

How to identify if you need CMMC?

Identify CMMC

Before we identify CMMC, we must understand Controlled Unclassified Information (CUI).

CUI is an important factor in achieving CMMC, because protecting CUI is a key component of cybersecurity.

The CMMC model is a framework that helps organizations assess and improve their cybersecurity posture. It’s designed to help organizations achieve a baseline level of cybersecurity maturity that aligns with their risk management goals and objectives.

One of the key security controls in CMMC is the protection of CUI. Organizations that handle CUI must ensure that they are safeguarding this information in accordance with applicable laws, regulations, and guidance. This includes identifying and marking CUI appropriately, as well as implementing the appropriate security controls to protect it.

Understanding CUI (Classified Uncontrolled Information)

CUI is a category of sensitive but unclassified information that is regulated by the US government. To ensure that CUI is appropriately safeguarded, specific markings and controls are used to identify it. They are:

1. Banner & Footer Markings

These markings may include a statement indicating that the document contains CUI and should be handled accordingly. For example, a banner marking might read “Controlled Unclassified Information – Do Not Release Without Authorization.” Footer markings may include the specific CUI category and subcategory.

Pro-tip: There is no requirement to add the “U,” signifying unclassified, to the banner and footer as was required with the old FOUO marking (i.e., U//FOUO).

CUI markings in classified documents will appear in paragraphs or subparagraphs known to contain only CUI and must be portion marked with “(CUI).” “CUI” will not appear in the banner or footer.

Last tip – there will be an acknowledgement added to the warning box on the first page of multi-page documents to alert readers to the presence of CUI in a classified DoD document. 

2. Category & Sub-Category Markings

These are used to identify the type of information and the level of protection it requires. Categories may include areas such as “Legal,” “Financial,” or “Defense.” Subcategories provide further specificity within each category. For example, within the “Defense” category, subcategories may include “Weapons Systems Design” or “Military Operations.”

3. CUI Basic vs. CUI Specified

CUI Basic refers to information that is not specifically listed in the CUI Registry but still requires safeguarding. CUI Specified refers to information that is specifically listed in the CUI Registry and has a designated category and subcategory. CUI Specified will also be marked with (SP-) on the document.

4. Limited Dessimination Controls

Limited dissemination controls are used to restrict the distribution of CUI to authorized individuals only. This may include controls such as password protection, access controls, or encryption.

5. Portion Markings

Portion markings are used to identify specific sections of a document that contain CUI. This allows individuals to quickly identify which portions of the document are sensitive and require protection. Portion markings may include labels such as “CUI,” “FOUO” (For Official Use Only), or “Limited Distribution.”

Quick side note: if Portion Markings used in one part of the document, they must be used throughout the entire document.


What is CMMC and How Does it Affect Me?

What is CMMC and How Does it Affect Me?


Any organization (manufacturing company) hoping to work within the defense contract supply chain will need to meet the standards set by the Cybersecurity Maturity Model Compliance (CMMC). Managed by the Department of Defense (DoD), the CMMC is a tiered system of compliance measures, which are intended to evaluate the maturity of the organization’s cybersecurity systems, processes, and contingencies. CMMC was introduced in 2020, refined in 2021, and will be fully required by 2026.

Even if you’re a (manufacturing) organization that’s not looking to work with the DoD – being CMMC compliant can benefit you because it works to actively improve your cybersecurity measures.

CMMC describes a (manufacturing) company’s preparedness against key security issues. A low score on the CMMC model means that your organization is ill-prepared for potentially malicious actions, whereas a high score on the CMMC model will mean that your organization has taken active, critical steps toward mitigating malicious actors.

There are three tiers of certification in the CMMC 2.0 model:

  1. CMMC level 1, “Foundational,” is the most basic level of compliance. This includes basic security practices, including access controls, implementing identity controls, and performing password protection. Level 1 companies don’t have a complete security strategy, they only know the basics. Many organizations start here, then improve their security solutions.
  2. CMMC level 2, “Advanced,” is a reasonably advanced level of security compliance. If your (manufacturing) organization is hoping to work with Controlled Unclassified Information (CUI), then you will need this level of compliance. Organizations hoping to achieve Level 2 will need to follow the 110 best security practices aligned with NIST SP 800-171.
  3. CMMC level 3, “Expert,” is the highest level of certification and what most organizations should aspire to be at. Organizations should be practicing advanced and progressive cyber hygiene, continually optimize their security processes, and analyze their network traffic. Organizations will need a sophisticated understanding of auditing, accountability, access control, and incident response. Achieving CMMC Level 3 will require an organization to follow a set of 110+ practices based on NIST SP 800-172. It will also require government-led audits, as opposed to the third-party audits necessary for achieving Level 2. 


It’s important to focus on the maturity part of the Cybersecurity Maturity Model Certification: compliance is everchanging.

New threats and defenses are established all the time, so an integral part of compliance at any level is maintaining that compliance. This can be challenging, and it is a major process to meet CMMC requirements.

Creating, enforcing, and maintaining security controls take time and when certification is available, manufacturers (you) don’t want to be left behind.

We may experience a backlog from those that are ready for certification between now and when the certification goes live. And remember that meeting CMMC Level 2 will be required for all Department of Defense (DoD) contractors, with self-attestation being minimum for Level 3 capabilities with third-party certification being required for some contractors. 

There is also a complete culture shift involved with achieving the above levels of certification. Everyone needs to be aware of their role upholding compliance at every level of your organization. Therefore, these new compliance requirements mean more than just a change to the policies of your IT department. More importantly, there will be changes to how information is handled throughout your organization, and IT will underpin these changes across each department. 


A business can think of CMMC as a measure of their general cybersecurity health. While CMMC has been designed specifically for DoD contracts, most of the requirements of CMMC apply to any organization dealing with critical, personally identifiable or protected information.

To tackle most DoD contracts, organizations will need basic CMMC compliance. But, that doesn’t mean that achieving better compliance shouldn’t be the ultimate goal of an organization and its IT team.

By working with us, a business can ensure that they are moving toward better cybersecurity — including CMMC compliance requirements. An organization won’t need to devote significant amounts of internal time toward compliance and will be able to achieve better compliance faster.

[Live] CMMC 2.0 Ongoing Updates

[Live] CMMC 2.0 Ongoing Updates


2022 – Q4

CMMC: The Latest

• Rule to be sent to OIRA October 2022.
• Final interim/proposed rule to be released March 2023.
• Rule in contracts beginning May 2023.
• CMMC compliance takes 9-12 months.
• Sec. 866 of the 2022 NDAA requires a report on the impact of
CMMC on small businesses within 180 days. The report must
− the estimated costs of complying with each level of the
− any decrease in the number of small business concerns that
are part of the defense industrial base resulting from the
implementation and use of the framework; and
− an explanation of how the Department of Defense will mitigate
the negative effects to small business concerns that are part
of the defense industrial base resulting from the
implementation and use of the framework.”

2022 – Q3

CMMC: The Latest

• How it will work:

− DoD entered into an MOU (and now contract) with a
single CMMC Accreditation Body (AB).
− The AB will implement the CMMC model, train and
certify assessors, and evaluate assessments. The
AB sits between DoD and the contractors.
− There will be three levels of assessment with the
third being the most stringent.
− DoD will assign a CMMC rating to each contract
and only contractors that have had a successful
assessment at that rating can perform.
− It is unknown who will assign certification levels
required to subcontractors and enforce that.

How to Receive Funding for DoD Cybersecurity Compliance

How to Receive Funding for DoD Cybersecurity Compliance

The DoD Cybersecurity Compliance is the Cybersecurity Maturity Model Certification (CMMC 2.0).

What is this?

The CMMC program is aligned to DoD’s information security requirements for Defense Industrial Base partners (those of whom create products or services that allow for the sustainability or deployment of military operations).

Why’s it important?

Michigan Cyber Defense is created a CyberSmart program that provides $22,500 to small to medium-sized businesses to help obtain the CMMC 2.0.

My company sells products or services for the military… How do I get $22,500 for CMMC 2.0?

Talk to us – we’re a pre-approved CyberSmart resource for the state of Michigan. 

We conduct your gap analysis and can assist in writing your System Security Plan and Plan of Actions and Milestones. Moreover, we can help you become certified. 

How do I know if I need the CMMC 2.0 Compliance?

If you create products or services for the military, you need the compliance. If you create products or services for another company that works with the military, you’re going to need the compliance. 

Many times, we say that if you’re ITAR certified, you’re going to need the CMMC 2.0 certification. 

What if I do nothing?

After 2025, you will no longer be eligible to sell products directly or indirectly (prime or subcontractor) to the DoD or Aerospace industries. 

How long is the State of Michigan providing grant funds for becoming CMMC 2.0 certified?

Until October 2023, but we recommend getting started right away.

Security vs. Compliance: What’s the Difference?

Security vs. Compliance: What’s the Difference?

Business data security and protection has never been this important! Especially in this dispensation of fast digital transformation.

On one hand, advanced technology has got businesses running more smoothly and increasing their conversion rates. However, on the negative side, cybersecurity threats have also grown in sophistication, thanks to the same cutting-edge technology, which cybercriminals are taking advantage of. The result is the need for heightened IT security by businesses and strict IT compliance requirements by regulatory bodies.

But is security just another name for compliance? Is your business secure after you have all those boxes ticked in the compliance document? Let’s explore each and help you remove the blurry line between both.


In a nutshell, it’s the processes and controls involved to ensure your data, systems, and networks are masked against cyber breaches. Generally, security encompasses:

  • Data: Your data storage and transmission media are critical. Every business should have data loss and recovery plans, such as cloud backups. Additionally, proactive network monitoring should ensure that no criminals intercept the data while in transit.
  • Systems: Your systems should be physically protected and, more importantly, digitally protected against malware and attacks. This can be achieved through constant software updates or patching. And regular/automatic system scans to detect an infection/breach early. Besides, as more businesses adopt BYOD (Bring Your Own Device) at the workplace, you should ensure that those personal devices accessing the company network are free from malware or security vulnerabilities.
  • Users: From phishing to reckless errors, users play a crucial role in determining whether your business is secure or not. That is why you should conduct frequent user training about security and ways to prevent attacks.


Compliance comes into play when third-party regulatory/governmental bodies are involved. Typically, compliance seeks to ensure that your business has implemented the irreducible minimums of various security standards such as HIPAA, GDPR, or PCI. Compliance aims to meet:

  • Industry regulations
  • Security frameworks
  • Government policies
  • Client contractual terms


Both. For you to be successful in business, you’ll need to both secure your business and comply with third-party regulatory or contractual guidelines. For instance, to get a DOD contract, you’ll need to comply with CMMC standards that apply to that contract. On the other hand, if you experience a breach due to weak security, you risk the loss of critical business data, revenue, and reputation damage, even if you’re compliant.

In summary, security:

  • Is done for your own sake while compliance seeks to satisfy a third party’s requirements.
  • Seeks to protect your digital assets through risk assessment, monitoring, and mitigation, but business needs drive the need for compliance.
  • Should be frequently maintained, whereas compliance is a one-time event and is complete once the regulatory body is satisfied.

To conclude everything, IT security is the practice of executing adequate technical controls to defend your systems and networks against cybersecurity threats, while compliance is applying these practices to meet third-party regulatory or contractual requirements.


Whether you’re looking to solidify your security or meet a new compliance threshold, you’ll need a good IT team to implement the required security measures. However, building an effective in-house IT team is not easy, not to mention how costly that may be. Therefore, seeking a managed security solution, such as ICS Data, is wise, practical, and cost-effective, especially for SMEs. Get in touch to get started.