Due to increased risks of data loss to cyberattacks and to incorporate industry feedback, the Department of Defense (DoD) has issued an updated model of security measures. Not only does this new framework aim to protect sensitive information, but also to unify the systems that federal contractors use. With a commitment to data protection, Carr Manufacturing Company, Inc. is focused on obtaining Cybersecurity Maturity Model Certification (CMMC) Level 3 compliance.


The CMMC standards help the DoD determine which companies and contractors adhere to predetermined cybersecurity regulations before enlisting them in doing government work. All DoD contractors must go through an extensive certification process and ultimately meet a minimum of the first level of CMMC compliance. The goal is to protect the defense industrial base (DIB) by limiting system vulnerabilities and establishing defined best practices. However, the certification process also shines a light on a contractor’s readiness for handling cybersecurity attacks, as well as their accountability.


While all DoD contractors must be compliant, CMMC compliance also covers any company within the DoD supply chain. This could include small businesses, international suppliers, and more. All of these organizations must meet at least level 1 of the CMMC standards, as determined by DoD-authorized third-party assessment groups.


To achieve CMMC compliance, a company must go through an application and assessment process with a third-party or governmental review. It may take six months or more for a contractor to complete this process, so it is beneficial for a company to do a self-assessment analyzing its current procedures and determining the type of data the company handles, be it controlled unclassified information (CUI) or federal contract information (FCI), prior to application.

The assessing agency will determine a company’s adherence to CMMC as well as NIST standards. Should the company meet all necessary requirements, the DoD will identify that company’s particular level of compliance from five levels of specific regulations.


The National Institute of Standards and Technology (NIST) SP 800-171 helps organizations strengthen their cybersecurity and protect CUI and NFO controls through self-certification. To better monitor for non-compliance, and because some contractors had difficulty complying with NIST SP 800-171, the DoD presented the CMMC to unify and streamline the certification process and audit adherence to the NIST SP 800-171. Importantly, the CMMC standards are more stringent and encourage accountability, with the DoD or an independent third party ensuring a company has the minimum cybersecurity coverage required for compliance.


CMMC consists of five levels of compliance. The higher levels require all controls or practices from the previous levels, making it a tiered framework.


To be CMMC compliant, companies must meet at least the bare minimum, or level 1, of antivirus standards and FCI protection. It includes 17 basic practices (NIST SP 800-171 controls).


A transition step from FCI coverage into some CUI protection, level 2 adds 55 more controls, along with cybersecurity procedure documentation requirements.


At level 3, contractors have proven they can safeguard CUI through documented practices. With 131 total controls, this level includes the complete list of NIST SP 800-171 and its CUI stipulations.


Level 4 includes 157 controls to proactively determine procedures that will allow a contractor to protect CUI over time from advanced persistent threats (APTs).


The highest level of security, level 5 includes 173 total controls that optimize cybersecurity standards company-wide for full CUI coverage from APTs.


All CUI is also FCI, with CUI requiring the utmost protection. If a company works with FCI, which is information that is not intended for public release but has been produced as part of a government-contracted product or service, the company must be certified for levels 1 or 2. If, however, a company works with CUI, or information a governmental agency produces or holds that law or policy dictates an agency handle and safeguard, the company will need to be certified for levels 3 through 5.


Lacking cybersecurity procedures can lose manufacturers business, but CMMC compliance opens a company up to lucrative government contracts. For the DoD, working with CMMC-certified providers ensures that data (research, drawings, specifications, manuals, reports, code, etc.) a company generates or processes will be safe from other organizations and hackers.


Carr Manufacturing has an expert team with a mission-ready attitude and access to proven cybersecurity efforts. To find out more about our security policies or our custom assembly solutions, contact us for a quote today.