What IS CMMC? (And Why Your Shop Needs It)

Mike Torres
Manufacturing Security Advisor
2025-12-21
8 min read

Advised global manufacturers and machine shops across Asia and the US for 7 years. Now helping small shops navigate CMMC compliance without the BS.


If you make parts for the Department of Defense, you've probably heard "CMMC" thrown around lately. Maybe your prime contractor mentioned it. Maybe you got an RFP that required it. Maybe you're wondering what the hell it even means.

Here's the no-BS explanation.

CMMC = Cybersecurity Maturity Model Certification

It's a cybersecurity standard the DoD created to protect Controlled Unclassified Information (CUI). That's the technical drawings, specifications, and contract details you handle daily.

Think of it like ISO 9001, but for cybersecurity. And unlike ISO, it's mandatory — not optional.

Why Does the DoD Care About Your Cybersecurity?

Chinese and Russian hackers have been stealing defense technology for years. They're not hacking Lockheed Martin directly (those guys have serious security). They're hacking small machine shops that make F-35 parts.

You store CAD files on a desktop running Windows 7. Your shop manager emails specs from his Gmail account. Someone plugs a random USB drive into the CNC controller to transfer a file.

That's how data leaks happen.

The DoD finally realized the weakest link isn't the prime contractors — it's the supply chain. That's you.

What Are the CMMC Levels?

There are three levels. Most machine shops need Level 2.

Level 1 (Basic Cyber Hygiene)

  • 17 basic practices
  • Stuff like "use antivirus" and "change default passwords"
  • Self-assessment (no auditor required)
  • Only for contracts that don't involve CUI

Level 2 (Advanced) ⭐ Most Common

  • 110 practices from NIST SP 800-171
  • Requires third-party assessment
  • This is what most DoD suppliers need
  • Costs $15K-$50K depending on your current state

Level 3 (Expert)

  • 110+ advanced practices
  • Only for critical national security programs
  • You'll know if you need this (most shops don't)

If you're making parts for the DoD and handling technical drawings, you need Level 2.

What Does CMMC Actually Cover?

CMMC isn't just about firewalls and passwords. It's 14 different security domains:

  • Access Control: Who can see what files? Are passwords strong enough?
  • Asset Management: Do you know what computers and devices you have?
  • Audit & Accountability: Can you prove who accessed CUI and when?
  • Configuration Management: Are your systems up to date? Are settings documented?
  • Identification & Authentication: Multi-factor authentication (MFA) for all users
  • Incident Response: What happens when you get hacked?
  • Maintenance: How do you update systems? Who has admin access?
  • Media Protection: How do you wipe old hard drives? Can someone steal a backup tape?
  • Personnel Security: Background checks, security training
  • Physical Protection: Lock the server room, control building access
  • Recovery: Can you restore from backups if ransomware hits?
  • Risk Assessment: Do you know your vulnerabilities?
  • Security Assessment: Regular testing and monitoring
  • System & Communications Protection: Firewalls, encryption, network segmentation

Yeah, it's a lot. But most of it is common sense you should already be doing.

How Much Does CMMC Cost?

Real talk: $20K-$100K depending on where you start.

Breakdown:

  • Assessment fee: $5K-$15K (one-time, paid to C3PAO auditor)
  • Gap remediation: $10K-$50K (fixing what's broken before the audit)
  • Tools & software: $3K-$10K/year (password managers, MFA, backup systems, monitoring)
  • Consultant (optional): $10K-$30K if you need hand-holding

If you're starting from scratch (no IT policies, old computers, no backups), you're closer to $100K.

If you already have good IT hygiene (Windows 10+, backups, antivirus, policies), you're closer to $25K.

Timeline: When Do You Need CMMC?

  • Phase 1 (November 10, 2025): ✅ ALREADY STARTED - CMMC self-assessments are appearing in new contracts NOW
  • Phase 2 (November 10, 2026): 🔴 324 DAYS AWAY - Third-party CMMC Level 2 certification required for new contracts
  • Phase 3 (November 10, 2027-2028): Level 3 assessments and full implementation

Bottom line: You have less than 11 months to get CMMC Level 2 certified. If you want to bid on DoD work after November 10, 2026, start NOW.

What Happens If You Don't Get Certified?

Simple: You can't bid.

No certification = no contract = no DoD revenue.

Prime contractors are already asking subs for CMMC status. If you're not certified and your competitor is, guess who gets the work?

Can You Fake It?

No.

CMMC requires a third-party assessment by a certified auditor (C3PAO). They'll check your systems, review your policies, interview your team, and verify everything.

If you fail, you don't get certified. No cert = no contract.

Self-assessments are dead. The honor system doesn't work (because everyone lied).

What's the First Step?

Most shops start with a gap assessment — figure out where you are vs. where you need to be.

You can:

  1. Hire a consultant to do a gap assessment ($5K-$10K)
  2. Use our free compliance quiz to get a rough readiness score (2 minutes, no signup)
  3. Read the NIST SP 800-171 standard yourself (free, but 100+ pages of government-speak)

Option 2 is the fastest way to see if you're even close.

Can You Do This Yourself?

Depends.

If you have an IT person on staff who knows cybersecurity, maybe.

If your "IT guy" is the machinist who "knows computers," probably not.

Most small shops (5-20 people) hire a consultant for 3-6 months to:

  • Document policies
  • Fix technical gaps (MFA, backups, network segmentation)
  • Prep for the assessment
  • Coordinate the C3PAO audit

Cost: $15K-$30K depending on how messy things are.

Bottom Line

CMMC isn't going away. It's mandatory for DoD work, and November 10, 2026 is only 324 days away.

Phase 1 started in November 2025 — contractors are already being asked about CMMC compliance.

You need 5-7 months to get certified. The earlier you start, the cheaper and less painful it is.

Don't wait until spring 2026. By then, C3PAO assessors are booked solid and you won't make the deadline.

Next step: Take the free 2-minute quiz to see where you stand. It'll give you a readiness score and rough cost estimate — no signup, no sales calls.