Does CMMC apply to my company?
In the Defense contracting world we speak of primes, the companies that sign contracts directly with the government, and subs, the subcontractors that get work under a prime contract. As you move up the supply chain, most companies act as both a prime and a sub on various contracts. If you follow the Defense supply chain all the way to the source, a handful of multinational primes control the majority of the spend.
As a small business owner in Connecticut you may wonder whether CMMC, the Cybersecurity Maturity Model Certification, applies to you. CMMC, the new initiative launched by the Department of Defense, will require a third party to assess your cybersecurity.
If you are a Defense contractor or work in advanced manufacturing in Connecticut you need to follow CMMC. Starting in 2026 all defense contracts will require third party CMMC assessments. Currently defense contractors whose contracts carry a specific clause, DFARS 252.204-7012, must implement NIST SP 800-171 and, under the companion clause 7019, post a self-assessment score. CMMC adds a third party assessment on top of that self-assessment. So if you have a Defense contract, start preparing.
Yet even if you do not have a Defense contract you may want to think about CMMC compliance. You may have a business relationship with contractors who demand that you get compliant. Some contractors may demand proof that you uploaded a score from a self-assessment. These business to business relationships sit outside of the DFARS clauses that govern self-assessment (7012, 7019) and CMMC (7021).
As a small business owner in Connecticut you should consult cybersecurity experts and legal counsel before sharing a System Security Plan, a Plan of Action and Milestones (POA&M), or your SPRS score from a self-assessment. If you have contracts that flow down the 7012 clause you can check with the Program Management Office or the Contracting Officer. The Department of Defense does not usually get involved in the relationships between a prime and a subcontractor.
At some point you have a decision to make. Do the revenues you generate from contracts that flow down a 7012 clause produce large enough margins to justify the investment in compliance with NIST SP 800-171, assessed using the NIST SP 800-171A procedures and a self-assessment, and then further investment into CMMC by 2026?
Yet much of cybersecurity, including the non-technical controls required by CMMC, amounts to better business practice. In fact, legislation to provide data breach liability shields sits in the Connecticut State legislature right now, and one of the frameworks it allows for compliance is NIST SP 800-171. So you have a responsibility anyway, and many other compliance efforts such as ISO 27001, ISO 9001, and CMMI Dev L will produce observable evidence an assessor would use.
So you kinda gotta do this cybersecurity stuff no matter what.
Entrepreneurs can also see the opportunity in providing CMMC compliance services. The Connecticut CMMC Coalition believes our State can import, rather than export, compliance dollars and business in what we call the NAIC Nerd codes. Millions of dollars and thousands of jobs.
The contracting world uses NAICS, a six digit coding system for business types. Codes beginning with 54 cover professional, scientific, and technical services. Connecticut has long stood as the arsenal of democracy, and we must continue this history as we shift from kinetic warfare into immersive cyber battlefields.
Cyber offers a lot of jobs, and with our role in finance, insurance, and Defense, Connecticut can attract and develop top talent. We can pwn the NAIC Nerd codes.
So in answering, “Does CMMC apply to my company?”
The answer is always, “It depends.”
From a legal and regulatory perspective CMMC will involve any company that receives or creates either Federal Contract Information or Controlled Unclassified Information.
Federal Contract Information (FCI), data provided by or generated for the government under a contract and not intended for public release, will require CMMC Level 1 certification. The Federal Acquisition Regulation, FAR 52.204-21 to be exact, lists 15 basic safeguarding requirements for this data, which CMMC Level 1 maps to 17 practices.
Controlled Unclassified Information (CUI), data received or created on behalf of the U.S. government that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls, will require CMMC Level 3 certification.
img credit: CMMC choices. A remix of the “Network Rack” flickr photo by one individual, flickr.com/photos/44…, and the “Choices” flickr photo by keepitsurreal, flickr.com/photos/ke…, both shared under a Creative Commons (BY-SA) license.