CMMC Explained for Small Business Owners

Who is CyberNINES?

I have been doing cybersecurity for over 25 years now; CyberNINES has been around for a year and a half. The talent that makes up CyberNINES® is not new. As a retired navy officer and having spent the last ten years as a practitioner with a defense contractor learning how to get compliant, I have something to offer. 

No alt text provided for this image

What is CMMC? Cybersecurity Maturity Model Certification is new, but the underpinnings are not new. NIST SP 800-171 is a security compliance standard under the Defense Federal Acquisition Regulation Supplement (DFARS) and was introduced back in 2017. These regulations flow down from a prime contractor and move down the supply chain. As long as you accept a contract that has a drawing with Controlled Unclassified Information (CUI), which is Department of Defense technical data, you must comply with these regulations. 

No alt text provided for this image

These regulations and processes have always been true. How the DoD is presenting and wrapping this up is what we see here. Before CMMC implementation, companies could self attest to some 110 cybersecurity controls. Through audit and assessment, some estimates found that only 15-20% of required companies met these standard requirements (NIST SP 800-171).

Why CMMC & NIST? Short Answer…National Security.

To help ensure and protect the supply chain of the Department of Defense. These standards and controls protect CUI passed down from Prime Contractors to Subprimes and throughout the supply chain. Small businesses are ill-prepared to defend themselves against nation-state actors trying to steal the data.


  • NIST SP 800-171 is a framework security compliance standard.
  • CMMC - not the law of the land…yet. Two years from now, DFARS will state that contractors who receive CUI must meet CMMC, which is packaged around NIST SP 800-171.

Who is required to be certified? To ensure NIST requirements, there are three different levels of compliance:

No alt text provided for this image


  • Level 1 is responsible for protecting contract information only. The Federal Contracts themselves.
  • Level 2 - 2017 DFARS Most manufacturing and defense and industrial base. There are 80k companies in that category. 
  • Level 3 - Prime Contractors.


This is a very complex environment, small businesses need support. If they need to meet level 2, they will need support, and a 3rd party assessment to be authorized as a DoD contractor.


What is the timeline?

CMMC is coming; my recommendation is to start working now. We believe it takes two full years to fully accomplish the 110 controls. When CMMC does start to effectively roll out there will be opportunities lost due to CMMC compliance not being met. 

As of today, there are 10 companies authorized to do the assessments and 80k companies that need them.

Check out the full podcast to get other answers to pressing CMMC-related questions:

  • How much does it cost?
  • Why do we have it?
  • Who has set the requirement?
  • Other benefits of cybersecurity


My advice: Get started now. Find yourself a trusted partner, if you have an IT provider, ask the tough questions. We can always come in and assist. 

Leave a Comment