CMMC Without the Chaos

For years, cybersecurity in the defense supply chain operated on an honor system. Companies self-assessed, submitted scores, and moved on.

When the Department of Defense began auditing those self-reported scores, many organizations that claimed near-perfect compliance were failing independent assessments.

That system is over.

As of November 2025, CMMC is being written directly into Department of Defense contracts. It is no longer guidance. It is a requirement to win and maintain defense work.

What Is CMMC?

CMMC, the Cybersecurity Maturity Model Certification, is the Department of Defense framework for ensuring that companies handling defense information protect it appropriately.

There are three levels:

Level 1 focuses on Federal Contract Information and includes 15 basic safeguarding requirements. It still allows annual self-assessment.

Level 2 applies to Controlled Unclassified Information and requires compliance with 110 security requirements derived from NIST SP 800-171. Most organizations at this level must undergo independent third-party assessment.

Level 3 builds on Level 2 and adds enhanced protections designed to defend against advanced persistent threats.

The Supply Chain Reality

Many companies do not think of themselves as defense contractors until a customer requires certification.

Machine shops, printers, logistics providers, and specialty service companies are discovering that CMMC requirements flow down through the supply chain. Even if you are several tiers removed from the prime contractor, if controlled information touches your systems, you are in scope.

What the Process Looks Like

CMMC cannot be bolted on at the last minute. It requires:

  • Identifying where controlled information lives

  • Defining scope

  • Implementing required controls

  • Developing policies and procedures

  • Training staff

  • Documenting evidence

Many organizations work with Registered Practitioner Organizations to prepare, followed by assessment from a Certified Third-Party Assessor Organization.

The timeline for Level 2 can extend up to 12 months or more, depending on where you start.

The Bigger Shift

CMMC reflects a larger change in cybersecurity expectations:

  • From self attestation to independent verification

  • From perimeter security to supply chain security

  • From checkbox compliance to operational capability

Whether you are directly in the defense industrial base or not, these principles increasingly apply across industries.

For a practical breakdown of what CMMC means and how companies are navigating certification without the chaos, listen to this episode of the CyberCast.

Jeffrey King

President of AT-NET | Managed Technology Solutions Expert | Cybersecurity Specialist

Jeffrey King is an experienced leader in managed technology solutions with more than 20 years of expertise. As President of AT-NET, he oversees a wide range of services including IT support, cloud solutions, cybersecurity, and business risk management.

His work focuses on cybersecurity and network architecture, with hands-on skills across Unix, VMware, Linux, Cisco, and Microsoft systems. Under his leadership, AT-NET delivers solutions in areas such as compliance (HIPAA, CMMC, PCI, SEC, FINRA), vulnerability management, data backup and recovery, email and endpoint security, and IT project management.

Jeffrey also guides initiatives in co-managed IT services, structured cabling, VoIP systems, and integrated security technologies such as cameras and access control.

