What Is CMMC? A Plain-English Guide for Tennessee Manufacturers in the Defense Supply Chain

Hyperion Networks • May 21, 2026


 CMMC, the Cybersecurity Maturity Model Certification, is a U.S. Department of Defense compliance program requiring contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to meet specific cybersecurity standards before contract award. CMMC 2.0 has three levels — Foundational, Advanced, and Expert — aligned with NIST SP 800-171 and NIST SP 800-172, codified at 32 CFR Part 170.

Why CMMC Matters Right Now for East Tennessee Manufacturers

East Tennessee anchors a substantial federal and defense supply chain. Oak Ridge National Laboratory, the Y-12 National Security Complex, and a wide network of aerospace, composites, and precision-machining suppliers feed Department of Defense programs, often through multiple tiers of subcontractors. Many of those subcontractors are 15-to-100-employee shops that have never had to think about formal cybersecurity certification — until now.

Phase 1 of CMMC enforcement began on November 10, 2025, when the Defense Federal Acquisition Regulation Supplement (DFARS) final rule took effect. From that date forward, contracting officers can require CMMC compliance as a condition of contract award. Phase 2 begins November 10, 2026, when third-party certification at Level 2 becomes the standard expectation for contracts involving CUI. The phased rollout completes in November 2028.

The practical effect: a Tennessee manufacturer bidding on defense work in 2026 or 2027 will likely need to be certified — or actively in the middle of an assessment — to remain eligible.

What CMMC Stands For — and Who Runs It

CMMC stands for Cybersecurity Maturity Model Certification. The program is operated by the U.S. Department of Defense and codified at 32 CFR Part 170, the rule published in the Federal Register on October 15, 2024 and effective December 16, 2024. The companion DFARS rule (48 CFR Part 204), which embeds CMMC requirements into defense contracts via DFARS clause 252.204-7021, was published September 10, 2025 and took effect November 10, 2025.

Two assessment-related entities matter for any manufacturer reading this:

  • C3PAOs — CMMC Third-Party Assessment Organizations. Independent firms accredited by the Cyber AB (the CMMC Accreditation Body) to perform Level 2 certification assessments.
  • DIBCAC — the Defense Industrial Base Cybersecurity Assessment Center, a unit of the Defense Contract Management Agency (DCMA). DIBCAC conducts the government-led assessments required at Level 3.

The Three Levels of CMMC 2.0

CMMC 2.0 organizes cybersecurity requirements into three levels based on the sensitivity of the information a contractor handles. Most Tennessee manufacturers in the defense supply chain will land at Level 2.

Level 1 — Foundational

  • Information type: FCI only
  • Practices: the 15 basic safeguarding requirements from FAR 52.204-21
  • Assessment: Annual self-assessment with executive affirmation

Level 2 — Advanced

  • Information type: CUI
  • Practices: the 110 security requirements of NIST SP 800-171 Revision 2 (the revision 32 CFR Part 170 points to)
  • Assessment: Self-assessment or C3PAO third-party certification, depending on contract requirements
  • Frequency: Assessment every three years, with an executive affirmation entered annually in between

Level 3 — Expert

  • Information type: CUI on critical national security programs
  • Practices: the 110 NIST SP 800-171 requirements plus 24 selected requirements from NIST SP 800-172
  • Assessment: Government-led DIBCAC assessment; a final Level 2 C3PAO certification is a prerequisite
  • Frequency: Assessment every three years, with an annual executive affirmation in between

FCI vs. CUI — the Real Question Behind "Which Level Applies"

The first question every manufacturer needs to answer is: what kind of government information actually flows through our systems?

Federal Contract Information (FCI) is information provided by or generated for the federal government under a contract that is not intended for public release. FCI includes contract performance data, vendor information, and routine project communications. FCI alone triggers Level 1.

Controlled Unclassified Information (CUI) is more sensitive — technical drawings, specifications, controlled technical data, certain export-controlled information, and other categories defined in the CUI Registry maintained by the National Archives. If a contract requires the contractor to receive, generate, store, or transmit CUI, Level 2 applies.

Many shops handle both. The rule of thumb: if the prime contractor sends technical drawings, build specifications, or any document marked CUI, Level 2 is the realistic baseline.

Who Actually Needs CMMC

CMMC applies to any organization in the Defense Industrial Base that processes, stores, or transmits FCI or CUI on a non-federal information system. That definition reaches farther than most manufacturers expect:

  • Prime contractors holding direct DoD contracts
  • Subcontractors at any tier in the supply chain
  • Component suppliers, machine shops, and fabricators
  • Service providers — including IT, engineering, and logistics firms — whose systems touch FCI or CUI

DFARS clause 252.204-7021 includes a flowdown requirement. Prime contractors are responsible for ensuring their subcontractors meet the applicable CMMC level. In practice, primes are already requiring compliance evidence from subs — often well before the official phase deadlines.

The "we're too small to matter" assumption is the most common — and most expensive — misread of this rule. Smaller manufacturers tend to have the least mature security programs and the longest remediation runways, which makes early movement more important, not less. The DoD's own regulatory analysis for 32 CFR Part 170 estimated that approximately 8,350 medium and large entities will need Level 2 third-party certification; that figure counts only the entities that are not small businesses, and the same analysis projected a far larger number of small entities at Level 2.

CMMC Timeline and the Four-Phase Rollout

The Department of Defense designed a four-phase rollout to spread enforcement over three years. Each phase begins one calendar year after the previous one.

Phase 1 — November 10, 2025 to November 9, 2026. Level 1 and Level 2 self-assessments may be required as conditions of contract award. The DoD also has discretion to require Level 2 third-party (C3PAO) certification for select higher-priority contracts during this phase.

Phase 2 — Begins November 10, 2026. Mandatory Level 2 C3PAO certification becomes the standard expectation for applicable contracts involving CUI. Self-assessment is no longer sufficient for most CUI work.

Phase 3 — Begins November 10, 2027. Level 3 assessment requirements (DIBCAC-led) are introduced for contracts involving CUI on critical national security programs.

Phase 4 — Begins November 10, 2028. Full implementation. CMMC requirements appear as a condition of award in all applicable DoD solicitations and contracts, other than those for commercially available off-the-shelf (COTS) items.

A critical nuance: prime contractors are not bound to wait for the official DoD phase to demand compliance from subcontractors. Many primes are already requiring Level 2 readiness or certification from their supply base now.

The Real Cost and Effort of CMMC

Honest framing on cost matters because most published estimates are either alarmist or vague. The expense of CMMC has four components:

  1. Assessment fees — paid to the C3PAO conducting a Level 2 certification, or absorbed internally for self-assessment.
  2. Remediation costs — the security tools, hardening work, and infrastructure changes needed to meet the 110 NIST SP 800-171 controls.
  3. Ongoing tooling and monitoring — endpoint protection, logging, identity management, and similar systems must run continuously, not just during the audit window.
  4. Internal time and documentation — building and maintaining a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and the evidence trail that proves controls are operating.

Industry consensus puts most organizations at six to twelve months from "we just started" to "ready for an assessment." For shops with no formal IT governance in place today, the higher end of that range is realistic.

CMMC vs. NIST SP 800-171 vs. ITAR

Three frameworks get conflated in defense-supply-chain conversations. They are not the same thing.

  • NIST SP 800-171 is the technical control set itself — 110 security requirements published by the National Institute of Standards and Technology. CMMC Level 2 is built on these controls.
  • CMMC is the certification program that requires contractors to demonstrate — through self-assessment or third-party audit — that NIST SP 800-171 controls are actually implemented and operating.
  • ITAR (International Traffic in Arms Regulations) governs export control of defense articles and technical data. ITAR data is typically also CUI, which means ITAR-handling manufacturers will almost always need CMMC Level 2 — but ITAR compliance itself is a separate U.S. Department of State regulation.

A manufacturer can be NIST 800-171 self-attested today and still need to undergo a C3PAO assessment to be CMMC certified. The certification is the new requirement.

The Three-Pillar View of CMMC Readiness

Hyperion Networks evaluates every client's IT environment through three lenses: Stability, Security, and Operations. CMMC readiness sits cleanly inside that framework.

Stability — CMMC requires documented, repeatable processes. The System Security Plan, configuration management procedures, change-control discipline. Without stability, controls drift and audit evidence breaks.

Security — the 110 NIST SP 800-171 controls themselves. Access control, audit and accountability, identification and authentication, incident response, system and communications protection, and the rest. This is the technical core.

Operations — the daily evidence that controls are running. Logs being reviewed. Alerts being investigated. Patches being applied on schedule. Assessors do not credit policies that exist only on paper. They credit operational evidence.

A CMMC assessment is, in effect, an audit of all three pillars at once. Manufacturers that approach security as a "set it and forget it" project consistently fail readiness reviews because the operational evidence is missing.

Common CMMC Misconceptions

"CMMC is just paperwork." Level 2 requires implemented and operating controls validated by either a self-assessment with executive affirmation or a C3PAO audit. Documentation matters, but the controls behind the documentation must be real.

"Self-attestation is enough." Self-attestation alone is sufficient only for Level 1, and for certain Level 2 contracts during Phase 1. Beginning November 10, 2026, third-party certification becomes the standard for most CUI work.

"We can wait until a contract requires it." A Level 2 readiness program typically takes six to twelve months. A contract that requires CMMC at award is a contract a non-ready manufacturer cannot win.

"Our cyber insurance covers this." Cyber insurance is a separate financial product. It does not satisfy any CMMC control requirement and does not substitute for an assessment.

"Our MSP handles it." An MSP is not automatically CMMC-aligned. If an MSP stores, processes, or transmits CUI on behalf of a contractor, or runs in-scope security services for it, the MSP is an External Service Provider (ESP) and the services it delivers are assessed as part of the contractor's scope. An MSP whose own systems and practices are not aligned to NIST SP 800-171 can cause the contractor's assessment to fail, and with it the contract.

How a Tennessee Manufacturer Should Prepare

A practical four-step path from "where do we start" to "ready for assessment":

  1. Determine information type. Identify whether the business handles FCI, CUI, or both. The contract language and a data flow analysis answer this.
  2. Confirm the required CMMC level. Most Defense Industrial Base manufacturers handling CUI will land at Level 2.
  3. Run a NIST SP 800-171 gap assessment. Compare current controls against the 110 requirements. Document every gap.
  4. Build the System Security Plan and POA&M. The SSP describes how each control is implemented. The POA&M tracks remediation for any gap.

Steps 1 through 3 typically take 30 to 90 days. Step 4 and the remediation work that closes the POA&M items make up most of the runway.
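A worked illustration of steps 3 and 4, added here as an example and not part of the original article or any DoD tooling: it scores a gap-assessment inventory the way the DoD assessment methodology does (start at 110, subtract the point value of every requirement that is NOT MET), applies the conditional-certification test from 32 CFR § 170.21 (a score of at least 88 of 110, and no requirement worth more than one point left open), and drafts the POA&M rows with their 180-day close-out date. The inventory and the point values assigned to its entries are constructed for the example; the authoritative point values are in the DoD assessment methodology, and the single scoring exception for SC.L2-3.13.11 is not modelled.

```python
"""Score a NIST SP 800-171 gap assessment and draft the POA&M (added example).

Scoring rule: start at 110 and subtract the point value (1, 3 or 5) of each
requirement that is NOT MET.  Conditional CMMC Level 2 certification under
32 CFR 170.21 requires a score of at least 88 (80 percent of 110) and that
every open POA&M item be worth only 1 point; open items must close within
180 days.  Point values in SAMPLE_INVENTORY are assumed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_SCORE = 110           # one point per NIST SP 800-171 requirement
CONDITIONAL_FLOOR = 88    # 80 percent of 110, per 32 CFR 170.21
POAM_CLOSEOUT_DAYS = 180  # POA&M items must be closed within 180 days

# Constructed sample inventory: requirement id -> (status, point value).
# Status is MET, NOT MET, or NA (a not-applicable requirement scores as MET).
# The point values are assumptions for the example, not the official table.
SAMPLE_INVENTORY = {
    "AC.L2-3.1.1":  ("MET", 5),
    "AC.L2-3.1.2":  ("MET", 5),
    "AT.L2-3.2.1":  ("NOT MET", 1),
    "AU.L2-3.3.1":  ("MET", 5),
    "CM.L2-3.4.1":  ("NOT MET", 1),
    "IA.L2-3.5.3":  ("MET", 5),
    "IR.L2-3.6.1":  ("NOT MET", 1),
    "SC.L2-3.13.8": ("NA", 3),
    "SI.L2-3.14.1": ("MET", 5),
}


@dataclass
class GapResult:
    score: int
    open_items: list = field(default_factory=list)      # (id, points) NOT MET
    blocking_items: list = field(default_factory=list)  # open items worth >1

    @property
    def conditional_eligible(self) -> bool:
        # Both halves of the 170.21 test: score floor and no high-value gaps.
        return self.score >= CONDITIONAL_FLOOR and not self.blocking_items

    @property
    def status(self) -> str:
        if not self.open_items:
            return "final certification possible"
        if self.conditional_eligible:
            return "conditional certification possible"
        return "no certification"


def score_inventory(inventory: dict) -> GapResult:
    """Apply the subtractive scoring rule to a requirement inventory."""
    result = GapResult(score=MAX_SCORE)
    for req_id, (status, points) in inventory.items():
        if status not in ("MET", "NOT MET", "NA"):
            raise ValueError(f"{req_id}: unknown status {status!r}")
        if points not in (1, 3, 5):
            raise ValueError(f"{req_id}: point value must be 1, 3 or 5")
        if status == "NOT MET":
            result.score -= points
            result.open_items.append((req_id, points))
            if points > 1:
                result.blocking_items.append((req_id, points))
    return result


def draft_poam(result: GapResult, assessment_date: str) -> list:
    """Turn open items into POA&M rows with the 180-day close-out date."""
    due = date.fromisoformat(assessment_date) + timedelta(days=POAM_CLOSEOUT_DAYS)
    return [
        {
            "requirement": req_id,
            "points": points,
            "milestone_due": due.isoformat(),
            "note": "close before the POA&M close-out assessment",
        }
        for req_id, points in result.open_items
    ]


if __name__ == "__main__":
    res = score_inventory(SAMPLE_INVENTORY)
    print(f"score {res.score}/{MAX_SCORE}: {res.status}")
    for row in draft_poam(res, "2026-06-01"):
        print(row)
```

With the sample inventory the score is 107 and every open item is worth one point, so a conditional certification is possible and the three gaps become POA&M rows due 180 days after the assessment date. Flip IA.L2-3.5.3 (multifactor authentication, a five-point requirement in the real methodology) to NOT MET and the score stays above 88 but the result is no certification, because a high-value requirement cannot sit on the POA&M.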

The MSP's Role in CMMC

A managed service provider supporting a CMMC-bound manufacturer plays a specific role: implementing and operating the technical controls (logging, identity, endpoint, configuration, monitoring), maintaining the evidence trail, and ensuring the MSP's own environment does not introduce scope leakage.

Two questions a manufacturer should ask any current or prospective MSP:

  • "Are your systems aligned to NIST SP 800-171?"
  • "Will you be named as an External Service Provider in our System Security Plan and sign a shared responsibility matrix that states which controls you operate?"

An MSP that cannot answer the first question affirmatively, or refuses the second, is not a CMMC-ready partner.

Frequently Asked Questions

Is CMMC the same as NIST SP 800-171?

No. NIST SP 800-171 is the underlying control set — 110 cybersecurity requirements. CMMC is the certification program that verifies those controls are implemented and operating. CMMC Level 2 is built on NIST SP 800-171.

How long does CMMC certification take?

Most organizations need six to twelve months from initial gap assessment to assessment-ready. Shops with no formal IT governance in place today should plan toward the longer end of that range.

Do small manufacturers really need CMMC?

Yes, if the manufacturer handles FCI or CUI under a DoD contract — directly or through a flowdown from a prime. Size does not exempt a contractor from the requirement.

What happens if a Tennessee manufacturer fails a CMMC assessment?

A Level 2 assessment that does not meet all 110 requirements results in either a conditional certification or no certification. A conditional certification is possible only if the score is at least 88 of 110 and every open item is a one-point requirement; those POA&M items must be closed within 180 days, per 32 CFR § 170.21. Anything below that results in no certification, which means contract ineligibility for any award requiring that level.

Does CMMC apply to subcontractors and suppliers?

Yes. DFARS clause 252.204-7021 includes a flowdown requirement. Prime contractors are responsible for ensuring their subcontractors meet the applicable CMMC level for any contract that handles FCI or CUI.

What is a C3PAO?

A CMMC Third-Party Assessment Organization. C3PAOs are accredited by the Cyber AB (CMMC Accreditation Body) to conduct Level 2 certification assessments.

Does CMMC apply to commercial off-the-shelf (COTS) contracts?

No. Contracts exclusively for COTS items, as defined in FAR 2.101, are excluded from CMMC requirements.

Next Steps for Tennessee Manufacturers

Defense work flowing through East Tennessee is not slowing down. The phased rollout is the runway, not the deadline. The manufacturers that move now will compete with a shrinking pool of certified suppliers in 2026 and 2027 — which is itself a competitive advantage.

Hyperion Networks works with manufacturers, healthcare providers, legal practices, and professional services firms across East Tennessee on the day-to-day stability, security, and operational discipline that CMMC formalizes. If a flowdown letter has shown up — or the next contract recompete is on the horizon — a CMMC readiness conversation is the right first step.

Schedule a no-cost CMMC readiness conversation with Hyperion Networks. Joe Ray and the Hyperion team will help map your FCI/CUI exposure, identify the applicable CMMC level, and outline a realistic path forward.
