Understanding CMMC Requirements for DoD Suppliers

Understanding CMMC Requirements

Understanding CMMC Requirements History

Understanding CMMC Requirements is critical for businesses of all sizes in the defense industry.  A key to establishing effective Cybersecurity Maturity Model Certification (CMMC) is knowing what led to its development.

Executive Order 13806

In 2017 President Donald Trump signed Executive Order 13806 Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States.  This order was undertaken in a coordinated effort by a number of government agencies.  Subject matter experts identified five macro forces that that are leading to a deterioration in U.S. capabilities.  From these they determined ten risk archetypes to the Department of Defense’s (DoD) supply chain.

Risk Identification

The Macro Forces identified are:

  1. Sequestration and Uncertainty of U.S. Government Spending
  2. Decline of U.S. Manufacturing Capability and Capacity
  3. U.S. Government Business Practices
  4. Industrial Policies of Competitor Nations
  5. Diminishing U.S. Science, Technology, Engineering, and Math (STEM) and Trade Skills

The ten Risk Archetypes are:

  1. Sole Source
  2. Single Source
  3. Fragile Supplier
  4. Fragile Market
  5. Capacity Constrained Supply Market
  6. Foreign Dependency
  7. Diminishing Manufacturing Sources and Material Shortages
  8. Gap in U.S. Based Human Capital
  9. Erosion of U.S. Base Infrastructure
  10. Product Security


With regard to the challenges identified in its assessment, the Interagency Task Force made a number of recommendations.  Those that specifically addressed cybersecurity included:

  1. Modernization of efforts to combat Chinese intellectual property theft.
  2. Enhancing abilities to analyze, assess and monitor vulnerabilities of the industrial base.
  3. Implementation of a risk-based methodology for oversight of contractors in the National Industrial Security Program, founded on risk management framework principles to assess and counter threats to critical technologies and priority assets.
  4. Reducing the personnel security clearance backlog through more efficient processes.
  5. Further enhancing efforts to explore next generation technology for future threats.

Defense Product Cybersecurity

The defense industry supply chain is reliant on the flow of data through a vast number of networks both within and across multiple manufacturer’s systems.  Securing this data is essential for maintaining integrity, confidence, and competitive advantage.  The rapid increase in cyber-espionage aimed at the industrial sector places this data at an increased risk.  While a number of cybersecurity approaches exist in the industrial sector, most are not appropriate or adequate for the protection of controlled and uncontrolled defense information.  Key issues include:

  1. Lack of uniformity in security implementation.
  2. Inconsistent implementation by defense suppliers.
  3. Reliance on self-attestation.

CMMC is an effective means of implementing a risk based management approach that will establish baseline requirements, remain adaptive to changing cyber threats, and create a certification process.  This will allow for the integration of companies of all sizes and at all levels to maintain the resiliency and integrity of the defense manufacturing supply chain.

CVG Strategy’s Experience and Commitment

CVG Strategy is committed to the goals of CMMC in securing our defense manufacturing supply chain’s information secure.  As industry leaders in cybersecurity, ITAR, and risk based management systems.  We have experience with companies of all sizes and understand the importance of innovating flexible approaches to understanding CMMC requirements, establishing effective programs, and achieving certification.

Kevin Gholston

Share this post

Share on facebook
Share on twitter
Share on linkedin
Share on print
Share on email