Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Maturity Model Certification (CMMC) is a U.S. DoD framework for assessing and certifying contractor cybersecurity maturity.

Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity assessment framework used by the United States Department of Defense (DoD) to evaluate and verify the cybersecurity maturity of defense contractors and certain suppliers. It defines a tiered set of practices and processes that organizations implement and then have assessed by accredited third-party assessors to determine whether they can handle specific categories of defense-related information.

Scope and purpose

CMMC primarily applies to organizations that handle:

  • Federal Contract Information (FCI), which is information provided by or generated for the U.S. government under contract and not intended for public release.
  • Controlled Unclassified Information (CUI), which includes sensitive technical data, drawings, specifications, and other information that requires safeguarding but is not classified.

In industrial and manufacturing environments, CMMC is relevant to companies that design, manufacture, test, or maintain defense-related products or components and that store or transmit CUI or FCI in their IT or OT systems, including MES, ERP, PLM, or quality management systems.

Key concepts

  • Maturity levels: CMMC defines multiple cybersecurity maturity levels, each associated with a set of practices and processes. Higher levels require more comprehensive and institutionalized controls.
  • Mapped practices: Many CMMC practices are aligned with existing standards and guidance, particularly NIST SP 800-171 for protection of CUI, as well as other NIST and federal cybersecurity references.
  • Third-party assessment: For applicable contracts, organizations are assessed by authorized CMMC Third-Party Assessment Organizations (C3PAOs). The outcome is a maturity level determination used by the DoD in contract award decisions.
  • Contractual requirement: Specific CMMC levels may be listed in solicitations and contracts, indicating the minimum level an organization must be assessed at to be eligible for award.

Operational meaning in manufacturing

Within manufacturing, aerospace, and other regulated sectors, CMMC affects how organizations design and operate both IT and OT environments that process CUI or FCI. Typical operational implications include:

  • Identifying where CUI resides across MES, ERP, PLM, QMS, file shares, and engineering tools.
  • Implementing access control, logging, and monitoring for systems that store or transmit CUI, including shop-floor terminals and connected equipment.
  • Defining processes for change control, configuration management, and incident response that meet CMMC-aligned practices.
  • Coordinating with suppliers and subcontractors that may also handle CUI and need to align with applicable CMMC expectations.

Relationship to other frameworks

  • NIST SP 800-171: CMMC incorporates and builds on many of the NIST SP 800-171 requirements for protecting CUI in non-federal systems.
  • DFARS clauses: Defense Federal Acquisition Regulation Supplement (DFARS) clauses often reference NIST 800-171 and CMMC-related obligations for contractors and subcontractors.
  • Other cybersecurity standards: Organizations may map controls from ISO 27001, NIST 800-53, and industrial cybersecurity standards such as IEC 62443 to CMMC practices as part of their internal alignment.

Common confusion

  • CMMC vs. NIST 800-171: NIST 800-171 is a set of requirements for protecting CUI; CMMC is a certification-oriented framework that incorporates and assesses implementation of those and additional practices.
  • CMMC vs. general cybersecurity: CMMC is not a complete global cybersecurity standard for all industries. It is a DoD-focused model used to evaluate and document cybersecurity maturity for defense contracting.

Manufacturing-relevant examples

  • A precision machining supplier to a defense OEM implements role-based access control and logging on its MES and file servers, then undergoes a CMMC assessment to demonstrate its maturity level for handling CUI-labeled drawings.
  • An aerospace MRO provider segregates networks and hardens workstations used to access technical orders and maintenance data that qualify as CUI, documenting these measures to align with CMMC practices.
