Ohio is home to a significant defense industrial base — manufacturers in Stark County, Summit County, and across Northeast Ohio supply components, parts, and services to the Department of Defense. If your business holds or is pursuing a DoD contract, CMMC 2.0 compliance is no longer optional. The rules are in effect, and non-compliance means losing existing contracts and being ineligible for new ones.
What Is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) is the DoD's framework for ensuring that contractors and subcontractors adequately protect sensitive government information — specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 was finalized in 2024 and streamlined the original five-level model into three levels. Most small and mid-sized manufacturers fall into Level 1 or Level 2.
The Three CMMC Levels
Level 1 — Foundational (FCI Only)
Level 1 applies to contractors who handle Federal Contract Information but not Controlled Unclassified Information. It requires 17 basic cybersecurity practices drawn from FAR 52.204-21. Level 1 allows annual self-assessment — no third-party auditor is required. Most small shops processing purchase orders or non-sensitive contract documentation fall here.
The 17 Level 1 practices cover basics like: limiting system access to authorized users, screening personnel, identifying information systems handling FCI, limiting physical access, sanitizing media before disposal, and patching vulnerabilities promptly.
Level 2 — Advanced (CUI)
Level 2 applies to contractors handling Controlled Unclassified Information — technical drawings, specifications, test data, or any information marked CUI in a government contract. Level 2 requires implementing all 110 practices from NIST SP 800-171. For most contracts, Level 2 requires a third-party assessment by an authorized C3PAO (CMMC Third Party Assessment Organization).
Level 2 is where most Ohio manufacturers working on defense programs sit. If your contract has CUI markings or references DFARS 252.204-7012, you're almost certainly in Level 2 territory.
Level 3 — Expert
Level 3 applies to the highest-priority DoD programs and requires additional controls beyond NIST 800-171. It's government-led and only relevant to a small fraction of the defense industrial base. Most Ohio manufacturers will not need to pursue Level 3.
The 110 NIST 800-171 Controls: Key Domains
For manufacturers pursuing Level 2, the 110 controls span 14 domains. Here are the areas that most commonly require significant IT work:
- Access Control (AC): Limit system access to authorized users; enforce least-privilege; control remote access
- Audit and Accountability (AU): Log user activity, review logs, protect audit logs from tampering
- Configuration Management (CM): Establish baseline configurations; control and monitor software installed on systems
- Identification and Authentication (IA): Enforce MFA for all CUI system access; manage authenticators securely
- Incident Response (IR): Establish and test an incident response capability; report incidents
- Maintenance (MA): Control and log maintenance of organizational systems
- Media Protection (MP): Control and protect CUI on physical media; sanitize before disposal
- Risk Assessment (RA): Periodically assess organizational risk; remediate vulnerabilities
- System and Communications Protection (SC): Segment networks; encrypt CUI in transit and at rest
- System and Information Integrity (SI): Deploy endpoint protection; patch promptly; scan for malware
The System Security Plan (SSP)
A foundational CMMC requirement that many Ohio manufacturers overlook is the System Security Plan. The SSP documents your environment — what systems process CUI, how those systems are protected, and how each of the 110 controls is implemented. Without an SSP, there is nothing for an assessor to evaluate. Writing an SSP typically takes 40–100 hours of effort for a mid-sized manufacturer and requires input from both IT and operations leadership.
Plan of Action & Milestones (POA&M)
If you have gaps in your 110 controls — and nearly every organization does initially — the POA&M documents which controls are not yet fully implemented, the planned remediation steps, and target completion dates. A POA&M is not a loophole; it demonstrates that you've identified gaps and have a credible plan to close them. However, certain high-priority controls must be fully implemented before an assessment can proceed.
Timeline and What to Do Now
CMMC requirements are being phased into contracts. If you're already under a contract with DFARS 252.204-7012, you've been required to comply with NIST 800-171 since 2017 — and now enforcement through CMMC assessments is active. New contract solicitations are increasingly including CMMC Level 2 requirements as a go/no-go condition.
The right timeline for preparation depends on your current state and contract pipeline. Most manufacturers need 6–18 months to close gaps and prepare for a C3PAO assessment. Starting that process now — with a gap assessment against the 110 controls — is the right first move.
CMMC Gap Assessment for Ohio Manufacturers
We work with Northeast Ohio manufacturers to conduct NIST 800-171 gap assessments, build System Security Plans, and implement the technical controls required for CMMC Level 1 and Level 2. Call to discuss your contract requirements.