Announcing Compliance with Department of Defense Cyber Security Requirements

We’re Ready for Our CMMC Audit!
Leading Edge Metals & Alloys (LEMA) is proud to announce that we have achieved self-assessed compliance with the cyber security requirements designated by the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC), years ahead of the current certification deadlines. Those deadlines have been evolving since 2020 as the DoD refines its guidance for contractors and subcontractors that work with the high-stakes, high-security department.
“As a frequent subcontractor on significant aerospace and defense (A&D) projects, we align closely with the outlined cyber security requirements and the importance of compliance,” explains Leading Edge Metals & Alloys President Erik Zimmerman. “We wanted to be way ahead of the certification deadlines, and we are thrilled to have accomplished that.”
Full CMMC certification will require a CMMC Third Party Assessment Organization (C3PAO) audit prioritized by the DoD. The deadline currently stated by DoD is 2027, but even that will be phased, with Prime/Primary Contractors first in line for the audits.
“Now that we have achieved compliance, you can bet we’ll be carefully monitoring both the requirements and our status to ensure we are always up to date, not just for compliance and an eventual certification audit, but also to protect our company, our customers, and our data,” Zimmerman emphasizes.
A Closer Look: What is CMMC?
The short version is that CMMC is a constantly evolving set of cyber security requirements documented by the DoD to strengthen the entire supply chain against cyber security threats.
In the DoD’s own words, “Cybersecurity is a top priority for the Department of Defense (DoD). The Defense Industrial Base (DIB) faces increasingly frequent and complex cyberattacks. To strengthen DIB cybersecurity and better safeguard DoD information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) Program to assess existing DoD cybersecurity requirements. It is designed to enforce the protection of sensitive, unclassified information shared by the Department with its contractors and subcontractors. The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for nonfederal systems processing controlled unclassified information (CUI).”
Finalized in late 2024, CMMC 2.0 includes a three-year rollout plan for compliance with cyber security requirements for DoD contractors and subcontractors. The plan includes two self-assessed levels (Level 1 and Level 2) and two C3PAO-certified levels (Level 2 and Level 3).
What are the Cyber Security Requirements for Contractors and Subcontractors Working with the Department of Defense (DoD)?
At the highest level (Level 3), there are currently 134 requirements designated within the CMMC. We won’t list them, but they are all in the interest of protecting sensitive, unclassified information.
The requirements start at Level 1, which affirms the basic protection of Federal Contract Information (FCI) as designated by the Federal Acquisition Regulation (FAR), and build from there. FCI is “information not intended for public release provided or generated for the Government under contract to develop or deliver a product or service to the Government…”
Compliance requires implementing meticulous cyber security procedures and policies, including:
- Multifactor authentication
- Extensive documentation and end-user training
- Continuous monitoring and improvement
- Minimum annual self-assessments
How does a Government contractor or subcontractor like us tackle such a massive challenge? Very carefully and with expert guidance.
Achieving CMMC Compliance with Cyber Security Requirements Now for Future Certification
Accomplishing our first self-assessed compliance was no small task, and we were too smart to tackle it alone. We chose VC3, a leading cyber security managed services provider (MSP), and strategic advisor Joseph Ficarra to help us navigate the massive undertaking.
“When DoD first announced CMMC cyber security requirements, audit deadlines were targeted for the end of 2022, the same year we took full ownership of Leading Edge Metals and Alloys,” says Zimmerman. “We knew right away we needed professional guidance to get it right. Fortunately, that deadline got pushed way back, but that doesn’t detract from the incredible value we place on our partnership with Joseph at VC3.”
Thanks to VC3 and our dedicated team led by Zimmerman and Chief Operating Officer John Patriarche, we’ve done the work to be secure and in the best position for successful audits when the DoD is ready.
“There is a bewildering amount of compliance info to keep track of,” emphasizes Ficarra. “Leading Edge Metals and Alloys is way ahead of the curve, first among our clients to achieve this level of compliance with the CMMC cyber security requirements. We’re very impressed with how proactive, tidy, meticulous, and end-user-focused this team is, and look forward to the day when they receive their full CMMC certification. They are ready.”