By: Jason Phinney
If you're a manufacturer serving the DoD and you're still "planning to plan" for CMMC 2.0, you're running out of road. The rules are no longer coming—they're here. They were finalized in December 2024, and enforcement is rolling out this summer. And if you're in Arizona? That timeline just got tighter.
So, let's break this down into something you can use today—no jargon, no panic, just a clear path forward.
Why Q3 2025 Matters More Than You Think
According to the latest updates from Keiter CPA and Cherry Bekaert, DoD contractors will begin seeing CMMC Level 2 requirements embedded in new contracts this quarter. That means:
- You need to be ready to self-assess or prove your posture via a third-party (C3PAO) audit.
- Delays = lost contracts. No more grace period. No more "we're working on it" excuses.
Your Q3 Compliance Checklist
Here's what Arizona-based manufacturers should immediately focus on:
- Know Your Level
  Most subcontractors handling Controlled Unclassified Information (CUI) fall under Level 2. This includes 110 security practices based on NIST SP 800-171.
  Action: Confirm your level with a gap assessment.
- Map Your CUI/FCI Footprint
  You can't secure what you can't see. Identify all systems where CUI/FCI resides. Don't forget your MSP's access or subcontractor connections.
  Action: Create or update your System Security Plan (SSP).
- Build a POA&M (Plan of Action & Milestones)
  Not 100% compliant yet? Fine—but you better show you're on the path. POA&Ms let you contract while finishing up, but they're time-boxed now.
  Action: Prioritize open items by risk and audit weight.
- Go with a CyberAB-Certified Provider
  The CyberAB is the only body authorized to certify CMMC assessment organizations. If your MSP isn't recognized by them, you're gambling with your audit readiness.
  Action: Verify that your compliance partner is certified by CyberAB (we are).
- Start Mock Audit Prep
  Evidence collection isn't a one-click task. Start building your audit-ready binder now. Use checklists based on the 320+ objectives in NIST 800-171.
  Action: Do a dry run with someone who's audit-savvy.
- Secure Local Support
  Arizona MSPs understand the regional quirks—like heat-damaged systems or rural bandwidth gaps. Don't rely on out-of-state cookie-cutter packages.
  Action: Choose a local partner who speaks your language (and doesn't hide behind acronyms).
Bottom Line: "Later" Is No Longer an Option
CMMC isn't just paperwork—it's the key to your livelihood. The DoD isn't bluffing, and your competitors are already moving.
You don't have to navigate this alone. You just need a guide who's been in the trenches—who gets manufacturing, compliance, and common sense.
Let's Talk
Need help scoping your data, building your SSP, or prepping for audit?
Book a free 30-minute CMMC Readiness Call today. We'll give you a plain-English plan—no jargon, no pressure, just real answers.
About the Author
Jason Phinney is a CyberAB Registered Practitioner and trusted compliance advisor helping manufacturers get CMMC-ready with confidence and clarity. His mission is simple: protect contracts, simplify cybersecurity, and make audit readiness feel less like a fire drill and more like a well-oiled machine.