Defense Industry, Protect Confidential Information

The CMMC is a collection of standards and practices to protect the confidential information of clients and the business. Utilization it makes it easier for you to communicate your needs to product and service providers as well as share and learn effective practices with others.

Created originally to support the Defense Industry, including supply chain members, it has great value for all businesses. 

America’s SBDC has adopted the  CMMC (Cybersecurity Maturity Model Certification) as the North Star to guide small businesses on the journey of cybersecurity and data breach protection activities. It was created by the Department of Defense. See private sector and defense applications below.


 Cyber Hygiene

Processes: Performed

Your organization performs the specified practices. Because you may be able to perform these practices only in an ad-hoc manner and may or may not rely on documentation.



 Cyber Hygiene

Processes: Documented

Your organization establishes and documents practices and policies to guide the implementation. The documentation of practices enables individuals to perform them in a repeatable manner. You develop mature capabilities by documenting their processes and practicing them as documented.



Cyber Hygiene

Processes: Managed

Your organization establishes, maintains and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.


Level 4


Processes: Proactive

Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.

Level 5


Processes: Optimizing

Level 5 requires an organization to standardize and optimize process implementation across the organization.

Private Sector

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect confidential information (CI) that resides on with the business. Some may belong to business partners, clients, or others. It is the recommendation of Americas SBDC to take a formal approach to utilize the CMMC so if needed you will be better positioned to be assessed formally by the CMMC Accreditation Body.

Defense Industrial Base

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks. 

A very clear distinction at this point is that the Department of Defense will require you to be formally assessed at one of the above levels. Please follow formal guidance from the CMMC Accreditation Body the official certification body for the CMMC.  The term CUI is defined by the National Archives here.

Americas SBDC is utilizing the CMMC as our North Star. This gives businesses purpose, “to protect confidential information”, of their own, employees, partners, and clients who entrust them with confidential and private information.  it also provides milestones and ability to share good practices with others, including sector specific good practices against unique threats.

More coming very soon


Contact Charlie Tupitza, Cyber and Data Breach Protection Lead at: or call 703-989-8777

America’s SBDC is the association that represents America’s nationwide network of Small Business Development Centers (SBDCs).

Contact your local SBDC for no-cost business consulting and low-cost business training.

© 2020 America’s SBDC