CMMC Myths
by Jon Lober | NOC Technology
This article is part 2 of a series on CMMC Certification. Learn more by reading What You Need to Know About CMMC
Don't fall for these common myths when it comes to the October 2026 CMMC certification deadline.
Common CMMC Myths
MYTH 1
"We're too small to need this."
Reality: We've heard this one directly. Unfortunately, size doesn't matter— handling CUI does. If your business handles any CUI, you will be required to implement CMMC. It's not a matter of "getting audited." It's a contract requirement.
MYTH 2
"Our prime contractor will handle this."
Reality: Every company self-certifies. Your prime contractor cannot and will not certify for you.
MYTH 3
"We can just segment CUI to one system."
Reality: You think you'll contain it, but CUI tends to spread easily. Received an email with specifications? That's CUI on your email server, backup system, and every workstation that accessed it.
MYTH 4
"Level 1 is enough for now."
Reality: Most contracts specify Level 2. Getting Level 1 and then upgrading to Level 2 wastes time and money.
MYTH 5
"We can do this internally."
Reality: Unless you have a full-time security team, you'll likely need help. The documentation alone requires specific expertise.
Manufacturing-Specific Challenges to protecting classified or sensitive data:
The Shop Floor Problem
Your ERP might be secure, but what about:
- CNC machines running Windows XP?
- PLCs that can't support encryption?
- Quality systems that can't enable MFA?
- Shared workstations on the production floor?
The Supplier Data Exchange
- CAD files sent via personal Dropbox
- Specifications shared through unsecured FTP
- Email attachments with technical drawings
- USB drives from customers with designs
The Remote Access Dilemma
- Engineers accessing systems from home
- Vendors remoting into equipment for support
- Cloud storage for large CAD files
- Mobile access to production data
You need to get started right away if:
- Your passwords are still on sticky notes
- You're using Windows 7 anywhere
- Everyone is an admin on your systems
- You don't have written IT policies
- Your backups haven't been tested in 6 months
- You use personal email for business
- Ex-employees still have access to systems
- You don't have cyber insurance
- Your WiFi password is your company name
- You can't answer: "Where is all our CUI?"
If you checked more than three of these, you can't afford to waste time. Start on your certification today.
As a reminder: If you touch ANY DoD data or work with companies that do, you need CMMC.
- This includes:
- Direct DoD contractors (obvious)
- Subcontractors at any tier (less obvious)
- Suppliers to defense contractors (often forgotten)
- Machine shops making parts for defense equipment
- IT service providers supporting defense contractors
- Logistics companies shipping for defense contractors
Need help navigating CMMC requirements? NOC Technology's CEO Jon Lober is a CMMC Registered Practitioner who has guided dozens of manufacturers through certification. We understand both the technical requirements and manufacturing realities. Contact us for a no-obligation consultation about your certification timeline.
Remember: The difference between companies that make the October 2026 deadline and those that don't isn't capability – it's when they started. Today is your day to start.
