What is a CMMC Certified Foundry?
In today's blog, we're taking a step back from the day-to-day work of an investment casting foundry and shifting our focus towards certifications, specifically CMMC (Cybersecurity Maturity Model Certification). CMMC is a United States Department of Defense (DoD) certification program that, as the name suggests, addresses the cybersecurity of contractors and subcontractors that produce components for the DoD. Let's get into the details!
So, What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. It's a U.S. Department of Defense (DoD) program designed to ensure that contractors and subcontractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) meet specific cybersecurity standards.
You can think of FCI and CUI the way you think of a company's proprietary information. KFC is famously secretive about its 11 herbs and spices, and Coca-Cola doesn't just print the recipes for its soft drinks. The difference is that FCI and CUI are the government's sensitive information, entrusted to a contractor for the duration of a contract.
As a concrete example, imagine that the DoD needed metal components for an artillery system. To deliver the parts, a foundry or machine shop would need project models, drawings, and other weapon system information that the Department of Defense wouldn't just trust with anyone. The contract-related details would be FCI, and the technical data about the weapon system would be CUI.
This, in a nutshell, is what CMMC is all about. It is a robust set of cybersecurity standards that proves a would-be contractor can be trusted to keep sensitive data secure. CMMC has a broad scope and can apply to contractors producing just a handful of parts up to large, prime contractors producing hundreds of thousands of components.
What is CMMC 2.0?
CMMC 2.0 is the Department of Defense's updated Cybersecurity Maturity Model Certification framework, designed to ensure contractors protect sensitive information. The original CMMC 1.0 defined five levels; CMMC 2.0 streamlines that into three levels aligned with National Institute of Standards and Technology (NIST) standards. More specifically, NIST SP 800-171 supplies the set of security requirements a contractor must implement to meet the CMMC 2.0 Level 2 requirements, and NIST SP 800-172 adds further requirements at Level 3.
Without getting too into the weeds, here is a brief look at the three levels:
Level 1 – Foundational
Protects FCI.
The 15 basic safeguarding requirements from FAR clause 52.204-21 (counted as 17 practices in earlier CMMC model documents).
Requires an annual self-assessment with company leadership affirmation.
Level 2 – Advanced
Protects CUI.
Follows 110 controls from NIST SP 800-171.
Contractors handling lower-risk CUI can do an annual self-assessment with leadership affirmation, but most need a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) every 3 years, with an annual affirmation in between.
Level 3 – Expert
For the most sensitive programs.
Builds on Level 2 plus a selected subset of the enhanced requirements from NIST SP 800-172.
Requires a government-led assessment (conducted by the DoD's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) every 3 years, with an annual affirmation in between.
Just as you want your proprietary information protected, the DoD requires strict cybersecurity for its CUI.
How Does JCP Certification Relate to CMMC?
The Joint Certification Program (JCP) is a separate DoD-related program, run jointly by the United States and Canada, that certifies a contractor (via DD Form 2345) as eligible to receive unclassified, export-controlled technical data for defense work. Unlike CMMC, JCP does not assess the contractor's cybersecurity controls; it establishes that the company is a legitimate recipient of the data. Even so, it is a crucial milestone/benchmark that a company can achieve on its way to the more advanced cybersecurity standards.
You can think of JCP sort of like a learner's permit for a new driver, and CMMC as an actual driver's license. A new driver will need to learn the rules of the road, gain experience behind the wheel, learn how to parallel park, and more before obtaining their license.
Similarly, with JCP certification, foundries or machine shops can begin work on DoD projects and gain access to things like part drawings and spec sheets. Once they are working on DoD projects, they can implement their cybersecurity program and then prove it meets CMMC 2.0 standards through the assessment process.
If you want to learn more about JCP Certification, check out our article on IPC Foundry Group's JCP Certification.
Why CMMC 2.0 Matters for Businesses not in Defense
This is all well and good, but what if you aren't in the defense industry? Does any of this matter to you? We're glad you asked! CMMC 2.0, much like any quality certification, signifies that you are working with a foundry you can trust to get the job done and protect your proprietary information along the way. Here are just a few ways a CMMC-certified foundry can help businesses regardless of their industry.
1. Higher Cybersecurity Standards
CMMC-certified companies follow strict frameworks (aligned with NIST), which means stronger protection of your sensitive data—whether that’s financial records, IP, or customer information.
2. Reduced Risk of Breaches
You’re less likely to face supply chain disruptions or reputational damage from a partner’s cyber incident since CMMC 2.0 requires proven security controls.
3. Trust & Transparency
Certification shows a verified commitment to cybersecurity. At Level 2 and above, that commitment is validated by an independent assessor (a C3PAO or the government) rather than self-reported, providing extra assurance.
4. Better Business Continuity
Companies that meet CMMC standards tend to have stronger incident response and disaster recovery processes, which translates to more reliable service for you.
5. Future-Ready Partnerships
Cybersecurity regulations are tightening across industries. Working with a CMMC-certified partner helps ensure you're aligned with best practices that may directly translate to your own industry, whether that is home goods, nuclear energy, or anything in between.
Conclusion:
At the time of writing this article (Summer 2025), IPC Foundry Group is actively pursuing CMMC certification after recently achieving JCP Certification. We are uniquely committed to improving our facilities and training our team to be a precision casting partner you can count on, regardless of your industry. Want to stay in the loop on our certifications, services, and updates around our facilities? Join our mailing list!
If you'd like to see how IPC can save you time, money, and headaches on your next investment casting project, contact us today!