Arena Blog

Read Our Blog for the
Latest Trends and Insights

CMMC Compliance: Key Product Development Considerations for Defense Manufacturers

CMMC ComplianceThe Cybersecurity Maturity Model Certification v2.0 (CMMC) deadline is fast approaching with final implementation projected for later this year. If you are a product company currently contracting with the United States Department of Defense (DoD) or are planning to do so in the future, now’s the time to start working toward compliance. Once the CMMC ruling goes into effect, certification will be mandatory for most small to midsized defense manufacturers.


The Department of Defense developed CMMC as a framework to help organizations enhance cybersecurity practices throughout the defense industrial base (DIB). It originated from concerns over increasingly sophisticated cyberattacks on sensitive information across the DIB supply chain. The goal is to protect proprietary, strategic, and operational data from breaches that pose a threat to national security.

The CMMC framework impacts DoD contractors, subcontractors, and suppliers. By demonstrating compliance, organizations not only enhance data security, but foster credibility and gain a competitive advantage in the marketplace.


The CMMC model is centered around National Institute of Standards and Technology (NIST) and Defense Federal Acquisition Regulation Supplement (DFARS) guidelines—primarily NIST SP 800-171 and DFARS 252.204-7012. Certification requirements are divided into three levels based on information type and the organization’s degree of cybersecurity maturity. The levels build upon each other. So, a Level 3 certification fulfills all the requirements of Level 2 and Level 1. Likewise, a Level 2 certification fulfills all the requirements of Level 1. Defense contractors should assess the nature of their information and cybersecurity posture to determine the level that best aligns with their business.

Level 1: Foundational – Applies to entities that handle Federal Contract Information (FCI). Only basic safeguarding practices, as outlined in Federal Acquisition Regulation 52.204-21, are required for this certification. Companies must perform an annual self-assessment and attest to meeting all requirements.

Level 2: Advanced – Applies to contractors handling Controlled Unclassified Information (CUI). Here, the focus is on documentation and implementation of practices surrounding physical access controls, incidence response, risk management, and system integrity. Organizations are required to obtain third-party assessments.

Level 3: Expert – Contractors handling high-priority CUI on behalf of the DoD must be certified at this level. Organizations should implement proactive measures to detect and mitigate security threats before they occur. They must also undergo government-led assessments as part of the certification.

What is Federal Contract Information (FCI)?

FCI is information not intended for public release. It is used to develop or deliver a product or service to the government.

What is Controlled Unclassified Information (CUI)?

CUI is government-created or owned unclassified information that requires safeguarding and dissemination controls pursuant to applicable laws, regulations, and policies.

CMMC Certification Levels



Regardless of the CMMC certification level, defense contractors should have the following measures in place to safeguard sensitive product information throughout the entire lifecycle.

  • Documented plans, policies, and procedures for addressing system security controls, incidence response, and risk mitigation
  • System access controls to ensure that only authorized individuals (both internal and external) have access to sensitive product information
  • Continuous monitoring for system vulnerabilities and assessment of security control effectiveness
  • Cybersecurity awareness training for employees and external partners that reinforces the organization’s cybersecurity program. It should cover procedures on how to mitigate threats, handle sensitive product information, and respond to security breaches.

Because most of their efforts are focused on innovation, many aerospace and defense companies lack the resources, time, and budget to implement these extensive cybersecurity measures. Consequently, CMMC compliance may seem out of reach.


As more defense contractors embrace modern technology like cloud-native product lifecycle management (PLM), they’re able to not only streamline product development but readily comply with stringent export controls (ITAR/EAR) and cybersecurity regulations.

Today’s purpose-built PLM solutions with cloud-native architecture centralize all product information in a single digitized record. Secure web-based access enables globally dispersed teams to collaborate regularly on product development activities while avoiding security risks.

Arena’s Multilayered Security Meets FedRAMP Moderate Baseline Requirements

One of the core CMMC requirements is for DoD contractors to use cloud service providers that can demonstrate they have FedRAMP Moderate Baseline or Equivalent level security in place. Arena by PTC has implemented security measures that meet the FedRAMP Moderate Baseline requirements through its Arena PLM for AWS GovCloud solution. Arena PLM uses a multilayered approach to protect sensitive product information. Layers of protection include well-defined security processes and policies, firewalls, encryption of at-rest and in-transit data, user authentication, and continuous monitoring. Robust access management capabilities enable organizations to control the type of users and product information accessed. They also have a full audit trail of who accesses information and when they access it.

Arena PLM Security Model

Arena Multi Layer Protection Model

Arena’s security model translates to significant savings of time and cost for businesses since they don’t have to establish a cybersecurity framework from scratch. Because Arena is continually audited by third-party assessors, including FedRAMP, organizations can readily compile compliance evidence to expedite the CMMC certification process.


With CMMC and other stringent regulations at the forefront, defense manufacturers need a proven cloud-native solution like Arena to ease the financial and administrative burden of compliance and speed innovation.

Interested to learn more about Arena PLM for AWS GovCloud? Watch this demo.


Department of Defense. Proposed Rule. 32 CFR 170. Cybersecurity Maturity Model Certification (CMMC) Program