What Companies Need to Comply with CMMC?

Companies required to comply with the CMMC regulations include any company that conducts or monitors consumer credit transactions. This includes banks, mortgage companies, and other financial institutions. Any company completing a “covered transaction” needs to review its policies and procedures for compliance with the CMMC regulations.

Suppliers Tied to DoD

DoD-supplied product or service are involved in the design, development, production, manufacture, supply/use of commercial derivative aircraft. Commercial derivative aircraft are defined as any civil fixed-wing or helicopter type certificated by the FAA that derives from a military prototype and has similar performance characteristics such as size, weight capacity. 

If this applies to your company, you will need to comply with CMMC for all DoD contracts issued after October 25th, 2017.

Small Business

Small businesses must have a certain number of employees to comply with the CMMC. For example, if a company has between five and nine employees, they will need to abide by half of the regulations that fall under this act. If your business employs more than ten people, you must follow all guidelines outlined in CMMC.

The exact amount varies based on location, but at least six or seven different rules are enforced by government oversight organizations like OSHA for most companies. 

It’s essential for any business owner who wants to remain compliant with these new standards to understand what changes might be expected during inspections so they can get ahead of potential issues before their current policies become a problem.

DoD Contractors

They are responsible for determining the applicability of CMMC to their subcontracts, including how compliance will be achieved. For example, one common requirement is that all DoD contractors comply with CMMC when they contractually agree to manufacture classified items or provide support services in whole or part under a covered defense contract. 

Enforcing this rule ensures that foreign-manufactured components do not end up on U.S.-classified military equipment without proper security safeguards being taken by the contractor receiving them.

In addition, this practice could compromise national security and violate trade agreements if the items were re-exported outside of agreed-upon terms between countries involved in an international transaction involving these parts/services.

Foreign Suppliers

Foreign suppliers are not usually required to obtain CMMC licenses. However, foreign suppliers must be aware of the requirements of their local agents and customers as they may be obliged by law to maintain records separate from those in China during audits or investigations. For example, suppose an agent’s office computer is inspected.

In that case, its employees might need to provide files for separate storage on a USB drive so data can be used privately without revealing company secrets belonging only to Chinese parties.


If a company manufactures and sells its products in California, it must comply with CMMC law by surveying all applicable federal and state laws. They can do this by consulting an attorney for legal advice on CMC’s needs when advertising their goods online. 

Once completed, companies can begin selling their product(s) throughout CA without violating any CMC law as long as every advertisement complies with these guidelines set forth under each Federal Trade Commission Act §545 & California Business and Professions Code §17500.