New Mexico State University’s NM FAST program recently hosted a hands-on workshop to help local defense contractors and small businesses understand and prepare for Cybersecurity Maturity Model Certification, or CMMC, compliance. As federal requirements grow stricter, companies across the state are seeking clarity on how to protect sensitive data and maintain eligibility for DoD contracts.
The event brought together a diverse group of participants, from small machine shops to mid-sized engineering firms, all navigating the complexities of federal cybersecurity standards. While many were familiar with the term CMMC, attendees expressed uncertainty about how it applied to their operations. NM FAST staff addressed this gap by breaking down the framework into actionable steps, emphasizing that compliance is not about overhauling systems overnight but about building consistent, documented practices around data protection.
Key topics included access control, incident response, and safeguarding Controlled Unclassified Information, or CUI — technical data, designs, and other sensitive but unclassified material critical to national security. Participants learned how to identify where CUI flows through their systems, from email to cloud storage, and what specific controls are required at each stage. One attendee noted they had never realized that a simple spreadsheet containing part tolerances could qualify as CUI and trigger compliance obligations.
A major focus of the session was sustainability: CMMC is not a one-time certification but an ongoing commitment. Higher levels require third-party assessments, meaning companies must maintain readiness continuously. Presenters highlighted common pitfalls, such as undocumented procedures or unsecured remote access, and provided templates and checklists to help attendees build evidence packages for audits.
Smaller contractors raised concerns about resource limitations, particularly the lack of dedicated IT security teams or budgets for expensive tools. NM FAST advisors responded by highlighting free and low-cost resources, including the DoD’s CMMC Accreditation Body and NIST’s Small Business Cybersecurity Corner. They emphasized that demonstrating incremental progress and good faith effort, backed by clear documentation, can significantly strengthen a company’s position during evaluations.
By the end of the workshop, attendees had more than just handouts — they had a clearer roadmap for compliance. Many began drafting internal policies on the spot, while others scheduled follow-up consultations with NM FAST advisors to assess their current posture. The event underscored a critical shift: in today’s defense supply chain, cybersecurity is no longer just a technical concern — it’s a strategic business imperative. For New Mexico’s manufacturing and tech sectors, proactive preparation isn’t just about compliance — it’s about staying competitive in a high-stakes market.
