Xometry is on track for Cybersecurity Maturity Model Certification (CMMC) in January 2025. We have completed a third-party (C3PAO) NIST 800-171 audit with an SPRS score of 110 out of a possible 110. Xometry aims for CMMC Level 2 to meet our defense and aerospace customers’ requirements.
The pursuit of CMMC affirms Xometry's adherence to rigorous cybersecurity and information security standards, a matter of significant importance to customer compliance departments.
About CMMC
The Department of Defense’s Cybersecurity Maturity Model Certification program (CMMC) is a cybersecurity framework that protects the defense industrial base from increasingly frequent and complex cyberattacks. DoD contractors and subcontractors will soon be required to comply with CMMC to work with the following:
- Controlled Unclassified Information (CUI)
- Export controlled data, including ITAR
CMMC Level 2 requires organizations to undergo a third-party cybersecurity audit against a robust set of controls based on NIST 800-171. Beyond technical cybersecurity controls, compliance requires staff training, policies, procedures, and documentation supporting CMMC requirements.
About SPRS
Xometry completed a third-party NIST 800-171 audit conducted by an authorized C3PAO on October 10th, 2024. NIST 800-171 is a Department of Defense (DoD) cybersecurity framework mandated for contractors managing Controlled Unclassified Information (CUI), including ITAR-regulated export-controlled data. Xometry met 320 out of 320 assessment objectives, resulting in a Supplier Performance Risk System (SPRS) score of 110 out of 110.
Moreover, this accomplishment positions us favorably for the DoD CMMC cybersecurity framework. Unlike NIST 800-171, where a third-party audit is optional and partial compliance with the controls is permissible, CMMC mandates a third-party audit and full compliance with all controls. This distinction is critical as customers increasingly seek suppliers capable of meeting the stringent CMMC standards.
FAQs
Is CMMC the same as ITAR?
No. The International Traffic in Arms Regulations (ITAR) require compliant companies to register with the Department of State Directorate of Defense Trade Controls (DDTC). ITAR aims to prevent the unauthorized transfer of strategic or sensitive defense technologies to foreign entities. Xometry is ITAR registered and will continue to renew its registration alongside its CMMC certification.
How does CMMC apply to Xometry’s suppliers?
CMMC requirements will flow down to suppliers with active CMMC certifications to ensure compliance.
What is Xometry’s CMMC level?
Xometry is aiming for CMMC Level 2 to match the requirements of its customers. The graphic below outlines the different CMMC levels and their requirements.
Where can I learn about CMMC?
We have a great resource on our blog here.
How do I request CMMC work through Xometry?
Xometry expects certification in early 2025. With that, the selection for CMMC will be available through the Xometry Instant Quoting Engine® under the certifications section of quote configuration for applicable processes. If you have projects that need this support in the meantime, please contact us.