
In our latest Catalyst Conversations, Michelle Warren sat down with Simon Jalali, President of A to Z Management Consulting and an expert with over 20 years of experience in cybersecurity and compliance auditing, to discuss the Cybersecurity Maturity Model Certification (CMMC) and its looming impact on the furniture industry. As the Department of Defense (DoD) tightens its security protocols, manufacturers must understand that compliance is no longer optional—it is a requirement for staying in the federal supply chain.
What is CMMC and Why Does It Matter?
CMMC is the DoD’s framework designed to protect sensitive data across its entire supply chain. While it might seem like a requirement only for tech companies or weapons manufacturers, it deeply impacts the furniture industry. Simon explained that this is not just another optional certification; it is becoming a "ticket to play" in the federal marketplace.
"It's a new requirement by the DoD for protecting information; FCI (federal contract information) or CUI (controlled unclassified information). Companies that are involved in the DoD work, regardless of what tier you are, if you are a prime or subcontractor, you are required to be in compliance with the requirement."
Simon clarified that any manufacturer providing infrastructure for the DoD is part of the "mission."
"If you want to do any government contracting work, CMMC is something that, sooner or later, you need to be in compliance with when you're in that supply chain. If you're working with ships, hospitals, command centers, federal buildings that rely on furniture and casework, that's a part of it. [Right now] it’s a requirement if you want to work with DoD, and you all know that it always starts with DoD and then other agencies follow that."
Understanding Information Types: FCI vs. CUI
A major takeaway from the session was the distinction between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). For furniture manufacturers, which of the two you handle determines your compliance level. Simon broke down what actually constitutes FCI vs. CUI.
Level 1 (FCI): Basic contract details like customer names, contract numbers, and invoices. These are important but not considered highly sensitive.
Level 2 (CUI): This is the primary focus of CMMC. In the furniture world, this includes materials that show how a space is built or used, such as drawings, layouts, specifications, floor plans, and installation plans.
Expert Insights: Simon Jalali’s 4-Step Approach
Simon outlined a strategic path for organizations to reach "audit-ready" status:
Scope & Baseline: Identify your CUI/FCI environment and define your assessment boundaries.
Evaluate: Review existing cybersecurity practices against requirements to identify compliance gaps.
Remediate: Address identified deficiencies and update your System Security Plan (SSP).
Readiness Review: Conduct a final pre-assessment review to validate evidence and ensure your organization is aligned with expectations.
Conclusion and Next Steps
CMMC represents a significant hurdle, but also an opportunity for prepared manufacturers to differentiate themselves in a crowded market. Prime contractors prefer partners who are already compliant because it reduces their own risk. By meeting these standards, you can turn a requirement into a significant competitive advantage when bidding on lucrative government contracts. We want to thank Simon Jalali for sharing his expertise and helping our partners stay ahead of the curve. If you have specific questions about your compliance journey, you can reach him at https://atozmanagementconsulting.com/.
If you’re ready to evaluate your readiness for the federal market, we encourage you to take our Public Sector Success Assessment. Visit our website to see where you stand.



Copyright 2026. Catalyst Consulting Group. All Rights Reserved.