Cherokee Federal Achieves Key CMMC Level 2 Cybersecurity Certification

Cherokee Federal Achieves CMMC Level 2 Certification, Preparing for Upcoming DoD Contract Requirements

INFORMATIONAL
April 25, 2026
Policy and Compliance, Regulatory

Related Entities

Other

Cherokee Federal, Cherokee Nation Businesses

Full Report

Executive Summary

Cherokee Federal, a major federal contractor, announced on April 24, 2026, that it has achieved Cybersecurity Maturity Model Certification (CMMC) Level 2. This certification is a critical milestone for any company operating in the Defense Industrial Base (DIB). It signifies that Cherokee Federal has successfully implemented and had independently verified a comprehensive set of cybersecurity controls designed to protect sensitive government information. This achievement not only demonstrates a mature security posture but also provides a significant competitive advantage as the U.S. Department of Defense (DoD) prepares to make CMMC certification a mandatory requirement for contracts involving Controlled Unclassified Information (CUI).


Regulatory Details

The CMMC program is a DoD initiative designed to enforce cybersecurity standards across the DIB. CMMC Level 2 is a key tier in this model, focused on the protection of CUI.

  • Scope: CMMC Level 2 requires adherence to the 110 security controls outlined in NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."
  • Jurisdiction: The mandate applies to all DoD contractors and subcontractors who handle CUI as part of their contract performance.
  • Assessment: Unlike previous self-attestation models, CMMC Level 2 requires a formal assessment by an accredited Certified Third-Party Assessment Organization (C3PAO). The successful assessment is then recorded in the government's Supplier Performance Risk System (SPRS) and is valid for three years.

Affected Organizations

This development primarily affects:

  • Cherokee Federal: The certified entity.
  • Department of Defense (DoD): The governing body mandating the certification.
  • The Defense Industrial Base (DIB): The entire ecosystem of over 300,000 companies that contract with the DoD. Cherokee Federal's achievement sets a benchmark for other contractors.

Compliance Requirements

To achieve CMMC Level 2, Cherokee Federal had to demonstrate the implementation and operationalization of all 110 security controls from NIST SP 800-171. These controls span 14 domains, including:

  • Access Control
  • Incident Response
  • Configuration Management
  • Identification and Authentication
  • Risk Assessment
  • System and Information Integrity

This requires not just having policies in place, but also providing evidence that the controls are consistently and effectively enforced throughout the organization's systems that process, store, or transmit CUI.


Implementation Timeline

  • April 24, 2026: Cherokee Federal announces its successful CMMC Level 2 certification.
  • November 2026: The DoD is scheduled to begin phasing in CMMC Level 2 certification as a mandatory requirement in new contracts that involve CUI.

Cherokee Federal's early achievement places it well ahead of the deadline and the majority of its competitors.


Impact Assessment

The business impact for Cherokee Federal is overwhelmingly positive. It establishes them as a low-risk, trusted partner for sensitive government missions and provides a clear competitive differentiator. As thousands of other DIB companies scramble to achieve certification before the deadline, Cherokee Federal can focus on capturing new business. For the broader DIB, this serves as a case study and a motivator, highlighting that CMMC Level 2 is an achievable, albeit rigorous, standard. The operational impact within Cherokee Federal involved a significant investment in security infrastructure, processes, and personnel to meet and maintain the 110 controls.


Enforcement & Penalties

As CMMC becomes a contractual requirement, the penalty for non-compliance is straightforward: the inability to bid on or be awarded contracts that involve CUI. This could effectively lock non-certified companies out of a significant portion of the DoD market. Falsifying compliance information can also lead to severe penalties under the False Claims Act.


Compliance Guidance

For other DIB companies seeking to follow Cherokee Federal's path, the process involves several key steps:

  1. Scoping: Clearly define the scope of the CMMC assessment boundary—i.e., which systems, people, and facilities process, store, or transmit CUI.
  2. Gap Analysis: Conduct a thorough gap analysis against the 110 controls in NIST SP 800-171 to identify deficiencies.
  3. Remediation: Develop and execute a Plan of Action & Milestones (POA&M) to remediate all identified gaps. This involves implementing technical controls, writing policies and procedures, and training personnel.
  4. Engage a C3PAO: Select and contract with an accredited C3PAO to conduct the official certification assessment.
  5. Maintain Compliance: CMMC is not a one-time event. Companies must continuously monitor their environment and maintain their security posture to pass recertification every three years.

Timeline of Events

  1. April 24, 2026: Cherokee Federal announced its successful achievement of CMMC Level 2 certification.
  2. April 25, 2026: This article was published.
  3. November 1, 2026: Projected start date for the DoD to begin phasing in CMMC Level 2 as a contract requirement.

MITRE ATT&CK Mitigations

Audit

M1047 (enterprise)

CMMC Level 2 requires extensive logging and auditing capabilities to monitor for and respond to security incidents.

Implementing MFA is a core requirement within the NIST SP 800-171 framework for protecting access to systems containing CUI.

Enforcing the principle of least privilege is a fundamental concept throughout the CMMC controls.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CMMC, DoD, NIST 800-171, Compliance, Regulatory, Defense Industrial Base, Cherokee Federal
