
CMMC 2.0 Is Final — What NJ & PA Manufacturers Need to Know Before Contracts Require It

If you’re a manufacturer or defense subcontractor in New Jersey or Eastern Pennsylvania, CMMC has likely been on your radar for years. The final rule is now published, and the Department of Defense is beginning to include CMMC requirements in new contracts. The question is no longer if you’ll need certification — it’s when.

Here’s what the final CMMC 2.0 framework means for your business, what level you likely need, and a realistic timeline for getting there.

What Changed in the Final Rule

CMMC 2.0 simplified the original five-level framework down to three levels. For most manufacturers and subcontractors handling Controlled Unclassified Information (CUI), Level 2 is the target. Level 2 maps directly to the 110 controls in NIST SP 800-171 — the same framework many contractors have been self-attesting to for years.

The critical difference: self-attestation is no longer sufficient for most contracts involving CUI. You’ll need a third-party assessment from a Certified Third-Party Assessment Organization (C3PAO). This is the piece that catches most manufacturers off guard — the assessment process takes months of preparation, and C3PAO availability is limited.

Do You Need CMMC?

If your company handles Federal Contract Information (FCI) only, you’ll need Level 1 — a self-assessment against 17 basic practices. Most manufacturers can handle this relatively quickly.

If you handle CUI — technical drawings, specifications, engineering data, or any information marked CUI by your prime contractor or the DoD — you need Level 2. This is where the heavy lifting happens: 110 controls covering access control, incident response, audit logging, encryption, and much more.

Not sure if you handle CUI? Look at your contracts. If you see DFARS 252.204-7012, you almost certainly do.

The Realistic Timeline

Here’s what manufacturers need to understand: getting from “we haven’t started” to “assessment-ready” typically takes 9 to 18 months, depending on your current IT maturity. The process involves:

Months 1-2: Scoping and gap assessment. Identify where CUI flows through your organization, define your assessment boundary, and document the gaps between your current state and NIST 800-171 requirements.

Months 3-8: Remediation. This is where the real work happens — implementing MFA everywhere, encrypting CUI at rest and in transit, deploying endpoint detection, building your incident response plan, configuring audit logging, and dozens of other technical and procedural controls.

Months 9-12: Documentation and testing. Write your System Security Plan (SSP), create your Plan of Action and Milestones (POA&M) for any remaining gaps, and conduct internal testing to verify everything works as documented.

Months 12-18: Assessment. Schedule your C3PAO assessment (book early — availability is tight), conduct a pre-assessment readiness review, and complete the formal assessment.

What to Prioritize First

If you’re just starting, focus on the controls that take the longest to implement and have the biggest impact:

Multi-Factor Authentication (MFA) on every account that can access CUI. This is non-negotiable and often the first thing assessors check.

Encryption for CUI at rest (on laptops, servers, and backups) and in transit (email, file transfers, VPN). FIPS 140-2 validated encryption is the standard.

Network segmentation to limit your CUI boundary. The smaller your assessment scope, the fewer controls you need to implement across your entire network. Put CUI on a separate network segment with restricted access.

Audit logging for all systems that touch CUI. You need to know who accessed what, when, and from where — and you need to retain those logs.
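The four priorities above are easiest to picture as questions an assessor asks of your audit trail: was the account using MFA, did the connection come from inside the CUI segment, and do the logs reach back far enough? The following is an added example, not Iron Core's code or a CMMC artifact. It parses a constructed audit-log format (the field names, the CUI segment ranges and the 90-day retention window are assumptions; a real deployment would adapt the parser to the Windows Security log, syslog or SIEM export it actually has) and reports the two findings an assessor would want explained.

```python
"""Review a CUI access log for the controls prioritized above.

Added example, not Iron Core's code. The log format, network ranges and
retention window are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: CUI systems live on their own segment and only these ranges
# may reach them (network segmentation / assessment boundary).
CUI_SEGMENT = [ipaddress.ip_network("10.50.0.0/24"), ipaddress.ip_network("10.50.1.0/24")]

# Assumption: audit logs must be retained at least this long.
RETENTION = timedelta(days=90)

# Constructed log line shape: ISO timestamp, user, source IP, MFA flag, action, object.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+)$"
)

# Constructed sample log; not real traffic.
SAMPLE_LOG = [
    "2026-01-05T08:15:00+00:00 user=jsmith src=10.50.0.21 mfa=yes action=read object=/cui/drawings/part-7781.pdf",
    "2026-01-05T08:20:12+00:00 user=jsmith src=10.50.0.21 mfa=yes action=write object=/cui/drawings/part-7781.pdf",
    "2026-01-06T17:42:03+00:00 user=svc_backup src=10.50.1.5 mfa=no action=read object=/cui/",
    "2026-01-07T09:01:44+00:00 user=mlee src=192.168.1.77 mfa=yes action=read object=/cui/specs/rfq-2026-014.docx",
    "2026-04-01T10:00:00+00:00 user=mlee src=10.50.0.30 mfa=yes action=read object=/cui/specs/rfq-2026-014.docx",
]


@dataclass
class AccessEvent:
    when: datetime
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    mfa: bool
    action: str
    obj: str


def parse_line(line: str) -> AccessEvent:
    """Turn one audit line into a structured event (who, what, when, from where)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return AccessEvent(
        when=datetime.fromisoformat(m["ts"]),
        user=m["user"],
        src=ipaddress.ip_address(m["src"]),
        mfa=(m["mfa"] == "yes"),
        action=m["action"],
        obj=m["obj"],
    )


def review(lines: list[str]) -> list[tuple[str, AccessEvent]]:
    """Return (finding, event) pairs: CUI access without MFA or from outside the segment."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev.mfa:
            findings.append(("access without MFA", ev))
        if not any(ev.src in net for net in CUI_SEGMENT):
            findings.append(("access from outside CUI segment", ev))
    return findings


def retention_ok(lines: list[str], now_iso: str) -> bool:
    """True if the oldest retained event is at least RETENTION before `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    oldest = min(parse_line(line).when for line in lines)
    return now - oldest >= RETENTION


if __name__ == "__main__":
    for finding, ev in review(SAMPLE_LOG):
        print(f"{ev.when.isoformat()} {ev.user} from {ev.src}: {finding} ({ev.action} {ev.obj})")
    print("retention covers 90 days:", retention_ok(SAMPLE_LOG, "2026-04-10T00:00:00+00:00"))
```

Run against the constructed log, the review flags the service account that read the CUI share without MFA and the workstation on the office LAN that reached a CUI document from outside the segment; both are the kind of entry you want to find and fix before the C3PAO does.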

The Bottom Line for Lehigh Valley and NJ Manufacturers

The Lehigh Valley and Northern New Jersey corridor is dense with precision manufacturers, machine shops, and defense subcontractors. Many of these businesses have been self-attesting to NIST 800-171 compliance without actually implementing the controls. That approach is ending.

The manufacturers who start now will be positioned to win contracts when competitors can’t certify in time. The ones who wait will face rushed timelines, limited C3PAO availability, and the real risk of losing contract eligibility.

If you’re a manufacturer in NJ or Eastern PA and need help scoping your CMMC requirements, Iron Core offers a free initial assessment to help you understand where you stand and what it’ll take to get certified.

Need Help with Your IT Security?

Book a free 30-minute assessment. We’ll review your current posture, identify risks, and give you a clear action plan.

No commitment · No hard sell · Just expert insight

Cyber Insurance in 2026: The 7 Controls Carriers Now Require Before They’ll Write Your Policy

Three years ago, you could get cyber insurance by filling out a questionnaire and checking some boxes. That era is over. Carriers have been burned by massive claim payouts, and their underwriting has gotten dramatically more sophisticated. In 2026, most carriers now require proof of specific security controls before they’ll write or renew your policy — and they’re verifying your answers.

Here are the seven controls that have become essentially non-negotiable for cyber insurance eligibility.

1. Multi-Factor Authentication (MFA) — Everywhere

MFA on email only isn’t enough anymore. Carriers now require MFA on remote access (VPN), cloud applications, privileged accounts (admin access), and often all user accounts. If a carrier asks “do you have MFA?” and you’ve only enabled it for email, you’ll get denied or quoted at a steep premium.

The implementation doesn’t need to be complicated. Microsoft Authenticator or similar app-based MFA is acceptable. SMS-based MFA is increasingly frowned upon but still accepted by most carriers. Hardware keys are the gold standard if you want the best rates.

2. Endpoint Detection and Response (EDR)

Traditional antivirus is no longer sufficient. Carriers want to see a modern EDR solution — think SentinelOne, CrowdStrike, or Microsoft Defender for Endpoint — deployed on every endpoint. EDR goes beyond signature-based detection to monitor behavior, detect anomalies, and enable rapid response to threats.

The key distinction carriers care about: EDR provides response capabilities (isolation, remediation, rollback), not just detection. If your “antivirus” can only alert you, it’s not EDR.

3. Verified Backup and Recovery

Carriers don’t just want to know that you have backups — they want to know your backups are offline or air-gapped (not accessible from your network if ransomware hits), tested regularly (when was the last time you actually restored from backup?), and sufficient to restore business operations within your acceptable downtime window.

The question that trips up most businesses: “When was your last successful backup restore test?” If you can’t answer that with a specific date and documented results, you have a problem.
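A restore test that produces a dated, documented result is a small script, not a project. The following is an added example, not Iron Core's code: it builds a constructed set of files standing in for a file server, archives them the way a plain file backup would, restores the archive into a clean directory, and proves by SHA-256 comparison that every file came back unchanged. The archive format and directory layout are assumptions; the point is the comparison step and the record it produces, which is what answers the underwriter's question.

```python
"""Verified restore test: back up, restore elsewhere, compare hashes, record the result.

Added example, not Iron Core's code. Sample data and layout are constructed.
"""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map each file (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> None:
    """Archive the source tree; stands in for whatever backup tool is in use."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_backup(archive: Path, target: Path) -> None:
    """Extract into a clean directory, never over the live data."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # rejects path traversal (Python 3.12+ and backports)
        except TypeError:  # older Python without the filter argument
            tar.extractall(target)


def compare(source: Path, restored: Path) -> dict:
    """Build the restore-test record: date, counts, missing and corrupted files, pass/fail."""
    expected = file_hashes(source)
    actual = file_hashes(restored)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files_expected": len(expected),
        "files_restored": len(actual),
        "missing": missing,
        "corrupted": corrupted,
        "passed": not missing and not corrupted,
    }


def build_sample_data(root: Path) -> None:
    """Constructed sample files standing in for a small office file server."""
    (root / "finance").mkdir(parents=True)
    (root / "finance" / "invoices-2026-01.csv").write_text("id,amount\n1,1250.00\n2,980.50\n")
    (root / "hr").mkdir()
    (root / "hr" / "handbook.txt").write_text("Employee handbook, revision 4\n")
    (root / "notes.txt").write_bytes(b"\x00binary-ish content\xff")


def run_restore_test(simulate_corruption: bool = False) -> dict:
    """End-to-end test in a temp dir; optionally damage one restored file to show a failing run."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, archive, restored = tmp / "fileserver", tmp / "backup.tar.gz", tmp / "restored"
        build_sample_data(source)
        restored.mkdir()
        make_backup(source, archive)
        restore_backup(archive, restored)
        if simulate_corruption:
            (restored / "finance" / "invoices-2026-01.csv").write_text("truncated\n")
        return compare(source, restored)


if __name__ == "__main__":
    print(run_restore_test())
    print(run_restore_test(simulate_corruption=True))
```

Keep the returned record (or its equivalent from your backup product) in the same place as your insurance documentation; a run with `passed` false on a real restore is exactly the problem you want to discover during a drill rather than during an incident.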

4. Email Security and Phishing Protection

Phishing remains the number-one initial attack vector. Carriers expect to see advanced email filtering beyond basic spam protection, DMARC, DKIM, and SPF properly configured on your domain, and regular security awareness training for all employees (most carriers want to see quarterly phishing simulations).

If you’re running Microsoft 365, the built-in Exchange Online Protection is a starting point, but most carriers want to see an additional layer like Proofpoint, Mimecast, or similar.
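"Properly configured" DMARC, DKIM and SPF is a checkable statement, and the weak settings are usually the same few. The following is an added example, not Iron Core's code: it parses SPF and DMARC TXT records and reports the findings an underwriter's external scan would raise (an SPF record that never fails unauthorized senders, more than the RFC 7208 limit of 10 DNS lookups, a DMARC policy of `p=none`, no aggregate reporting address, a `pct` below 100). The record strings are constructed; in practice they come from TXT lookups of your domain and `_dmarc.` plus your domain. DKIM is not checked here because validating it requires the selector and a live key lookup.

```python
"""Assess SPF and DMARC records for the weaknesses carriers look for.

Added example, not Iron Core's code. Records are constructed strings.
"""
import re

# Constructed records: a common "monitoring only" setup and its corrected form.
WEAK_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

SPF_LOOKUP_RE = re.compile(r"[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", re.IGNORECASE)
SPF_ALL_RE = re.compile(r"([+\-~?]?)all", re.IGNORECASE)


def parse_spf(record: str) -> dict:
    """Split an SPF record into mechanisms, the 'all' qualifier and the DNS lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    all_qualifier = None
    for term in mechanisms:
        m = SPF_ALL_RE.fullmatch(term)
        if m:
            all_qualifier = m.group(1) or "+"  # bare 'all' means +all
    lookups = sum(1 for term in mechanisms if SPF_LOOKUP_RE.match(term))
    return {"mechanisms": mechanisms, "all": all_qualifier, "dns_lookups": lookups}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value;' pairs of a DMARC record into a dict with lowercase tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: str, dmarc_record: str) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF never fails unauthorized senders (missing 'all', +all or ?all)")
    elif spf["all"] == "~":
        findings.append("SPF uses softfail (~all); -all is the stricter setting once all senders are listed")
    if spf["dns_lookups"] > 10:
        findings.append(f"SPF needs {spf['dns_lookups']} DNS lookups; RFC 7208 limits it to 10")
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is '{policy or 'missing'}': monitoring only, spoofed mail is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address, so no aggregate reports are being collected")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC pct={dmarc['pct']}: the policy applies to only part of the mail stream")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("corrected", STRONG_SPF, STRONG_DMARC)):
        print(f"{label}: {assess(spf, dmarc) or 'no findings'}")
```

Move to `p=reject` only after the aggregate reports (`rua=`) show that every legitimate sending service, including the marketing platform and any ticketing or invoicing tool, is passing SPF or DKIM; that is the sequence the corrected records above assume.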

5. Patch Management

Unpatched systems are one of the most common entry points for attackers. Carriers want evidence of a documented patch management process with specific timelines — critical patches applied within 14 days is the most common benchmark. They’ll often ask about your patching cadence during the application process, and increasingly, they’re running external vulnerability scans on your public-facing systems to verify.

6. Privileged Access Management

Who has admin access to your systems? Carriers want to see the principle of least privilege enforced — meaning users only have the access they need to do their jobs, separate admin accounts for IT staff (not using admin credentials for daily email), and regular access reviews to remove former employees and unnecessary permissions.

This is an area where many small businesses fail the underwriting process. If your entire team is running as local administrators on their laptops, that’s a red flag carriers have learned to spot.

7. Incident Response Plan

A written, tested incident response plan is now standard across most carriers. The plan should cover roles and responsibilities (who does what when an incident occurs), communication procedures (internal and external), containment and eradication steps, notification requirements for your specific regulatory obligations, and contact information for your IT provider, legal counsel, and the carrier itself.

Bonus points if you’ve conducted a tabletop exercise — a simulated incident walkthrough with your team. Some carriers specifically ask about this.

What This Means for Your Renewal

If you’re approaching a cyber insurance renewal without these controls in place, expect one of three outcomes: denial of coverage, a significant premium increase, or reduced coverage limits with expanded exclusions. None of these are good for your business.

The silver lining: implementing these controls doesn’t just satisfy your insurance carrier. They genuinely reduce your risk of a breach. The businesses that invest in these fundamentals spend less on insurance, experience fewer incidents, and recover faster when something does happen.

If you need help getting these controls in place before your next renewal, Iron Core specializes in building security programs that satisfy both carriers and regulators. We can assess your current posture and close the gaps before underwriting becomes a crisis.

The NJ Data Privacy Law Is Here — What Your Business Needs to Do Now

New Jersey’s comprehensive data privacy law — the New Jersey Data Privacy Law (NJDPL) — took effect on January 15, 2026. If your business collects, processes, or stores personal data from New Jersey residents, this law applies to you. And unlike some state privacy laws with narrow applicability, the NJDPL casts a wide net.

Here’s what NJ businesses need to understand and the concrete steps you should be taking right now.

Who Does the NJDPL Apply To?

The law applies to businesses that conduct business in New Jersey or produce products or services targeted to NJ residents, AND during a calendar year either control or process the personal data of at least 100,000 NJ consumers, or control or process the personal data of at least 25,000 NJ consumers and derive revenue from the sale of personal data.

That second threshold is lower than many other state privacy laws. If you’re a professional services firm, medical practice, law firm, or financial advisor in NJ with a meaningful client base, you’re very likely covered.

What Rights Do Consumers Have?

The NJDPL gives NJ residents a suite of rights over their personal data. Consumers can request to know what personal data you’ve collected about them, request deletion of their personal data, request correction of inaccurate data, opt out of the sale of their data, targeted advertising, or profiling, and obtain a copy of their data in a portable format.

Your business must be able to respond to these requests within 45 days. That means you need processes, systems, and trained staff to handle these requests — not just a policy document gathering dust.

What Counts as “Personal Data”?

The definition is broad: any information that is linked or reasonably linkable to an identified or identifiable person. This includes the obvious (names, emails, phone numbers, Social Security numbers) and the less obvious (IP addresses, device identifiers, geolocation data, browsing history, and inferences drawn from any of these).

The law also creates a category of “sensitive data” — including racial or ethnic origin, religious beliefs, health data, biometric data, precise geolocation, and data from known children — that requires explicit opt-in consent before processing.

What Your Business Needs to Do Now

Conduct a data inventory. You can’t comply with a privacy law if you don’t know what data you collect, where it lives, who has access, and how long you keep it. Map out every system that touches personal data — your CRM, email marketing platform, website analytics, client management software, and even your phone system.

Update your privacy policy. Your website privacy policy needs to disclose the categories of personal data you collect, the purposes for processing, the categories of third parties you share data with, how consumers can exercise their rights, and your data retention practices. Generic template policies won’t cut it — the disclosures need to be specific to your actual practices.

Build a consumer rights request process. When someone emails asking “what data do you have on me?” — you need a documented, repeatable process to verify their identity, search your systems, compile the data, and respond within 45 days. Designate someone as responsible for handling these requests.

Review your vendor agreements. If you share personal data with vendors (cloud providers, marketing platforms, payment processors), your contracts need to include data processing agreements that comply with the NJDPL. Many vendors have already updated their terms — check whether yours have.

Implement reasonable security. The NJDPL requires “reasonable” data security measures. While the law doesn’t prescribe specific controls, the standard practice includes encryption, access controls, regular security assessments, employee training, and incident response planning. This is where your IT provider plays a critical role.

What Are the Penalties?

The NJDPL is enforced by the New Jersey Division of Consumer Affairs. There’s no private right of action (consumers can’t sue you directly under this law), but the Attorney General can impose civil penalties of up to $10,000 per violation for initial offenses and up to $20,000 per violation for subsequent offenses.

The Division must provide a 30-day cure period for first-time violations through July 2026 — but this grace period expires, and it only applies if you can actually cure the violation within 30 days. If your data handling practices are fundamentally non-compliant, 30 days won’t be enough.

How This Intersects with Your Existing Obligations

If you’re already subject to HIPAA, GLBA, or other federal privacy frameworks, the NJDPL doesn’t replace those — it layers on top. However, many of the security controls you’ve already implemented for HIPAA or financial regulations will satisfy the NJDPL’s “reasonable security” requirement. The gap is usually in the consumer rights processes and updated privacy disclosures, not in the technical controls.

For NJ businesses that haven’t dealt with comprehensive privacy regulation before — many professional services firms, construction companies, and smaller organizations — this is new territory. The good news is that the compliance framework is manageable if you start now.

Iron Core helps NJ businesses implement the technical controls and documentation needed for NJDPL compliance. If you’re unsure where your business stands, start with a free assessment — we’ll map your data exposure and give you a clear action plan.

Your Business Just Got Hit with Ransomware. Here’s What to Do in the First 24 Hours.

It’s 7:30 AM on a Monday. Your office manager calls — nobody can open files, there’s a ransom note on every screen, and your phone system isn’t working. You’ve been hit with ransomware.

The decisions you make in the next 24 hours will determine whether you recover in days or weeks, whether you face regulatory penalties, and whether your cyber insurance actually pays out. Here’s the playbook.

Hour 0-1: Contain the Damage

Do NOT turn off computers. This is the most common mistake. Powering down can destroy forensic evidence and, in some ransomware variants, makes recovery harder. Instead:

Disconnect affected systems from the network. Unplug Ethernet cables and disable Wi-Fi. The goal is to stop the ransomware from spreading to additional machines, servers, and backups. If you can identify which machines are affected, isolate them. If you’re unsure, disconnect everything.

Do NOT pay the ransom immediately. Paying doesn’t guarantee you’ll get your data back, it may violate OFAC sanctions, and it makes you a target for repeat attacks. This is a decision that should involve your insurance carrier, legal counsel, and incident response team — not a panicked first reaction.

Document everything. Take photos of ransom notes on screens. Note which systems are affected. Record the time you discovered the incident. This documentation will be critical for your insurance claim, law enforcement report, and any regulatory notifications.

Hour 1-4: Activate Your Response Team

Call your IT provider or internal IT team. If you have a managed IT provider like Iron Core, this should be your first call. They can begin forensic triage, assess the scope, and start containment procedures that go beyond unplugging cables.

Call your cyber insurance carrier. Do this early — many policies have specific requirements about when and how incidents must be reported. Your carrier will assign a breach coach (usually an attorney) who will coordinate the response and help preserve attorney-client privilege over the investigation.

Call your attorney. If you handle regulated data (client records, patient information, financial data), you may have legal notification obligations that start ticking from the moment you discover the breach. Your attorney will advise on notification timelines for NJ, NY, PA, and any federal requirements that apply.

Do NOT contact the attacker. Any communication with threat actors should go through your incident response team or breach coach. Untrained communication can make things worse — including revealing how much you’re willing to pay.

Hour 4-12: Assess and Investigate

Determine the scope. Your IT team needs to identify which systems are encrypted, whether backups are intact, whether data was exfiltrated (stolen) before encryption, and how the attackers got in. Modern ransomware groups almost always steal data before encrypting it — this is what creates the double-extortion pressure.

Check your backups. Are they intact? Are they offline or air-gapped? Were they connected to the network and potentially encrypted too? The state of your backups is the single biggest factor in your recovery timeline. If you have clean, recent backups, you can recover without paying. If you don’t, your options narrow significantly.

Preserve evidence. Your incident response team should be capturing forensic images of affected systems, preserving logs, and documenting the attack chain. This evidence is needed for your insurance claim, any law enforcement investigation, and potential regulatory inquiries.

Hour 12-24: Begin Recovery Planning

Prioritize system recovery. You can’t restore everything at once. Work with your team to identify the systems that are most critical to business operations — email, billing, patient scheduling, production systems — and restore those first.

Notify employees. Your staff needs to know what happened, what they should and shouldn’t do (don’t log into anything yet, don’t click suspicious emails), and when they can expect systems back online. Clear communication prevents panic and reduces the risk of employees making the situation worse.

Plan regulatory notifications. Depending on your industry, you may need to notify patients (HIPAA — 60 days), customers, state attorneys general, the SEC, or other regulators. Your breach coach will guide the timing and content of these notifications.

File a report with the FBI’s IC3. This is especially important if you’re considering paying a ransom — OFAC compliance requires checking whether the threat actor is a sanctioned entity.

The Best Time to Prepare Was Yesterday

If you’re reading this before an incident, you’re in the best possible position. The businesses that recover fastest from ransomware are the ones that had an incident response plan, tested backups, endpoint detection, and a relationship with an IT provider who specializes in incident response — before the attack happened.

If you don’t have a documented incident response plan, tested backup recovery procedures, and confidence in your security posture, that’s the gap to close now. Not after the ransom note appears.
