Ruda Optical is CMMC Level 2 Certified

Ruda is Cybersecurity Maturity Model Certification (CMMC) Level 2 certified as of October 2025. We have completed a third-party (C3PAO) NIST 800-171 audit with an SPRS score of 110 out of a possible 110.  

CMMC Level 2 certification allows Ruda Optical to meet Defense and Aerospace customers’ needs and accept contracts containing Controlled Unclassified Information (CUI) which requires special handling and dissemination under federal regulations. 

About CMMC

The following is from the DoW’s website: 

The CMMC Program aligns with the DoW’s existing information safeguarding requirements for the DIB. The program provides the DoW with increased assurance that prospective contractors and subcontractors have implemented contractually required cybersecurity standards for nonfederal information systems that will process, store, or transmit FCI or CUI during contract performance. 

Key features of the CMMC Program: 

  • Tiered Model: CMMC assesses compliance with cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the FCI or CUI. The program also outlines protection requirements for information flowed down to subcontractors. 

  • Assessment Requirement: CMMC assessments allow the Department to verify DIB implementation of foundational cybersecurity standards. 

  • Implementation through Contracts: DoW contractors and subcontractors entrusted with FCI or CUI must achieve a specific CMMC level as a condition of contract award. 

Protected Information 

The CMMC model is designed to enforce the protection of FCI and CUI. 

  • Federal Contract Information (FCI): As defined in section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.” 

  • Controlled Unclassified Information (CUI): As outlined in Title 32 CFR 2002.4(h), CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” For more information regarding specific CUI categories and subcategories, see the DoD CUI Registry website. 

FAQs

Is CMMC the same as ITAR? 

No. The International Traffic in Arms Regulations (ITAR) require compliant companies to register with the Department of State Directorate of Defense Trade Controls (DDTC). ITAR aims to prevent the unauthorized transfer of strategic or sensitive defense technologies to foreign entities. Ruda is ITAR registered and will continue to renew its registration alongside its CMMC certification. 

How does CMMC apply to Ruda’s suppliers? 

CMMC requirements will flow down to suppliers with active CMMC certifications to ensure compliance. 

Where Can I Learn About CMMC? 

The DoW Chief Information Officer has published this website about CMMC: CIO - About CMMC 

Where Can I Find Ruda’s CMMC Certification? 

Any certification is available upon request, please reach out to us: Info@ruda.com