If your shop floor machines parts from DoD technical drawings, those drawings are Controlled Unclassified Information. The CNC controller that reads them is processing CUI. The workstation that stores the CAD files is storing CUI. And your compliance obligation under CMMC doesn’t care that your primary business is cutting metal, not managing data.
Manufacturers make up the single largest segment of the defense industrial base. Precision machining shops, electronics assemblers, composites fabricators, additive manufacturing facilities. They sit at every tier of the supply chain. Most handle CUI daily without thinking of it in those terms.
That’s about to change.
The enforcement has teeth now.
According to DOJ reports, the Department of Justice brought its first criminal charges for cybersecurity compliance fraud against a defense contractor in early 2026. Separately, DOJ settled its first False Claims Act case targeting a subcontractor in the supply chain, a precision machining supplier that misrepresented its compliance posture. Not a software company. Not a large prime. A manufacturer. The kind of company reading this article.
Per recent DOJ enforcement data, FCA recoveries in cybersecurity cases reached over $50 million in FY2025. Whistleblower qui tam filings numbered in the hundreds. The government is building a track record of prosecution, and manufacturers who self-certify compliance they haven’t achieved are the most exposed population in the DIB.
Why Manufacturing Environments Are Different
Most CMMC guidance assumes an office environment. Workstations, servers, cloud services, email. The 110 NIST 800-171 security requirements were written for information systems, not production systems.
Manufacturing floors break that assumption in specific ways.
OT/IT convergence. Modern manufacturing connects operational technology to information technology networks. CNC machines pull files from network shares. ERP systems feed production schedules to shop floor controllers. Quality inspection stations upload test results to shared databases. The air gap between the shop floor and the office network disappeared years ago in most facilities, but the security architecture didn’t adapt.
Legacy equipment. A CNC mill from 2008 runs Windows XP Embedded. It can’t support modern encryption, current antivirus agents, or MFA. Replacing it costs $200,000 or more, and it cuts parts perfectly well. Manufacturers face a tension that pure IT environments don’t: production equipment has a 15-to-25-year service life, but cybersecurity requirements assume systems that can be patched and upgraded.
Among manufacturers we’ve assessed, the average age of the oldest CUI-touching production equipment is north of 12 years. These aren’t systems you replace on a compliance timeline. They’re systems you scope around.
Physical CUI exposure. Technical drawings pinned to a machine station. Printed specifications on a clipboard in the QA area. Test data recorded on paper forms before digital entry. CUI in manufacturing isn’t just in databases and file shares. It’s physically present on the production floor, which means physical security controls matter as much as digital ones.
What Counts as CUI in Manufacturing
Manufacturers often underestimate their CUI footprint because they think of CUI as classified information. It isn’t. CUI is unclassified information that requires safeguarding under federal regulation. In manufacturing, the common categories include:
- Technical Data Packages (TDPs) containing engineering drawings, material callouts, tolerances, and assembly instructions
- Engineering drawings and CAD files received from primes or government customers
- Material specifications and certifications for controlled alloys, composites, or coatings
- Test and inspection data generated during production, including first article inspection reports
- Procurement specifications that reveal defense program requirements
- Manufacturing process parameters when they derive from controlled technical data
- Export-controlled items under ITAR or EAR where CUI and export control overlap
The test is straightforward. Did the information originate from or get generated for a defense contract? Is it marked CUI, or should it have been marked CUI per the contract’s marking guide? If yes, it’s in scope.
A common gap: manufacturers generate CUI during production that they don’t recognize as controlled. When you inspect a part against a CUI drawing and record the measurements, those measurements are derived CUI. When your ERP system tracks production quantities against a CUI contract, that tracking data may qualify. The CUI boundary extends beyond what you receive to include what you create.
The Shop Floor Scoping Challenge
Here’s where manufacturing diverges from every other CMMC guide you’ll read.
How do you implement access controls on a CNC machine that runs a proprietary embedded OS? How do you encrypt data at rest on a controller with 512 MB of memory? How do you enforce session timeouts on a machine that runs 16-hour production cycles?
You don’t. Not on the machine itself.
The answer is boundary scoping.
Instead of trying to make every piece of production equipment comply with all 110 controls, you define a CUI processing enclave and enforce the controls at the boundary. The equipment inside the enclave is categorized as a Specialized Asset under the CMMC scoping guidance, which means it gets documented in your SSP and managed through risk-based policies rather than assessed against every individual requirement.
This approach works because it matches how manufacturing actually operates. CUI enters through defined channels, gets processed in specific areas, and produces outputs that follow traceable paths. The scoping exercise maps those channels and areas.
Where CUI Enters
Trace every path CUI takes into your facility:
- Email attachments from primes containing drawings, specs, or contract modifications
- Secure file transfer portals where primes share TDPs and engineering data
- Physical media including USB drives, printed drawings, and shipped samples with documentation
- ERP integrations that pull contract data, BOMs, or procurement specs from prime systems
- Direct CAD downloads from government or prime collaboration platforms
Where CUI Lives
Map every location where CUI persists:
- CAD workstations used by engineers and programmers
- ERP and MRP systems containing contract data, BOMs, and production records
- File servers and shared drives storing drawings, specs, and documentation
- CNC controllers and machine memory after programs are loaded
- Quality management systems storing inspection data and test results
- Backup systems that capture any of the above
- Physical locations where printed CUI is stored or displayed
Where CUI Gets Processed
Identify every system that transforms or acts on CUI:
- CAM stations where engineers generate toolpaths from CUI drawings
- CNC machines executing programs derived from CUI technical data
- Coordinate measuring machines (CMMs) generating inspection data against CUI specifications
- 3D printers producing parts from CUI design files
- Shop floor terminals displaying work instructions derived from CUI
Manufacturers who complete this mapping exercise before touching a single control consistently reduce their assessment boundary. We’ve seen machine shops cut their in-scope asset count by 40% or more through segmentation, moving from “the entire facility is in scope” to “this defined enclave plus these boundary protections.” That reduction translates directly to lower assessment costs, less documentation, and faster certification timelines.
Building the CUI Enclave
Once you’ve mapped CUI flow, the architecture follows a pattern.
Segment the network. Place CUI-processing systems on a dedicated VLAN or network segment with controlled access points. The production floor network doesn’t need to reach the guest WiFi, the break room smart TV, or the sales team’s laptops. Firewall rules at the boundary enforce what crosses in and out.
Isolate where you can. Some manufacturers operate a “clean room” model for CUI work. Dedicated workstations in a controlled area handle all CUI-related CAD, CAM, and file management. CNC programs transfer to machines via controlled methods (dedicated USB workflow with write-once media, or a segmented transfer network). The machines themselves sit inside the enclave boundary but aren’t expected to enforce IT security controls independently.
Address the legacy equipment. For machines that can’t support modern security controls, document them as Specialized Assets in your System Security Plan. Describe the compensating controls you’ve placed around them: network isolation, physical access restrictions, controlled data transfer procedures, monitoring at the boundary. The assessor evaluates whether your risk-based approach to these assets is reasonable, not whether the machine itself runs current antivirus.
Control physical access. Badge readers or key control on the shop floor areas where CUI is processed. Visitor logs. Escort requirements. Printed CUI stored in locked cabinets when not in active use. These controls aren’t expensive, but they require consistent enforcement and documentation.
Manage the human layer. Train shop floor personnel on CUI handling. They don’t need to understand NIST 800-171 control families. They need to know: these drawings don’t leave this area, don’t photograph parts without authorization, lock the cabinet when you’re done, and report anything that looks wrong. Make the training specific to their daily work, not a generic cybersecurity awareness module.
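The boundary protections above (firewall rules at the enclave edge, legacy machines isolated behind them, monitoring at the boundary) only pay off if someone reads the denials. This added Python example, which is not part of the article or any product it mentions, triages constructed netfilter-style deny log lines against an assumed segment layout (10.20.0.0/24 enclave, 10.30.0.0/24 shop floor, 10.10.0.0/24 office, 10.90.0.0/24 guest, 10.20.0.50 as the sole program-transfer host, and a "CUI-BOUNDARY-DENY" log prefix), so that a controller initiating outbound traffic ranks above an office workstation probing the enclave.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed segment layout (not from the article); adjust to the facility's addressing.
SEGMENTS = {
    "enclave": ip_network("10.20.0.0/24"),  # CAD/CAM workstations, CUI file server
    "floor": ip_network("10.30.0.0/24"),    # CNC controllers, CMMs (Specialized Assets)
    "office": ip_network("10.10.0.0/24"),
    "guest": ip_network("10.90.0.0/24"),
}
TRANSFER_HOST = ip_address("10.20.0.50")  # only host allowed to push programs to controllers
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
# Matches the fields of a netfilter/nftables log line; the "CUI-BOUNDARY-DENY" prefix is assumed.
LOG_RE = re.compile(r"CUI-BOUNDARY-DENY .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dport>\d+))?")

def segment_of(addr):
    ip = ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), "external")

def classify(line):
    """Turn one denied-flow log line into (severity, description), or None if it is not a boundary denial."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dport = m["src"], m["dst"], m["dport"] or "-"
    s, d = segment_of(src), segment_of(dst)
    if s == "floor":  # legacy controllers should never initiate traffic out of their segment
        return "HIGH", f"controller {src} initiated {m['proto']} to {dst}:{dport} ({d})"
    if s in ("office", "guest") and d in ("enclave", "floor"):
        return "MEDIUM", f"{s} host {src} attempted {d} access on port {dport}"
    if d == "floor" and ip_address(src) != TRANSFER_HOST:
        return "MEDIUM", f"non-transfer enclave host {src} attempted controller access {dst}:{dport}"
    return "LOW", f"other boundary denial {src} -> {dst}:{dport}"

def triage(lines):
    """Findings sorted by severity; input order is kept within a severity (stable sort)."""
    findings = [f for f in map(classify, lines) if f]
    return sorted(findings, key=lambda f: SEVERITY[f[0]])

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Mar 12 08:01:02 fw kernel: CUI-BOUNDARY-DENY IN=vlan10 OUT=vlan20 SRC=10.10.0.23 DST=10.20.0.10 LEN=60 PROTO=TCP SPT=51234 DPT=445
Mar 12 08:03:17 fw kernel: CUI-BOUNDARY-DENY IN=vlan30 OUT=wan0 SRC=10.30.0.7 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=1031 DPT=80
Mar 12 08:04:40 fw kernel: CUI-BOUNDARY-DENY IN=vlan20 OUT=vlan30 SRC=10.20.0.12 DST=10.30.0.7 LEN=60 PROTO=TCP SPT=49211 DPT=445
Mar 12 08:05:01 fw kernel: CUI-BOUNDARY-DENY IN=vlan90 OUT=vlan30 SRC=10.90.0.5 DST=10.30.0.9 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar 12 08:05:30 fw sshd[812]: Accepted publickey for admin from 10.10.0.2 port 50122
"""
```

Running `triage(SAMPLE_LOG.splitlines())` puts the 2008-era controller's outbound attempt first; that is the finding that merits a same-day look, since a Specialized Asset has no agent of its own to raise the alarm.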
Supply Chain Pressure Is Already Here
If you’re waiting for CMMC requirements to appear in your next contract renewal, you’re behind.
Prime contractors are already requiring CMMC readiness from their manufacturing subcontractors. Flow-down clauses in subcontracts mirror the prime’s CMMC obligations. Primes can’t certify their own compliance if their supply chain creates uncontrolled CUI exposure.
The DOJ’s first FCA settlement targeting a manufacturer sent a clear signal. The government will pursue subcontractors who misrepresent their cybersecurity posture, not just primes. Self-certifying a SPRS score that doesn’t match your actual implementation creates direct False Claims Act exposure. DOJ enforcement data on FCA recoveries in cybersecurity cases, alongside nearly 1,300 qui tam lawsuits, shows that your own employees can trigger an investigation.
For manufacturers who rely on defense revenue, the commercial pressure may arrive before the regulatory deadline. Primes making sourcing decisions in 2025 and 2026 are factoring CMMC readiness into supplier selection. A machine shop that can demonstrate progress toward certification has a competitive edge over one that hasn’t started.
A Practical Path for Manufacturers
The path isn’t mysterious. It follows the same compliance framework as any CMMC preparation, adjusted for manufacturing realities. Here’s the sequence that works.
1. Complete your CUI mapping. Before anything else, trace CUI through your facility using the entry/storage/processing framework above. You can’t scope what you haven’t mapped. This exercise typically takes 2-4 weeks for a mid-size manufacturer and often reveals CUI in systems you didn’t expect.
2. Define your enclave boundary. Where does CUI processing stop and general business operations begin? Draw that line. Everything inside gets assessed, everything outside stays out of scope. The goal is the smallest defensible boundary that contains all CUI processing. Invest in network segmentation here. The upfront cost pays for itself many times over in reduced compliance scope.
3. Categorize your assets. Every system inside the boundary falls into one of the five CMMC asset categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, or Out-of-Scope. Your CNC machines and legacy production equipment will likely fall under Specialized Assets. Your CAD workstations and file servers are CUI Assets. Get this taxonomy right early.
4. Conduct a gap assessment. Measure your current implementation against the 110 NIST 800-171 requirements within your defined boundary. This produces your realistic SPRS score and identifies exactly which controls need work. Don’t guess. Measure.
5. Remediate in priority order. Fix the high-impact, non-POA&M-eligible gaps first. Some requirements can’t be placed on a Plan of Action and Milestones. They must be fully met before assessment. Others carry higher point values. If a control is both non-POA&M-eligible and high-scoring, it moves to the top of the list regardless of implementation difficulty.
6. Build your documentation. Your SSP, policies, procedures, and evidence repository. For manufacturers, the SSP needs specific attention to how Specialized Assets are managed, how physical CUI is controlled, and how OT/IT boundary protections work. Generic SSP templates won’t cover manufacturing-specific scenarios. Write what’s true about your environment.
7. Engage an RPO or C3PAO for assessment preparation. A readiness assessment from a qualified organization identifies gaps you missed and prepares you for the assessor’s methodology. Based on typical engagements, Level 2 certification runs 6-12 months from gap assessment to certified status, longer if significant remediation is needed.
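Steps 3 through 5 as a worked example, added here and not taken from the article’s worksheet or any assessor’s tool: a rule-based categorization of a constructed shop inventory into the five asset categories, the scope reduction that results, and the SPRS score and remediation order for a constructed gap list. The categorization rules, point values and POA&M eligibility flags are simplifying assumptions; the CMMC scoping guide and the DoD Assessment Methodology govern the real ones.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    handles_cui: bool        # stores, processes or transmits CUI
    security_function: bool  # firewall, badge system, log collector
    enforces_controls: bool  # can run agents, MFA, patching, encryption
    reaches_enclave: bool    # has a network path into the enclave segment

def categorize(a):
    # Simplified decision rules (an assumption; the CMMC scoping guide's definitions govern).
    if not a.handles_cui and not a.reaches_enclave:
        return "Out-of-Scope"
    if a.security_function:
        return "Security Protection Asset"
    if a.handles_cui and not a.enforces_controls:
        return "Specialized Asset"  # e.g. an XP-era CNC controller
    if a.handles_cui:
        return "CUI Asset"
    return "Contractor Risk Managed Asset"  # could touch CUI; policy says it must not

def scope_summary(assets):
    # Category per asset plus the share of the inventory kept out of the assessment boundary.
    cats = {a.name: categorize(a) for a in assets}
    out = sum(1 for c in cats.values() if c == "Out-of-Scope")
    return cats, out / len(assets)

@dataclass
class Gap:
    control: str         # NIST SP 800-171 requirement id
    points: int          # DoD Assessment Methodology deduction (5, 3 or 1)
    poam_eligible: bool  # False: must be fully met before the assessment

def sprs_score(gaps):
    return 110 - sum(g.points for g in gaps)

def remediation_order(gaps):
    # Non-POA&M-eligible first, then highest deduction, then requirement id.
    return sorted(gaps, key=lambda g: (g.poam_eligible, -g.points, g.control))

# Constructed sample inventory and gap list; point values and eligibility flags are
# illustrative, take the real ones from the current DoD Assessment Methodology.
INVENTORY = [
    Asset("cad-ws-01", True, False, True, True), Asset("cui-fileserver", True, False, True, True),
    Asset("cnc-mill-2008", True, False, False, True), Asset("cmm-station", True, False, False, True),
    Asset("boundary-firewall", False, True, True, True), Asset("maint-laptop", False, False, True, True),
    Asset("breakroom-tv", False, False, False, False), Asset("sales-laptop-07", False, False, True, False),
]
GAPS = [Gap("3.5.3", 5, False), Gap("3.13.11", 3, True), Gap("3.1.20", 1, False),
        Gap("3.1.22", 1, False), Gap("3.8.3", 5, False), Gap("3.10.3", 1, True)]
```

`scope_summary(INVENTORY)` returns the category per asset and the fraction kept out of scope, and `remediation_order(GAPS)` puts the two non-eligible 5-point items at the head of the list before the cheaper one-point fixes.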
Resources for Manufacturing Companies
Several programs exist specifically to help manufacturers with CMMC preparation.
Army NCODE Program. Per Army program announcements, the Army’s National Centers of Digital Excellence program allocates $26 million per year to help small businesses meet CMMC requirements. This includes direct technical assistance, tooling support, and guidance from compliance specialists familiar with manufacturing environments. If you’re a small manufacturer in the defense supply chain, this program exists for you.
Manufacturing Extension Partnership (MEP) Centers. The national MEP network includes centers in every state that provide CMMC guidance tailored to manufacturers. Many MEP centers have developed CMMC readiness programs specifically for their manufacturing clients, combining cybersecurity expertise with understanding of production environments.
State and regional programs. Several states offer grant funding or subsidized consulting for defense manufacturers pursuing CMMC certification. Check with your state’s economic development office and your regional MEP center for current programs.
Small business guidance. If you’re a manufacturer with fewer than 100 employees, the cost and resource dynamics of CMMC hit differently. Our guide for small defense contractors covers scope reduction, MSP strategies, and budgeting approaches that apply directly to small manufacturing operations.
Manufacturing CMMC Readiness Worksheet
We’ve built a downloadable worksheet specifically for manufacturers working through CMMC preparation. It covers the scoping exercise described in this article, structured as a step-by-step workbook.
The worksheet walks through:
- CUI entry point identification for manufacturing environments
- Shop floor asset inventory with CMMC category classification
- OT/IT boundary documentation
- Specialized Asset risk assessment template
- Physical CUI handling controls checklist
- Network segmentation planning guide
- Gap tracking against the 110 NIST 800-171 requirements, filtered for manufacturing-relevant priorities
Start with the CUI mapping exercise. Most manufacturers complete the initial mapping in a single focused session with their IT lead, shop floor supervisor, and quality manager in the room.
What Happens If You Wait
The math is unforgiving. Assessment capacity is already constrained. Manufacturers who start preparation in 2025 have time to scope carefully, remediate methodically, and choose their C3PAO. Manufacturers who wait until a contract requires certification will compete for limited assessor availability alongside every other contractor who delayed.
Manufacturing environments take longer to prepare than pure IT environments. The legacy equipment issues, the OT/IT segmentation work, the physical security controls, the shop floor training. Manufacturers we’ve supported typically need 9-15 months from first gap assessment to assessment-ready status, and that assumes no major architectural changes.
The defense contracts aren’t waiting either. Primes are making supply chain decisions now based on who can demonstrate cybersecurity maturity. Your compliance posture is becoming a factor in whether you win work, before CMMC is formally required in the solicitation.
Map your CUI boundary. Understand your actual gap. Everything else follows from an honest baseline.