The Engineering Firm Challenge
Most industries have a clear answer to "where does your CUI live?" For a machine shop, it's the drawing files on the DNC server. For a welder, it's the weld procedure specs. For an engineering firm, the honest answer is: your entire work product is probably CUI.
When you're designing a defense system component — an airframe structural section, a propulsion mounting bracket, a sensor housing — the CAD model captures every dimension, material, tolerance, and design decision made to meet a controlled specification. Your FEA model captures how it performs under load. Your trade study documents why you made the choices you did. Your design review presentations compile all of it into one place.
Every file you create for a DoD program is a derivative of controlled requirements. And every system that stores, processes, or transmits those files is in scope for CMMC.
This creates a scoping problem that's harder than almost any other industry: you can't just ring-fence a DNC server and call it done. The CUI is everywhere — workstations, shared drives, collaboration tools, email, cloud storage, laptops engineers take home. Getting the scope right is the whole game.
How CUI Flows Through an Engineering Firm
- Inputs from the government or prime: statement of work, performance requirements, interface control documents, design-to specs. This is where CUI first enters your firm, typically via email or a controlled portal.
- Trade studies: design alternatives, materials selection, performance analysis. Often done in Excel, MATLAB, or Python. Jupyter notebooks, spreadsheets, and analysis scripts derived from controlled specs are CUI.
- CAD and analysis: SolidWorks, CATIA, NX, ANSYS, Abaqus. The model geometry, material properties, boundary conditions, and mesh all capture controlled design information. Your PDM/PLM server storing these files is a primary in-scope system.
- Design reviews: PDR, CDR, TRR presentations, shared via email, Microsoft Teams, Zoom screen-sharing, SharePoint. Every collaboration touchpoint that handles design data is in scope.
- Deliverables: engineering reports, ICD updates, test plans, design packages delivered to the government. The deliverable itself is CUI, as is the directory where you stage it before submission.
The Scoping Challenge: Everything Is In Scope
Here's the uncomfortable truth for engineering firms: if you do defense design work, your entire technical environment is probably in scope. Your workstations are in scope. Your PDM server is in scope. Your email system is in scope. Your Teams or Slack workspace is in scope. Your company shared drive is in scope.
This is why the enclave approach is so important for firms that mix defense and commercial work. If you can separate your defense design environment from your commercial work environment — different user accounts, different file storage, different email, enforced separation — you can limit what's in scope and reduce compliance costs significantly.
For firms that work exclusively on defense programs, the enclave is just your entire IT environment. There's nowhere to hide. You're doing a full company CMMC compliance program.
A 15-person engineering firm doing 100% defense work has a simpler compliance decision than a 40-person firm with 60% defense and 40% commercial: the mixed firm has to either build a real enclave or bring everything into scope. Getting that decision wrong — either direction — is the most expensive mistake in engineering firm CMMC.
The answer depends on your mix of defense vs. commercial work and how your systems are currently set up. The free readiness check helps you figure out where to start.
What's In Scope vs. Out of Scope
The Proposal Problem
Here's something that surprises almost every engineering firm we talk to: your proposals may contain CUI.
When a government agency releases an RFP that includes controlled technical data — specifications, interface requirements, system-level parameters — that data is CUI. Your technical proposal, which is written in response to that RFP and incorporates that data, may also be CUI.
This means your business development tools, the shared folders where proposals are drafted, and the email threads where engineers discuss technical approach with BD staff are potentially in scope. It's not just your PDM system — it's your entire technical communication environment.
The practical implication: if you receive a controlled RFP package, your proposal team needs to handle it within the same controlled environment as your design work. Sending an RFP's technical annex to personal email so an engineer can work on it at home is a problem.
Remote Work Complications
Engineering firms often have engineers working remotely, and this creates specific CMMC challenges. The laptop your structural engineer uses to access CATIA from home is in scope. The connection needs to go through a company-managed VPN with MFA. The laptop needs endpoint protection, encryption, and remote monitoring.
What doesn't work for CMMC compliance:
- Engineers using personal laptops to access CAD files over the VPN (BYOD is a common assessment finding)
- Engineers using personal Dropbox or Google Drive accounts to sync files for home access
- Unmanaged home machines holding local copies of design files
- VPN authentication without MFA
- Personal email used to receive or send controlled design information
For fully remote firms, the entire IT stack needs to be compliant regardless of where engineers sit. That's actually easier to manage than a hybrid environment with some employees in office and some remote.
What CMMC Costs for Engineering Firms
Engineering firms in the 8–40 person range — the most common size for defense subcontractors — face cost structures that depend heavily on whether they can scope to an enclave or need to bring everything into compliance.
| Cost Item | 8-person (all defense) | 40-person (mixed) |
|---|---|---|
| Gap assessment & scoping strategy | $6,000–$12,000 | $15,000 |
| Technical remediation (enclave, MFA, endpoint) | $20,000–$40,000 | $50,000–$100,000 |
| Cloud migration / FedRAMP-authorized platforms | $5,000–$15,000 | $15,000–$35,000 |
| Policy & procedure documentation | $8,000–$18,000 | $18,000–$35,000 |
| C3PAO third-party assessment | $25,000–$45,000 | $45,000–$75,000 |
| Ongoing annual compliance | $10,000–$20,000/yr | $25,000–$50,000/yr |
| Estimated Total (Year 1) | $64,000–$130,000 | $143,000–$270,000 |
The 40-person mixed firm numbers assume a proper enclave build for the defense side. If that firm tried to bring the entire company into scope rather than building an enclave, costs would be significantly higher. See our full CMMC cost guide for more detail.
The Enclave Approach for Engineering Firms
If you have significant commercial work alongside your defense projects, building a formal CUI enclave is almost always worth the investment. Here's what that looks like in practice:
- Separate user accounts — Defense engineers log into enclave accounts. Same people, different credentials, different permissions.
- Isolated file storage — Defense CAD files live on a PDM server inside the enclave. Commercial CAD files live elsewhere. No cross-mounting of shares.
- Controlled email — Defense email (M365 GCC or similar) separate from commercial email. Engineers don't forward controlled content to commercial accounts.
- Network isolation — The enclave is a separate network segment behind its own firewall (not just a VLAN tag on the shared switch), with enforced egress controls so that traffic leaving the enclave goes only to approved destinations.
- Access logging — Every login, every file access, every connection from outside the enclave is logged and monitored.
This sounds complex, but for a firm of 15–40 engineers, a well-designed enclave is very manageable with the right MSP partner. The key is doing it right the first time so you're not rebuilding it for your assessment.
Getting Started: Steps for Engineering Firms
- Decide enclave vs. full scope. If you have meaningful commercial work (30%+), build an enclave. If you're 90%+ defense, full-scope compliance may be simpler. This decision drives every other decision, so make it explicitly with your leadership team before touching anything technical.
- Inventory where controlled data flows. What tools do your engineers use to share controlled data? Email, Teams, Slack, Zoom, SharePoint, Dropbox, shared drives? Each one is a potential scope item. You need a clear list before you can draw a system boundary.
- Fix PDM hosting first. If your SolidWorks PDM vault or other PDM system is hosted on commercial cloud infrastructure that does not meet the FedRAMP Moderate baseline (or equivalent), start the migration to compliant hosting now. This takes time and often involves re-licensing. It's your longest-lead-time remediation item.
- Lock down endpoints. Implement company-managed laptops with MDM, endpoint detection, full-disk encryption, and VPN with MFA for all engineers accessing CUI remotely. No BYOD for defense work. No personal cloud sync. This is non-negotiable for Level 2.
- Get specialist help. Hire a CMMC Registered Practitioner who understands engineering firm environments: PDM/PLM systems, CAD tool licensing, engineering collaboration workflows. They should produce a System Security Plan (SSP) and a prioritized Plan of Action & Milestones (POA&M).
Most CMMC consultants are IT generalists. Engineering firms need someone who understands how SolidWorks Vault, Windchill, or Teamcenter actually works — and how to scope it correctly.
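The scoping inventory step above (finding every place controlled design files actually live) is usually done by hand. The following is an added example, written for this page rather than taken from the original article or any vendor tool, of a small scanner that walks a file tree, flags CAD, FEA and analysis artifacts by extension, and reports any that sit outside the designated enclave paths. The extension list, the enclave path, and the sample directory layout are all assumptions; adjust them to your own tools and storage.

```python
"""Added scoping aid: find CAD/FEA/analysis artifacts stored outside the
designated CUI enclave paths. Example code written for this page, not a tool
from the original article; the extensions, paths and sample tree are assumptions."""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# File types that, on a defense program, typically carry controlled design data.
# Assumed list; extend it to match the tools your firm actually uses.
CUI_CANDIDATE_EXTENSIONS = {
    ".sldprt", ".sldasm", ".slddrw",        # SolidWorks
    ".catpart", ".catproduct",              # CATIA
    ".prt", ".asm",                         # NX / Creo
    ".step", ".stp", ".iges", ".igs",       # neutral exchange formats
    ".inp", ".cae", ".odb",                 # Abaqus
    ".wbpj", ".cdb",                        # ANSYS
    ".ipynb", ".m", ".xlsx",                # trade-study analysis artifacts
}

@dataclass(frozen=True)
class Finding:
    path: Path
    extension: str
    inside_enclave: bool

def _is_under(path: Path, roots: list) -> bool:
    """True if path resolves to a location beneath any of the enclave roots."""
    for root in roots:
        try:
            path.resolve().relative_to(Path(root).resolve())
            return True
        except ValueError:
            continue
    return False

def scan(search_root, enclave_roots, extensions=CUI_CANDIDATE_EXTENSIONS):
    """Walk search_root and classify every candidate file as inside or outside the enclave."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(Path(search_root)):
        for name in filenames:
            ext = Path(name).suffix.lower()
            if ext in extensions:
                p = Path(dirpath) / name
                findings.append(Finding(p, ext, _is_under(p, enclave_roots)))
    return findings

def out_of_enclave(findings):
    """Candidates outside the enclave. Each needs triage: commercial work that
    can stay, or controlled data that must move (and whose location is in scope)."""
    return [f for f in findings if not f.inside_enclave]

def summarize_by_directory(findings, relative_to=None):
    """Count out-of-enclave files per parent directory; every directory listed is
    a storage location that belongs in the scoping inventory."""
    counts = {}
    for f in out_of_enclave(findings):
        parent = f.path.parent
        key = parent.relative_to(relative_to).as_posix() if relative_to else str(parent)
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items()))

def build_sample_tree(base):
    """Constructed sample layout for a stand-alone demo (placeholder content, not real data)."""
    base = Path(base)
    for rel in [
        "enclave/pdm/bracket_rev_c.sldprt",
        "enclave/pdm/bracket_rev_c.sldasm",
        "commercial/share/pump_housing.sldprt",
        "users/jdoe/Desktop/trade_study.ipynb",
        "users/jdoe/Downloads/airframe_section.step",
        "users/asmith/notes.txt",
    ]:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder")
    return base

def run_demo():
    """Build the sample tree in a temp dir, scan it, and return the key numbers."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        results = scan(base, [base / "enclave"])
        dirs = summarize_by_directory(results, relative_to=base)
        return {"total": len(results), "outside": len(out_of_enclave(results)), "dirs": dirs}

if __name__ == "__main__":
    report = run_demo()
    print(f"{report['total']} candidate files, {report['outside']} outside the enclave")
    for d, n in report["dirs"].items():
        print(f"  {n} in {d}")
```

Run it against the real workstation and share roots (with the actual enclave path in place of `enclave/`) and the directory list it prints is a first draft of the storage locations your system boundary has to account for. It deliberately flags commercial CAD files too: deciding which hits are controlled is the triage step, and a flagged commercial share that also holds one defense file is exactly the kind of mixed location that pulls a system into scope.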
Frequently Asked Questions
If your CAD files were created for a DoD program and contain design information derived from controlled requirements or specifications, yes — they're CUI. This includes SolidWorks, CATIA, NX, and AutoCAD files. The model geometry, tolerances, material callouts, and assembly relationships all capture controlled technical information. Your PDM/PLM server, the workstations accessing those files, and any cloud sync tools touching them are in scope.
Often yes, and this surprises a lot of firms. If your technical proposal incorporates information from a government-provided RFP package that includes controlled technical data (performance requirements, interface specs, system-level parameters), your proposal document may itself be CUI. The information you receive back during source selection and any pre-award design discussions is almost certainly CUI as well. Your business development tools, the shared drives where proposals are stored, and email threads involving that technical data are all in scope.
It depends on where the vault lives and who operates it. DFARS 252.204-7012 requires that a cloud service holding CUI meet the FedRAMP Moderate baseline or equivalent. The major providers (AWS, Azure, GCP) all have FedRAMP-authorized offerings, but that authorization covers the provider's own services inside its boundary, not a PDM vendor's SaaS layered on top of it or your own deployment and configuration. A SolidWorks PDM vault running on a commercial cloud offering that doesn't meet that baseline is a problem for CMMC Level 2. Your options: move the vault to FedRAMP-authorized infrastructure (and confirm the specific offering is covered), migrate to an on-premises server within your CUI enclave, or use a managed service provider whose hosting meets the requirement. This is one of the most common remediations for engineering firms.
The laptop they use to access CUI is in scope — wherever it is. The home router and home ISP are typically not in scope (they're not part of your system boundary), but the connection needs to go through a company-managed VPN with MFA. Company-managed devices with endpoint detection, encryption, and monitored access are the standard approach for remote engineering teams. Personally-owned laptops (BYOD) accessing CUI from home are a major risk and a common finding in assessments.
Engineering firms doing defense design work are among the most likely to have both CMMC and ITAR obligations. If your design work involves defense articles on the USML (aircraft, weapons systems, military electronics, space systems), the technical data directly related to those articles is ITAR-controlled. ITAR restricts access by foreign persons as the regulation defines them, including employees of your own firm. CMMC requires you to protect that data from unauthorized access more broadly. You need both. Speak with an export compliance attorney early if you haven't done so.
Find Out Where Your Firm Stands
Take the free 2-minute assessment and get a clear picture of your required CMMC level, your likely system boundary scope, and a realistic cost range for your firm size.