Industry Guide — Machine Shops

CMMC Compliance for Machine Shops: A Plain-English Guide

You run a machine shop. You make precision parts for defense contractors. And now someone's telling you that you need cybersecurity certification to keep doing it. This guide is going to explain exactly what that means for a shop like yours — in language that actually makes sense.

Why CMMC Matters for Your Shop

The Department of Defense is done trusting contractors to self-report their cybersecurity posture. CMMC Phase 2, which kicks in November 2026, requires formal third-party certification before you can bid on contracts involving controlled technical data.

This isn't something your prime contractor made up. It's written into the Defense Federal Acquisition Regulation Supplement (DFARS). The primes — Lockheed, Raytheon, Northrop Grumman, Boeing, General Dynamics — are already flowing these requirements down to their supply chain. If you've heard anything about CMMC in the last year, it's because their compliance teams are working through their supplier lists right now.

If you make parts for any of those primes — or for their Tier 2 subs — and those parts involve controlled technical data, you need CMMC Level 2. Period. Not "probably." Not "eventually." Now.

The shops that wait until a prime formally demands it will find themselves scrambling for assessment slots that are already booked 12 months out. The deadline isn't the problem — the lead time is.

How CUI Actually Flows Through a Machine Shop

This is the section nobody else is writing for your industry. Most CMMC content is written for IT departments at defense contractors with proper network engineers and a full-time compliance staff. You have machinists, engineers, and a shop foreman. The way controlled data moves through your world is completely different — and understanding that flow is the foundation of everything else.

CUI stands for Controlled Unclassified Information. For your shop, the most common type is technical data — drawings, 3D models, material specifications, process specs. When Lockheed or Raytheon sends you a Technical Data Package so you can quote and produce a job, that entire package is CUI.

Here's what the flow looks like from the moment it arrives at your shop:

CUI Journey — From Prime to Shipping Dock

Prime Sends a Technical Data Package

Drawings, 3D models (.STEP, .IGES, .SolidWorks), material specs, surface finish requirements, GD&T callouts — emailed or shared via a secure portal. Everything in this package is CUI.

Your Engineer Opens the Files

A programmer or engineer imports the drawings into CAD/CAM software, creates toolpaths, and generates G-code. That G-code is derived from the controlled drawings — it's now CUI too. The workstation where this happens is in scope.

G-Code Transfers to the CNC Machine

Whether you use a USB stick, a DNC server, or a shop network, the transfer path is in scope. The CNC machine that receives and runs that program is in scope. Yes — your Mazak or Haas is part of your CMMC boundary.

Printed Work Orders Hit the Shop Floor

Work orders and travelers that reference controlled dimensions or specs are CUI in physical form. The printer that prints them is in scope. The filing cabinet where copies are kept is a physical CUI storage location.

QC Inspection Records

First article inspection reports, in-process checks, final CMM data — if they reference controlled drawing dimensions, they're CUI. Your Renishaw probing outputs, ballooned prints, FAIRs — all of it.

Shipping Documentation

Certificates of conformance, material certs, and shipping paperwork that references the controlled part number or drawing revision can carry CUI. How you package and transmit this matters.

Here's what catches most shops off guard: when your machinist loads a program derived from a controlled drawing onto the CNC, that machine becomes part of your CMMC boundary. Same with the tablet your foreman uses to view work orders. Same with the printer in the front office that prints the drawings. Every system that touches CUI is in scope.

The reason this matters so much is that most CMMC consultants who haven't worked in manufacturing will scope your entire network. They'll see your DNC server and your shop tablets and your file server and say "it all has to be compliant." That's the expensive path. There's a better one.

Not sure which of your systems are in scope?

Our 2-minute readiness assessment asks about your actual shop setup — how you receive drawings, how programs get to your machines, how your shop floor is networked. You'll get a plain-English answer about where your boundary is.


What's Actually In Scope (And What's Not)

This is where shops waste the most money — putting the entire network into the CUI boundary when they don't have to. Before you spend a dollar on remediation, you need to know exactly which systems are in scope and which aren't.

Typically In Scope

- CAD/CAM workstations where drawings are opened and toolpaths created
- File server where controlled drawings and G-code are stored
- DNC server that delivers programs to machines
- CNC machines that receive programs derived from CUI
- Shop floor terminals or tablets that display controlled work orders
- Email system if CUI is transmitted via email
- ERP/MES if it stores or processes controlled job data
- Printer that prints controlled drawings and travelers

Potentially Out of Scope

- Accounting computers (if isolated from CUI systems)
- Personal phones (if they don't access CUI systems)
- Marketing and sales computers
- Non-CUI production equipment
- Building security systems and cameras
- Guest WiFi network (if properly segmented)
- HR systems with no connection to controlled data

The single best thing you can do to save money on CMMC: build a CUI enclave. That means putting all your CUI-touching systems on a separate, segmented network. Systems outside the enclave don't need to meet all 110 controls. This one decision alone can cut your compliance cost by 30–50%.

A CUI enclave doesn't have to mean physically separate computers in a locked room (though sometimes that's the right answer). It can be a VLAN, a separate wireless network, or cloud-hosted systems with the right access controls. The key is that your accounting computer can't reach your file server with the controlled drawings — and you have documentation proving it.
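The "documentation proving it" part is the piece assessors actually ask for. The script below is an added example, not the guide's own tooling: it models an inter-VLAN firewall policy as a first-match rule list, checks every out-of-scope host against every in-scope host on the ports a CUI transfer path would use, and prints the reachability matrix you can attach to the SSP. The host names, addresses, VLAN layout and rules are all constructed for illustration; substitute your real network diagram and the rule set exported from your actual firewall.

```python
"""Verify that an inter-VLAN firewall policy keeps out-of-scope hosts away from
the CUI enclave, and produce the evidence matrix an assessor will ask for.

Added example, not from the guide. Hosts, addresses and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def net(cidr):
    return ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port


# Constructed inventory: name -> (address, in_scope). Enclave is VLAN 10
# (10.10.0.0/24), office is VLAN 20 (10.20.0.0/24), guest WiFi is VLAN 30.
HOSTS = {
    "cad-workstation": ("10.10.0.11", True),
    "file-server":     ("10.10.0.20", True),
    "dnc-server":      ("10.10.0.30", True),
    "haas-vf2":        ("10.10.0.41", True),
    "accounting-pc":   ("10.20.0.15", False),
    "sales-laptop":    ("10.20.0.22", False),
    "guest-wifi-ap":   ("10.30.0.5",  False),
}

# Ports on the CUI transfer paths: SMB file shares, FTP and SSH to the DNC server.
CUI_PORTS = (445, 21, 22)

# Flat network, the "before" state: everything can reach everything.
RULES_FLAT = [Rule("allow", net("0.0.0.0/0"), net("0.0.0.0/0"))]

# Enclave policy: first match wins, implicit deny if nothing matches.
RULES_ENCLAVE = [
    Rule("allow", net("10.10.0.0/24"), net("10.10.0.0/24")),  # enclave-internal traffic
    Rule("deny",  net("0.0.0.0/0"),    net("10.10.0.0/24")),  # nobody else reaches the enclave
    Rule("allow", net("0.0.0.0/0"),    net("0.0.0.0/0")),     # office/guest traffic unaffected
]


def permitted(rules, src_ip, dst_ip, dport):
    """First-match evaluation, the way most inter-VLAN firewalls process a rule list."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action == "allow"
    return False  # implicit deny


def enclave_violations(rules, hosts=HOSTS, ports=CUI_PORTS):
    """Every (out-of-scope host, in-scope host, port) the policy still lets through."""
    return [
        (s, d, p)
        for s, (sip, s_in) in hosts.items() if not s_in
        for d, (dip, d_in) in hosts.items() if d_in
        for p in ports
        if permitted(rules, sip, dip, p)
    ]


def evidence_report(rules, hosts=HOSTS, ports=CUI_PORTS):
    """Plain-text matrix for the SSP: one line per out-of-scope -> in-scope path tested."""
    lines = []
    for s, (sip, s_in) in hosts.items():
        if s_in:
            continue
        for d, (dip, d_in) in hosts.items():
            if not d_in:
                continue
            for p in ports:
                verdict = "ALLOWED" if permitted(rules, sip, dip, p) else "blocked"
                lines.append(f"{s} ({sip}) -> {d} ({dip}):{p} {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("flat network violations:", len(enclave_violations(RULES_FLAT)))
    print("enclave violations:", len(enclave_violations(RULES_ENCLAVE)))
    print(evidence_report(RULES_ENCLAVE))
```

Run it once against the flat rule set and once against the enclave rule set: the first should list every office-to-enclave path as reachable, the second should list none. Re-run it whenever a rule changes, and keep the dated output with the network diagram; the model is only as good as the rule list you feed it, so confirm a few paths with a real connection test from an office machine as well.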

If you're doing significant defense work alongside commercial work, talk to a CMMC specialist before you spend anything on infrastructure changes. Scoping done right is worth more than any single control you implement.

What CMMC Level 2 Actually Requires

CMMC Level 2 maps to all 110 controls in NIST SP 800-171. That sounds overwhelming. But grouped into plain language, here's what those controls are actually asking your shop to do:

Individual accounts for everyone. No more shared "ShopFloor" or "Admin" passwords that six people know. Every person who touches a CUI system gets their own login.

Multi-factor authentication for remote access. If anyone logs into your systems from outside the shop — a remote engineer, a traveling manager checking job status — they need two-step verification.

Encryption for controlled data. Drawings and G-code stored on your file server need to be encrypted. Files sent via email need to be transmitted securely. This is mostly a software configuration, not a hardware purchase.

Access logging for 3 years. Your systems need to record who logged in, what they accessed, and when — and you need to keep those logs for three years. This is where a managed security service often earns its monthly fee.

Written policies for how you handle CUI. A System Security Plan (SSP) that documents every system in scope, what it does, and how it's protected. Policies for acceptable use, incident response, media handling, and more.

Annual security awareness training. Your machinists don't need to become IT experts. But they do need documented training on phishing, password hygiene, and what to do if something looks off. A 30-minute annual session covers the requirement.

An incident response plan. A written plan for what your shop does if you get hacked — who to call, how to contain it, how to notify the DoD within 72 hours. You need this written down before it happens, not after.

Regular patching and software updates. Your in-scope systems need to receive security updates on a documented schedule. No running Windows XP because "it works fine for the DNC." That machine needs to come into the modern era or get air-gapped with compensating controls.

USB and removable media controls. You need a documented policy — and ideally technical enforcement — around who can plug a USB drive into what. The machinist who loads programs from a thumb drive needs a process that limits what that drive can carry in and out.
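Three of the controls above (individual accounts, MFA for remote access, and logs kept for three years) can be checked mechanically once logins are being recorded. The script below is an added example, not from the guide: it parses a handful of constructed login audit lines, flags logins to shared accounts, flags remote logins that skipped MFA, and separates events that have passed the three-year retention cutoff from those that must still be on hand. The line format, the shared-account names, the address ranges and the "as of" date are all assumptions; point the regex at whatever your log collector or SIEM actually emits.

```python
"""Run three of the Level 2 checks over a login audit log.

Added example, not from the guide. Log format, sample lines, account names and
address ranges are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample audit lines: one login event per line.
SAMPLE_LOG = [
    "2026-03-02T07:14:09 login user=jsmith host=cad-ws1 src=10.10.0.11 mfa=no",
    "2026-03-02T07:20:41 login user=shopfloor host=dnc-srv src=10.10.0.30 mfa=no",
    "2026-03-02T18:05:12 login user=mlee host=file-srv src=203.0.113.7 mfa=no",
    "2026-03-03T09:00:00 login user=mlee host=file-srv src=203.0.113.7 mfa=yes",
    "2022-11-15T10:00:00 login user=jsmith host=file-srv src=10.10.0.11 mfa=no",
]

# Constructed "as of" time for the retention check.
AS_OF = datetime(2026, 3, 3, 12, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) host=(?P<host>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>yes|no)$"
)

# Hypothetical shared accounts being retired, and the shop's own address space.
SHARED_ACCOUNTS = {"shopfloor", "admin", "operator"}
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.20.0.0/24")]
RETENTION_YEARS = 3


def parse(line):
    """One audit line -> dict with a datetime timestamp and a boolean mfa flag."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["mfa"] = e["mfa"] == "yes"
    return e


def shared_account_logins(events):
    """Control: individual accounts. Any login as a shared account is a finding."""
    return [e for e in events if e["user"].lower() in SHARED_ACCOUNTS]


def is_remote(src):
    return not any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS)


def remote_without_mfa(events):
    """Control: MFA for remote access. Remote logins that skipped MFA are findings."""
    return [e for e in events if is_remote(e["src"]) and not e["mfa"]]


def retention_cutoff(now, years=RETENTION_YEARS):
    """Same calendar day N years back; step back a day when that date does not exist (29 Feb)."""
    try:
        return now.replace(year=now.year - years)
    except ValueError:
        return (now - timedelta(days=1)).replace(year=now.year - years)


def past_retention(events, now):
    """Control: keep logs three years. Events older than the cutoff may be archived;
    everything newer must still be available to an assessor."""
    cutoff = retention_cutoff(now)
    return [e for e in events if e["ts"] < cutoff]


def findings(lines, now):
    events = [parse(line) for line in lines]
    return {
        "shared_accounts": shared_account_logins(events),
        "remote_no_mfa": remote_without_mfa(events),
        "archivable": past_retention(events, now),
    }


if __name__ == "__main__":
    for name, hits in findings(SAMPLE_LOG, AS_OF).items():
        print(name, [(e["ts"].isoformat(), e["user"], e["host"]) for e in hits])
```

Against the sample lines this reports the "shopfloor" login, the one remote login by mlee without MFA, and the single 2022 event as the only one past the cutoff. The useful part for the assessment is less the findings than the habit: a scheduled run like this, with its output filed, is the evidence that the controls are operating rather than just written down.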

Sound like a lot? It is, a little. But here's the honest truth: most shops are partially doing most of this already. You probably already require passwords. You probably don't let strangers walk into your server room. The hard part isn't the security. It's the documentation proving you do it.

Documentation is where most shops get stuck.

Writing an SSP and policy package for a machine shop takes specific knowledge — how CUI moves through G-code, how DNC servers work, how to document physical media controls on a shop floor. Our Assessment-Ready Package is built for exactly this situation.


What It Costs for a Shop Like Yours

Here are honest cost ranges for a typical 15–30 person machine shop going through CMMC Level 2 certification. These are real-world numbers, not the sanitized ranges you see in government reports.

| Item | Typical Range | Notes |
|---|---|---|
| Gap assessment | $5K – $15K | What controls you're missing. Should be shop-specific, not a generic checklist. |
| Technical remediation | $15K – $50K | New hardware, network segmentation, security tools, software configuration. Varies hugely depending on your starting point. |
| Documentation (SSP, policies, POA&M) | $12K – $35K | Traditional consultant. With MyCMMC's Assessment-Ready Package: $7.5K – $19.5K. |
| C3PAO assessment | $25K – $50K | The formal third-party assessment by a CMMC-authorized organization. Non-negotiable for Level 2. |
| Ongoing security tools & monitoring | $1K – $3K/mo | Endpoint detection, SIEM, log management. Usually bundled with an MSSP. |
| Total (first year) | $60K – $150K | Smaller scope and tighter enclave design = lower end. |

The documentation line is where most shops get hit hardest — and where the biggest savings opportunity is. A generalist consultant writing your SSP has to learn what a DNC server is, how G-code relates to your controlled drawings, what your shop floor network topology looks like. They're billing $200–$350/hour to get up to speed on your industry. That learning curve comes out of your budget.

If your consultant doesn't know what a DNC server is, you're paying them to learn on your dime. That's how a $20K documentation engagement turns into $45K.

That's why we built the Assessment-Ready Package specifically for manufacturers. Our system already understands how CUI moves through a machine shop — from Technical Data Package to G-code to the shop floor. The documentation it generates reflects your actual operation, not a template written for a software company's IT department. And every document is reviewed by a certified practitioner before delivery.

The Biggest Mistakes Machine Shops Make with CMMC

We hear the same ones over and over. Here's what to watch for:

Thinking CMMC is just about office computers

Your shop floor is in scope. Your CNC machines are in scope. Your DNC server is in scope. Any CMMC approach that only looks at the front office computers and the file server is going to fail your assessment — or create serious liability when your C3PAO auditor shows up and asks to see your machine network.

Putting the entire network in scope when you could build an enclave

This is expensive and often unnecessary. If your accounting computer, your marketing laptop, and your CNC machines are all on the same flat network, you need to fix that before you spend a dollar on compliance work. Network segmentation is an upfront investment that pays off enormously in reduced assessment scope.

Hiring a generalist IT firm that doesn't understand manufacturing

CMMC is a niche. Manufacturing OT (operational technology) is an even deeper niche within that. A firm that has certified clients in industries like insurance or healthcare will struggle to scope your environment correctly. They'll miss the DNC server. They'll misunderstand the G-code relationship to CUI. And you'll find out at assessment time.

Waiting until a prime demands it with a deadline

The timeline from zero to certified typically runs 9–18 months for a shop your size. C3PAO assessment slots are already booking out 6–12 months. If you wait until a prime says "we need to see your certification within 90 days," you won't have one. You'll lose the contract to a shop that started earlier.

Assuming Level 1 is enough

CMMC Level 1 only applies if you handle Federal Contract Information (FCI) without any controlled technical data. If you receive drawings, 3D models, specs, or process sheets with Distribution Statements on them — even just "Distribution B" — you have CUI, and you need Level 2. Level 1's 17 controls won't get you there.

How to Get Started

Here's a practical roadmap. You don't need everything figured out before you start. You just need the next step.

Confirm whether you handle CUI

Look at the drawings and specs your primes send you. Do they have "Controlled" markings, Distribution Statements (like "Distribution C — U.S. Government Agencies and their contractors only"), or other CUI indicators? If yes, you have CUI and you need Level 2. If you're not sure, your contracting officer can tell you.

Take the MyCMMC readiness assessment

It takes 2 minutes. It asks about your shop setup in plain language — how you receive drawings, how your network is laid out, what systems touch your defense work. You'll get a specific readiness snapshot and know where your biggest gaps are before you spend anything.

Map your CUI flow

Walk the path CUI takes through your shop — from the moment a drawing arrives to the moment parts ship. Write it down. Sketch the network diagram. This exercise alone will show you exactly what's in scope and what's not — and it's the first thing your C3PAO is going to ask for.

Talk to a CMMC specialist who works with machine shops

Not a generic IT firm. Not a compliance consultant who usually works with government agencies. Someone who's walked into a machine shop, understood how the DNC server works, and has helped similar shops scope their environments correctly. Our network includes specialists who do exactly this.

Start documentation while you remediate

Don't wait until every control is implemented before you start writing your SSP. Documentation takes months. Remediation takes months. Run them in parallel. Your SSP can describe what you're implementing — that's what the Plan of Action & Milestones (POA&M) is for. Starting both processes simultaneously cuts your timeline significantly.

Need documentation built for machine shop environments?

Our compliance packages are built from your actual environment — CNC systems, shop floor networks, precision machining data flows — and verified by practitioners who know manufacturing. No templates. No guesswork.


Frequently Asked Questions

It depends on how your CNC machines receive programs. If your machinist loads G-code derived from controlled drawings — and that's almost always the case for defense work — then yes, the machine is in scope. That doesn't mean the machine itself needs antivirus software. It means the systems that transfer programs to the machine need to be secured and documented. The CNC is a receiver of CUI. How it receives programs, and what network it's connected to, is what matters.

You have two options. Build a CUI enclave — a separate, secured environment for your defense work — so your commercial side isn't in scope. That's the most common and cost-effective approach. Or, if the defense revenue isn't worth the compliance cost, stop pursuing that work. Either is a legitimate business decision. What you can't do is handle controlled drawings in a mixed environment and claim you don't need CMMC. The contract language is clear, and the penalties for non-compliance include False Claims Act exposure.

An air gap helps with some controls and reduces your attack surface, which is a good thing. But it doesn't get you to CMMC Level 2 compliance on its own. You still need multi-factor authentication, access controls, audit logging, an incident response plan, trained employees, and a complete documentation package. Air-gapping also creates its own control challenges — how do you handle USB transfers into the gap? Those transfers are a major attack vector. You need documented procedures for all of it.

From zero to certified, typically 9–18 months for a 10–30 person shop. That breaks down as: gap assessment (4–8 weeks), remediation (3–9 months depending on your starting point), documentation (2–4 months, overlapping with remediation), and C3PAO assessment scheduling (add 2–4 months because qualified assessors are booking out far in advance). The shops that start in mid-2026 will be fighting for assessment slots against hundreds of other contractors. November 2026 is closer than it looks — and the deadline is for contracts signed after that date, but your primes will start asking for proof well before then.

They will. Phase 2 requires primes to flow CMMC requirements down to every subcontractor handling CUI. Your prime's own certification depends on their supply chain being compliant. If your contract involves controlled technical data, you'll eventually be required to show proof of certification. Primes who are working through this right now will need certified subs quickly once Phase 2 takes effect. The shops that started early get the work. The ones who wait get replaced.

With the right approach, yes. The key is keeping your CUI boundary tight. A 10-person shop with a well-defined enclave might have only 4–6 in-scope systems. That's very manageable. The shops that overpay are the ones who put their entire network in scope or hire consultants who don't understand manufacturing and scope too broadly. Build the enclave first. Use documentation tools built for your industry instead of paying a generalist $350/hour to figure out what a DNC server is. Your defense revenue needs to justify the cost — and for most shops doing meaningful defense work, it does.