Industry Guide — Welding & Fabrication

CMMC for Welding & Fabrication Shops: What You Need to Know

Your welders think about heat input, interpass temperature, and travel speed. They don't think about cybersecurity. But the tablet showing the weld procedure spec on the shop floor? That's in scope for CMMC. Here's what it means for your shop.

How CUI Shows Up in Welding Shops

Most welding and fabrication shops doing defense work handle controlled technical data without thinking much about it. The controlled drawings that show you what to weld. The weld procedure specifications (WPS) written to meet those drawings. The procedure qualification records (PQR) proving you qualified them. The material certifications confirming you used the right alloy. The nondestructive examination results showing the welds pass inspection.

If any of this was created for a defense program — and for most DoD subcontractors, it was — then much of it is CUI. The question CMMC asks is: what systems does that data live on, and how well are you protecting it?

Here's what's different about welding shops compared to, say, a machine shop: the CUI touches more people on the shop floor. In a machine shop, a CNC operator runs a program pushed from a DNC server and may never open the drawing. A welder needs the WPS, the drawing, the fit-up checklist, and sometimes the NDE reports. The same controlled data flows across more workstations, more tablets, and more people.

Where CUI Flows in a Fabrication Shop

CUI Flow — Welding & Fabrication Shop
Engineering Drawings Received (CUI)

Joint designs, material callouts, weld symbol requirements, dimensional tolerances for critical weld features. Received from the prime, stored on a shared drive or job management system.

Weld Procedure Specifications (CUI)

WPS documents written to meet the controlled drawings. Base metal groupings, filler metal classification, preheat requirements, PWHT procedures. If developed for a defense program, these are CUI. Displayed at welding stations on paper or tablet.

Material Certifications & MTRs (CUI)

Mill test reports, heat/lot traceability, certified material test reports for controlled alloys (titanium, Inconel, armor steel). Required for defense programs with strict material traceability requirements.

NDE / Inspection Records (CUI)

UT, RT, MT, PT, and visual inspection results. Welder qualification records. First article inspection data. If these verify compliance with a controlled specification, they're CUI. Your quality management system storing them is in scope.

Shipping & Traceability Documentation

Weld maps, heat traceability records, certificates of conformance, packaging and shipping documentation. Required by AS9100/military specifications for defense hardware.

The Shop Floor Reality

Here's what makes welding shops different from an office-based defense contractor: the data shows up on the shop floor, where the people using it are focused on making good welds, not cybersecurity.

Think about how a typical defense weld job runs in your shop. The job traveler comes out with the drawing attached. The foreman pulls up the WPS on a shop computer or tablet. The welder reads the procedure, sets up the parameters, does the fit-up. The inspector walks over with a clipboard or tablet, records the results. The quality manager uploads everything to your job management system.

Every one of those touchpoints involves controlled data. The shop computer showing the WPS. The tablet the inspector uses. The job management system. The email where the drawing came in. All of it is in scope if the job involves CUI.

Your best welder has been welding for 25 years and has never thought about cybersecurity in his life. CMMC doesn't change what he does — it changes what happens to the data around him. The computer showing his weld procedure has to be as protected as any office workstation.

What's In Scope vs. Not In Scope

In scope:
- Office computers with controlled drawings, WPS, inspection records
- Shop floor computers / tablets displaying WPS and job travelers
- Quality management, ERP, or MES systems storing inspection data
- Email system receiving/sending controlled drawings
- Network connecting the above systems
- NDE data acquisition systems logging inspection results
- File storage with MTRs, certs of conformance
- Any printer that has printed controlled documents (many networked printers and MFPs retain print jobs on internal storage)

Out of scope (if isolated):
- Welding machines themselves (no network, no data storage)
- Hand tools, grinders, cutoff saws
- Break room wifi (isolated from CUI network)
- Payroll and HR systems (no CUI access)
- Commercial customer job files (isolated)
- Stand-alone plasma/laser cutting machines (no network)

One important nuance: some modern welding machines are networked. Lincoln Electric, Miller, and ESAB all offer networked power sources that log welding parameters for each weld. If those machines are logging parameters from defense weld jobs, the network they sit on and the data they generate are likely in scope, because the logged values (voltage, wire feed speed, travel speed, heat input) can reproduce a controlled WPS. Check whether your networked welders store job-specific data from controlled programs, and where that data goes: a local controller, a shop server, or a vendor-hosted cloud service. If it goes to a vendor cloud, DFARS 252.204-7012 requires that cloud service to meet the FedRAMP Moderate baseline or equivalent, which you will need to verify with the vendor.

Not sure what's in scope in your shop?

The free readiness check takes 2 minutes. Answer questions about your actual operation and we'll give you a clear picture of your scope and what Level you need.

Take the Free Readiness Check →

Overlap with AWS and ASME Quality Requirements

If your shop is already qualifying procedures and welders to AWS D1.1, D1.6, ASME Section IX, or other welding codes, you already have a quality documentation culture. WPS, PQR, and welder qualification records are second nature. That discipline translates well to CMMC.

The main difference: AWS and ASME tell you what to document. CMMC tells you how to protect what you've documented. Your existing quality records are the content; CMMC is about securing the systems those records live on.

If you have an AS9100 quality management system, you're in even better shape from a documentation standpoint. AS9100 Rev D's control of documented information (clause 7.5) requires protecting records from loss of confidentiality and integrity, and its configuration management requirements build version-control habits; both carry over into NIST SP 800-171's documentation and media protection expectations. But AS9100 has nothing comparable to the bulk of the 110 security requirements: no multifactor authentication, no audit logging, no incident response. You're not starting from zero, but you're not finished either.

What It Costs for a Welding Shop

Welding and fabrication shops in the 10–40 person range typically have simpler IT environments than electronics or engineering firms, which helps keep costs down — if you scope carefully.

Cost Item | 10-person Shop | 40-person Shop
Gap assessment & scoping | $5,000–$10,000 | $10,000–$20,000
Technical remediation (MFA, endpoint, network) | $12,000–$30,000 | $30,000–$65,000
Policy & procedure documentation | $6,000–$12,000 | $12,000–$25,000
C3PAO third-party assessment (Level 2) | $25,000–$40,000 | $40,000–$65,000
Ongoing annual compliance | $8,000–$18,000/yr | $18,000–$35,000/yr
Estimated Total (Year 1, excluding ongoing annual cost) | $48,000–$92,000 | $92,000–$175,000

These ranges assume a well-scoped CUI enclave. Shops that put the entire network in scope — including all commercial jobs — pay significantly more. See our complete CMMC cost guide for more detail.

Common Mistakes Welding Shops Make

1. Ignoring shop floor computers and tablets

Office computers get locked down. The shared shop floor computer showing weld procedures gets forgotten. CMMC assessors will find that computer. It's in scope the same as any other system that accesses CUI.

2. Treating paper prints as "not a cybersecurity issue"

If you print controlled drawings and leave them at welding stations, NIST SP 800-171's media protection requirements still apply: paper containing CUI has to be marked, physically controlled, and shredded or otherwise destroyed when the job is done. CMMC isn't just about computers.

3. Overlooking welder qualification records as CUI

Your welder performance qualification records (WPQ/WQTR) and the PQRs behind your procedures may be CUI if they demonstrate qualification on controlled materials or to controlled procedures. These often live in a filing cabinet or a simple spreadsheet, and that cabinet or spreadsheet then becomes an in-scope system.

4. Not training shop floor personnel

CMMC Level 2 requires security awareness training for all users with access to the CUI environment. Your welders who log into the shop floor computer, your inspector who uses a tablet — they need basic security training. Brief, practical training that fits a manufacturing context is available; it doesn't have to be a burden.

Getting Started: Steps for Welding Shops

1. Walk the CUI through your shop, literally

Start at the receiving dock where the drawing comes in. Follow it to the office computer where it's filed. Follow the WPS to the shop floor. Follow the inspection results to your QMS. Draw it out on a whiteboard. Every system it touches is potentially in scope.

2. Inventory your shop floor computers and tablets

How many computers are on the shop floor? Are they on the same network as the office? Who can log into them, and do several welders share one login? Are they password protected, and do they lock when left unattended? These are your most likely compliance gaps, and your assessor will check them.

3. Check whether your networked welding machines are in scope

If you have Lincoln Power Wave, Miller Insight, or similar networked welders collecting job data from defense programs, understand what network they're on and whether that data includes anything derived from controlled specs.

4. Leverage your existing quality documentation

Your WPS, PQR, and welder qualifications give you a head start on documentation. Build your CMMC policy and procedure documentation on the same structure — clear, controlled, version-managed, accessible to those who need it and restricted to those who don't.

5. Commission a gap assessment with a manufacturing-focused RP

Find a CMMC Registered Practitioner who has worked with welding or fabrication shops. They'll understand your QMS, know how to scope shop floor equipment, and won't be confused by the difference between a weld certification and a welder qualification.

Frequently Asked Questions

Is my weld procedure specification CUI?

If your WPS was developed for a specific defense program and derived from controlled engineering requirements, it is likely CUI. The weld joint design, preheat requirements, interpass temperature limits, and filler metal specifications capture controlled design intent. This is different from a generic AWS D1.1 structural weld procedure; that's a commercial standard, not CUI. The question is always: was this procedure written to meet a controlled DoD specification? If yes, treat it as CUI and confirm the designation with your prime or contracting officer, since the government, not the shop, decides what is controlled.

Does CMMC apply if defense work is only a small part of my business?

CMMC requirements apply when your contract requires handling CUI, regardless of how small the defense portion of your business is. If 10% of your work is defense and that work involves controlled drawings or specifications, CMMC applies to the systems and people handling that 10%. The smartest approach for shops with small defense percentages is often a well-designed CUI enclave: separate your defense files, limit access to a few machines, and keep the scope small. That way CMMC compliance costs stay proportional to the defense revenue.

Do my welders need cybersecurity training?

Yes, but not the kind of training you might be imagining. Your welders don't need to become IT security experts. They need to know: don't share login credentials, lock the computer when walking away from the welding station, don't plug personal USB drives into company equipment, and report anything that looks suspicious. CMMC Level 2 requires security awareness training for all personnel with access to the CUI environment, and that includes anyone who can see the tablet showing the weld spec.

Does my AWS certification help with CMMC?

Your AWS quality discipline helps with CMMC in one specific way: you already have documentation habits. Weld shops that maintain proper WPS, PQR, and welder qualification records understand the concept of controlled documentation. That discipline translates reasonably well to CMMC's requirements for documented policies and procedures. But AWS D1.1 compliance doesn't satisfy any specific CMMC practice; it's parallel to CMMC, not a substitute.

How long does CMMC certification take for a fabrication shop?

For a 10–40 person fabrication shop, plan on 9–15 months from gap assessment to certified. Welding shops often have simpler IT environments than electronics or engineering firms, which can work in your favor. The complexity usually comes from shop floor connectivity: networked welding machines, tablets with weld specs, quality management systems logging inspection data. If your CUI environment is limited to a few computers with drawings and an inspection database, your scope is very manageable.