The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

CMMC Compliance for Manufacturers: Your Level, Your Scope, and the Real Cost

By The Defense Compliance Report Editorial Team

If a prime just flowed CMMC down to you — or you found a CMMC clause sitting in a new solicitation — here is the bottom line, before you scroll another inch. CMMC compliance for manufacturers handling Controlled Unclassified Information almost always lands at CMMC Level 2: the 110 security requirements in NIST SP 800-171 Revision 2. If your shop processes, stores, or transmits CUI — sensitive government information such as controlled engineering drawings, technical data packages, or specifications — Level 2 is your starting point. Whether you self-assess or need a certified third-party assessment (C3PAO) is set by your specific contract or prime flow-down, not by your industry or your headcount.

The part nobody tells you up front is where this gets expensive. It isn’t the assessment. We’ll show you exactly where it hides — on your shop floor, in your DNC server, and in a vendor’s standing login you forgot you granted.

Find yourself in this table. It’s the fastest way to know which version of “CMMC compliance for manufacturers” applies to you.

| If your situation is… | Your likely path | Assessment type | First move | What not to do first |
|---|---|---|---|---|
| You only receive FCI, no CUI | Level 1 | Annual self-assessment + annual affirmation, posted in SPRS | Confirm in writing that no CUI lives in your contracts, drawings, or portals | Buy Level 2 tooling before you’ve confirmed there’s no CUI |
| You handle CUI and the solicitation says Level 2 (Self) | Level 2 (Self) | Triennial self-assessment + annual affirmation, posted in SPRS | Map where CUI flows, score yourself, post the score | Assume “manufacturer” automatically means a third-party audit |
| You handle CUI and the contract or prime requires Level 2 (C3PAO) | Level 2 (C3PAO) | Independent C3PAO assessment every 3 years + annual affirmation | Get scope and evidence clean before you call an assessor | Book the assessor before you know your boundary |
| You support the most sensitive CUI / a critical program at Level 3 | Level 3 (DIBCAC) | Government assessment by DCMA DIBCAC — Final Level 2 (C3PAO) required first | Confirm the requirement with your prime or contracting officer | Try to skip the Level 2 (C3PAO) step |
| You genuinely don’t know whether your drawings or G-code are CUI | Unknown — and that’s normal | You can’t decide this from your industry label | Build a CUI-flow map (we give you one below) | Treat the whole plant as in-scope by default |

Not sure which row is yours?

That’s the single most common place manufacturers start — and it’s exactly what our Find My Path tool is built to resolve. Tell us your level, scope, and timeline and we’ll point you to the right next step. Please don’t submit CUI, drawings, contract numbers, or export-controlled data — we only need the shape of your situation.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency, and this page is educational editorial research — not legal, contractual, or compliance advice. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis or provider-category recommendations.

We built this guide by reading the source documents, not vendor summaries: 32 CFR Part 170 (the CMMC Program Rule), the DFARS acquisition rule in the Federal Register, the DoD’s own CMMC Level 2 Scoping Guide, the NIST SP 800-171 and 800-172 publications, and the Cyber AB’s CMMC Assessment Process (CAP).


What does CMMC compliance for manufacturers actually mean?

CMMC compliance for manufacturers means proving that the systems and people handling FCI or CUI meet the CMMC level your contract requires. The Cybersecurity Maturity Model Certification (CMMC) program is the Department of Defense’s way of verifying that defense suppliers actually implement the cybersecurity controls they’ve been contractually required to follow for years. For a manufacturer, the hard part is never the acronym. It’s finding every place defense technical data travels in your shop.

CMMC follows the data, not the department. “Manufacturer” is not a CMMC level. “Machine shop” is not a scope. Your level depends entirely on whether you handle FCI, CUI, or neither — and on what your specific solicitation or prime flow-down requires.

This matters because the rule already has teeth. 32 CFR Part 170 became effective December 16, 2024, establishing CMMC as binding federal regulation. The companion DFARS acquisition rule took effect November 10, 2025, which is the date CMMC requirements began appearing in DoD contracts. The phase-in runs over three years and completes November 10, 2028.

FCI vs CUI vs CTI — the three terms that set your level

Get these three straight and half the confusion disappears.

| Term | Plain-English meaning | Manufacturing examples | Why it matters |
|---|---|---|---|
| FCI (Federal Contract Information) | Contract information not meant for public release | Delivery schedules, non-public order data, basic procurement info | Usually Level 1 if there’s no CUI involved |
| CUI (Controlled Unclassified Information) | Sensitive government information that requires safeguarding or dissemination controls | Marked technical data, controlled technical drawings, specs, test reports | Usually at least Level 2 when you process, store, or transmit it |
| CTI (Controlled Technical Information) | A common type of CUI: technical data with military or space application | Blueprints, drawings, process instructions, software used to design, produce, repair, or reproduce defense equipment | The most common route a manufacturer falls into CUI scope |

The DoD’s CUI program defines CUI as unclassified information that still requires protection. And DFARS 252.204-7012 — the clause that’s been in defense contracts since 2016 — spells out what “technical information” includes: engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, and more.


Which CMMC level does your shop actually need?

A manufacturer that only handles FCI may need Level 1; a manufacturer that processes, stores, or transmits CUI needs Level 2 at minimum; and the contract determines whether that Level 2 path is a self-assessment or a third-party C3PAO assessment. Level 3 is reserved for selected, higher-risk CUI work and requires you to achieve Final Level 2 (C3PAO) status first. This is the order of operations, set by 32 CFR Part 170.

Do not let a vendor tell you “all manufacturers need a C3PAO.” That overstates the rule. The federal solicitation provision DFARS 252.204-7025 lists four distinct status options — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC) — and your solicitation will name exactly one. Read it.

Level 1 — for FCI-only manufacturers

Level 1 covers the 15 basic safeguarding requirements from FAR 52.204-21. You self-assess annually, and a senior official affirms it. There is no Plan of Action and Milestones (POA&M) allowed at Level 1 — every requirement must be met. If you’ve confirmed your shop never touches CUI, this is your world, and it’s the most affordable path.

Level 2 (Self) — for some CUI manufacturers

Level 2 is the 110 requirements of NIST SP 800-171 Revision 2. A narrower set of contracts involving less-sensitive CUI allows you to self-assess every three years, post your score in SPRS (the Supplier Performance Risk System — the DoD database where your assessment score and CMMC status live), and affirm annually. The controls are identical to Level 2 (C3PAO). The difference is who checks.

Level 2 (C3PAO) — when the contract or prime requires independent assessment

Same 110 requirements, but an accredited Certified Third-Party Assessment Organization (C3PAO — an independent firm authorized to conduct official CMMC assessments) audits your implementation. Certification is valid for three years with annual affirmations in between. Which CUI contracts require the self-assessment versus the third-party assessment is set by the requiring activity, based on the sensitivity and category of the CUI, and named in your solicitation.

Level 3 (DIBCAC) — for the most sensitive CUI work

Level 3 adds 24 selected requirements from NIST SP 800-172 (February 2021 version) on top of the 110 from Revision 2. The assessment is performed by the government — specifically DCMA DIBCAC, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center. You must hold Final Level 2 (C3PAO) status before a Level 3 assessment. The DoD expects fewer than 1% of the DIB to need it.

On NIST versions — because it trips people up:

CMMC Level 2 currently maps to NIST SP 800-171 Revision 2. NIST published Revision 3 in 2024, which trimmed the count to 97 requirements — but the DoD has not adopted Rev. 3 for CMMC contract purposes. Build your program against Rev. 2 until DoD amends the rule. Implementing Rev. 3 early without confirming the controlling version is a classic way to budget against the wrong target.

Not sure whether your contract puts you at Level 2 (Self) or Level 2 (C3PAO)? That single answer sets your budget and your timeline. Tell us your contract type, the data you receive, and your timeline.


Please don’t submit CUI, drawings, contract numbers, or export-controlled data — we only need your level, scope, and timeline.


Where does CUI hide in a manufacturing workflow?

In a manufacturing operation, CUI shows up in RFQs, engineering drawings, CAD models, CAM and CNC programs, work travelers, BOMs, process sheets, inspection and test reports, customer portals, and supplier packages. The reason CMMC is harder for manufacturers than for office-based contractors is that this data doesn’t sit politely in one file share. It moves from your estimator’s inbox, through engineering, out to the machines, into quality, and back out to your suppliers.

The Manufacturer CUI-Flow & CMMC-Scope Matrix

Last verified June 9, 2026, against 32 CFR §170.19, DFARS 252.204-7012, and the DoD CMMC Level 2 Scoping Guide. This matrix tells you where to look and what to verify — it does not, by itself, decide whether a specific file is CUI. That depends on contract markings and requiring-activity direction.

| Manufacturing workflow | Data that may trigger a CUI analysis | Systems it touches | Likely CMMC scope category | Most common manufacturer mistake | First provider category |
|---|---|---|---|---|---|
| RFQ / quoting | Drawings, specs, TDPs, statements of work | Email, file share, ERP, customer portal | CUI Asset if CUI is handled; FCI-only if not | Treating the quote inbox as “admin” and out of scope | Readiness / scoping (RPO), then MSP if email touches CUI |
| Engineering / CAD / PLM | CAD models, drawings, design analysis, specs | CAD workstations, PLM, file shares, VDI | CUI Asset when defense CUI is stored or processed | Securing the final repository but ignoring CAD cache and export folders | CUI enclave architect + readiness + MSP |
| CAM / CNC programming | NC code, G-code, setup sheets, derived instructions | CAM software, CNC controllers, USB media, shop-floor PCs | CUI Asset or Specialized Asset, depending on machine’s limits | Calling CNC gear “out of scope” while it stores CUI-derived programs | MSP/MSSP with OT segmentation experience |
| Travelers / BOM / routings | Work travelers, assembly and process instructions | ERP, MES, paper travelers, shop terminals | CUI Asset if the traveler contains CUI | Pulling the entire ERP into scope with no field-level analysis | Readiness/scoping + ERP/MES security help |
| Quality / inspection / QMS | First-article and test reports, NCRs, CoCs tied to defense specs | QMS, metrology systems, test equipment, portals | CUI Asset; test equipment may be a Specialized Asset | Assuming QMS is “quality only” and CMMC-irrelevant | Readiness + GRC/evidence workflow + MSP |
| Printers / scanners / plotters | Printed drawings, scanned travelers, inspection packets | Network MFPs, plotters, print servers (with hard drives) | CUI Asset or Security Protection Asset | Ignoring print queues, on-device storage, and disposal | MSP/MSSP + physical/media-control readiness |
| Suppliers / special processors | Flowed-down drawings, specs, inspection requirements | Supplier portals, secure file transfer, purchasing | Scope follows CUI to subs; subs need appropriate status | Sending CUI to a supplier without checking their required status | Readiness + contracts/procurement support |
| Vendor remote access / maintenance | Remote support into ERP, CAD, or machines | VPN, remote desktop, OEM support tools | Security Protection Asset, ESP, or CUI Asset by access level | Leaving a machine OEM’s standing login unmanaged | MSP/MSSP + readiness |
| Shipping / delivery | CoCs, technical reports, portal uploads | Customer portals, shipping systems, QMS exports | CUI Asset if technical CUI is transmitted | Treating outbound delivery as “just logistics” | Readiness + secure collaboration provider |

If you’ve seen the questions real manufacturers ask in places like r/CMMC, you already know why this matters. “CUI on CNC machines?” “Is the G-code we send to the floor CUI?” “Our 10-to-14-year-old CNC machines don’t like encrypted USB drives.” “For office work there are hosted solutions — but this is a manufacturing facility.” Those aren’t edge cases. They’re the center of the problem, and almost no generic CMMC page answers them.


How do you scope CMMC without dragging the whole plant in?

Manufacturers define CMMC scope by identifying which assets process, store, transmit, or protect FCI/CUI, then sorting them into the categories defined in 32 CFR §170.19. For a Level 2 assessment, the rule sorts your environment into five asset categories. Get this right and you save a project. Get it wrong and you accidentally bring the entire shop floor into your assessment boundary. The DoD’s CMMC Level 2 Scoping Guide is the document your assessor uses, so it’s the one you should use too.

The five categories, translated for a shop:

CUI Assets

Anything that processes, stores, or transmits CUI: your CAD workstations, engineering file servers, the cloud tenant where customers drop drawings, ERP fields and reports that carry CUI, your CAM systems. These get the full 110 controls. They’re the core of your boundary.

Security Protection Assets (SPAs)

Systems that protect the CUI environment: identity and access management, your firewall, logging and SIEM, EDR, vulnerability scanning, backup. They’re in scope because they secure the rest, and they’re assessed against the requirements relevant to that protective role.

Contractor Risk Managed Assets (CRMAs)

Assets that could touch CUI but, by your written policy and configuration, are not intended to. The rule lets you manage these with risk-based policy instead of full implementation — but you must document them in your SSP and give an explicit written rationale. Assessors probe this. “We meant to keep CUI off it” is not enough; it has to be demonstrable.

Specialized Assets — the one manufacturers most want to be a loophole

Per §170.19, this category includes Government Furnished Equipment, IoT and Industrial IoT, Operational Technology (OT), Restricted Information Systems, and Test Equipment. Your legacy CNC controllers, PLCs, HMIs, and metrology gear often land here. Specialized status is NOT an exemption. You still have to document these assets in the SSP, show them on your network diagram, and manage them with risk-based policy. The assessor will check that you did.

Out-of-Scope Assets

Assets with no connectivity to the CUI environment and no role in protecting it. The rule is clear that “out of scope” must be true by architecture, not declared in a meeting. One useful detail straight from §170.19: a VDI endpoint configured so that only keyboard, video, and mouse signals reach it — no CUI processing, storage, or transmission — can be out of scope. That’s a real lever for shop-floor terminals.

The one thing we have to be honest about

We cannot tell you your exact CMMC level or your exact scope from your NAICS code, your headcount, or the fact that you’re “a machine shop.” Anyone who claims they can is guessing. Your level comes from your contract. Your scope comes from where your CUI actually flows.

But here’s the pivot: scoping before remediation is the single highest-leverage cost decision you make. A well-defined CUI enclave, drawn before the work begins, shrinks the number of users, endpoints, and machines inside your assessment boundary. Fewer systems in scope is a cheaper, faster, lower-risk assessment — that’s true by construction, not a promise. The shops that map first put fewer systems through the assessment. The ones that buy a tool first usually pay to secure things that never needed to be in scope at all.

Before you buy a single tool or license, map where CUI flows. Tell us your level, the systems that touch CUI, and your timeline, and we’ll point you to the provider category that fits — readiness, enclave, or managed compliance — not a sales pitch.


No CUI, drawings, or export-controlled data, please.


Enclave, enterprise-wide, or hybrid: which architecture fits a shop?

A secure enclave reduces the number of users, endpoints, and applications in your assessment boundary, but it does not reduce the 110 Level 2 requirements — it reduces how many systems they apply to. Enterprise-wide compliance can be cleaner when CUI is already everywhere. A hybrid approach works when engineering and admin workflows can be isolated while shop-floor OT and specialized assets are documented and controlled. The wrong choice almost always traces back to deciding architecture before mapping CUI.

We go deeper in CMMC secure enclave and enclave vs enterprise-wide compliance.

| Approach | Best for | Not for | Manufacturing failure mode | Provider category |
|---|---|---|---|---|
| Secure enclave | A limited set of CUI users and separable engineering/admin data | Shops where CUI is already embedded across ERP, MES, QMS, and the floor | CAD or printer workflows quietly leak CUI outside the enclave | Enclave / GCC High / GovCloud provider + readiness |
| Enterprise-wide | CUI touching most users, systems, plants, and workflows | Shops with a tiny CUI footprint | Cost and timeline explode without careful scoping | MSP/MSSP + readiness / vCISO |
| Hybrid (segmented floor) | Engineering/admin can be segmented; production needs controlled transfer | Shops with unmanaged USB, printers, and old CNC with no process discipline | Specialized assets documented poorly or not at all | MSP/MSSP with OT experience + readiness |
| “Tool-first” | Almost never the right first move | Any shop with an unmapped CUI flow | The tool doesn’t solve scope, evidence, or process | Start with readiness/scoping, full stop |

Cloud and FedRAMP — what the rule actually requires:

Handling CUI in the cloud generally requires a cloud service that is FedRAMP Moderate authorized, or that meets FedRAMP Moderate-equivalent requirements under DFARS 252.204-7012, with the shared-responsibility model and customer responsibility matrix documented in your SSP. Standard commercial Microsoft 365 does not meet that bar for CUI. Microsoft GCC High and AWS GovCloud (US) are the environments most defense manufacturers land on because they’re built to meet it — but they are examples, not the only compliant options. The “government” label is not the compliance; the documented FedRAMP Moderate (or equivalent) authorization and the responsibility split are. See Azure Government for CMMC for how that maps in practice.


What does CMMC actually cost a manufacturer — and what’s the deadline?

CMMC cost for a manufacturer depends far more on CUI scope, number of facilities, CAD/CAM/CNC exposure, ERP/QMS involvement, cloud architecture, and evidence maturity than on headcount — and the DoD’s published estimate covers the assessment, not the implementation that consumes most of the budget. Full picture in our CMMC Level 2 cost guide.

The DoD published official cost estimates inside the regulatory analysis for 32 CFR Part 170. These figures cover the assessment and affirmation portion only:

| Cost element | DoD official estimate (assessment + affirmations only) | What it leaves out |
|---|---|---|
| Level 1 (Self) | ~$4,000–$6,000 per year | Implementation, if you’re not already meeting FAR 52.204-21 |
| Level 2 (Self) | ~$37,200 (small entity) to ~$48,800 (larger entity), over 3 years | Implementing the 110 NIST SP 800-171 Rev. 2 requirements |
| Level 2 (C3PAO) | ~$104,670 (small entity) to ~$117,800 (larger entity), over 3 years | Remediation, implementation, tooling, managed services, enclave work, evidence cleanup |
| Level 3 (DIBCAC) | Level 2 (C3PAO) cost + government-assessment increment (low tens of thousands) | Level 3 and NIST SP 800-172 implementation; Final Level 2 (C3PAO) is a prerequisite |

The candid part — read before you budget:

That ~$104,670 number gets repeated everywhere, and it misleads nearly every small manufacturer who sees it, because the rule’s estimate assumes you’ve already implemented NIST SP 800-171 Rev. 2. Most shops starting from an unmanaged commercial IT and shop-floor environment haven’t.

Published 2026 cost analyses have put realistic first-year, all-in spend for a manufacturer — implementation plus remediation plus the assessment — in the broad range of roughly $98,000 to $305,000, depending on starting maturity and scope. That’s a market-reported planning range, not a DCR-verified figure: the only number that’s truly yours comes from scoped quotes against your actual boundary. Treat any single figure as a placeholder until you have quotes.

The deadline — and the scarcity that’s real (and the one that isn’t)

The phase-in is law, so the timing pressure is genuine, not manufactured. Phase 1 runs from November 10, 2025 through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments, with DoD requiring third-party certification on more sensitive contracts at its discretion. Phase 2 begins November 10, 2026, when Level 2 (C3PAO) certification becomes a condition of award on applicable contracts. The rollout completes November 10, 2028.

The assessor pool is small: as of the Cyber AB’s reporting in early 2026, the ecosystem had on the order of 103 authorized C3PAOs and roughly 759 certified assessors, with around 1,000 organizations certified to Level 2 so far — against a population the DoD estimates at 80,000-plus needing Level 2. (These counts move month to month. Confirm the current numbers at cyberab.org/marketplace.)

The constraint manufacturers should act on first is not assessor availability; it’s readiness. Monthly certification output hasn’t tracked the size of the assessor pool, which tells us most shops simply aren’t ready to be assessed yet. You’re not scrambling for a slot on an assessor’s calendar. You’re racing your own preparation time before Phase 2 — which means the move is to start scoping now.

Want a real number for a shop your size? Share your employee count, your CUI footprint, and whether you can run an enclave, and we’ll match you with provider categories that scope to control cost.


We don’t need any CUI to do this — just the shape of your environment.


Self-assessment vs C3PAO, SPRS, and the evidence you’ll need

Whether you self-assess or are certified by a C3PAO is set by your contract; your assessment results flow into different systems depending on which; and your evidence has to be final — not a draft plan — by the time an assessor arrives. Two manufacturers with identical controls can get different results purely on evidence quality.

Where your results go: SPRS vs eMASS

| Assessment path | Where the results go | What the contracting officer checks |
|---|---|---|
| Level 2 (Self) | You upload your scored self-assessment into SPRS | SPRS, for your CMMC status, affirmation, and CMMC UIDs |
| Level 2 (C3PAO) | The C3PAO submits results into the CMMC instantiation of eMASS, which then transmits automatically to SPRS | SPRS, for status and affirmation; results originate in eMASS |
| Level 3 (DIBCAC) | DCMA DIBCAC inputs the government assessment results | SPRS, for status and affirmation |

Per 32 CFR §170.16 and §170.17. In every case, your senior official’s affirmation of continuous compliance goes into SPRS, and that affirmation plus your current status is what makes you eligible for award.

How SPRS scoring works

You start at 110 points and subtract a weighted value — 1, 3, or 5 points — for every requirement you haven’t fully implemented, per the CMMC Scoring Methodology in 32 CFR §170.24. Most requirements are scored all-or-nothing. The score can run from +110 down to −203.

  • A score of 110 earns Final status.
  • A score of 88 to 109 can support Conditional status — but only if every remaining NOT-MET requirement is eligible for a POA&M under 32 CFR §170.21. Conditional status comes with a hard clock: you have 180 days to close every open POA&M item and pass a closeout assessment, or the status expires.
  • Below 88, you don’t have a passing status.
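The scoring and status rules above, worked in code as an added example (not from the article, DoD, or SPRS): a small calculator that deducts each NOT MET requirement’s weight, refuses to score a requirement nobody recorded a finding for, and maps the result to Final, Conditional, or not passing. The requirement ids, weights, and POA&M-eligibility flags are a constructed sample; in practice each comes from the CMMC Scoring Methodology and 32 CFR §170.21, which this article does not enumerate.

```python
"""SPRS-style score and status calculator for a CMMC Level 2 assessment.

Added example, not from the article, DoD or SPRS: start at 110, subtract the
1/3/5-point weight of each NOT MET requirement, Final only at 110, Conditional
at 88-109 only if every NOT MET item is POA&M-eligible, nothing passing below 88.
Weights and §170.21 eligibility are caller-supplied data; the table below is a
constructed sample, not the official methodology.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110           # one point per NIST SP 800-171 Rev. 2 requirement
CONDITIONAL_FLOOR = 88    # lowest score that can still support Conditional status
POAM_CLOSEOUT_DAYS = 180  # clock on Conditional status before it expires


@dataclass(frozen=True)
class Requirement:
    req_id: str           # placeholder ids below, not NIST numbering
    weight: int           # deduction if NOT MET: 1, 3 or 5 per the methodology
    poam_eligible: bool   # may it sit on a POA&M under §170.21? (caller supplies)


@dataclass(frozen=True)
class Finding:
    req_id: str
    status: str           # "MET", "NOT MET" or "N/A"


@dataclass(frozen=True)
class ScoreResult:
    score: int
    status: str                      # "Final", "Conditional" or "Not passing"
    not_met: tuple[str, ...]         # ids that lost points
    poam_blockers: tuple[str, ...]   # NOT MET ids that cannot go on a POA&M


def score_assessment(requirements, findings) -> ScoreResult:
    """Score the findings; every requirement needs exactly one finding.

    An item nobody assessed cannot be counted as MET, so a missing finding is an
    error, not a silent pass. N/A deducts nothing. Every item is all-or-nothing.
    """
    by_id = {r.req_id: r for r in requirements}
    if len(by_id) != len(requirements):
        raise ValueError("duplicate requirement id")
    if any(r.weight not in (1, 3, 5) for r in requirements):
        raise ValueError("weights must be 1, 3 or 5")

    score, seen, not_met, blockers = MAX_SCORE, set(), [], []
    for f in findings:
        if f.req_id not in by_id or f.req_id in seen:
            raise ValueError(f"unknown or duplicate finding for {f.req_id}")
        seen.add(f.req_id)
        if f.status == "NOT MET":
            req = by_id[f.req_id]
            score -= req.weight
            not_met.append(req.req_id)
            if not req.poam_eligible:
                blockers.append(req.req_id)
        elif f.status not in ("MET", "N/A"):
            raise ValueError(f"{f.req_id}: unknown finding status {f.status!r}")
    if unscored := sorted(set(by_id) - seen):
        raise ValueError(f"no finding recorded for: {', '.join(unscored)}")

    if score == MAX_SCORE:
        status = "Final"
    elif score >= CONDITIONAL_FLOOR and not blockers:
        status = "Conditional"
    else:
        status = "Not passing"
    return ScoreResult(score, status, tuple(not_met), tuple(blockers))


def poam_closeout_deadline(conditional_status_date: date) -> date:
    """Last day to close every POA&M item and pass the closeout assessment."""
    return conditional_status_date + timedelta(days=POAM_CLOSEOUT_DAYS)


# Constructed sample: 5- and 3-point items that may not go on a POA&M, 1-point
# items that may. Lowest possible score is 110 - 35 = 75 (the real table: -203).
SAMPLE_REQUIREMENTS = tuple(
    Requirement(f"REQ-{i:02d}", w, w == 1)
    for i, w in enumerate((5, 5, 5, 5, 5, 3, 3, 1, 1, 1, 1), start=1)
)


def sample_findings(not_met=(), not_applicable=()) -> tuple[Finding, ...]:
    """Findings for the sample table: everything MET except the ids given."""
    def status(rid):
        return "NOT MET" if rid in not_met else "N/A" if rid in not_applicable else "MET"
    return tuple(Finding(r.req_id, status(r.req_id)) for r in SAMPLE_REQUIREMENTS)


if __name__ == "__main__":
    for case in ((), ("REQ-08", "REQ-09"), ("REQ-01",),
                 ("REQ-01", "REQ-02", "REQ-03", "REQ-04", "REQ-05")):
        r = score_assessment(SAMPLE_REQUIREMENTS, sample_findings(case))
        print(f"NOT MET {list(case)!s:<44} score={r.score:>4}  {r.status}")
    print("Conditional on 2026-11-10 -> closeout by", poam_closeout_deadline(date(2026, 11, 10)))
```

Two 1-point gaps score 108 and support Conditional status; a single 5-point gap scores higher (105) yet is not passing, because that item cannot sit on a POA&M.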

A useful planning detail: those 110 requirements break down into roughly 320 assessment objectives under NIST SP 800-171A — the determination statements an assessor actually checks. “We have MFA” isn’t one finding; it’s several objectives. Plan your evidence at the objective level, not the control level.

What primes also require: 7019, 7020, 7021, 7025

The DFARS clauses work as a set. DFARS 252.204-7019 requires a current NIST SP 800-171 assessment posted to SPRS before you can be considered for award on a CUI contract. 7020 covers DoD’s assessment methodology and access for Medium and High assessments. 7021 is the contract clause that carries the CMMC obligation and the flow-down requirement. And 7025 is the solicitation provision that names your required level and requires you to provide your CMMC Unique Identifiers (CMMC UIDs) — the identifiers SPRS issues for each contractor information system that will process, store, or transmit FCI or CUI. When you see 7025 in a solicitation, expect 7021 in the contract.

The evidence a manufacturer needs before a Level 2 assessment

CMMC findings come back as Met, Not Met, or Not Applicable, and the evidence behind a “Met” has to be real and final. For a manufacturer:

| System / workflow | Evidence to have ready |
|---|---|
| CAD / CAM | Access list, storage paths, encryption settings, cache/export controls, backup process |
| CNC / shop floor | Machine inventory, file-transfer process, removable-media controls, physical controls, SSP documentation of specialized assets |
| ERP / MES | CUI field and report analysis, access roles, audit logs, retention policy |
| QMS / inspection | Report templates, customer-portal upload/download paths, test-data storage, access controls |
| Printers / scanners | Device inventory, print-queue config, secure-print settings, on-device storage and disposal process |
| Suppliers | Flow-down clauses, transmission method, supplier status checks, purchasing procedure |
| Cloud / email / file sharing | Tenant config, FedRAMP/equivalency evidence, SSP and shared-responsibility matrix |

You’ll also need the backbone documents every assessment turns on: a current SSP, an asset inventory by category, and a network diagram showing your assessment boundary. Inconsistencies between your SSP and your actual network diagram are one of the most common failure points.

If your scope is set and your SSP and evidence are clean, you’re ready to talk to a C3PAO. Before you sign with anyone, check their current authorization at cyberab.org/marketplace — only firms listed as authorized can issue a certificate.

How CMMC flows down to your suppliers and special processors

CMMC follows FCI and CUI down the supply chain, so if you send controlled technical data to a sub or a special processor, your flow-down obligation follows it. Under 32 CFR §170.23, a sub that only handles FCI can be required at Level 1, a sub handling CUI must be at least Level 2, and if the prime’s contract requires Level 2 (C3PAO), the sub minimum rises to Level 2 (C3PAO). If you’re a mid-tier manufacturer who both receives flow-down and sends it onward, you’re on both sides of this.

What to ask the suppliers and special processors you send CUI to:

  • What information will you receive from us, and is any of it CUI or CTI?
  • Which of your systems will process, store, or transmit it?
  • What CMMC status do you currently hold, and at what level?
  • How will you receive and transmit it securely?
  • Who downstream of you will also touch this data?

What to ask the prime that’s flowing CMMC down to you:

  • Which clause applies — and does the solicitation include 7025, 7021, or both?
  • What CMMC level and assessment type is required: Level 1, Level 2 (Self), Level 2 (C3PAO), or Level 3?
  • Is the data CUI, CTI, FCI, export-controlled, or some combination?
  • What markings and distribution statements apply?
  • Are you requiring Level 2 (C3PAO) even where we believe Level 2 (Self) would satisfy the rule?

That last question matters more than it looks. A prime can contractually require a higher assessment type than the rule’s floor. Knowing that early prevents you from scoping for a self-assessment and discovering at award that you needed a certified one.

Supplier CMMC Status Request

As part of our defense supply-chain compliance, please confirm the following so we can document flow-down for [program/PO reference]:

  1. Your current CMMC status and level (Level 1 Self / Level 2 Self / Level 2 C3PAO / Level 3), and the date achieved.
  2. Your CMMC Unique Identifier(s) (CMMC UIDs), if applicable.
  3. The type of information you’ll receive from us (FCI, CUI/CTI, export-controlled).
  4. Your secure method for receiving and transmitting that information.
  5. Whether you will pass any of this data to lower-tier suppliers, and how you verify their status.

Please do not include CUI, drawings, or controlled technical data in your reply.

A word on ITAR, since it overlaps for so many shops:

If you handle export-controlled technical data, ITAR and CMMC are separate obligations that often apply to the same drawing — broadly, export-control rules govern who may access the data, while CMMC and NIST 800-171 govern how you protect it. Strong CMMC controls support your export-control discipline, but they don’t replace it. Confirm export-control treatment with qualified counsel.


Which CMMC provider should a manufacturer hire first?

Most manufacturers should not start with a C3PAO unless they’re genuinely assessment-ready — the usual order is readiness and scoping first, technical implementation second, evidence and enclave support as needed, and a C3PAO only when the contract requires Level 2 (C3PAO) and your scope and evidence are clean. And there’s a hard rule behind this sequence: the conflict-of-interest rules set out in 32 CFR Part 170 and the Cyber AB’s CAP bar the firm that consults to prepare you for a Level 2 certification from also serving as the C3PAO that assesses you (generally a three-year window). Keep readiness help and formal assessment in separate hands.

| Where your shop is | Hire first | Hire second | A C3PAO now? | Why |
|---|---|---|---|---|
| Unsure if your data is FCI or CUI | Readiness / scoping (RPO) | Contracts support | No | Scope and level are still unknown |
| CUI touches email, files, and CAD only | Readiness + enclave/cloud architect | MSP/MSSP | Not yet | Architecture decision comes before the assessment |
| CUI touches CAD/CAM/CNC/QMS/ERP | Readiness + CMMC-capable MSP/MSSP (with OT experience) | GRC/evidence + secure collaboration | Not yet | The shop floor must be scoped and controlled first |
| Solicitation requires Level 2 (C3PAO) and evidence is nearly ready | C3PAO selection | Readiness support, kept separate | Yes | The formal assessment is the contract-relevant step |
| You’re a Level 3 candidate | Senior CMMC advisor + prime/CO clarification | DIBCAC-readiness support | Not until Final Level 2 (C3PAO) exists | Level 3 requires Final Level 2 (C3PAO) first |

GRC and compliance software (evidence management, policy and control mapping, continuous-compliance workflow) is a powerful supporting layer — it organizes your SSP, POA&M, and evidence — but software alone does not make you CMMC compliant. It documents the work; it doesn’t do the scoping, the segmentation, or the shop-floor controls. Small shops with a limited CUI footprint may also want our best CMMC providers for small business.

Still unsure which type comes first? Tell us what you build, which systems touch CUI, your target level, and your timeline, and we’ll match you with source-checked CMMC provider options by category: readiness, MSP/MSSP, enclave/GRC, or assessment. We won’t route remediation work to an assessor as if independence didn’t matter.

Get matched with source-checked provider options →

The manufacturing-specific mistakes that derail CMMC — and your next 30 days

Manufacturing CMMC projects usually fail as workflow problems before they fail as cybersecurity problems: the team scopes too late, treats CUI as IT-only, ignores how data moves on the floor, forgets printers and physical drawings, underestimates ERP and QMS exposure, or sends CUI to suppliers without checking their status. Map the data flow early and every downstream decision gets easier.

  1. Assuming “manufacturer” automatically means Level 2 (C3PAO). Your contract decides. Read the 7025 provision.
  2. Securing email but ignoring CAD/CAM/CNC. The drawing that’s protected in your inbox is the same drawing sitting unprotected on a shop PC.
  3. Buying GCC High and declaring victory. A compliant cloud is one piece. Your floor, your printers, and your suppliers are still in the picture.
  4. Calling legacy CNC or test equipment “out of scope” with no support. Specialized assets still require SSP documentation and risk-based management.
  5. Forgetting printed drawings and shop-floor travelers. Physical CUI counts. So do print queues and the hard drive in your plotter.
  6. Sending flowed-down technical data to suppliers without status checks. Your obligation rides with the data.
  7. Booking a C3PAO before your evidence is final. Conditional-status math is real, and a rushed assessment is the expensive way to learn it.

Your 30-day plan

The goal isn’t “be compliant in 30 days.” It’s to stop guessing and build a defensible scope hypothesis you can hand to the right provider.

Days | Action | Output
1–3 | Collect clauses, flow-downs, prime requests, and any SPRS requests | A requirement packet
4–7 | Identify your FCI/CUI/CTI examples | A CUI inventory hypothesis
8–12 | Map the flow: quoting → engineering → production → quality → suppliers → delivery | A CUI-flow diagram
13–17 | Inventory the systems, users, devices, and facilities that touch that flow | An asset inventory
18–21 | Assign preliminary CMMC asset categories (the five from §170.19) | A scope hypothesis
22–25 | Flag obvious gaps and your riskiest workflows | A gap list
26–30 | Decide your first provider category and next step | A readiness / enclave / MSP / C3PAO decision

Want the self-serve version? Work it at your own pace with our CMMC Readiness Checklist, mapped to all 14 NIST SP 800-171 control families. It’s free, and it’s built for shops, not for IT departments at primes.

Download the CMMC Readiness Checklist →

What we actually verified for this guide

What we verified against primary sources (as of ):

  • CMMC Program Rule — 32 CFR Part 170, effective December 16, 2024 (eCFR; Federal Register).
  • DFARS acquisition rule — effective November 10, 2025; phased rollout completing November 10, 2028 (Federal Register; Acquisition.gov subpart 204.75).
  • Five Level 2 asset categories and scope rules — 32 CFR §170.19 and the DoD CMMC Level 2 Scoping Guide.
  • SPRS vs eMASS submission paths, scoring, and Conditional status — 32 CFR §170.16, §170.17, §170.21, and §170.24.
  • Level 2 mapping to NIST SP 800-171 Revision 2 (110 requirements, 14 families); Level 3 referencing 24 selected requirements from NIST SP 800-172 (February 2021).
  • DFARS clause set — 7012, 7019, 7020, 7021, and 7025.
  • DoD assessment cost estimates from the 32 CFR Part 170 regulatory analysis.
  • Cyber AB CMMC Assessment Process (CAP) and conflict-of-interest rules separating readiness from assessment.

What is our editorial judgment, not the rule: which provider category to evaluate first; whether an enclave, enterprise-wide, or hybrid architecture is most practical; and any market cost ranges, which we’ve labeled as market-reported and recommend you confirm with scoped quotes. Ecosystem counts reflect the Cyber AB’s early-2026 reporting — re-check at cyberab.org/marketplace.

See our Methodology, Editorial Standards, and Corrections pages.


Frequently asked questions about CMMC compliance for manufacturers

Do all manufacturers need CMMC?

No. CMMC applies to manufacturers that handle FCI or CUI under a DoD contract or flow-down. A shop with no defense work and no controlled information isn’t subject to it. The trigger is the data and the contract, not the industry.

Do machine shops need CMMC?

Many do. A machine shop that receives marked or otherwise controlled defense technical data is generally processing CUI, which puts it at CMMC Level 2 at minimum. A shop handling only FCI may be Level 1, and the contract or flow-down is what confirms it.

What CMMC level do manufacturers need?

FCI-only shops may need Level 1; shops handling CUI need at least Level 2; and the contract determines whether Level 2 is self-assessed or requires a C3PAO. Level 3, assessed by DCMA DIBCAC, is for the most sensitive CUI and applies to fewer than 1% of the DIB.

Are engineering drawings CUI?

Often, but not automatically — it depends on markings and the requiring activity’s direction. DFARS 252.204-7012 lists engineering drawings among examples of technical information, and controlled drawings are a common route into CUI scope. Confirm against the contract’s markings.

Are CAD and CAM files in scope for CMMC?

They’re in scope when they contain or are derived from CUI. CAD models and the CAM programs generated from controlled drawings are typically CUI Assets, which puts the systems that store them inside your Level 2 boundary.

Is G-code or CNC machine data CUI?

NC code or G-code derived from controlled technical data should be treated as a CUI-scope candidate until the contract markings, CUI markings, or requiring activity confirm otherwise. That can bring the CAM software, transfer media, and the controller into scope — as CUI Assets, or for older machines that can’t be fully secured, as Specialized Assets that still require documentation.

Are printed drawings and travelers in scope for CMMC?

If they contain CUI, yes. Physical CUI counts, and so do the workflows and devices that produce, store, transmit, or dispose of it — including network printers, plotters, and the on-board storage in multifunction devices.

Does ERP or QMS count for CMMC?

They count when they store or transmit CUI. Use field-level analysis: an ERP traveler or QMS inspection report containing CUI brings that system into scope, while proper segmentation and documentation may keep parts of the system out.

Do suppliers and special processors need CMMC?

Yes, when you flow CUI down to them. A sub handling only FCI can be Level 1; a sub handling CUI must be at least Level 2; and if your contract requires Level 2 (C3PAO), the sub minimum rises accordingly. Document what you flow down and verify each supplier’s status.

What’s the difference between Level 2 (Self) and Level 2 (C3PAO)?

The 110 requirements are identical; the difference is who verifies them and where the results go. Level 2 (Self) is a self-assessment uploaded to SPRS for a narrower set of less-sensitive CUI contracts; Level 2 (C3PAO) is an independent third-party assessment whose results are submitted into CMMC eMASS and transmitted to SPRS, and it’s required on more sensitive contracts.

Can a manufacturer use a POA&M for Level 2?

Sometimes. If your SPRS score is at least 88 and the remaining NOT-MET requirements are POA&M-eligible under 32 CFR §170.21, you can earn Conditional status and close those items within 180 days. Certain critical, higher-weighted requirements must be fully met at assessment and cannot be deferred.

Can our C3PAO also prepare us for the assessment?

No. The CMMC ecosystem’s conflict-of-interest rules prohibit the firm that consulted to prepare you from also serving as your C3PAO for that Level 2 certification, looking back over a multi-year window. Keep readiness and assessment in separate hands.

Does GCC High make us CMMC compliant?

No. Microsoft GCC High or AWS GovCloud can be a suitable, FedRAMP Moderate-aligned environment for CUI, but the cloud is one component. Your shop-floor systems, printers, suppliers, evidence, and documentation still have to meet the requirements.

The prime says “be CMMC compliant” but didn’t specify a level. What do we do?

Ask. Request the specific clause, level, and assessment type in writing — Level 1, Level 2 (Self), Level 2 (C3PAO), or Level 3 — because the difference changes your scope, cost, and timeline. The DFARS 252.204-7025 provision in the solicitation is where the required level is named.

What should we ask a CMMC provider before signing?

Ask their provider category, their current Cyber AB Marketplace status (for assessors), their relevant manufacturing and OT experience, how they’ll scope to control cost, and — for any assessor — confirmation they did not also consult on your readiness. Verify authorization yourself at cyberab.org/marketplace before you sign.


Ready to make the move?

You came here because a decision is in front of you, and now you have the map: your likely level, where CUI hides in your shop, how to scope without dragging the whole plant in, what it really costs, and which provider category fits. The shops that act on this calmly — map first, scope tight, separate readiness from assessment — give themselves the strongest position: less wasted spend, fewer surprises at assessment, and a clear path to the right provider.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Get matched with source-checked provider options →

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This page is informational and is not legal, contractual, or compliance advice; confirm your specific requirements with your contracting officer, prime, or qualified counsel.

Editorial disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. Not affiliated with the Cyber AB, the DoD, DCMA DIBCAC, NIST, or any U.S. government agency. Read our editorial review process. Last verified: . Next scheduled verification: September 2026, or sooner if DoD, DFARS, NIST, or Cyber AB guidance changes.