No CUI uploads. No provider routing until your scope is clearer.Start →
CMMC Compliance for Machine Shops: What’s in Scope, What Level You Need, and What It Costs
If one of your primes just said “CMMC is coming” — or a new solicitation showed up with cybersecurity language you’ve never had to read before — here’s the two minutes to spend before you call a single vendor.
Here’s the part nobody tells you, and the reason this page exists: your CMMC cost is really your scope cost.Map where CUI actually enters and moves through your shop, and you can often wall it off — instead of dragging every CNC, every workstation, and every backup into the assessment boundary. Below, we’ll show you exactly which parts of a machine shop touch CUI, what you can keep out of scope, what it really costs, and who to talk to first.
In short: a machine shop usually becomes a CMMC Level 2 problem the moment it receives, stores, processes, or transmits Controlled Unclassified Information — typically defense drawings, CAD/CAM files, or specifications. Shops touching only Federal Contract Information may need just Level 1, and shops handling no DoD FCI or CUI may not be in scope yet.
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find your likely path in one screen
| Your shop’s situation | Likely CMMC path to investigate | Verify this first | Best next step |
|---|---|---|---|
| No DoD work, no FCI, no CUI | CMMC may not apply | That you have no DoD contract or flow-down | Read the basics, move on |
| DoD work, FCI only (no controlled drawings) | Level 1, annual self-assessment | That you truly receive no CUI | Run a Level 1 gap check |
| You receive marked CUI drawings, CAD, specs, or process sheets | Level 2 | Whether the contract requires Self or C3PAO | Map your CUI pathway |
| Contract has DFARS 252.204-7012 and a prime wants an SPRS score | NIST SP 800-171 / SPRS already applies | Your current SPRS score and covered systems | Build or refresh your SSP |
| Subcontract says Level 2 (Self) | Triennial self-assessment + annual affirmation | SPRS posting and affirmation | Readiness + documentation |
| Subcontract says Level 2 (C3PAO) | Third-party certification | Scope, evidence, assessor timing | Get ready before the assessment |
| Prime flows CUI to your outside processor | A flow-down question | Whether the supplier gets CUI or only non-CUI work | Minimize data, flow down correctly |
| Most sensitive CUI / Level 3 stated | Level 3 (after Level 2 C3PAO), DIBCAC-assessed | The program/DoD requirement | Specialist help |
Do machine shops need CMMC compliance?
CMMC stands for Cybersecurity Maturity Model Certification — the Department of Defense program that verifies contractors protect defense information. A machine shop needs it when a DoD contract, subcontract, or prime flow-down requires a CMMC status because the shop handles FCI or CUI. FCI-only work points to Level 1; work involving CUI usually points to Level 2, and the assessment type — self-assessment or third-party — is dictated by the solicitation or subcontract under 32 CFR Part 170.
Most shops don’t get a memo that says “you are now subject to CMMC.” They get a purchase order with a clause, or a portal that asks for an SPRS score, or a drawing with a marking in the corner they’ve never had to think about. The trigger is almost always upstream: a prime says flow-down is coming, or a solicitation arrives with CMMC and DFARS language.
You’re usually a subcontractor — and the requirement flows down to you
Here’s the rule most shops get wrong: you are typically a subcontractor, and CMMC flows down to you directly. The regulation is explicit. Under 32 CFR §170.23, CMMC applies to prime contractors and subcontractors at every tier that will process, store, or transmit FCI or CUI in performance of the work, and primes are required to flow it down. What you specifically owe depends on what you touch.
DCR Level Decision Card — subcontractor flow-down (32 CFR §170.23):
| If your subcontract will… | Your minimum CMMC status |
|---|---|
| Process/store/transmit FCI only (no CUI) | Level 1 (Self) |
| Process/store/transmit CUI | Level 2 (Self), at minimum |
| Handle CUI, and the prime’s contract requires Level 2 (C3PAO) | Level 2 (C3PAO) |
| Handle CUI, and the prime’s contract requires Level 3 (DIBCAC) | Level 2 (C3PAO), at minimum |
That answers a question we hear constantly — “the prime holds the DoD contract, so don’t they handle the compliance?” No. If they send you controlled data, you carry your own obligation.
Do outside processors need CMMC?
If you send work to a heat treater, plating house, or NDT lab, the same logic applies. Whether your outside processor needs CMMC depends on what yousend them: if they receive CUI to perform the work, the requirement flows down to them too; if they only get non-CUI manufacturing instructions, it may not. The practical move is to send the minimum data necessary, flow down requirements correctly, and document what you sent — because their gap can become your problem on a shared part.
What CMMC level does a machine shop need?
For machine shops, the practical decision is between Level 1, Level 2 (Self), and Level 2 (C3PAO). Level 1 covers FCI with 15 basic safeguarding requirements from FAR 52.204-21 and an annual self-assessment. Level 2 covers CUI with the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families, assessed either by self-assessment or by a C3PAO depending on the contract. Level 3 adds 24 selected requirements drawn from NIST SP 800-172 and is assessed by DIBCAC. Most precision and job shops will never see Level 3.
Level 1 — FCI only
Level 2 — CUI
Level 3 — the most sensitive CUI
“Isn’t it Revision 3 now?”
No — and this matters, because some competing guides get it wrong. NIST published SP 800-171 Revision 3 in May 2024, but DoD has notadopted it for CMMC. The CMMC program rule states plainly that “NIST SP 800-171 Revision 3 is not currently applicable to this rule,” and a standing DoD class deviation directs contractors to keep using Revision 2 for assessments today. Build your program around Rev. 2 until DoD amends the rule.
Already know your level? See our breakdown of CMMC Level 2 self-assessment vs. C3PAO so you know which path your contract is putting you on. Still not sure? Use the Find My CMMC Path tool to get to a starting point.
What counts as CUI in a machine shop?
In a machine-shop context, CUI most often appears as Controlled Technical Information (CTI) — technical information with military or space application that is subject to controls on access, use, or dissemination. DFARS 252.204-7012 lists examples including engineering drawings, specifications, standards, process sheets, manuals, technical reports, data sets, studies, and software code. A shop should still confirm markings, contract language, and customer direction before treating any file as CUI or not.
How to tell — look for these signals, in roughly this order of reliability:
- DFARS 252.204-7012 in the contract or PO.The strongest signal that covered defense information obligations are in play. It doesn’t automatically make every file in your shop CUI — you still confirm the specific package by its markings — but if 7012 is in your contract, treat CUI as part of the job until you’ve confirmed otherwise.
- A distribution statement on the drawing. Statement A is essentially public. Statements B through Fmean controlled — that’s your CUI flag.
- CUI markings— a banner and category marking (for example, “CUI//SP-CTI”) in the headers and footers.
- Contract attachments, CDRLs, or data-delivery and CUI-marking instructions — Contract Data Requirements Lists, delivery instructions, or written customer/contracting-officer direction that expressly identify CUI or the required CMMC level.
- Export-control language— “ITAR-controlled,” “export-controlled,” references to the U.S. Munitions List. This changes your cloud decision.
- A DD Form 254— a contract security classification specification. Treat this one as its own flag: if you get a DD 254, do a focused security review, because the contract carries specific security and handling requirements that go beyond an ordinary CUI marking.
What should a machine shop ask its prime before spending money?
Before you buy tools or hire a provider, ask the prime or customer to confirm in writing whether the RFQ package, drawings, generated CAM/G-code, inspection records, and outside-processor work are in scope, and exactly which CMMC level and assessment type are flowed down. Written answers reduce both over-scoping (building a six-figure environment you didn’t need) and under-scoping (mishandling marked data you didn’t realize you had).
The CUI clarification email — copy this:
Subject: CUI / CMMC clarification for [Program / PO #]
Hi [Name],
So we scope and handle your data correctly, can you confirm in writing:
- Is the RFQ/drawing package for [program/part] considered CUI? If so, which CUI category applies?
- Are documents we generatefrom your data — CAM files, G-code, inspection/CMM records — considered CUI for this program?
- May we send any of this information to outside processors (e.g., heat treat, plating, NDT)? If so, under what conditions?
- What markings or distribution controls are required on derived documents and printed travelers?
- What CMMC level and assessment type (Level 2 Self or Level 2 C3PAO) are flowed down to us, and by when?
- Who is the right point of contact for CUI questions on this program?
Thanks — we want to get this right the first time.
Which machine-shop systems are actually in scope?
A system is in scope when it stores, processes, transmits, or protects CUI. The CMMC scoping rules at 32 CFR §170.19sort your environment into five categories — CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets — so “the office network” is rarely the whole boundary.
1. CUI Assets
2. Security Protection Assets (SPAs)
3. Contractor Risk Managed Assets (CRMAs)
4. Specialized Assets
5. Out-of-Scope Assets
The reason this taxonomy is your friend: the smaller your CUI footprint, the fewer assets carry the heavy requirements. That’s the whole game.
The Machine-Shop CUI Pathway & CMMC Scope Matrix
| Workflow / system | Why it’s a scope question | Likely §170.19 treatment | Scope-reduction move | Where to get help (category) |
|---|---|---|---|---|
| RFQ intake (portal/email) | Drawings and specs can be CTI before award | CUI Asset (if CUI lands here) | Route CUI to one controlled intake location; keep it out of general inboxes | Readiness + secure collaboration |
| Estimating workstation | Estimator opens marked drawings pre-award | CUI Asset | Dedicated CUI estimating workflow; no consumer cloud sync | RPO/MSP + enclave |
| CAD workstation | Holds controlled models, tolerances, design data | CUI Asset | Restrict users, isolate storage, log access | MSP / enclave |
| CAM workstation | Generates toolpaths from controlled geometry | CUI Asset (if derivatives are CUI) | Ask the customer; keep derivatives in the controlled pathway until answered | Readiness + technical scoping |
| G-code transfer to CNC | Moves derived technical data to the floor | Depends on the path | Controlled transfer station; no unmanaged USB; segment the floor | MSP/MSSP (OT-aware) |
| CNC controller (embedded Windows) | Legacy OS can’t run modern controls | May be a Specialized Asset | Segment, document, restrict, monitor; avoid storing CUI on it | MSP/MSSP + specialized-asset planning |
| CMM / inspection station | Records can reveal dimensions and performance | CUI Asset (if it holds CUI) | Store inspection packages in the controlled repository | Readiness + QMS integration |
| Printed travelers / shop packets | Paper CUI is still CUI | Physical CUI / media (Media Protection + Physical Protection) | Minimize printing, controlled storage, destruction logs | Readiness / documentation |
| ERP / MRP / QMS attachments | Job records become scope magnets if drawings are attached everywhere | CUI Asset (if CUI is attached) | Link to the controlled repository instead of attaching CUI | ERP/QMS scoping + MSP |
| Email & file sharing | Uncontrolled email spreads CUI fast | CUI Asset | Move CUI to controlled collaboration; train intake rules | Secure collaboration / enclave |
| Backups & disaster recovery | Backups inherit whatever they contain | Security Protection Asset | Encrypt, restrict, test restore, document | MSP/MSSP |
| MSP / RMM / SIEM tools | Providers that protect CUI systems are in scope | Security Protection Asset | Get a responsibility matrix; verify their evidence | CMMC-focused MSP/MSSP |
| Outside processors | Flow-down depends on what they receive | (Their environment) | Send minimum data; flow down correctly; document | Readiness + supplier management |
| Remote OEM machine support | Vendor access can reach CUI systems | Specialized / SPA | Just-in-time access, MFA, logging, segmentation | MSP/MSSP |
| Legacy XP VM / old CAM bridge | Common, hard to secure directly | May be a Specialized Asset | Isolate, remove CUI where possible, document risk treatment | OT-aware MSP + readiness |
Want this mapped to your shop?
Match me with the right provider →Are your CNC machines in scope for CMMC?
CNC machines are not automatically all in scope. A CNC machine becomes a scope question when it stores, processes, transmits, or is reachable from systems that handle CUI — for example, when it receives a G-code program derived from a controlled drawing. Legacy controllers and embedded-Windows machines may be treated as Specialized Assets under 32 CFR §170.19, handled through segmentation, documentation, and access control rather than full control implementation on the machine itself.
The honest part — the one hard truth:
For a lot of shops, the CNC workflow is messier than the office IT — and the assessment boundary is not just Microsoft 365. That program file that runs the part? If it was cut from a controlled drawing, it may be CUI, which means the share it lives on, the USB stick someone uses to walk it to the machine, and the controller itself are suddenly in the conversation. Older controllers running embedded Windows can’t take a modern security agent.
Now the pivot, and it’s genuinely good news: scope is a design decision.You don’t have to turn every machine into a hardened endpoint. A controller that can’t be patched can be treated as a Specialized Asset — you segment it onto its own network, document it, restrict who and what can reach it, and keep CUI off it where you can. A controlled transfer station replaces the free-for-all USB habit. The CAM file stays inside the same walled pathway as the drawing it came from.
Can a machine shop shrink CMMC scope with a CUI enclave?
Yes — if the enclave genuinely contains where CUI is stored, processed, transmitted, and protected. A CUI enclave is a separate, controlled environment that walls CUI off from the rest of the business, and it can reduce assessment scope and cost. But it only works if employees stop copying drawings, models, G-code, and inspection packages back into general email, ERP attachments, uncontrolled shares, USB drives, and shop-floor systems. An enclave reduces scope; it does not, by itself, satisfy all 110 Level 2 requirements.
The enclave strategy — practitioners call it “shrinking the box” — is the highest-leverage cost lever a small shop has. The fewer systems that ever touch CUI, the fewer systems an assessor has to evaluate, and the smaller your remediation bill.
What an enclave can do
Concentrate CUI into one controlled environment (secure collaboration, a hardened virtual desktop, or a dedicated cloud tenant), so your general business network, your accounting, and your non-defense work fall out of scope.
What an enclave cannot do
Enforce discipline for you. If your team keeps downloading drawings to local desktops, attaching specs in ERP, or emailing G-code to the floor, the box leaks. Budget for training, not just the license. And remember — even with a perfect enclave, you still implement the 110 NIST SP 800-171 Rev. 2 requirements inside that boundary.
If your goal is to keep CUI out of the rest of the shop
Compare provider categories →What does CMMC Level 2 actually require for machine shops?
CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families. For machine shops, the demanding parts are usually identity and access control, media protection (including paper and shop-floor data), audit logging, configuration management, incident response, supplier flow-down, and producing evidence that controls actually work in the real shop environment — not just policies on paper.
| NIST SP 800-171 Rev. 2 family | What it looks like in a shop | Evidence an assessor expects |
|---|---|---|
| Access Control | Who can open controlled drawings, reach the CAM share, log into the enclave | Access lists, role definitions, periodic access reviews |
| Awareness & Training | Machinists and estimators know the CUI handling rules | Training records, intake-rules sign-off |
| Audit & Accountability | Logs of who touched CUI systems | Centralized logs, review cadence |
| Configuration Management | Hardened, documented baselines for CAD/CAM and servers | Baseline configs, change records |
| Identification & Authentication | MFA on systems holding CUI | MFA enforcement config |
| Incident Response | A plan if a controlled drawing leaks | IR plan, tabletop test records |
| Maintenance | Controlled remote support for machines and IT | Maintenance logs, vendor access controls |
| Media Protection | Marking, storing, destroying CUI — including printed travelers | Media inventory, destruction logs |
| Personnel Security | Screening for CUI access | Screening records |
| Physical Protection | Locking down where CUI is viewed and printed | Visitor/access logs, controlled-area policy |
| Risk Assessment | Knowing your gaps and vulnerabilities | Vulnerability scans, risk register |
| Security Assessment | Your SSP and POA&M | System Security Plan, POA&M |
| System & Communications Protection | Encryption, network segmentation (including the floor) | Encryption config, network diagram |
| System & Information Integrity | Patching, malware protection where feasible | Patch records, endpoint protection |
The DFARS clauses in your contract, decoded
Four DFARS clauses drive defense cybersecurity obligations, and they predate the CMMC clause. DFARS 252.204-7012 requires safeguarding covered defense information and cyber-incident reporting (effective 2016). DFARS 252.204-7019 and 252.204-7020 (both 2020) require a current NIST SP 800-171 self-assessment score posted in SPRS and give DoD assessment rights, with flow-down to subcontractors. DFARS 252.204-7021 is the CMMC requirement clause, effective November 10, 2025.
DCR Clause-to-Action Table:
| Clause | What it requires | Where it shows up | What to save |
|---|---|---|---|
| DFARS 252.204-7012 (Safeguarding) | Protect covered defense information per NIST SP 800-171; report cyber incidents; meet cloud requirements | Most DoD contracts/POs involving CUI | Your SSP, incident-response plan, cloud agreements |
| DFARS 252.204-7019 (Notice) | Have a current (within 3 years) NIST SP 800-171 self-assessment score posted in SPRS before award | Solicitations; pre-award checks; prime requests for your “SPRS score” | SPRS posting confirmation, assessment date |
| DFARS 252.204-7020 (Assessment requirements) | Allow DoD to verify your assessment; flow the requirement to subcontractors | Same contracts as 7012/7019 | Subcontract flow-down records |
| DFARS 252.204-7021 (CMMC requirement) | Achieve and maintain the required CMMC status + annual affirmations in SPRS, as a condition of award | New solicitations during phased rollout | CMMC status, annual affirmations |
Do machine shops need GCC High, AWS GovCloud, or a CUI enclave?
No single platform is automatically required. If CUI touches a cloud service, the controlling requirement is FedRAMP Moderate authorization — or documented FedRAMP Moderate equivalency — for that service, plus your own configuration, customer responsibility matrix (CRM), and System Security Plan. In the Microsoft stack, GCC may support some CUI use cases when configured appropriately, while export-controlled CUI (such as ITAR data) typically drives GCC High, Azure Government, or an AWS GovCloud-style choice. No license, by itself, makes the shop compliant.
DCR Cloud Decision Evidence Block:
| If your data is… | Likely environment | Why | What to verify before buying |
|---|---|---|---|
| FCI only (no CUI) | Microsoft 365 Commercial or GCC | No CUI in play | That you truly handle no CUI |
| Standard CUI, not export-controlled | Microsoft 365 GCC (FedRAMP Moderate), configured for CUI | Meets the baseline for many CUI use cases | FedRAMP authorization, your CRM, your SSP, configuration |
| Export-controlled CUI (ITAR/EAR) | Microsoft 365 GCC High, Azure Government, or AWS GovCloud | U.S.-person access restrictions; Microsoft’s own guidance says GCC is not appropriate for export-controlled CUI | Authorization, U.S.-person access controls, body of evidence |
| Custom or hosted systems with CUI | GovCloud-style environment | Sovereign cloud for sensitive workloads | The provider’s evidence + your shared-responsibility split |
What does CMMC really cost a machine shop?
There is no single machine-shop CMMC price because scope drives cost — user count, CAD/CAM systems, CNC transfer paths, cloud tools, ERP exposure, legacy systems, current maturity, and assessment type all matter. DoD’s published rulemaking estimate for a small entity is $37,196 over three years for a Level 2 self-assessment and affirmation, and $104,670 over three years for a Level 2 certification assessment and affirmation. Those are assessment and affirmation burden estimates, not turnkey remediation prices.
| Cost component | DoD rulemaking estimate (small entity, 3-yr) | Market range (compiled from 2026 sources) | What to know |
|---|---|---|---|
| Level 1 self-assessment | ~$4,000–$6,000 | Often DIY | No assessor; no POA&Ms allowed |
| Level 2 self-assessment | $37,196 | Varies | Only if your contract permits self-assessment |
| Level 2 C3PAO certification | $104,670 | C3PAO fee alone ~$30k–$80k | DoD’s figure assumes controls are already implemented |
| Gap / readiness assessment | — | ~$10,000–$20,000 | Your first real spend — do it early |
| SSP + documentation | — | ~$12,000–$60,000 | The paperwork is most of the work |
| Remediation / implementation | — | ~$20,000–$150,000+ | Usually the biggest line item |
| CUI enclave | — | ~$300–$400/user/mo (or ~$3k–$4k/mo) | “Shrink the box” to cut this |
| GCC vs. GCC High licensing | — | GCC High carries a meaningful premium | ITAR data forces the higher tier |
| Consultant / vCISO | — | ~$250–$400/hour | |
| All-in first cycle (small shop, Level 2) | — | ~$50,000–$150,000+ | Scope and starting maturity drive the spread |
Free and low-cost help — and potential cost recovery:
Cost is the objection that stops most shops cold
Get matched with a readiness provider →How long does CMMC take — and why November 10, 2026 is the deadline that matters
Plan on roughly 6 to 18 monthsfor Level 2 readiness, depending on starting maturity and scope. The date that matters for most shops is not Phase 1 — it’s Phase 2, which begins November 10, 2026, when CMMC Level 2 (C3PAO) certification becomes the standard for applicable contracts under 32 CFR §170.3(e). With a limited pool of authorized assessors and assessment lead times that industry reporting describes as months to more than a year, a shop starting today is cutting it close for Phase 2.
- Phase 1 (Nov. 10, 2025 – Nov. 9, 2026): Level 1 and Level 2 self-assessments appear as conditions of award. DoD can require Level 2 (C3PAO) on select contracts at its discretion.
- Phase 2 (begins Nov. 10, 2026):Level 2 (C3PAO) certification becomes the standard for applicable contracts. For contracts that require it, a self-assessment will not be enough — you’ll need a current Level 2 (C3PAO) status.
- Phase 3 (begins Nov. 10, 2027): Level 2 (C3PAO) extends to more contracts; Level 3 (DIBCAC) is introduced for high-priority programs.
- Phase 4 (begins Nov. 10, 2028): Full implementation across applicable contracts.
State of the Cyber AB Marketplace — what we found
As of early-to-mid 2026, the Cyber AB Marketplace listed roughly 100 authorized C3PAOs, and industry analyses estimate only about 1% of the defense industrial base (out of an estimated 80,000+ organizations expected to need Level 2) has reached Level 2 certification. (These figures move — verify the current count directly at cyberab.org before you rely on them.) A shop that starts its readiness work today is already racing the clock if it needs a C3PAO for a Phase 2 contract. That’s not a sales tactic. It’s arithmetic.
A realistic timeline by where you’re starting:
- 0–30 days: Gather clauses, map CUI, send the prime-clarification email, run an initial gap check.
- 30–90 days: Make the scope decision (enclave vs. broader remediation), draft the SSP, select tools/providers.
- 90–180 days: Remediate, collect evidence, train staff, sort out supplier flow-down.
- 180+ days: Assessment prep, C3PAO scheduling, POA&M closeout.
Which type of CMMC provider does a machine shop need?
Most machine shops should not start with a C3PAO unless they are already assessment-ready. The usual sequence is readiness and scoping first, then implementation or managed compliance, then evidence workflow, and only then a C3PAO if the contract requires Level 2 certification. This is where shops waste money: they call an assessor first, when they actually need a roadmap.
| If your shop is… | Start with… | Don’t start with… |
|---|---|---|
| Unsure whether files are even CUI | Readiness / scoping (RPO) | A C3PAO quote |
| Running with no internal IT | A CMMC-focused MSP/MSSP | A GRC tool by itself |
| Drowning in drawings everywhere | Enclave + workflow redesign | A whole-shop tool purchase |
| Already implemented the 110 controls | C3PAO readiness review, then assessor selection | Another generic gap assessment |
| Strong on tech, weak on documentation | GRC / evidence workflow | Assuming folders of screenshots suffice |
| Sending CUI to outside processors | A supplier flow-down plan | Ignoring subcontractor scope |
RPO / readiness consultant
CMMC-focused MSP/MSSP
CUI enclave / secure collaboration provider
GRC / evidence software
C3PAO
The independence rule is not optional
Per the Cyber AB CMMC Assessment Process (CAP v2.0), a C3PAO must manage impartiality and identify conflicts of interest. An assessor who helped an organization prepare can’t also assess that same organization. The CAP also prohibits assessment agreements that guarantee a result or tie payment to issuing a certificate. If anyone guarantees you’ll pass, that’s a red flag — walk away. (See RPO vs. C3PAO.)
This is the decision most shops get backwards
Match me with source-checked provider options →Your first 30 days: what to do before you spend a dollar
The first 30 days should not start with buying software. They should start with collecting clauses, identifying CUI, mapping where that data enters and moves through the shop, separating CUI from general systems where possible, and choosing the right provider category for your actual stage. Mapping before buying is what prevents both an over-built environment and a non-compliant one.
Work this list in order:
- Gather the paperwork. Contracts, POs, RFQs, flow-down letters, CUI markings, and any SPRS requests. Put them in one place.
- Identify who opens customer technical data. Estimators, programmers, quality — anyone who receives drawings.
- Map the data path.RFQ → estimating → CAD/CAM → CNC transfer → inspection → shipment. Draw it.
- Mark which systems store, process, or transmit CUI. Use the five §170.19 categories above.
- Send the prime-clarification email (the template is above). Get answers in writing.
- Decide your scope strategy— enclave, managed compliance, or broader remediation.
- Build or refresh your SSP and asset inventory.
- Run a gap assessment before you hire a C3PAO.
- Create a supplier/outside-processor flow-down plan.
- Set a 90-day remediation plan with owners and dates.
Want a head start you can use today?
Download the Machine Shop Readiness Checklist →The biggest CMMC mistakes machine shops make
The most expensive machine-shop CMMC mistakes are under-scoping CUI (missing controlled drawings), over-scoping the whole business, buying tools before mapping data, treating CNC machines as either fully in scope or fully invisible, confusing readiness with certification, and hiring a C3PAO before evidence is ready. Inflating your SPRS score also carries real legal exposure under the False Claims Act.
- “We don’t have CUI”— said without ever checking the drawings, specs, or flow-down. Check first.
- Letting CUI sprawl through email, ERP attachments, and shared drives until the whole network is in scope.
- Treating CNC machines as all-in or all-out.Many are Specialized Assets — segment and document, don’t ignore.
- Mistaking a policy binder for implementation. Assessors test, interview, and ask for evidence.
- Hiring the assessor first. Readiness and remediation come before the C3PAO.
- Using a generic MSP with no CUI/CMMC experience. The shared-responsibility gaps surface during assessment.
- Sending CUI to outside processors without flow-down clarity.
- Pasting controlled drawings into public AI tools or unapproved quoting apps. That’s an uncontrolled transmission of CUI.
Inflating your SPRS score carries False Claims Act risk
The U.S. Department of Justice runs a Civil Cyber-Fraud Initiative (launched in 2021) that uses the False Claims Act to pursue contractors who misrepresent their cybersecurity compliance. In 2025, DoD contractor MORSE Corp agreed to a $4.6 million settlementafter, among other things, submitting a NIST SP 800-171 score in SPRS far higher than a third-party consultant later calculated and using a third-party email host that didn’t meet FedRAMP-equivalent security. When a senior official affirms your status in SPRS, that’s a representation to the government. Affirm what’s true, document it, and don’t round up your score.
What if your shop only has one defense customer?
A single defense customer can still trigger full Level 2 obligations if the shop handles CUI, but the business decision is different. The right question isn’t only “what does CMMC require?” — it’s “is this defense revenue worth the scope, remediation, operating cost, and customer-concentration risk?” As the rules take effect, some small suppliers are reaching exactly that decision point.
If defense work is a small slice of your revenue and it brings full Level 2 (C3PAO) obligations, you have a real decision to make. Two honest paths:
Stay in, but shrink the box
Walk away — deliberately
What you should not do is freeze. Map your CUI, get a real scoped number, and decide with eyes open. See our CMMC cost for small defense contractors breakdown, then use a readiness match for a scoped estimate.
Public case studies: shops and manufacturers that documented a CMMC path
| Company | Type | Starting point | What they did | Outcome (as publicly reported) | Source |
|---|---|---|---|---|---|
| JD Machine (Ogden, UT) | Precision machine shop | Needed Level 2 for defense work | Kept Microsoft 365, added a FedRAMP-authorized data-security platform + on-prem; data-centric scope | Announced CMMC Level 2 certification (Jan. 2026) | Company announcement |
| Nelson Engineering (AZ) | Aerospace manufacturer, limited internal IT | Needed Level 2 readiness | Fixed-price Arizona MEP engagement: gap assessment, SSP, draft POA&M, roadmap | Readiness work completed; retained sales and jobs | NIST MEP case study |
| embeddedTS (AZ) | Embedded-systems manufacturer | Expected to harden the whole facility | Used an MEP gap assessment to find where FCI/CUI actually lived | Reduced, streamlined path; certification a future step | NIST MEP case study |
| Certified Manufacturing Inc. | Woman-owned, AS9100, no full-time IT | Needed NIST 800-171/CMMC readiness | FloridaMakes / NIST MEP pilot support | Readiness assistance reported | NIST MEP case study |
CMMC compliance for machine shops: FAQ
Does a small machine shop need CMMC?
What CMMC level does a machine shop need?
Are CAD drawings CUI?
Are G-code files CUI?
Are CNC machines in scope for CMMC?
Can a machine shop use Level 1 only?
Do subcontractor machine shops need CMMC?
Do outside processors need CMMC?
Is CMMC Level 2 always a C3PAO assessment?
Do I need to post an SPRS score?
Is NIST SP 800-171 Revision 3 required for CMMC?
Do I need GCC High?
Can an enclave reduce CMMC cost?
Can my C3PAO help me fix my gaps?
What should I do first if a prime asks about CMMC?
Need help deciding what type of CMMC provider you need?
Find My CMMC Path →Which provider category fits your situation
- RPO/RP (Registered Provider Organization / Registered Practitioner) — if you need to map where CUI enters your shop, scope CNC and specialized assets, and build readiness before any assessment.
- MSSP / MSP (Managed Security Service Provider)— if you need someone to run and sustain the IT and security controls a small shop can’t staff internally.
- CUI enclave— if you can wall off drawings, CAD/CAM, and specs so the whole floor isn’t dragged into scope.
- GRC platform— if you need to keep your SSP and control evidence in one system of record.
- C3PAO (Certified Third-Party Assessment Organization) — engage for a Level 2 (C3PAO) certification once you’re assessment-ready. You don’t need a C3PAO yet if you’re FCI-only, still scoping, or have only a Level 2 (Self) requirement.
Related guides
- CMMC Managed Enclaves: Scope Reduction Guide
- CMMC Compliance for Manufacturers
- CMMC for Engineering Firms
- CMMC Level 1 vs Level 2: Which One Applies?
- CMMC Level 2 Cost: What Small Contractors Actually Pay
- CMMC for Small Defense Contractors
- CMMC Gap Assessment: What to Expect
- CMMC External Service Provider Requirements
- GCC High for CMMC: When You Need It and When You Don’t
- The CMMC Phases and What They Mean for Your Contracts
Find My CMMC Path
The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.
Find My CMMC Path →