The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
Find my machine shop CMMC path
No CUI uploads. No provider routing until your scope is clearer.
Start →
Phase 1 (Nov. 10, 2025–Nov. 9, 2026): Level 1 and Level 2 self-assessments required; DoD may add Level 2 C3PAO at its discretion. Phase 2 (begins Nov. 10, 2026): Level 2 C3PAO certification becomes the standard for applicable contracts. Phase details →

CMMC Compliance for Machine Shops: What’s in Scope, What Level You Need, and What It Costs

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance

Last verified: · Published:

General information for the defense industrial base — not legal, contractual, audit, or compliance advice. Not affiliated with DoD, The Cyber AB, DCMA DIBCAC, NIST, or any U.S. government agency. Your solicitation, contract, subcontract, and contracting officer guidance control what applies to you.


If one of your primes just said “CMMC is coming” — or a new solicitation showed up with cybersecurity language you’ve never had to read before — here’s the two minutes to spend before you call a single vendor.

Bottom line up front: CMMC compliance for machine shops usually becomes a Level 2problem the moment your shop receives, stores, processes, or transmits Controlled Unclassified Information (CUI) — most often defense technical drawings, CAD/CAM files, specifications, or inspection data tied to a controlled program. If your shop only touches Federal Contract Information (FCI) — basic non-public contract information, no controlled drawings — Level 1 may be all you need. And if you handle no DoD FCI or CUI at all, CMMC may not apply to you yet.

Here’s the part nobody tells you, and the reason this page exists: your CMMC cost is really your scope cost.Map where CUI actually enters and moves through your shop, and you can often wall it off — instead of dragging every CNC, every workstation, and every backup into the assessment boundary. Below, we’ll show you exactly which parts of a machine shop touch CUI, what you can keep out of scope, what it really costs, and who to talk to first.

We’re an independent trade publication on CMMC 2.0 and DIB compliance, and everything here is checked against the primary sources — the Federal Register, 32 CFR Part 170, the DFARS clauses, NIST, the DoD CIO’s CMMC materials, and the Cyber AB — and dated so you can verify it yourself.

Last reviewed June 2026

In short: a machine shop usually becomes a CMMC Level 2 problem the moment it receives, stores, processes, or transmits Controlled Unclassified Information — typically defense drawings, CAD/CAM files, or specifications. Shops touching only Federal Contract Information may need just Level 1, and shops handling no DoD FCI or CUI may not be in scope yet.

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find My CMMC Path →

Find your likely path in one screen

Your shop’s situationLikely CMMC path to investigateVerify this firstBest next step
No DoD work, no FCI, no CUICMMC may not applyThat you have no DoD contract or flow-downRead the basics, move on
DoD work, FCI only (no controlled drawings)Level 1, annual self-assessmentThat you truly receive no CUIRun a Level 1 gap check
You receive marked CUI drawings, CAD, specs, or process sheetsLevel 2Whether the contract requires Self or C3PAOMap your CUI pathway
Contract has DFARS 252.204-7012 and a prime wants an SPRS scoreNIST SP 800-171 / SPRS already appliesYour current SPRS score and covered systemsBuild or refresh your SSP
Subcontract says Level 2 (Self)Triennial self-assessment + annual affirmationSPRS posting and affirmationReadiness + documentation
Subcontract says Level 2 (C3PAO)Third-party certificationScope, evidence, assessor timingGet ready before the assessment
Prime flows CUI to your outside processorA flow-down questionWhether the supplier gets CUI or only non-CUI workMinimize data, flow down correctly
Most sensitive CUI / Level 3 statedLevel 3 (after Level 2 C3PAO), DIBCAC-assessedThe program/DoD requirementSpecialist help

Not sure which row is you? Our Find My CMMC Path tool asks a handful of questions about how your shop quotes, programs, and ships work — no file uploads, no CUI — and points you to your likely level and the right kind of help to call first.

What we verified, and when

We read 32 CFR Part 170 in the eCFR (including the scoping rules at §170.19 and the phase schedule at §170.3(e)); FAR 52.204-21; the DFARS final rule in the Federal Register (DFARS Case 2019-D041, published Sept. 10, 2025, effective Nov. 10, 2025); the DoD CIO’s CMMC materials; and recent Cyber AB Marketplace data. Last verified: . General information for the defense industrial base — not legal, contractual, audit, or compliance advice.

Do machine shops need CMMC compliance?

CMMC stands for Cybersecurity Maturity Model Certification — the Department of Defense program that verifies contractors protect defense information. A machine shop needs it when a DoD contract, subcontract, or prime flow-down requires a CMMC status because the shop handles FCI or CUI. FCI-only work points to Level 1; work involving CUI usually points to Level 2, and the assessment type — self-assessment or third-party — is dictated by the solicitation or subcontract under 32 CFR Part 170.

Most shops don’t get a memo that says “you are now subject to CMMC.” They get a purchase order with a clause, or a portal that asks for an SPRS score, or a drawing with a marking in the corner they’ve never had to think about. The trigger is almost always upstream: a prime says flow-down is coming, or a solicitation arrives with CMMC and DFARS language.

The instinct — “we just make parts, this is an IT thing” — is exactly the trap. CMMC doesn’t care that you run mills and lathes. It cares about the information that rides along with the work. If your customer’s data lands in your shop and that data is controlled, you’re in the program.

You’re usually a subcontractor — and the requirement flows down to you

Here’s the rule most shops get wrong: you are typically a subcontractor, and CMMC flows down to you directly. The regulation is explicit. Under 32 CFR §170.23, CMMC applies to prime contractors and subcontractors at every tier that will process, store, or transmit FCI or CUI in performance of the work, and primes are required to flow it down. What you specifically owe depends on what you touch.

DCR Level Decision Card — subcontractor flow-down (32 CFR §170.23):

If your subcontract will…Your minimum CMMC status
Process/store/transmit FCI only (no CUI)Level 1 (Self)
Process/store/transmit CUILevel 2 (Self), at minimum
Handle CUI, and the prime’s contract requires Level 2 (C3PAO)Level 2 (C3PAO)
Handle CUI, and the prime’s contract requires Level 3 (DIBCAC)Level 2 (C3PAO), at minimum

That answers a question we hear constantly — “the prime holds the DoD contract, so don’t they handle the compliance?” No. If they send you controlled data, you carry your own obligation.

Do outside processors need CMMC?

If you send work to a heat treater, plating house, or NDT lab, the same logic applies. Whether your outside processor needs CMMC depends on what yousend them: if they receive CUI to perform the work, the requirement flows down to them too; if they only get non-CUI manufacturing instructions, it may not. The practical move is to send the minimum data necessary, flow down requirements correctly, and document what you sent — because their gap can become your problem on a shared part.


What CMMC level does a machine shop need?

For machine shops, the practical decision is between Level 1, Level 2 (Self), and Level 2 (C3PAO). Level 1 covers FCI with 15 basic safeguarding requirements from FAR 52.204-21 and an annual self-assessment. Level 2 covers CUI with the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families, assessed either by self-assessment or by a C3PAO depending on the contract. Level 3 adds 24 selected requirements drawn from NIST SP 800-172 and is assessed by DIBCAC. Most precision and job shops will never see Level 3.

Level 1 — FCI only

The floor. Fifteen basic requirements, drawn straight from FAR clause 52.204-21, across six areas like access control and media protection. You self-assess once a year, a senior official affirms it in SPRS, and you move on. One catch worth knowing: at Level 1, no Plans of Action and Milestones (POA&Ms) are allowed. You either meet all 15 or you don’t.

Level 2 — CUI

This is where most defense machine shops land. All 110 requirements from NIST SP 800-171 Revision 2, across 14 families — multi-factor authentication, encryption of CUI, audit logging, configuration management, incident response, and more. Whether you can self-assess or must pass a C3PAO assessment is set by the contract, not by your size or preference. POA&Ms are allowed at Level 2, but only for limited items, and they must be closed within 180 days.

Level 3 — the most sensitive CUI

You first achieve Level 2 (C3PAO), then meet 24 additional requirements selected from NIST SP 800-172, assessed by DIBCAC. Most precision and job shops will never see Level 3 unless they’re deep into a sensitive program.

The single most important thing to internalize: your level is set by the data you touch, not by your headcount or revenue. A five-person shop handling CUI faces the same 110 requirements as a billion-dollar prime. There is no “small-business lite” version.

“Isn’t it Revision 3 now?”

No — and this matters, because some competing guides get it wrong. NIST published SP 800-171 Revision 3 in May 2024, but DoD has notadopted it for CMMC. The CMMC program rule states plainly that “NIST SP 800-171 Revision 3 is not currently applicable to this rule,” and a standing DoD class deviation directs contractors to keep using Revision 2 for assessments today. Build your program around Rev. 2 until DoD amends the rule.

Already know your level? See our breakdown of CMMC Level 2 self-assessment vs. C3PAO so you know which path your contract is putting you on. Still not sure? Use the Find My CMMC Path tool to get to a starting point.


What counts as CUI in a machine shop?

In a machine-shop context, CUI most often appears as Controlled Technical Information (CTI) — technical information with military or space application that is subject to controls on access, use, or dissemination. DFARS 252.204-7012 lists examples including engineering drawings, specifications, standards, process sheets, manuals, technical reports, data sets, studies, and software code. A shop should still confirm markings, contract language, and customer direction before treating any file as CUI or not.

CUI is not a vibe. It’s a category the government defines and, ideally, marks. Don’t assume every document in your shop is CUI, and don’t assume none of it is. The disciplined move is to ask — in writing.

How to tell — look for these signals, in roughly this order of reliability:


What should a machine shop ask its prime before spending money?

Before you buy tools or hire a provider, ask the prime or customer to confirm in writing whether the RFQ package, drawings, generated CAM/G-code, inspection records, and outside-processor work are in scope, and exactly which CMMC level and assessment type are flowed down. Written answers reduce both over-scoping (building a six-figure environment you didn’t need) and under-scoping (mishandling marked data you didn’t realize you had).

This single step has saved shops more money than any tool purchase. Copy the template below.

The CUI clarification email — copy this:

Subject: CUI / CMMC clarification for [Program / PO #]


Hi [Name],


So we scope and handle your data correctly, can you confirm in writing:

  1. Is the RFQ/drawing package for [program/part] considered CUI? If so, which CUI category applies?
  2. Are documents we generatefrom your data — CAM files, G-code, inspection/CMM records — considered CUI for this program?
  3. May we send any of this information to outside processors (e.g., heat treat, plating, NDT)? If so, under what conditions?
  4. What markings or distribution controls are required on derived documents and printed travelers?
  5. What CMMC level and assessment type (Level 2 Self or Level 2 C3PAO) are flowed down to us, and by when?
  6. Who is the right point of contact for CUI questions on this program?

Thanks — we want to get this right the first time.


Which machine-shop systems are actually in scope?

A system is in scope when it stores, processes, transmits, or protects CUI. The CMMC scoping rules at 32 CFR §170.19sort your environment into five categories — CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets — so “the office network” is rarely the whole boundary.

1. CUI Assets

Anything that stores, processes, or transmits CUI: the drawing repository, the CAD station holding controlled models, the share where toolpaths live. These get the full set of Level 2 requirements.

2. Security Protection Assets (SPAs)

Things that protect CUI even if they don’t hold it: your firewall, your SIEM, your identity provider, your backup system, your managed IT provider’s tools. In scope for requirements relevant to their protective function.

3. Contractor Risk Managed Assets (CRMAs)

Assets that can, but are not intended to, process, store, or transmit CUI because of your security policies. You document them in your asset inventory, SSP, and network diagram. If documentation is sufficient, assessors review the plan rather than testing the asset against every Level 2 requirement.

4. Specialized Assets

Assets that can process, store, or transmit CUI but can’t be fully secured: IoT, operational technology, government-furnished equipment, restricted information systems, test equipment. Many older CNC controllers and embedded shop-floor systems fit here — but don’t assume every CNC is automatically a Specialized Asset; it depends on whether it touches CUI and how it’s managed.

5. Out-of-Scope Assets

Assets that can’t process, store, or transmit CUI and don’t protect CUI assets. Be ready to justify that inability.

The reason this taxonomy is your friend: the smaller your CUI footprint, the fewer assets carry the heavy requirements. That’s the whole game.

Now trace the data path: Customer portal / RFQ → estimating → CAD → CAM → controlled transfer → CNC → CMM/inspection → ERP/QMS → delivery package. How we built this matrix: we cross-checked the scoping categories in 32 CFR §170.19, the covered-defense-information and CTI definitions in DFARS 252.204-7012, the DoD/NARA CUI Registry, and the Cyber AB CMMC Assessment Process (CAP v2.0), then mapped them to a real machine-shop workflow.

The Machine-Shop CUI Pathway & CMMC Scope Matrix

Workflow / systemWhy it’s a scope questionLikely §170.19 treatmentScope-reduction moveWhere to get help (category)
RFQ intake (portal/email)Drawings and specs can be CTI before awardCUI Asset (if CUI lands here)Route CUI to one controlled intake location; keep it out of general inboxesReadiness + secure collaboration
Estimating workstationEstimator opens marked drawings pre-awardCUI AssetDedicated CUI estimating workflow; no consumer cloud syncRPO/MSP + enclave
CAD workstationHolds controlled models, tolerances, design dataCUI AssetRestrict users, isolate storage, log accessMSP / enclave
CAM workstationGenerates toolpaths from controlled geometryCUI Asset (if derivatives are CUI)Ask the customer; keep derivatives in the controlled pathway until answeredReadiness + technical scoping
G-code transfer to CNCMoves derived technical data to the floorDepends on the pathControlled transfer station; no unmanaged USB; segment the floorMSP/MSSP (OT-aware)
CNC controller (embedded Windows)Legacy OS can’t run modern controlsMay be a Specialized AssetSegment, document, restrict, monitor; avoid storing CUI on itMSP/MSSP + specialized-asset planning
CMM / inspection stationRecords can reveal dimensions and performanceCUI Asset (if it holds CUI)Store inspection packages in the controlled repositoryReadiness + QMS integration
Printed travelers / shop packetsPaper CUI is still CUIPhysical CUI / media (Media Protection + Physical Protection)Minimize printing, controlled storage, destruction logsReadiness / documentation
ERP / MRP / QMS attachmentsJob records become scope magnets if drawings are attached everywhereCUI Asset (if CUI is attached)Link to the controlled repository instead of attaching CUIERP/QMS scoping + MSP
Email & file sharingUncontrolled email spreads CUI fastCUI AssetMove CUI to controlled collaboration; train intake rulesSecure collaboration / enclave
Backups & disaster recoveryBackups inherit whatever they containSecurity Protection AssetEncrypt, restrict, test restore, documentMSP/MSSP
MSP / RMM / SIEM toolsProviders that protect CUI systems are in scopeSecurity Protection AssetGet a responsibility matrix; verify their evidenceCMMC-focused MSP/MSSP
Outside processorsFlow-down depends on what they receive(Their environment)Send minimum data; flow down correctly; documentReadiness + supplier management
Remote OEM machine supportVendor access can reach CUI systemsSpecialized / SPAJust-in-time access, MFA, logging, segmentationMSP/MSSP
Legacy XP VM / old CAM bridgeCommon, hard to secure directlyMay be a Specialized AssetIsolate, remove CUI where possible, document risk treatmentOT-aware MSP + readiness

Want this mapped to your shop?

Tell us your level, your systems, and where CUI flows, and we’ll match you with source-checked provider categories that fit your scope — not the wrong tool for the wrong stage. No CUI uploads.

Match me with the right provider →

Are your CNC machines in scope for CMMC?

CNC machines are not automatically all in scope. A CNC machine becomes a scope question when it stores, processes, transmits, or is reachable from systems that handle CUI — for example, when it receives a G-code program derived from a controlled drawing. Legacy controllers and embedded-Windows machines may be treated as Specialized Assets under 32 CFR §170.19, handled through segmentation, documentation, and access control rather than full control implementation on the machine itself.

The honest part — the one hard truth:

For a lot of shops, the CNC workflow is messier than the office IT — and the assessment boundary is not just Microsoft 365. That program file that runs the part? If it was cut from a controlled drawing, it may be CUI, which means the share it lives on, the USB stick someone uses to walk it to the machine, and the controller itself are suddenly in the conversation. Older controllers running embedded Windows can’t take a modern security agent.

Now the pivot, and it’s genuinely good news: scope is a design decision.You don’t have to turn every machine into a hardened endpoint. A controller that can’t be patched can be treated as a Specialized Asset — you segment it onto its own network, document it, restrict who and what can reach it, and keep CUI off it where you can. A controlled transfer station replaces the free-for-all USB habit. The CAM file stays inside the same walled pathway as the drawing it came from.

This is exactly what one Arizona manufacturer found. As documented in a NIST Manufacturing Extension Partnership (MEP) case study, embeddedTS initially believed it would have to “harden” its entire facility — a cost-prohibitive path. A structured gap assessment instead pinpointed where FCI and CUI actually lived, and the result was a streamlined, lower-cost plan that protected the data without rebuilding the whole company. That’s the difference between scoping and panicking.


Can a machine shop shrink CMMC scope with a CUI enclave?

Yes — if the enclave genuinely contains where CUI is stored, processed, transmitted, and protected. A CUI enclave is a separate, controlled environment that walls CUI off from the rest of the business, and it can reduce assessment scope and cost. But it only works if employees stop copying drawings, models, G-code, and inspection packages back into general email, ERP attachments, uncontrolled shares, USB drives, and shop-floor systems. An enclave reduces scope; it does not, by itself, satisfy all 110 Level 2 requirements.

The enclave strategy — practitioners call it “shrinking the box” — is the highest-leverage cost lever a small shop has. The fewer systems that ever touch CUI, the fewer systems an assessor has to evaluate, and the smaller your remediation bill.

What an enclave can do

Concentrate CUI into one controlled environment (secure collaboration, a hardened virtual desktop, or a dedicated cloud tenant), so your general business network, your accounting, and your non-defense work fall out of scope.

What an enclave cannot do

Enforce discipline for you. If your team keeps downloading drawings to local desktops, attaching specs in ERP, or emailing G-code to the floor, the box leaks. Budget for training, not just the license. And remember — even with a perfect enclave, you still implement the 110 NIST SP 800-171 Rev. 2 requirements inside that boundary.

A recent concrete example: JD Machine, a precision component manufacturer in Ogden, Utah, announced its CMMC Level 2 certification in January 2026. Per the company’s announcement, it met the 110 controls by keeping its existing Microsoft 365 tools and adding a FedRAMP-authorized data-security platform plus on-premises infrastructure — focusing on controlling the datarather than rebuilding everything. (One company’s publicly announced outcome, not a typical or guaranteed result — but a useful illustration of the strategy.)

If your goal is to keep CUI out of the rest of the shop

Compare enclave and managed-compliance provider categories before you buy a single tool — the right scope decision comes first.

Compare provider categories →

What does CMMC Level 2 actually require for machine shops?

CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families. For machine shops, the demanding parts are usually identity and access control, media protection (including paper and shop-floor data), audit logging, configuration management, incident response, supplier flow-down, and producing evidence that controls actually work in the real shop environment — not just policies on paper.

A policy binder is not compliance. An assessor confirms that controls are implemented, through documentation, interviews, and testing.

NIST SP 800-171 Rev. 2 familyWhat it looks like in a shopEvidence an assessor expects
Access ControlWho can open controlled drawings, reach the CAM share, log into the enclaveAccess lists, role definitions, periodic access reviews
Awareness & TrainingMachinists and estimators know the CUI handling rulesTraining records, intake-rules sign-off
Audit & AccountabilityLogs of who touched CUI systemsCentralized logs, review cadence
Configuration ManagementHardened, documented baselines for CAD/CAM and serversBaseline configs, change records
Identification & AuthenticationMFA on systems holding CUIMFA enforcement config
Incident ResponseA plan if a controlled drawing leaksIR plan, tabletop test records
MaintenanceControlled remote support for machines and ITMaintenance logs, vendor access controls
Media ProtectionMarking, storing, destroying CUI — including printed travelersMedia inventory, destruction logs
Personnel SecurityScreening for CUI accessScreening records
Physical ProtectionLocking down where CUI is viewed and printedVisitor/access logs, controlled-area policy
Risk AssessmentKnowing your gaps and vulnerabilitiesVulnerability scans, risk register
Security AssessmentYour SSP and POA&MSystem Security Plan, POA&M
System & Communications ProtectionEncryption, network segmentation (including the floor)Encryption config, network diagram
System & Information IntegrityPatching, malware protection where feasiblePatch records, endpoint protection

The two artifacts everything hangs on are the System Security Plan (SSP)— your documented description of scope, systems, and how each requirement is met — and the POA&M— your plan to close any remaining gaps. If you build nothing else first, build these two. See our CMMC Level 2 requirements guide.


The DFARS clauses in your contract, decoded

Four DFARS clauses drive defense cybersecurity obligations, and they predate the CMMC clause. DFARS 252.204-7012 requires safeguarding covered defense information and cyber-incident reporting (effective 2016). DFARS 252.204-7019 and 252.204-7020 (both 2020) require a current NIST SP 800-171 self-assessment score posted in SPRS and give DoD assessment rights, with flow-down to subcontractors. DFARS 252.204-7021 is the CMMC requirement clause, effective November 10, 2025.

DCR Clause-to-Action Table:

ClauseWhat it requiresWhere it shows upWhat to save
DFARS 252.204-7012 (Safeguarding)Protect covered defense information per NIST SP 800-171; report cyber incidents; meet cloud requirementsMost DoD contracts/POs involving CUIYour SSP, incident-response plan, cloud agreements
DFARS 252.204-7019 (Notice)Have a current (within 3 years) NIST SP 800-171 self-assessment score posted in SPRS before awardSolicitations; pre-award checks; prime requests for your “SPRS score”SPRS posting confirmation, assessment date
DFARS 252.204-7020 (Assessment requirements)Allow DoD to verify your assessment; flow the requirement to subcontractorsSame contracts as 7012/7019Subcontract flow-down records
DFARS 252.204-7021 (CMMC requirement)Achieve and maintain the required CMMC status + annual affirmations in SPRS, as a condition of awardNew solicitations during phased rolloutCMMC status, annual affirmations

The takeaway shops miss: even if the CMMC clause (7021) isn’t in your contract yet, the 7012/7019/7020 stack may already obligate you to a NIST SP 800-171 self-assessment and a posted SPRS score — that obligation has existed since November 2020. Many shops are non-compliant on requirements they already had. For more, see our guides to the SPRS score.


Do machine shops need GCC High, AWS GovCloud, or a CUI enclave?

No single platform is automatically required. If CUI touches a cloud service, the controlling requirement is FedRAMP Moderate authorization — or documented FedRAMP Moderate equivalency — for that service, plus your own configuration, customer responsibility matrix (CRM), and System Security Plan. In the Microsoft stack, GCC may support some CUI use cases when configured appropriately, while export-controlled CUI (such as ITAR data) typically drives GCC High, Azure Government, or an AWS GovCloud-style choice. No license, by itself, makes the shop compliant.

DCR Cloud Decision Evidence Block:

If your data is…Likely environmentWhyWhat to verify before buying
FCI only (no CUI)Microsoft 365 Commercial or GCCNo CUI in playThat you truly handle no CUI
Standard CUI, not export-controlledMicrosoft 365 GCC (FedRAMP Moderate), configured for CUIMeets the baseline for many CUI use casesFedRAMP authorization, your CRM, your SSP, configuration
Export-controlled CUI (ITAR/EAR)Microsoft 365 GCC High, Azure Government, or AWS GovCloudU.S.-person access restrictions; Microsoft’s own guidance says GCC is not appropriate for export-controlled CUIAuthorization, U.S.-person access controls, body of evidence
Custom or hosted systems with CUIGovCloud-style environmentSovereign cloud for sensitive workloadsThe provider’s evidence + your shared-responsibility split

Don’t let a vendor sell you GCC High if all you have is standard CUI — it typically carries a meaningful licensing and migration premium over Commercial (often roughly 30–50% more per user per market estimates). But if your drawings are export-controlled, the U.S.-person access restriction usually points you to GCC High or GovCloud. Read our GCC High for CMMC breakdown and AWS GovCloud for CMMC, then get matched with a provider category before you commit to a license.


What does CMMC really cost a machine shop?

There is no single machine-shop CMMC price because scope drives cost — user count, CAD/CAM systems, CNC transfer paths, cloud tools, ERP exposure, legacy systems, current maturity, and assessment type all matter. DoD’s published rulemaking estimate for a small entity is $37,196 over three years for a Level 2 self-assessment and affirmation, and $104,670 over three years for a Level 2 certification assessment and affirmation. Those are assessment and affirmation burden estimates, not turnkey remediation prices.

Cost componentDoD rulemaking estimate (small entity, 3-yr)Market range (compiled from 2026 sources)What to know
Level 1 self-assessment~$4,000–$6,000Often DIYNo assessor; no POA&Ms allowed
Level 2 self-assessment$37,196VariesOnly if your contract permits self-assessment
Level 2 C3PAO certification$104,670C3PAO fee alone ~$30k–$80kDoD’s figure assumes controls are already implemented
Gap / readiness assessment~$10,000–$20,000Your first real spend — do it early
SSP + documentation~$12,000–$60,000The paperwork is most of the work
Remediation / implementation~$20,000–$150,000+Usually the biggest line item
CUI enclave~$300–$400/user/mo (or ~$3k–$4k/mo)“Shrink the box” to cut this
GCC vs. GCC High licensingGCC High carries a meaningful premiumITAR data forces the higher tier
Consultant / vCISO~$250–$400/hour
All-in first cycle (small shop, Level 2)~$50,000–$150,000+Scope and starting maturity drive the spread

DoD figures from the CMMC program rule’s Regulatory Impact Analysis; cover assessment and affirmation burden only — treat as a floor, not a turnkey quote. Market ranges compiled from published 2026 provider and industry cost analyses; directional planning figures, not quotes. Last verified .

Free and low-cost help — and potential cost recovery:

  • The NIST MEP National Network.Every state has an MEP center, and many run fixed-price, sometimes-subsidized CMMC engagements for small manufacturers. In documented NIST MEP case studies, an Arizona aerospace manufacturer (Nelson Engineering) worked through a fixed-price MEP engagement that produced a gap assessment, SSP, draft POA&M, and roadmap; a Florida woman-owned shop (Certified Manufacturing Inc., via FloridaMakes) received pilot support to address NIST 800-171/CMMC readiness despite having no full-time IT staff. Start here before you call a turnkey vendor.
  • Allowable / recoverable costs. CMMC-related costs may be allowable or recoverable depending on your contract type, cost accounting treatment, and contracting guidance. Confirm with your contracting officer.
  • State grants.Some states offer small-business cybersecurity assistance. Check what’s available where you operate.

Cost is the objection that stops most shops cold

Before you accept a six-figure quote, get matched with a readiness provider category that can scope your actualCUI footprint — and ask about your state’s MEP center first. Our CMMC cost breakdown goes deeper.

Get matched with a readiness provider →

How long does CMMC take — and why November 10, 2026 is the deadline that matters

Plan on roughly 6 to 18 monthsfor Level 2 readiness, depending on starting maturity and scope. The date that matters for most shops is not Phase 1 — it’s Phase 2, which begins November 10, 2026, when CMMC Level 2 (C3PAO) certification becomes the standard for applicable contracts under 32 CFR §170.3(e). With a limited pool of authorized assessors and assessment lead times that industry reporting describes as months to more than a year, a shop starting today is cutting it close for Phase 2.

State of the Cyber AB Marketplace — what we found

As of early-to-mid 2026, the Cyber AB Marketplace listed roughly 100 authorized C3PAOs, and industry analyses estimate only about 1% of the defense industrial base (out of an estimated 80,000+ organizations expected to need Level 2) has reached Level 2 certification. (These figures move — verify the current count directly at cyberab.org before you rely on them.) A shop that starts its readiness work today is already racing the clock if it needs a C3PAO for a Phase 2 contract. That’s not a sales tactic. It’s arithmetic.

A realistic timeline by where you’re starting:


Which type of CMMC provider does a machine shop need?

Most machine shops should not start with a C3PAO unless they are already assessment-ready. The usual sequence is readiness and scoping first, then implementation or managed compliance, then evidence workflow, and only then a C3PAO if the contract requires Level 2 certification. This is where shops waste money: they call an assessor first, when they actually need a roadmap.

If your shop is…Start with…Don’t start with…
Unsure whether files are even CUIReadiness / scoping (RPO)A C3PAO quote
Running with no internal ITA CMMC-focused MSP/MSSPA GRC tool by itself
Drowning in drawings everywhereEnclave + workflow redesignA whole-shop tool purchase
Already implemented the 110 controlsC3PAO readiness review, then assessor selectionAnother generic gap assessment
Strong on tech, weak on documentationGRC / evidence workflowAssuming folders of screenshots suffice
Sending CUI to outside processorsA supplier flow-down planIgnoring subcontractor scope

RPO / readiness consultant

Scopes you, runs the gap assessment, builds the SSP and POA&M, plans your evidence. The “what do we actually need” partner.

CMMC-focused MSP/MSSP

Implements and manages the technical controls: identity, endpoints, logging, backups, network, the GCC High environment.

CUI enclave / secure collaboration provider

Gives you the walled environment that shrinks scope.

GRC / evidence software

Organizes and tracks evidence. A supporting layer. It does not implement controls or “make you compliant” on its own — be wary of any tool sold as the whole solution.

C3PAO

Performs the formal Level 2 certification assessment, when you’re ready.

The independence rule is not optional

Per the Cyber AB CMMC Assessment Process (CAP v2.0), a C3PAO must manage impartiality and identify conflicts of interest. An assessor who helped an organization prepare can’t also assess that same organization. The CAP also prohibits assessment agreements that guarantee a result or tie payment to issuing a certificate. If anyone guarantees you’ll pass, that’s a red flag — walk away. (See RPO vs. C3PAO.)

This is the decision most shops get backwards

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider categories — readiness, MSP/MSSP, enclave, GRC, or C3PAO — so you start with the right help, in the right order. No CUI uploads.

Match me with source-checked provider options →

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. Not affiliated with DoD, The Cyber AB, DCMA DIBCAC, NIST, or any U.S. government agency. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.


Your first 30 days: what to do before you spend a dollar

The first 30 days should not start with buying software. They should start with collecting clauses, identifying CUI, mapping where that data enters and moves through the shop, separating CUI from general systems where possible, and choosing the right provider category for your actual stage. Mapping before buying is what prevents both an over-built environment and a non-compliant one.

Work this list in order:

  1. Gather the paperwork. Contracts, POs, RFQs, flow-down letters, CUI markings, and any SPRS requests. Put them in one place.
  2. Identify who opens customer technical data. Estimators, programmers, quality — anyone who receives drawings.
  3. Map the data path.RFQ → estimating → CAD/CAM → CNC transfer → inspection → shipment. Draw it.
  4. Mark which systems store, process, or transmit CUI. Use the five §170.19 categories above.
  5. Send the prime-clarification email (the template is above). Get answers in writing.
  6. Decide your scope strategy— enclave, managed compliance, or broader remediation.
  7. Build or refresh your SSP and asset inventory.
  8. Run a gap assessment before you hire a C3PAO.
  9. Create a supplier/outside-processor flow-down plan.
  10. Set a 90-day remediation plan with owners and dates.

Want a head start you can use today?

Download our free Machine Shop CMMC Readiness Checklist — the 14 NIST SP 800-171 Rev. 2 families mapped to real shop-floor examples (CNC, CAM, QC tablets, email, ERP).

Download the Machine Shop Readiness Checklist →

The biggest CMMC mistakes machine shops make

The most expensive machine-shop CMMC mistakes are under-scoping CUI (missing controlled drawings), over-scoping the whole business, buying tools before mapping data, treating CNC machines as either fully in scope or fully invisible, confusing readiness with certification, and hiring a C3PAO before evidence is ready. Inflating your SPRS score also carries real legal exposure under the False Claims Act.

Inflating your SPRS score carries False Claims Act risk

The U.S. Department of Justice runs a Civil Cyber-Fraud Initiative (launched in 2021) that uses the False Claims Act to pursue contractors who misrepresent their cybersecurity compliance. In 2025, DoD contractor MORSE Corp agreed to a $4.6 million settlementafter, among other things, submitting a NIST SP 800-171 score in SPRS far higher than a third-party consultant later calculated and using a third-party email host that didn’t meet FedRAMP-equivalent security. When a senior official affirms your status in SPRS, that’s a representation to the government. Affirm what’s true, document it, and don’t round up your score.


What if your shop only has one defense customer?

A single defense customer can still trigger full Level 2 obligations if the shop handles CUI, but the business decision is different. The right question isn’t only “what does CMMC require?” — it’s “is this defense revenue worth the scope, remediation, operating cost, and customer-concentration risk?” As the rules take effect, some small suppliers are reaching exactly that decision point.

If defense work is a small slice of your revenue and it brings full Level 2 (C3PAO) obligations, you have a real decision to make. Two honest paths:

Stay in, but shrink the box

A tightly scoped enclave can make a single defense line viable without rebuilding the company. Read the scope and enclave sections above and price it against the contract.

Walk away — deliberately

If the math doesn’t work, it’s better to know now than to spend six figures chasing a contract that can’t cover it. Some shops will rationally exit certain defense work, and there is no shame in that.

What you should not do is freeze. Map your CUI, get a real scoped number, and decide with eyes open. See our CMMC cost for small defense contractors breakdown, then use a readiness match for a scoped estimate.


Public case studies: shops and manufacturers that documented a CMMC path

Small and mid-size shops are working through CMMC — typically with outside help and a tightly scoped CUI environment. These are individual, publicly reported outcomes — not typical or guaranteed results, and not all are completed certifications.

CompanyTypeStarting pointWhat they didOutcome (as publicly reported)Source
JD Machine (Ogden, UT)Precision machine shopNeeded Level 2 for defense workKept Microsoft 365, added a FedRAMP-authorized data-security platform + on-prem; data-centric scopeAnnounced CMMC Level 2 certification (Jan. 2026)Company announcement
Nelson Engineering (AZ)Aerospace manufacturer, limited internal ITNeeded Level 2 readinessFixed-price Arizona MEP engagement: gap assessment, SSP, draft POA&M, roadmapReadiness work completed; retained sales and jobsNIST MEP case study
embeddedTS (AZ)Embedded-systems manufacturerExpected to harden the whole facilityUsed an MEP gap assessment to find where FCI/CUI actually livedReduced, streamlined path; certification a future stepNIST MEP case study
Certified Manufacturing Inc.Woman-owned, AS9100, no full-time ITNeeded NIST 800-171/CMMC readinessFloridaMakes / NIST MEP pilot supportReadiness assistance reportedNIST MEP case study

The common thread isn’t budget. It’s sequence: scope first, get the right help, wall off CUI, then assess.


CMMC compliance for machine shops: FAQ

Does a small machine shop need CMMC?

Yes, if a DoD contract, subcontract, or prime flow-down requires it because you handle FCI or CUI. Size doesn’t exempt you — a five-person shop handling CUI faces the same 110 Level 2 requirements as a prime. (32 CFR Part 170; §170.23.)

What CMMC level does a machine shop need?

FCI-only work points to Level 1 (15 requirements, annual self-assessment). CUI points to Level 2 (110 NIST SP 800-171 Rev. 2 requirements). The assessment type — self or C3PAO — is set by the contract.

Are CAD drawings CUI?

They can be. Defense engineering drawings are commonly Controlled Technical Information when they carry a distribution statement (B–F), a CUI marking, or fall under a DFARS 252.204-7012 contract. Verify the markings and ask your prime if it’s unclear.

Are G-code files CUI?

Possibly. A program file derived from a controlled drawing can inherit CUI status. Treat derivatives as CUI within your controlled pathway until your customer confirms otherwise in writing.

Are CNC machines in scope for CMMC?

Not automatically. A CNC machine is in scope if it stores, processes, transmits, or is reachable from systems handling CUI. Legacy controllers may be treated as Specialized Assets under 32 CFR §170.19 — segmented and documented rather than fully hardened.

Can a machine shop use Level 1 only?

Only if it handles FCI and no CUI. The moment controlled drawings or specs enter the environment, Level 2 applies.

Do subcontractor machine shops need CMMC?

Yes. Requirements flow down to all tiers. An FCI-only sub needs Level 1 (Self); a CUI sub needs at least Level 2 (Self); if the prime requires Level 2 (C3PAO), the sub does too. (32 CFR §170.23.)

Do outside processors need CMMC?

It depends on what you send them. If they receive CUI to do the work, the requirement flows down to them; if they only get non-CUI instructions, it may not. Send the minimum data necessary and document it.

Is CMMC Level 2 always a C3PAO assessment?

No. Level 2 can be a self-assessment or a C3PAO certification, depending on what the contract requires.

Do I need to post an SPRS score?

If your contract includes DFARS 252.204-7019, yes — a current NIST SP 800-171 self-assessment score posted in SPRS has been required since November 2020, independent of the CMMC clause.

Is NIST SP 800-171 Revision 3 required for CMMC?

No. CMMC Level 2 currently maps to Revision 2. NIST published Rev. 3 in May 2024, but the CMMC rule states Rev. 3 “is not currently applicable,” and a DoD class deviation keeps assessments on Rev. 2.

Do I need GCC High?

Usually only if your CUI is export-controlled (ITAR/EAR). Standard CUI may be handled in Microsoft 365 GCC (FedRAMP Moderate), properly configured. Plain Commercial Microsoft 365 is not compliant for CUI.

Can an enclave reduce CMMC cost?

Yes — by shrinking how many systems touch CUI. But it doesn’t satisfy the 110 controls by itself, and it only works if your team stops copying CUI back into general systems.

Can my C3PAO help me fix my gaps?

Not for the same engagement. Cyber AB rules require readiness and the formal assessment to stay separate. Use an RPO or MSP to prepare, and a C3PAO to assess.

What should I do first if a prime asks about CMMC?

Don’t buy software. Gather your clauses, identify and map your CUI, send your prime the clarification questions in writing, and run a gap assessment to size the real scope.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options — readiness, MSP/MSSP, enclave, GRC, or C3PAO. No CUI uploads. No provider routing until your scope is clearer.

Find My CMMC Path →

Sources

  • Federal Register (32 CFR Part 170; DFARS Case 2019-D041); eCFR Title 32 Part 170 (incl. §§170.3(e), 170.14–170.17, 170.19, 170.23)
  • FAR 52.204-21; DFARS 252.204-7012, -7019, -7020, -7021 (Acquisition.gov)
  • NIST SP 800-171 Rev. 2, SP 800-171A, and SP 800-172 (NIST CSRC)
  • DoD CIO CMMC materials; Cyber AB CMMC Assessment Process v2.0 and Marketplace
  • U.S. Department of Justice Civil Cyber-Fraud Initiative; NIST MEP case studies; company announcements as cited

Published by The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance. Last verified: . General information for the defense industrial base, not legal, contractual, audit, or compliance advice. Your solicitation, contract, subcontract, prime/customer written direction, and contracting officer guidance control what applies to you.

Which provider category fits your situation

Related guides

Editorial disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. Not affiliated with the Department of Defense, the Cyber AB, DCMA DIBCAC, NIST, or any U.S. government agency. Read our editorial review process. Last verified: .

Your situation changes the answer

Find My CMMC Path

The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.

Find My CMMC Path →