No CUI uploads. No vendor routing until your scope is clearer.Start →
CMMC for Shipbuilders: What Shipyards and Naval Suppliers Actually Owe in 2026
CMMC for shipbuilders is set by your contract and your data — not by your trade. If a Navy solicitation, contract, subcontract, or prime purchase order requires a CMMC status for systems that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), it applies to you. As of July 18, 2026, the only levels the Department can designate are Level 1 (Self) and Level 2 (Self).
Four questions before you spend a dollar
These are free, they take a week, and they determine every number you will ever be quoted.
- Which document actually requires CMMC of us— the solicitation, the contract, a subcontract, or a prime’s purchase order terms?
- What information really enters our systems— FCI, CUI, U-NNPI, export-controlled data, or paper only?
- Which of our systems and workflows touch that information, including the shop floor and the file cabinet?
- Has our requirement changed in writingsince July 13, 2026?
Start where you are
| Your situation right now | Go here first |
|---|---|
| “I saw the headline. Is CMMC over?” | What paused and what didn’t |
| “My prime is still pushing us. Who’s right?” | Prime terms vs. the pause |
| “We got a drawing and we don’t know what it is.” | What counts as CUI in a yard |
| “Our purchase order mentions NN-801 or NAVSEA 08.” | The second gate |
| “We have a quote in hand and we don’t know if it’s fair.” | Cost, and what to stop paying for |
Is this guide for you?
| Your organization | Use this guide? |
|---|---|
| Shipyards, ship-repair and overhaul yards, module builders | Yes |
| Naval architecture and marine engineering firms | Yes |
| Marine fabricators, pipe/valve/electrical/HVAC suppliers to Navy programs | Yes |
| Shipboard systems integrators, sea-trial and test support | Yes |
| Suppliers working through shipyard portals (Exostar, SPARS) or prime flow-downs | Yes |
| Multi-facility organizations with more than one CAGE code | Yes |
| A small CNC job shop with no yard, no waterfront, no U-NNPI | No — read CMMC for machine shopsinstead. It’s shorter and built for you. |
| An aerospace supplier with no naval work | No — read CMMC for aerospace suppliers. |
| You handle classified information | CMMC does not apply to classified systems. That’s a separate program-security conversation. |
Does CMMC for shipbuilders still apply after the July 2026 suspension?
Yes. The Department suspended one verification mechanism, not the underlying obligation. CMMC is the Department’s program for verifying that contractors protect FCI and CUI. The July 13, 2026 action paused the third-party certification phase; it did not pause self-assessments, DFARS safeguarding duties, or any naval requirement that lives outside CMMC.
During the suspension, program managers may include only CMMC Level 1 (Self) or Level 2 (Self) in procurement documents. They may not designate Level 2 (C3PAO) or Level 3 (DIBCAC). Where a solicitation already carries those levels, the contracting officer is directed to amend “as soon as practicable.” Existing contracts carrying those requirements are to be removed by modification at the next option or administrative modification. No waivers are being granted during the review period.
The Department also stood up a CMMC Reform Task Force with 60 days to report back, and opened a public Request for Information — Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base — with responses due 12:00 p.m. ET, Friday, August 14, 2026.
What paused and what didn’t — the naval supplier version
| Obligation | Status right now | Who sets it | Where we checked |
|---|---|---|---|
| Level 2 (C3PAO) as a new procurement designation | Suspended | DoW CIO | Memo 26-P-1023, Attachment 1 |
| Level 3 (DIBCAC) as a new procurement designation | Suspended | DoW CIO | Memo 26-P-1023, Attachment 1 |
| A solicitation that still shows C3PAO or DIBCAC | To be amended “as soon as practicable” | Contracting officer | Memo 26-P-1023, Attachment 1 |
| Existing contract carrying those requirements | Removed by modification at next option or admin mod | Contracting officer | Memo 26-P-1023, Attachment 1 |
| CMMC waivers | None granted during the review | DoW CIO | Memo 26-P-1023, Attachment 1 |
| Level 1 (Self) — 15 requirements, annual, no POA&Ms | Active | 32 CFR § 170.15 | eCFR; DoW CMMC FAQ |
| Level 2 (Self) — 110 requirements, three-year cycle, annual affirmation | Active | 32 CFR § 170.16 | eCFR; DoW CMMC FAQ |
| NIST SP 800-171 Rev. 2 as the assessed baseline | Active | Class deviation to DFARS 252.204-7012 | DoW CMMC FAQ B-A3 |
| DFARS 252.204-7012 safeguarding and 72-hour incident reporting | Unchanged | Your contract | DoW release, July 13, 2026 |
| U-NNPI safeguarding and NAVSEA 08 approval | Never part of CMMC. Unaffected. | Naval Reactors / your contract | 32 CFR 117.23(f); OPNAVINST N9210.3 |
| Your prime’s purchase order cyber terms | Unchanged until your prime changes them | The prime | Published prime supplier requirements |
| Coast Guard MTS cybersecurity rule (if MTSA-regulated) | Active, separate schedule | 33 CFR Part 101, Subpart F | eCFR |
| Program-specific additional protections | Expressly preserved | Requiring activity | Memo 26-P-1023, Attachment 1 |
What actually changed for you
- You cannot currently be told to hire a C3PAO by a Department requiring activity. If a live solicitation still says so, that is now an amendment question — put it in writing to the contracting officer.
- Your self-assessment just became the whole ballgame. With independent verification paused, the score and affirmation you post in SPRS carry the full legal weight. Nobody is checking your homework before award. Somebody may check it after.
- Nothing about NIST SP 800-171 Rev. 2 got easier. The Department said plainly that during the interim it will enforce compliance against Rev. 2 through self-assessments and select government-led assessments.
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Which CMMC level does a shipbuilder need right now?
Your level comes from the solicitation and the resulting contract, not from your industry. The Department’s own FAQ states that during Phase 1 the intent is for solicitations to carry CMMC Level 1 when only FCI will be processed, stored, or transmitted, and CMMC Level 2 (Self) when any CUI will be handled in contractor-owned systems. Level 3 cannot be designated during the suspension.
| Your situation | Path to investigate | What it involves | Verified against |
|---|---|---|---|
| Only FCI enters your systems (POs, schedules, non-public quantities) | Level 1 (Self) | 15 requirements from FAR 52.204-21(b)(1); annual self-assessment and affirmation; no POA&Ms permitted | 32 CFR § 170.15 |
| Any CUI enters contractor-owned systems (drawings, specs, technical data) | Level 2 (Self) during the suspension | All 110 NIST SP 800-171 Rev. 2 requirements across 14 families; assess every 3 years; affirm annually; score to SPRS | 32 CFR § 170.16; DoW FAQ D-A5 |
| CUI handled only on paper | Safeguarding still required; third-party assessment not required | See the paper section — the moment you scan it, this changes | DoW CMMC FAQ C-A11 |
| Your document still says Level 2 (C3PAO) or Level 3 | Amendment or modification analysis | Request the written change. Don’t act on a press release. | Memo 26-P-1023 |
| You receive no FCI and no CUI | CMMC may not apply to that environment | Verify against the actual procurement and data flow — document why | 32 CFR § 170.3 |
| Solely COTS items | Specific treatment applies | Confirm the actual procurement and flow-down language | DFARS CMMC rule |
Level 2 does not automatically mean “hire an assessor.” This is the single most expensive misreading in the entire program. The 110 requirements are identical whether you self-assess or a C3PAO assesses you. What differs is who signs. Right now, only you can.
What flows down to you as a subcontractor
The Department’s FAQ confirms CMMC requirements flow down per 32 CFR § 170.23, and that the required level is driven by the type of data — FCI or CUI — that will be processed, stored, or transmitted during performance. Newport News Shipbuilding reproduced the rule’s minimum flow-down table for its own suppliers in February 2025:
| If the prime holds… | And the sub handles FCI | And the sub handles CUI |
|---|---|---|
| Level 1 (Self) | Level 1 (Self) | N/A |
| Level 2 (Self) | Level 1 (Self) | Level 2 (Self) |
| Level 2 (C3PAO) | Level 1 (Self) | Level 2 (C3PAO) |
| Level 3 (DIBCAC) | Level 1 (Self) | Level 2 (C3PAO) |
The right CMMC provider isn’t the same for every contractor — the category you need depends on your required level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
Map your level and assessment type before you price anything →What actually counts as CUI in a shipyard?
Ship drawings, specifications, models, work packages, and test records can contain CUI — but naval subject matter alone does not make a document CUI, and neither does a distribution statement. The DoD CUI Program states plainly that applying a distribution statement does not automatically mean the document is CUI, because under DoDI 5230.24 distribution statements go on technical documents whether they are classified, unclassified, or CUI. The determination runs on content and category, not on the stamp.
This is where most shipyard programs go wrong in the first week — in both directions.
The over-scoping trap
The instinct, when a drawing shows up with legends all over it, is to declare the whole yard a CUI environment and move on. Newport News Shipbuilding tells its own suppliers not to do that. NNS answers directly that treating all documents as CUI drives up cost by securing systems that don’t handle CUI, expands scope unnecessarily, lengthens C3PAO assessments, requires extra evidence for unrelated systems, adds controls to non-CUI work, and misaligns with CMMC’s own emphasis on scoping boundaries.
When the prime that sends you the drawings is telling you to scope tighter, the vendor telling you to scope wider deserves a hard question.
The under-scoping trap
The mirror-image error is assuming that no marking means no obligation. FCI is typically not labeled at all. And Distribution Statement D is what NNS calls a legacy marking that falls under the CUI umbrella — existing documents carrying it should be treated as CUI//EXPT, and Distribution D information can only be shared with contractors certified under the Joint Certification Program (JCP), the DLA-administered program that authorizes U.S. and Canadian firms to receive unclassified export-controlled technical data.
The question nobody answers: does your work package inherit CUI status?
This is the shipbuilding question. You receive a controlled drawing. Your planners build a bill of materials, a traveler, a router, a weld procedure, an NC program, and a set of assembly and test instructions from it. Do those inherit the designation?
There is no universal rule. But Newport News Shipbuilding states that when technical information from a Distribution Statement D document is incorporated into a new document, the new document should be marked CUI//EXPT. That gives you a workable test rather than a guess:
- Does the derived record actually reproduce or reveal controlled content — dimensions, tolerances, materials, performance characteristics, signatures, program detail? Or is it a routing card that says “weld per procedure, see drawing”?
- What category and authority applies to the source information?
- Did the prime or the Government issue derivation or marking instructions? Ask. In writing.
- Can the work instruction be rewritten to omit the controlled content — referencing the drawing rather than restating it? For many yards this single design decision moves entire ERP and shop-floor systems out of the boundary.
- Who is authorized to resolve the ambiguity? It is not your IT vendor. It is the information owner, your buyer, or your contracting officer.
One more practical note from NNS: the most common CUI document attached to their purchase orders isn’t the drawing at all — it’s Appendix B, which isn’t attached to the PO and has to be requested from the buyer. Other common CUI items include other appendices, some drawings, P-Specs, and some Mil-specs. If your CUI inventory started and stopped at “the drawings,” it’s incomplete.
The second gate: U-NNPI, NN-801, and NAVSEA 08
If your work touches Unclassified Naval Nuclear Propulsion Information, CMMC is a floor, not a permission slip. U-NNPI is a CUI Specified category with a safeguarding regime that predates CMMC and sits on top of it. Meeting NIST SP 800-171 does not authorize you to process U-NNPI on your systems. A separate Naval Reactors approval does. Nothing in the July 13 suspension touched it.
This is the single biggest blind spot in the CMMC coverage aimed at shipbuilders, and it is not close.
Where the requirement comes from
Under 32 CFR § 117.23(f), NNPI is governed by OPNAVINST N9210.3; all contracts granting access to NNPI must require compliance with the specific safeguarding requirements in that instruction; and any waiver or deviation from NNPI security requirements needs Naval Reactors’ concurrence. The security requirements for this category exceed the baseline standards and are applied through specific contract requirements.
Translation for a valve shop in Connecticut: your CMMC status and your NNPI authorization are two different things, granted by two different authorities, and one does not substitute for the other.
What the primes actually require
Bechtel Plant Machinery, Inc. (BPMI)— the Naval Reactors prime for propulsion plant components — states on its supplier cybersecurity page that it will continue to require contractors to comply with NN-801 Revision 5for physical and cybersecurity controls protecting U-NNPI. BPMI describes NN-801’s Section 10 cybersecurity controls as aligned with and complementary to NIST SP 800-171, with more stringent criteria approved by Naval Reactors, such that supplier systems BPMI approves for U-NNPI under NN-801 Rev. 5 are also compliant with NIST SP 800-171 Revision 2. BPMI also tells suppliers to keep their U-NNPI plans, policies, procedures, and their NN-801 security plan approval letter current and on file.
HII–Newport News Shipbuilding publishes a procedure for suppliers to obtain NAVSEA 08 approvalto process NNPI on non-federal information systems, requiring a letter identifying applicable contract numbers and statements of work, buyer and seller cybersecurity points of contact, the type of information involved, and the affected systems. NNS stated in its February 2025 supplier FAQ that hard copies cannot be phased out for U-NNPI unless and until the supplier obtains an Authority to Operate from NAVSEA 08. For a nuclear-side supplier, an ATO from NAVSEA 08 is what unlocks electronic handling. A CMMC certificate does not.
The two-gate model
| Gate 1 — CMMC / DFARS | Gate 2 — U-NNPI | |
|---|---|---|
| What it verifies | That you implemented FAR 52.204-21 or NIST SP 800-171 Rev. 2 | That Naval Reactors approves your specific system for U-NNPI |
| Who grants it | You (self-assessment) or a C3PAO when authorized | NAVSEA 08 / Naval Reactors, via your prime |
| Governing document | 32 CFR Part 170; DFARS 252.204-7012 | OPNAVINST N9210.3; NN-801 Rev. 5 |
| Evidence you hold | SPRS status, affirmation, SSP | NN-801 security plan approval letter; NAVSEA 08 approval |
| Suspended July 13, 2026? | The C3PAO/DIBCAC designation was | No |
| Does Gate 1 satisfy Gate 2? | — | No |
If you just realized this applies to you
Send your buyer these three questions this week:
- Does this purchase order involve U-NNPI? Which document establishes that?
- What is our current NNPI handling authorization — hard copy only, or approved for electronic processing?
- If we want electronic handling, what does NAVSEA 08 approval require of us, and who sponsors the request?
Which shipyard systems belong in the CMMC boundary?
The entire yard is not automatically in scope. Under 32 CFR § 170.19, Level 2 assets fall into five categories, and each carries a different documentation and assessment burden. Most shop-floor equipment — burn tables, weld cells, cranes, metrology, test sets — lands in Specialized Assets, which must be inventoried, documented in the System Security Plan, and drawn on the network diagram, but is not assessed against the rest of the control set.
That distinction is worth real money, and most yards have never been told it exists.
The five categories, in plain terms
| Category | What it means in a yard | Documentation required | How it’s assessed at Level 2 |
|---|---|---|---|
| CUI Assets | Anything that processes, stores, or transmits CUI | Asset inventory, SSP treatment, network diagram | Against all Level 2 requirements |
| Security Protection Assets | Things that provide security functions to your scope — EDR, SIEM, VPN, your MSSP’s people | Asset inventory, SSP, network diagram | Against the Level 2 requirements relevant to what they provide |
| Contractor Risk Managed Assets | Could handle CUI but are prevented from doing so by documented policy and practice | Asset inventory, SSP, network diagram | SSP reviewed. If documentation is thin, the assessor may run a limited check |
| Specialized Assets | OT, IIoT, Government Furnished Equipment, Restricted Information Systems, Test Equipment | Asset inventory, SSP showing risk-based management, network diagram | SSP reviewed. Not assessed against other CMMC requirements |
| Out-of-Scope Assets | Cannot process, store, or transmit CUI; provide no protection to CUI assets; separated | None | None — but be ready to justify it |
The Shipyard Boundary Matrix
Real yard workflows and equipment mapped to the § 170.19 categories, the evidence you’ll need, and the mistake that quietly expands your scope. Treat this as a first-pass investigative classification, not a compliance determination. A workflow belongs in your final boundary only after you verify the contract, the information type, the actual data flow, and your separation controls.
| Workflow / asset | Typical systems | First category to investigate | Evidence to hold | The mistake that expands scope |
|---|---|---|---|---|
| Bid and contract admin | Solicitations, POs, clause matrices, supplier terms | Level 1 scope if FCI-only; CUI Asset if CUI attachments live there | Contract register, clause inventory, amendments, prime instructions | Missing the CUI appendix that isn’t attached to the PO |
| Naval engineering and design | CAD, CAE, PLM, hull models, arrangement drawings | CUI Asset | Repository permissions, drawing provenance, export paths, audit logs | Local caches, personal drives, and “temporary” desktop copies |
| Production planning | ERP, MES, BOMs, travelers, routers, work instructions | CUI Asset if derived records carry controlled content; otherwise FCI or out-of-scope | Field-level review, sample work package, derivation process | Restating controlled dimensions in a traveler when a reference would do |
| CAM / CNC / DNC | Toolpaths, NC code, controllers, programming stations, machine servers | CUI Asset or Specialized Asset depending on function and securability | Program lineage, connectivity map, removable-media path, controller inventory | Treating the programming workstation like the machine. It isn’t. |
| Welding, NDT, QA | Weld procedures, radiographs, inspection databases, portable test units | CUI Asset; test equipment may be Specialized | Marking procedure, inspection data flow, equipment inventory, media custody | Inspection databases nobody remembered were on the network |
| Cranes, dry dock, environmental, access control | PLCs, SCADA, pump and caisson controls, badge systems, paint/blast monitoring | Specialized Asset (OT) in most cases | OT topology, data-flow evidence, risk-based policy, segmentation proof | Assuming “it’s OT” ends the analysis — the documentation is still required |
| Deckplate paper | Printed drawings, build books, redlines, binders | Physical handling process; any device that digitizes it is assessed separately | Check-out logs, storage controls, print/scan policy, destruction records | The multifunction printer with a hard drive |
| Supplier portals and subtier exchange | Exostar, SPARS, secure file transfer, email | CUI Assets plus External Service Provider scoping | Flow-down records, portal responsibility matrix, tenant ownership, access records | Assuming the portal owner carries your compliance |
| On-vessel and field work | Laptops, tablets, removable media, portable test units, sea-trial systems | CUI Asset or Specialized Asset | Device custody, remote-access config, media controls, field inventory | The laptop that goes aboard and never gets re-imaged |
| Email, cloud, backup, security tooling | M365 tenant, file storage, backups, SIEM, EDR, identity | CUI Asset, Security Protection Asset, and CSP/ESP scope | FedRAMP or equivalency evidence, service description, customer responsibility matrix | Forgetting that your MSSP is in scope |
| Government Furnished Equipment | Government-owned test sets, loaned systems | Specialized Asset (GFE) | Inventory, custody, SSP entry | Leaving it out of the inventory because “it’s theirs” |
Four scoping facts that save yards real money
- VDI endpoints can be out of scope — under conditions. An endpoint hosting a virtual desktop client is an Out-of-Scope Asset if it is configured to permit no processing, storage, or transmission of CUI beyond keyboard, video, and mouse. Block copy-paste and file transfer across the session, disable client drive mapping and print redirection, keep all CUI handling inside the session, and use MFA to the VDI server that is separate from the unmanaged client. Configuration must be verified.
- Encryption alone does not create logical separation. The Department says so directly. Logical separation is achieved by software or network controls — firewalls, routers, VPNs, VLANs. Encryption protects confidentiality; it does not enforce a boundary.
- An enclave that routes encrypted CUI through your enterprise network does not automatically drag that network into scope. Per the Department’s scoping FAQ, so long as the enclave is otherwise logically separated, transmitting properly encrypted CUI across enterprise networking components does not extend the assessment scope to those components.
- Your MSP and MSSP are in scope even when you send them no CUI — but they don’t need their own certification. The Department’s answer is unambiguous: where an MSP handles IT support and an MSSP handles security tooling, both qualify as External Service Providers and are assessed as part of your assessment scope against applicable requirements, without needing their own CMMC certification.
→ Build your shipyard scope worksheet
Pre-loaded with the § 170.19 categories and the yard asset classes above, so your first pass takes an afternoon instead of a quarter. It captures system categories only — never upload CUI, drawings, or technical data.
Does paper-only CUI keep a yard out of a CMMC assessment?
Yes — narrowly, and only until someone scans it. The Department states that organizations handling only hard-copy CUI are not required to complete a CMMC third-party assessment, though they may choose a self-assessment or third-party assessment for greater assurance. The paper itself must still be safeguarded. And the moment that CUI is placed on an information system digitally, that system is expected to satisfy applicable CMMC assessment requirements first.
The Department’s list of what counts as digitizing is broad: scanning, entering, photographing, uploading, printing, or emailing. When DFARS 252.204-7012 is in the contract and flowed down, every organization that processes, stores, or transmits CUI — including in hard copy — remains obligated to safeguard it under NIST SP 800-171 and DoD Instruction 5200.48.
Newport News Shipbuilding runs a hard-copy transmission status for suppliers. NNS buyers mail drawings to a supplier when that supplier hasn’t submitted its NIST SP 800-171 control implementation in Exostar, or when the NNS cybersecurity team’s review says the supplier should receive hard copy only. NNS then states plainly: loading the document into the supplier’s information system negates the hard-copy-only posture. The paper isn’t a loophole. It’s a holding pattern with a documented exit.
The deckplate checklist
Walk this list before you claim paper-only:
- No scanning of received drawings, ever, to any network location
- No phone photography of controlled documents on the deck
- No transcription of controlled content into email, chat, ERP, or a traveler
- Multifunction printer and copier storage accounted for and sanitized
- No cloud sync from any folder that touches a scanned document
- Check-out, issue, return, and destruction logged
- Controlled work areas defined and access-limited
- An incident process that covers a lost binder, not just a phished mailbox
Miss one and you aren’t paper-only — you’re a yard with an undocumented CUI system. The most common failure is the shop scanner nobody put on the network diagram. Walk the floor with the scope worksheet and find it before somebody else does.
Your prime says you need CMMC. Who is right?
Both of you can be. The suspension memo directs Department contracting officers and requiring activities. It does not automatically rewrite a prime’s purchase order terms, supplier portal requirements, or fiscal-year conditions. Until your prime issues something in writing, its requirements stand on their own contractual footing.
BPMIstates on its supplier cybersecurity page that CMMC requirements will be incorporated into its fiscal year 2027 terms and conditions, and that by the start of FY27 suppliers must confirm and provide evidence of CMMC Level 2 certification status to be eligible for contract awards — including a certificate with the CMMC Unique Identifier and applicable CAGE codes, or an SPRS report showing the final status, UID, assessment date, scope, and expiration.
NNSrequires suppliers to register and maintain an active Exostar Onboarding Module account and complete its cybersecurity questionnaire, per the cybersecurity provision in the DoD appendices to its purchase orders. Neither prime’s page had been rewritten for the suspension when we checked. That is not an accusation; it’s five days. But it is exactly why “the Pentagon paused it” is not an answer you can give your buyer.
Get it in writing — the twelve questions
Send these to your buyer, prime supplier quality contact, or contracting officer. Copy them verbatim. The written answers become your scope file, and your scope file is what protects you if anyone ever questions your affirmation.
- Which clause or flow-down establishes the CMMC requirement for this solicitation, contract, subcontract, or purchase order?
- What CMMC level and assessment type are required?
- Has that requirement been amended following the July 13, 2026 Phase 2 suspension? If so, please provide the amendment or modification.
- Which information we will receive or create is expected to be FCI, and which is expected to be CUI?
- What CUI category and safeguarding authority applies?
- Which drawings, appendices, specifications, portals, or data exchanges contain that information?
- Are we authorized to operate hard-copy-only, or to use a designated portal or Government-furnished environment?
- Does this work involve U-NNPI? If so, what is required for NAVSEA 08 approval, and what is our current status?
- What must we flow to each sub-tier supplier, based on the information each receives?
- Which CMMC Unique Identifier, SPRS status, or assessment evidence must we provide, and at what point in the procurement?
- Who is authorized to resolve a conflicting or unclear CUI marking?
- Please provide the answer, and any applicable attachment or handling instruction, in writing.
A detail with teeth: the Department states that offerors must identify every CMMC Unique Identifier in the proposal that will be used to process, store, or transmit FCI or CUI, and that any company information systems not represented by the UIDs provided are considered non-compliant and cannot be used to process, store, or transmit FCI or CUI during performance. For a multi-yard organization or a company with several CAGE codes, that sentence is a bid-killer if you get it wrong.
→ Get the shipbuilder clause-and-scope question set
The twelve questions above, formatted to send today, plus the evidence list that opens your scope file. Free, no obligation. Never include CUI, drawings, or contract attachments in anything you send us.
Which clause numbers should a shipbuilder look for in 2026?
Clause numbers changed in February 2026, and both old and new numbers are circulating. A Department class deviation under the FAR overhaul took effect February 1, 2026: DFARS 252.204-7019 is no longer prescribed, DFARS 252.204-7020 appears as DFARS 252.240-7997 under a new DFARS Part 240, and FAR 52.204-21 was relocated to FAR 52.240-93. DFARS 252.204-7012 and the CMMC clause DFARS 252.204-7021 are unchanged.
This matters more for shipbuilders than for most, because a yard is often running work under contracts issued across four or five different procurement vintages at the same time.
| What you may see in the document | What it addresses | How to read it in July 2026 |
|---|---|---|
| FAR 52.204-21 (now FAR 52.240-93) | Basic safeguarding for systems containing FCI — the 15 requirements behind CMMC Level 1 | Still the Level 1 substance. Numbering moved under the overhaul. |
| DFARS 252.204-7012 | Safeguarding covered defense information, NIST SP 800-171 implementation, 72-hour cyber incident reporting, cloud conditions, subcontract flow-down | Unchanged and fully in force. The July suspension did not touch it. |
| DFARS 252.204-7019 / -7020 | The prior structure for NIST SP 800-171 DoD assessment notice and requirements | You may still see them in older instruments. Their absence from a new solicitation does not mean you have no assessment obligation. |
| DFARS 252.240-7997 | The renumbered assessment-requirements clause under Part 240; “Basic” assessment references removed | Expect it in newer solicitations governed by the deviation. |
| DFARS 252.204-7021 | The CMMC clause — ties eligibility to your CMMC status in SPRS and requires flow-down | Unchanged. Became effective November 10, 2025. |
| DFARS 252.204-7025 | Notice of CMMC level requirements, appearing with 7021 | Read it. It’s where the required level shows up. |
| Memo 26-P-1023 (July 13, 2026) | Limits current designations to Level 1 (Self) or Level 2 (Self); directs amendments | Procurement direction, not a contract modification. Get the written amendment. |
The Rev. 2 versus Rev. 3 question, settled
The Department’s FAQ is direct: CMMC assessments are conducted against NIST SP 800-171 Revision 2, held in place by a class deviation to DFARS 252.204-7012, until Revision 3 is incorporated into the CMMC Program rule through rulemaking. Contractors mayimplement Revision 3 — using the Department’s Organization-Defined Parameters from the April 2025 memorandum — but must ensure any gaps between Rev. 2 and Rev. 3 are addressed, because Rev. 2 is what gets assessed. If a vendor is selling you a Rev. 3 build as “future-proofing,” that’s a legitimate strategy. It is not a substitute for Rev. 2 traceability.
If the assessment is paused, what should a yard actually do?
The Department published its own answer the same week it paused Phase 2. The DoW CIO launched the “Brilliant at the Basics” campaign, which includes a Top 10 list for information technology and a separate Top 10 specifically for Operational Technology. It is guidance, not a new compliance requirement — but for a shipyard, it is a better-prioritized to-do list than most gap reports.
The OT Top 10, translated to a shipyard
| Department OT priority | What it looks like in your yard | NIST SP 800-171 Rev. 2 family it reinforces |
|---|---|---|
| Identity and access control | Who can log into the burn table controller, the crane HMI, the paint booth PLC — and whether that’s a shared password taped to the panel | Access Control (3.1), Identification & Authentication (3.5) |
| Validated, as-operated asset inventory | An inventory of PLCs, RTUs, HMIs, engineering workstations, DCS and safety instrumented systems — including firmware versions, protocols, transient assets, and remote-access points, validated by passive monitoring and physical walk-downs | Configuration Management (3.4) |
| Strict network segmentation | The business LAN and the production network genuinely separated, not just on a slide | System & Communications Protection (3.13) |
| OT-specific incident response | A plan where the answer isn’t “unplug it” — because you can’t shut a dry dock pump mid-evolution. Offline backups, isolated safety systems, joint sign-off from cyber and process engineering to restart | Incident Response (3.6) |
| Compensating controls where patching is impossible | Firewall rules, micro-segmentation, and application allowlisting around the 2009 controller running the plate line until its next scheduled window | Risk Assessment (3.11), System & Information Integrity (3.14) |
| Constrained remote access | Killing always-on vendor tunnels and cellular gateways into machinery | Access Control (3.1) |
| Continuous monitoring | Extending logging to the production floor, then actually reading it | Audit & Accountability (3.3) |
| System resiliency | Grouping assets by physical location and sensitivity; local manual overrides so one compromise doesn’t stop the line | System & Communications Protection (3.13) |
| Supply chain security | Holding your equipment vendors to the standard you’re being held to; a replacement schedule for undefendable legacy hardware | Risk Assessment (3.11) |
| Formal change review | A safety-and-security review before any change — so a hardening step doesn’t create an unsafe condition on the deck | Configuration Management (3.4) |
The asset inventory line is the highest-leverage week of work available to you right now. It satisfies the Department’s interim guidance, it produces the § 170.19 inventory you need for any CMMC assessment, and if you’re MTSA-regulated it feeds the Coast Guard cybersecurity assessment covered below. One artifact, three regimes.
The seven-step sequence
- Inventory the controlling documents. Solicitation, award, subcontracts, POs, amendments, prime notices. Not your vendor’s summary — the documents.
- Identify the required status and assessment type separately. “Level 2” is not a complete answer.
- Identify the information owner and the data categories. FCI, CUI, U-NNPI, export-controlled, paper, or unresolved.
- Trace the workflows. Engineering → planning → fabrication → inspection → supplier → field and vessel → archive.
- Classify assets under § 170.19 and write down why, including the out-of-scope calls.
- Update the SSP, asset inventory, and network diagram. Not optional — if you mark security requirement CA.L2-3.12.4 (System Security Plan) as Not Met, SPRS returns no score at all.
- Complete and maintain the applicable self-assessment and affirmation.
What not to do
- Don’t cancel the program. The standard didn’t move.
- Don’t delete evidence. Retention obligations survive.
- Don’t treat a press release — including this article — as a contract modification.
- Don’t hire a C3PAO because that was the pre-July-13 plan.
- Don’t migrate systems before you’ve mapped the workflow. Migration is the most expensive way to discover your scope was wrong.
Free resources, since you’re paying for enough already
The Department’s own FAQ points to no-cost help: the Cyber AB Marketplace for finding assessors and practitioners; free CMMC training through the Warfighting Acquisition University; the no-cost cybersecurity capabilities listed by DoD Cyber Crime Center’s DIB Collaborative Information Sharing Environment; and Project Spectrum, which provides no-cost tools and training for small DIB businesses. We don’t receive anything from any of them. Use them before you buy anything.
The other clock: the Coast Guard rule nobody suspended
If your facility holds a security plan under 33 CFR Part 105, you are also inside the Coast Guard’s Marine Transportation System cybersecurity rule — and its next hard deadline is closer than anything on the CMMC calendar. The rule took effect July 16, 2025 and applies to owners and operators of U.S.-flagged vessels, facilities, and Outer Continental Shelf facilities required to have a security plan under 33 CFR Parts 104, 105, and 106. Nothing about the CMMC suspension touched it.
The self-test is simple: do you have a Facility Security Officer and an approved Facility Security Plan? If yes, this section is yours. If you’re an inland shop with no waterfront operations, skip to the cost section.
Two clocks, one yard
| Date | Regime | What happens |
|---|---|---|
| July 16, 2025 | USCG | Rule effective; reportable cyber incidents go to the National Response Center |
| November 10, 2025 | CMMC | Phase 1 began; DFARS 252.204-7021 effective; Level 1 and Level 2 self-assessment requirements appear in applicable solicitations |
| January 12, 2026 | USCG | All personnel must complete the training in 33 CFR 101.650 — and annually after |
| February 1, 2026 | CMMC | Class deviation renumbers 7019/7020 and FAR 52.204-21 |
| July 13, 2026 | CMMC | Phase 2 suspended; Phases 3 and 4 frozen |
| August 14, 2026, 12:00 p.m. ET | CMMC | CMMC Reform Task Force RFI responses due |
| ~Mid-September 2026 | CMMC | Task Force report due to the DoW CIO |
| July 16, 2027 | USCG | Designate the Cybersecurity Officer, complete the Cybersecurity Assessment, and submit the Cybersecurity Plan for approval under 33 CFR 104.410, 105.410, or 106.410 |
Where the two overlap: your asset inventory, your network segmentation project, and your OT incident response plan can serve both. Where they don’t: a CMMC System Security Plan is not a Cybersecurity Plan, and the Coast Guard will not accept it as one. Plan approval takes time. Working backward from July 16, 2027 is not a scare tactic — it’s a calendar.
What does CMMC cost a shipbuilder, and what should you stop paying for?
There is no defensible universal shipyard price, and the Department says so. Its FAQ states that the cost of achieving CMMC compliance depends on the level required, the complexity of the company’s unclassified network, its existing cybersecurity posture, and market forces — and that costs to implement existing safeguarding requirements like DFARS 252.204-7012 are not counted as CMMC compliance costs. Those were already yours.
What the Department actually estimated
The regulatory impact analysis accompanying 32 CFR Part 170 put per-entity figures on assessment and affirmation only— not on building your environment:
- Level 1, small entity: roughly $6,000 per year
- Level 2 (Self), small entity: roughly $37,000 over three years
- Level 2 (C3PAO), small entity: $104,670 over three years; other-than-small, roughly $118,000
Every one of those numbers assumes the security work is already done. For a yard that hasn’t built its boundary, they’re the tip, not the bill.
Defer, keep, accelerate
| Line item | Call | Why |
|---|---|---|
| C3PAO booking and assessment fees | Defer | It cannot currently be designated as a requirement. Your money is idle until the Task Force reports. |
| Certification-only tooling and “audit readiness” retainers | Defer | Buying for an audit that isn’t scheduled |
| System Security Plan, asset inventory, network diagram | Keep | Required for any assessment, any level, any future version of this program. A missing SSP zeroes your score. |
| SPRS accuracy and the annual affirmation | Keep | This is now the only external checkpoint |
| Incident response capability and 72-hour reporting readiness | Keep | DFARS 252.204-7012 never paused |
| CUI identification and boundary documentation | Keep | Reduces every downstream cost you’ll ever pay |
| OT asset inventory and IT/OT segmentation | Accelerate | Serves the Department’s interim OT guidance, your future CMMC scope, and your Coast Guard obligations at once |
| NNPI approval paperwork (NN-801, NAVSEA 08) | Accelerate | Independent of CMMC, gates electronic handling, and takes time |
| USCG Cybersecurity Plan work, if MTSA-regulated | Accelerate | July 16, 2027 with an approval cycle in front of it |
Some yards should walk away instead
If DoD work is a thin slice of your revenue, your margins are tight, and your CUI exposure is small enough to contain, the smart move may be to reduce scope, sharpen your flow-down questions, or decline low-margin CUI workrather than spend into a full Level 2 program. That is a business decision, not a compliance failure, and good suppliers make it every year. If that’s you, start with the Level 1 path and scope reduction.
How to compare quotes without a price benchmark
Require every proposal to state:
| Quote line | What must be specified |
|---|---|
| Scoping | Systems, users, locations, workflows, and stated assumptions |
| Gap assessment | Standard assessed against, methodology, interview depth, deliverable |
| Remediation | Actual implementation, or recommendations only? |
| Documentation | SSP, policies, procedures, diagrams, inventory — and who owns them afterward |
| Technology | Licenses, migration, configuration, and recurring fees, itemized |
| Managed services | Coverage hours, response commitments, evidence produced, systems excluded |
| Assessment prep | Mock assessment, evidence review, personnel preparation |
| Formal assessment | A separate engagement, with the conflict-of-interest position stated |
| Ongoing support | Annual affirmation support, change management, evidence maintenance |
Red flags, in order of severity:a guaranteed certification outcome; a fixed timeline quoted before any scope discovery; “our platform makes you CMMC compliant”; a C3PAO fee bundled into a readiness engagement; no distinction between readiness and assessment; no recurring cost line; no OT or paper analysis anywhere in the proposal; and no customer responsibility matrix.
→ Compare provider categories before you request scoped quotes
What each category actually does, what it can’t do, and what to verify before you sign — so the quotes you collect are for the same work. No forms, no email.
Build, buy, or share your CUI environment?
Naval suppliers have a fourth option the rest of the Defense Industrial Base doesn’t: a Navy-provided shared engineering environment. Whether it beats a private enclave depends on how much CAD and PLM work you do and whether U-NNPI is in play. No architecture choice removes your own on-premises systems from scope.
| Option | Best fit | Handles U-NNPI? | The honest catch |
|---|---|---|---|
| Harden what you have | Small CUI footprint, decent IT already, no waterfront OT complexity | Only with separate NAVSEA 08 approval | Scope creeps to everything that touches CUI — which in a yard is usually more than you think |
| M365 GCC High or a private CUI enclave | Contained, document-centric CUI; engineering separated from production | Only with separate NAVSEA 08 approval | Licensing is not compliance. The on-prem side connecting to it stays in scope, and the responsibility matrix has to be referenced in your SSP. |
| AWS GovCloud (US) at IL5 | Heavy CAD, large models, simulation | AWS states GovCloud (US) at Impact Level 5 handles CUI and unclassified NNPI | Company-stated. Your Naval Reactors approval for the workflow is still separate. |
| Maritime Cloud Environment (MCE) | Suppliers who’d rather not build IT infrastructure at all | See disclosure below | Company-stated program claims. Verify eligibility, cost, and data ownership yourself. |
For the broader architecture decision, see our GCC High guidance and managed enclave breakdown.
Which CMMC provider category should a shipbuilder hire first?
For most yards right now, the first call is not an assessor. With third-party assessment suspended, the categories producing durable value are readiness and scoping, OT-capable managed security, evidence workflow, and environment design — roughly in that order. A C3PAO belongs in the formal assessment lane, when that assessment is contractually relevant and you’re ready for it.
| Category | Hire when | Don’t confuse it with | Verify before you sign | Shipyard-specific question to ask |
|---|---|---|---|---|
| RP / RPO (Registered Practitioner / Registered Provider Organization) | Level, scope, gap analysis, SSP, or POA&M planning is unclear | A certifying assessor | Cyber AB Marketplace status, named personnel, deliverables, conflict-of-interest position | Will you walk the shop floor before you quote? |
| CMMC-focused MSP / MSSP | Controls need to be implemented and operated continuously | Proof that you’re compliant | Shared responsibility split, External Service Provider scope, evidence produced, tenant ownership | Have you worked in an OT environment where downtime isn’t an option? |
| CUI enclave provider | CUI workflows can credibly be contained | A universal answer for a yard | Integrations, export paths, printing, backups, admin model, recurring cost | How does CAD, PLM, and shop-floor file transfer actually work across your boundary? |
| GRC platform | Evidence, SSP and POA&M workflow, and recurring operations need structure | Implementation of the security requirements | Evidence export, accurate Rev. 2 mapping, data ownership, user burden | Can it hold OT and Specialized Asset documentation, not just IT? |
| Federal-contracts attorney | Clause, amendment, flow-down, or liability is disputed | Technical implementation | Relevant federal procurement and cybersecurity contract experience | Have you handled a prime flow-down dispute mid-performance? |
| OT security specialist | Legacy machinery, IIoT, or test equipment materially affects scope | A whole CMMC program owner | OT experience, coordination with your CMMC lead, safe implementation practice | How do you validate an inventory without disrupting live processes? |
| C3PAO | A formal Level 2 certification assessment is contractually relevant and you’re ready | A readiness implementer | Current authorization in the Cyber AB Marketplace, scope, assessor assignment, conflicts, fees | Not the first call during the suspension |
The independence rule, stated precisely
Under 32 CFR § 170.8, the CMMC ecosystem must prohibit a member from participating in a Level 2 certification assessment where that member served as a consultant preparing the organization for a CMMC assessment within the previous three years. Verify the specific people, organizations, and roles — a marketing claim about “Chinese walls” does not resolve a conflict, and the burden of getting this wrong lands on you, not on them.
The Department’s FAQ also notes that while DCMA DIBCAC may assess certain high-priority contractors, the official certification path runs through a C3PAO authorized by the Cyber AB. Before you engage anyone claiming C3PAO authorization, check the Cyber AB Marketplace yourself.
At the July 13 briefing, the DoW CIO cited more than 100,000 Defense Industrial Base businesses still needing third-party assessment against roughly 100 available assessors. That imbalance is real, and it’s part of why Phase 2 got suspended. It is not a reason to book an assessment slot this month. If a vendor tells you to lock in before the pause ends, ask them to put the contractual basis for that urgency in writing.
Tell us your required level, FCI/CUI scope, environment, and timeline. You’ll see the category logic before you see any provider names.
Get matched with source-checked provider options →What goes wrong in shipyard CMMC programs
The expensive failures happen before a single control gets implemented. They are scoping, sequencing, and interpretation failures — an overbroad CUI assumption, an outdated phase schedule, an architecture bought before the workflow was traced, or the wrong provider category hired first.
| Failure | Why it happens | What it costs | The fix |
|---|---|---|---|
| Treating every naval document as CUI | Fear plus vague prime instructions | The whole yard in scope; longer assessments; evidence for systems that don’t matter | Verify category, authority, and content — the prime itself says this approach isn’t acceptable |
| Assuming no marking means no obligation | Weak designation process; FCI is rarely labeled | Under-scoped environment; a false affirmation | Escalate to the information owner and contracting officer, in writing |
| Running an old Phase 2 countdown | Stale templates and vendor decks | Buying an assessment nobody can currently require | Replace with the dated suspension status and the actual amendment |
| Hiring a C3PAO first | Certification framed as the whole problem | Independence conflicts, wasted fees, or a failed assessment | Resolve scope and implementation first |
| Ignoring paper, printers, and scanners | IT-only analysis | An uncontrolled deckplate workflow that voids a hard-copy-only posture | Map the full media lifecycle, including MFP storage |
| Calling every OT asset “specialized” and stopping there | Misreading § 170.19 | Undocumented assets that fail an SSP review | Test each asset’s actual function and securability, then document it |
| Leaving out EDR, SIEM, backup, and administrators | Scope focused only on where CUI sits | Missing Security Protection Assets and ESPs | Map security functions and the responsibility split |
| Blanket supplier flow-down | Procurement convenience | Sub-tier confusion, inflated quotes, supplier attrition | Flow requirements according to the information each sub actually receives |
| Believing a product claim | Wanting a shortcut | False confidence and a failed self-assessment | Get the customer responsibility matrix; map what stays yours |
| Affirming without current evidence | Deadline pressure | False Claims Act exposure on a signature you own | Require evidence-owner sign-off before the affirming official signs |
| Legacy ERP on unsupported Windows | Real operational constraint | Unpatchable systems inside the boundary | Document compensating controls in the SSP and build a transition plan |
| CMMC UIDs that don’t match the systems doing the work | Multi-site, multi-CAGE complexity | Systems not covered by a UID cannot be used for FCI or CUI during performance | Reconcile UIDs to actual performance systems before you submit a proposal |
What we actually verified
We don’t ask you to take our word for any of this. Here is what we read and cross-checked on , and what each source supports.
| Source | What it supports |
|---|---|
| DoW CIO memo 26-P-1023, Attachment 1 (July 13, 2026) | Suspension of the Phase 2 transition; Level 1 (Self) and Level 2 (Self) as the only permitted designations; solicitation amendments and contract modifications; waiver suspension; preservation of additional protections |
| DoW press release, “Forging the Arsenal of Freedom” (July 13, 2026) | Phase 1 requirements remain; interim enforcement against NIST SP 800-171 Rev. 2 via self-assessment and select government-led assessments; DFARS 252.204-7012 unchanged; 60-day Reform Task Force |
| DoW CIO CMMC Program FAQs (revision history updated July 13, 2026) | Phase 1 designation intent; flow-down under § 170.23; Rev. 2 as the assessed baseline; paper-only CUI position; CMMC UID and CAGE rules; SPRS “no score”/“no status” conditions; POA&M closeout mechanics; VDI scoping; encryption vs. logical separation; ESP and CSP treatment |
| 32 CFR Part 170 (eCFR §§ 170.14–170.24) | Level definitions and counts; assessment types; scoping categories; POA&M rules; affirmation requirements; ecosystem conflict-of-interest restriction at § 170.8 |
| DoD CIO CMMC Level 2 Scoping Guide, v2.13 | The five asset categories and their documentation and assessment treatment; Specialized Asset definitions; separation guidance |
| DoD CUI Program FAQ, Use of Distribution Statements | A distribution statement does not automatically make a document CUI |
| DFARS 252.204-7012, -7021, -7025 (Acquisition.gov) and the Feb. 1, 2026 class deviation | Safeguarding and incident reporting obligations; CMMC status requirements; clause renumbering |
| DoW CIO “Brilliant at the Basics” (retrieved July 18, 2026) | The IT and OT Top 10 lists issued as interim guidance |
| 32 CFR § 117.23(f) | NNPI governed by OPNAVINST N9210.3; contracts granting NNPI access must require compliance; waivers require Naval Reactors concurrence |
| BPMI supplier cybersecurity page (retrieved July 18, 2026) | NN-801 Rev. 5 requirement; relationship to NIST SP 800-171 Rev. 2; approval letter retention; FY27 supplier expectations |
| HII–Newport News Shipbuilding supplier webinar FAQs (Feb. 3, 2025) | Hard-copy transmission status and Exostar; minimum flow-down table; NAVSEA 08 ATO gate for U-NNPI; the position against treating all documents as CUI; Distribution D and CUI//EXPT treatment; NNPI marking status |
| 33 CFR Part 101, Subpart F (eCFR) and USCG guidance | Effective date, training deadline, and the July 16, 2027 Cybersecurity Officer, assessment, and plan submission requirements |
| 32 CFR Part 170 regulatory impact analysis (Federal Register) | The Department’s published per-entity assessment and affirmation cost estimates |
CMMC for shipbuilders: frequently asked questions
- Do all shipbuilders need CMMC?
- No. Applicability depends on the procurement, the written requirement, and whether your contractor-owned systems process, store, or transmit FCI or CUI. A supplier receiving neither may have no CMMC requirement — but should confirm it against the contract rather than assume it.
- Did the July 2026 suspension cancel CMMC?
- No. The Department suspended the transition to Phase 2 and paused new Level 2 (C3PAO) and Level 3 (DIBCAC) designations. Phase 1 self-assessment requirements remain in force and DFARS 252.204-7012 is unchanged. A CMMC Reform Task Force is reviewing the program, with a report due to the DoW CIO within 60 days of the July 13, 2026 announcement.
- What CMMC level does a shipyard need?
- The level comes from the solicitation and resulting contract. During Phase 1, the Department’s stated intent is Level 1 when only FCI is involved and Level 2 (Self) when any CUI is processed, stored, or transmitted in contractor-owned systems.
- Are naval ship drawings automatically CUI?
- No. Drawings can contain Controlled Technical Information or other CUI categories, but naval subject matter alone is not a determination. The DoD CUI Program states that applying a distribution statement does not automatically make a document CUI.
- Does a work package created from a CUI drawing become CUI?
- There is no universal rule, and the answer depends on the content, category, and any derivation instructions from the information owner. Newport News Shipbuilding advises that when technical information from a Distribution Statement D document is incorporated into a new document, the new document should be marked CUI//EXPT. Ask your buyer for derivation guidance in writing.
- Does CMMC cover U-NNPI?
- No. Unclassified Naval Nuclear Propulsion Information is a CUI Specified category with additional safeguarding requirements applied through contract. Under 32 CFR § 117.23(f), NNPI is governed by OPNAVINST N9210.3 and all contracts granting access must require compliance with its specific safeguarding requirements. A CMMC status does not authorize U-NNPI processing.
- What is NN-801, and do I need it?
- NN-801 is the Naval Reactors requirements document for controlling and protecting U-NNPI. BPMI states that it requires supplier compliance with NN-801 Revision 5 for physical and cybersecurity controls, and that suppliers should retain their NN-801 security plan approval letter. Whether it applies to you depends on your purchase order — confirm with your buyer.
- Do I need NAVSEA 08 approval to process NNPI on my systems?
- If your work involves NNPI, yes — approval to process NNPI on a non-federal information system comes from NAVSEA 08 / Naval Reactors. HII–Newport News Shipbuilding publishes a supplier procedure for obtaining it, and states that hard copies cannot be phased out for U-NNPI until the supplier obtains an Authority to Operate from NAVSEA 08.
- My prime still requires CMMC. Do I have to comply?
- Probably, until they tell you otherwise in writing. The suspension memo directs Department contracting officers and requiring activities; it does not automatically rewrite a prime’s purchase order terms or supplier portal requirements. Ask your prime, in writing, whether its requirement has changed post-July 13.
- Are CNC machines and shop-floor equipment in CMMC scope?
- Not automatically, and not in the way most people assume. Under 32 CFR § 170.19, Operational Technology, IIoT, Government Furnished Equipment, Restricted Information Systems, and Test Equipment can qualify as Specialized Assets — which must be documented in the asset inventory, the SSP, and the network diagram, but are not assessed against the other CMMC security requirements at Level 2. The programming workstation that generates the toolpath is usually the higher-risk asset.
- Does paper-only CUI keep us out of a CMMC assessment?
- The Department’s FAQ states that organizations handling only hard-copy CUI are not required to complete a CMMC third-party assessment, though the CUI must still be safeguarded under NIST SP 800-171 and DoD Instruction 5200.48. If that CUI is later scanned, entered, photographed, uploaded, printed, or emailed, the information system involved is expected to satisfy applicable CMMC assessment requirements first.
- Is encrypted CUI still CUI?
- Yes. Under 32 CFR Part 2002, CUI remains controlled until formally decontrolled, and the Department confirms that encrypted CUI retains the designation of its plaintext counterpart. Encryption is a safeguarding measure, not a reclassification.
- Can an enclave keep the rest of the yard out of scope?
- It can, when the separation and workflow containment are real and documented. Two Department clarifications matter: encryption alone does not create logical separation, and an enclave that transmits properly encrypted CUI across otherwise logically separated enterprise networking components does not automatically extend scope to those components.
- Do we need Microsoft GCC High?
- No regulation names a specific commercial product. Under DFARS 252.204-7012, a cloud service provider storing, processing, or transmitting CUI must meet security requirements equivalent to the FedRAMP Moderate baseline. The right product depends on your workflows and your contract. See our GCC High for CMMC guide for the full comparison.
- Does our MSP need its own CMMC certification?
- No. The Department’s FAQ states that an MSP providing a non-cloud system storing CUI is not required to have its own CMMC assessment, though it may elect one. But where an MSP handles IT support and an MSSP handles security tooling, both qualify as External Service Providers and are assessed as part of your assessment scope.
- Do the prime and subcontractor need the same CMMC level?
- No. A lower level may apply to the subcontractor if the prime flows down only limited information. The rule’s minimum flow-down table sets the floor based on whether the sub will process, store, or transmit FCI or CUI.
- Are COTS suppliers exempt?
- Procurements solely for commercially available off-the-shelf items receive specific treatment under the CMMC acquisition rule, but a supplier should still review the actual procurement, the data received, and the flow-down language rather than assume every commercial sale eliminates all safeguarding obligations.
- Is NIST SP 800-171 Revision 3 the CMMC baseline now?
- No. The Department’s FAQ states that CMMC assessments are conducted against Revision 2, held in place by a class deviation to DFARS 252.204-7012, until Revision 3 is incorporated through rulemaking. Contractors may implement Revision 3 using the Department’s Organization-Defined Parameters, but must address any gaps against Revision 2, because Revision 2 is what gets assessed.
- Can we still get a Level 2 (C3PAO) certification voluntarily?
- Existing certifications remain valid — the Cyber AB reported 1,391 Final Level 2 certificates issued as of its May 2026 town hall, and nothing invalidates them. But the Department has not issued comprehensive guidance on assessments already scheduled or under contract. Talk to your C3PAO and your contracting officer before you change anything.
- What is the first CMMC step for a shipbuilder?
- Obtain the exact solicitation, contract, subcontract, amendment, and prime flow-down. Then identify what FCI and CUI actually enter each yard workflow. Do both before you request a single technology or assessment quote.
Your next step
You don’t need to memorize 110 controls this week. You need four things, in this order: the written requirement, the data types entering your yard, the boundary around them, and the right kind of help.
The first three are free. We’ve given you the method for all of them above. The fourth is where most yards lose six figures, and it’s the one decision you can make in the next ten minutes.
Related reading
- CMMC Phase 2 suspended: what changed on July 13, 2026
- CMMC Level 1 vs Level 2 vs Level 3
- Self-assessment vs C3PAO assessment
- CMMC scoping guide
- CMMC Level 2 cost guide
- SPRS score: what contractors need to know
- CMMC for machine shops
- CMMC for cybersecurity companies
- CMMC for subcontractors
- CMMC for manufacturers
- GCC High for CMMC
- CMMC managed enclaves