The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
Find My CMMC Path
No CUI uploads. No vendor routing until your scope is clearer.
Start →
Status alert — July 13, 2026: The Department of War suspended the transition to Phase 2 of the CMMC program. Program managers may currently designate only CMMC Level 1 (Self) or Level 2 (Self). New Level 2 (C3PAO) and Level 3 (DIBCAC) designations are paused. Phase 1 self-assessment requirements remain in force, and DFARS 252.204-7012 safeguarding obligations are unchanged. (Source: DoW CIO memo 26-P-1023, Attachment 1; DoW CMMC Program FAQs, revision history updated July 13, 2026.)

CMMC for Shipbuilders: What Shipyards and Naval Suppliers Actually Owe in 2026

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance

Published: · Last reviewed:

Educational research for the Defense Industrial Base — not legal, contractual, assessment, or compliance advice. Confirm contract interpretation with a qualified federal-contracts attorney, and confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) before acting.


CMMC for shipbuilders is set by your contract and your data — not by your trade. If a Navy solicitation, contract, subcontract, or prime purchase order requires a CMMC status for systems that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), it applies to you. As of July 18, 2026, the only levels the Department can designate are Level 1 (Self) and Level 2 (Self).

Bottom line:For a naval supplier, the pause stopped one clock and left the others running. DFARS 252.204-7012 never paused. Your prime’s purchase order terms never paused. If you touch U-NNPI, the NAVSEA 08 approval gate never paused. And if your facility is MTSA-regulated, the Coast Guard’s July 16, 2027 cybersecurity deadline is a separate clock nobody at the Pentagon touched.

Four questions before you spend a dollar

These are free, they take a week, and they determine every number you will ever be quoted.

  1. Which document actually requires CMMC of us— the solicitation, the contract, a subcontract, or a prime’s purchase order terms?
  2. What information really enters our systems— FCI, CUI, U-NNPI, export-controlled data, or paper only?
  3. Which of our systems and workflows touch that information, including the shop floor and the file cabinet?
  4. Has our requirement changed in writingsince July 13, 2026?

Answer those four and you’ve done more than most yards will do this quarter. Everything below is the method.


Start where you are

Your situation right nowGo here first
“I saw the headline. Is CMMC over?”What paused and what didn’t
“My prime is still pushing us. Who’s right?”Prime terms vs. the pause
“We got a drawing and we don’t know what it is.”What counts as CUI in a yard
“Our purchase order mentions NN-801 or NAVSEA 08.”The second gate
“We have a quote in hand and we don’t know if it’s fair.”Cost, and what to stop paying for

Is this guide for you?

Your organizationUse this guide?
Shipyards, ship-repair and overhaul yards, module buildersYes
Naval architecture and marine engineering firmsYes
Marine fabricators, pipe/valve/electrical/HVAC suppliers to Navy programsYes
Shipboard systems integrators, sea-trial and test supportYes
Suppliers working through shipyard portals (Exostar, SPARS) or prime flow-downsYes
Multi-facility organizations with more than one CAGE codeYes
A small CNC job shop with no yard, no waterfront, no U-NNPINo — read CMMC for machine shopsinstead. It’s shorter and built for you.
An aerospace supplier with no naval workNo — read CMMC for aerospace suppliers.
You handle classified informationCMMC does not apply to classified systems. That’s a separate program-security conversation.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures. We are not affiliated with the Cyber AB, the Department of War, DCMA DIBCAC, NIST, NAVSEA, or any U.S. government agency.


Does CMMC for shipbuilders still apply after the July 2026 suspension?

Yes. The Department suspended one verification mechanism, not the underlying obligation. CMMC is the Department’s program for verifying that contractors protect FCI and CUI. The July 13, 2026 action paused the third-party certification phase; it did not pause self-assessments, DFARS safeguarding duties, or any naval requirement that lives outside CMMC.

During the suspension, program managers may include only CMMC Level 1 (Self) or Level 2 (Self) in procurement documents. They may not designate Level 2 (C3PAO) or Level 3 (DIBCAC). Where a solicitation already carries those levels, the contracting officer is directed to amend “as soon as practicable.” Existing contracts carrying those requirements are to be removed by modification at the next option or administrative modification. No waivers are being granted during the review period.

The Department also stood up a CMMC Reform Task Force with 60 days to report back, and opened a public Request for Information — Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base — with responses due 12:00 p.m. ET, Friday, August 14, 2026.

What paused and what didn’t — the naval supplier version

Last verified

ObligationStatus right nowWho sets itWhere we checked
Level 2 (C3PAO) as a new procurement designationSuspendedDoW CIOMemo 26-P-1023, Attachment 1
Level 3 (DIBCAC) as a new procurement designationSuspendedDoW CIOMemo 26-P-1023, Attachment 1
A solicitation that still shows C3PAO or DIBCACTo be amended “as soon as practicable”Contracting officerMemo 26-P-1023, Attachment 1
Existing contract carrying those requirementsRemoved by modification at next option or admin modContracting officerMemo 26-P-1023, Attachment 1
CMMC waiversNone granted during the reviewDoW CIOMemo 26-P-1023, Attachment 1
Level 1 (Self) — 15 requirements, annual, no POA&MsActive32 CFR § 170.15eCFR; DoW CMMC FAQ
Level 2 (Self) — 110 requirements, three-year cycle, annual affirmationActive32 CFR § 170.16eCFR; DoW CMMC FAQ
NIST SP 800-171 Rev. 2 as the assessed baselineActiveClass deviation to DFARS 252.204-7012DoW CMMC FAQ B-A3
DFARS 252.204-7012 safeguarding and 72-hour incident reportingUnchangedYour contractDoW release, July 13, 2026
U-NNPI safeguarding and NAVSEA 08 approvalNever part of CMMC. Unaffected.Naval Reactors / your contract32 CFR 117.23(f); OPNAVINST N9210.3
Your prime’s purchase order cyber termsUnchanged until your prime changes themThe primePublished prime supplier requirements
Coast Guard MTS cybersecurity rule (if MTSA-regulated)Active, separate schedule33 CFR Part 101, Subpart FeCFR
Program-specific additional protectionsExpressly preservedRequiring activityMemo 26-P-1023, Attachment 1

That last row deserves a second read. The memo that suspended Phase 2 also states that program managers and requiring activities may require additional cybersecurity protections commensurate with law and regulation. In naval work, that sentence carries weight — because the requirements that matter most in a submarine or carrier supply chain were never CMMC requirements in the first place.

What actually changed for you

  1. You cannot currently be told to hire a C3PAO by a Department requiring activity. If a live solicitation still says so, that is now an amendment question — put it in writing to the contracting officer.
  2. Your self-assessment just became the whole ballgame. With independent verification paused, the score and affirmation you post in SPRS carry the full legal weight. Nobody is checking your homework before award. Somebody may check it after.
  3. Nothing about NIST SP 800-171 Rev. 2 got easier. The Department said plainly that during the interim it will enforce compliance against Rev. 2 through self-assessments and select government-led assessments.

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find My CMMC Path →

Which CMMC level does a shipbuilder need right now?

Your level comes from the solicitation and the resulting contract, not from your industry. The Department’s own FAQ states that during Phase 1 the intent is for solicitations to carry CMMC Level 1 when only FCI will be processed, stored, or transmitted, and CMMC Level 2 (Self) when any CUI will be handled in contractor-owned systems. Level 3 cannot be designated during the suspension.

Your situationPath to investigateWhat it involvesVerified against
Only FCI enters your systems (POs, schedules, non-public quantities)Level 1 (Self)15 requirements from FAR 52.204-21(b)(1); annual self-assessment and affirmation; no POA&Ms permitted32 CFR § 170.15
Any CUI enters contractor-owned systems (drawings, specs, technical data)Level 2 (Self) during the suspensionAll 110 NIST SP 800-171 Rev. 2 requirements across 14 families; assess every 3 years; affirm annually; score to SPRS32 CFR § 170.16; DoW FAQ D-A5
CUI handled only on paperSafeguarding still required; third-party assessment not requiredSee the paper section — the moment you scan it, this changesDoW CMMC FAQ C-A11
Your document still says Level 2 (C3PAO) or Level 3Amendment or modification analysisRequest the written change. Don’t act on a press release.Memo 26-P-1023
You receive no FCI and no CUICMMC may not apply to that environmentVerify against the actual procurement and data flow — document why32 CFR § 170.3
Solely COTS itemsSpecific treatment appliesConfirm the actual procurement and flow-down languageDFARS CMMC rule

Level 2 does not automatically mean “hire an assessor.” This is the single most expensive misreading in the entire program. The 110 requirements are identical whether you self-assess or a C3PAO assesses you. What differs is who signs. Right now, only you can.

What flows down to you as a subcontractor

The Department’s FAQ confirms CMMC requirements flow down per 32 CFR § 170.23, and that the required level is driven by the type of data — FCI or CUI — that will be processed, stored, or transmitted during performance. Newport News Shipbuilding reproduced the rule’s minimum flow-down table for its own suppliers in February 2025:

If the prime holds…And the sub handles FCIAnd the sub handles CUI
Level 1 (Self)Level 1 (Self)N/A
Level 2 (Self)Level 1 (Self)Level 2 (Self)
Level 2 (C3PAO)Level 1 (Self)Level 2 (C3PAO)
Level 3 (DIBCAC)Level 1 (Self)Level 2 (C3PAO)

Source: 32 CFR Part 170, Table 2, as published to suppliers by HII–Newport News Shipbuilding, February 3, 2025. The prime and the subcontractor do not have to be at the same level. The C3PAO rows reflect what the rule says; what the Department can designate today is narrower. Both facts are true at once.

The right CMMC provider isn’t the same for every contractor — the category you need depends on your required level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

Map your level and assessment type before you price anything →

Five questions about your contract and environment. Two minutes, no email required. The tool asks about categories, never content: no CUI, drawings, or contract attachments.


What actually counts as CUI in a shipyard?

Ship drawings, specifications, models, work packages, and test records can contain CUI — but naval subject matter alone does not make a document CUI, and neither does a distribution statement. The DoD CUI Program states plainly that applying a distribution statement does not automatically mean the document is CUI, because under DoDI 5230.24 distribution statements go on technical documents whether they are classified, unclassified, or CUI. The determination runs on content and category, not on the stamp.

This is where most shipyard programs go wrong in the first week — in both directions.

The over-scoping trap

The instinct, when a drawing shows up with legends all over it, is to declare the whole yard a CUI environment and move on. Newport News Shipbuilding tells its own suppliers not to do that. NNS answers directly that treating all documents as CUI drives up cost by securing systems that don’t handle CUI, expands scope unnecessarily, lengthens C3PAO assessments, requires extra evidence for unrelated systems, adds controls to non-CUI work, and misaligns with CMMC’s own emphasis on scoping boundaries.

When the prime that sends you the drawings is telling you to scope tighter, the vendor telling you to scope wider deserves a hard question.

The under-scoping trap

The mirror-image error is assuming that no marking means no obligation. FCI is typically not labeled at all. And Distribution Statement D is what NNS calls a legacy marking that falls under the CUI umbrella — existing documents carrying it should be treated as CUI//EXPT, and Distribution D information can only be shared with contractors certified under the Joint Certification Program (JCP), the DLA-administered program that authorizes U.S. and Canadian firms to receive unclassified export-controlled technical data.

The question nobody answers: does your work package inherit CUI status?

This is the shipbuilding question. You receive a controlled drawing. Your planners build a bill of materials, a traveler, a router, a weld procedure, an NC program, and a set of assembly and test instructions from it. Do those inherit the designation?

There is no universal rule. But Newport News Shipbuilding states that when technical information from a Distribution Statement D document is incorporated into a new document, the new document should be marked CUI//EXPT. That gives you a workable test rather than a guess:

  1. Does the derived record actually reproduce or reveal controlled content — dimensions, tolerances, materials, performance characteristics, signatures, program detail? Or is it a routing card that says “weld per procedure, see drawing”?
  2. What category and authority applies to the source information?
  3. Did the prime or the Government issue derivation or marking instructions? Ask. In writing.
  4. Can the work instruction be rewritten to omit the controlled content — referencing the drawing rather than restating it? For many yards this single design decision moves entire ERP and shop-floor systems out of the boundary.
  5. Who is authorized to resolve the ambiguity? It is not your IT vendor. It is the information owner, your buyer, or your contracting officer.

One more practical note from NNS: the most common CUI document attached to their purchase orders isn’t the drawing at all — it’s Appendix B, which isn’t attached to the PO and has to be requested from the buyer. Other common CUI items include other appendices, some drawings, P-Specs, and some Mil-specs. If your CUI inventory started and stopped at “the drawings,” it’s incomplete.

We cannot tell you whether a specific drawing on your server is CUI. Nobody writing a general guide can, and you should be suspicious of any page or vendor that claims otherwise. What we can do is give you the authority, the test, and the escalation path — which is what this page does.


The second gate: U-NNPI, NN-801, and NAVSEA 08

If your work touches Unclassified Naval Nuclear Propulsion Information, CMMC is a floor, not a permission slip. U-NNPI is a CUI Specified category with a safeguarding regime that predates CMMC and sits on top of it. Meeting NIST SP 800-171 does not authorize you to process U-NNPI on your systems. A separate Naval Reactors approval does. Nothing in the July 13 suspension touched it.

This is the single biggest blind spot in the CMMC coverage aimed at shipbuilders, and it is not close.

Where the requirement comes from

Under 32 CFR § 117.23(f), NNPI is governed by OPNAVINST N9210.3; all contracts granting access to NNPI must require compliance with the specific safeguarding requirements in that instruction; and any waiver or deviation from NNPI security requirements needs Naval Reactors’ concurrence. The security requirements for this category exceed the baseline standards and are applied through specific contract requirements.

Translation for a valve shop in Connecticut: your CMMC status and your NNPI authorization are two different things, granted by two different authorities, and one does not substitute for the other.

What the primes actually require

Checked July 18, 2026.

Bechtel Plant Machinery, Inc. (BPMI)— the Naval Reactors prime for propulsion plant components — states on its supplier cybersecurity page that it will continue to require contractors to comply with NN-801 Revision 5for physical and cybersecurity controls protecting U-NNPI. BPMI describes NN-801’s Section 10 cybersecurity controls as aligned with and complementary to NIST SP 800-171, with more stringent criteria approved by Naval Reactors, such that supplier systems BPMI approves for U-NNPI under NN-801 Rev. 5 are also compliant with NIST SP 800-171 Revision 2. BPMI also tells suppliers to keep their U-NNPI plans, policies, procedures, and their NN-801 security plan approval letter current and on file.

HII–Newport News Shipbuilding publishes a procedure for suppliers to obtain NAVSEA 08 approvalto process NNPI on non-federal information systems, requiring a letter identifying applicable contract numbers and statements of work, buyer and seller cybersecurity points of contact, the type of information involved, and the affected systems. NNS stated in its February 2025 supplier FAQ that hard copies cannot be phased out for U-NNPI unless and until the supplier obtains an Authority to Operate from NAVSEA 08. For a nuclear-side supplier, an ATO from NAVSEA 08 is what unlocks electronic handling. A CMMC certificate does not.

The two-gate model

Gate 1 — CMMC / DFARSGate 2 — U-NNPI
What it verifiesThat you implemented FAR 52.204-21 or NIST SP 800-171 Rev. 2That Naval Reactors approves your specific system for U-NNPI
Who grants itYou (self-assessment) or a C3PAO when authorizedNAVSEA 08 / Naval Reactors, via your prime
Governing document32 CFR Part 170; DFARS 252.204-7012OPNAVINST N9210.3; NN-801 Rev. 5
Evidence you holdSPRS status, affirmation, SSPNN-801 security plan approval letter; NAVSEA 08 approval
Suspended July 13, 2026?The C3PAO/DIBCAC designation wasNo
Does Gate 1 satisfy Gate 2?No

One honest caveat on marking, straight from NNS: as of February 2025, NNS reported it was compliant with DoDI 5200.48 marking guidance for all CUI categories other thanNNPI, and instead follows the NNPI marking guidance in OPNAVINST N9210.3 because that is the reference invoked by its prime contracts. If your NNPI markings look inconsistent with everything else in your CUI training, that’s why. Ask your buyer which instruction governs your purchase order.

If you just realized this applies to you

Send your buyer these three questions this week:

  1. Does this purchase order involve U-NNPI? Which document establishes that?
  2. What is our current NNPI handling authorization — hard copy only, or approved for electronic processing?
  3. If we want electronic handling, what does NAVSEA 08 approval require of us, and who sponsors the request?

The full set of twelve questions — covering clause, level, CUI category, flow-down, and evidence — is further down this page. Ask the NNPI three first. They’re the ones with the longest lead time.


Which shipyard systems belong in the CMMC boundary?

The entire yard is not automatically in scope. Under 32 CFR § 170.19, Level 2 assets fall into five categories, and each carries a different documentation and assessment burden. Most shop-floor equipment — burn tables, weld cells, cranes, metrology, test sets — lands in Specialized Assets, which must be inventoried, documented in the System Security Plan, and drawn on the network diagram, but is not assessed against the rest of the control set.

That distinction is worth real money, and most yards have never been told it exists.

The five categories, in plain terms

CategoryWhat it means in a yardDocumentation requiredHow it’s assessed at Level 2
CUI AssetsAnything that processes, stores, or transmits CUIAsset inventory, SSP treatment, network diagramAgainst all Level 2 requirements
Security Protection AssetsThings that provide security functions to your scope — EDR, SIEM, VPN, your MSSP’s peopleAsset inventory, SSP, network diagramAgainst the Level 2 requirements relevant to what they provide
Contractor Risk Managed AssetsCould handle CUI but are prevented from doing so by documented policy and practiceAsset inventory, SSP, network diagramSSP reviewed. If documentation is thin, the assessor may run a limited check
Specialized AssetsOT, IIoT, Government Furnished Equipment, Restricted Information Systems, Test EquipmentAsset inventory, SSP showing risk-based management, network diagramSSP reviewed. Not assessed against other CMMC requirements
Out-of-Scope AssetsCannot process, store, or transmit CUI; provide no protection to CUI assets; separatedNoneNone — but be ready to justify it

Source: 32 CFR § 170.19(c)(1) Table 3, as reproduced in the DoD CIO CMMC Level 2 Scoping Guide, v2.13.

The Shipyard Boundary Matrix

Real yard workflows and equipment mapped to the § 170.19 categories, the evidence you’ll need, and the mistake that quietly expands your scope. Treat this as a first-pass investigative classification, not a compliance determination. A workflow belongs in your final boundary only after you verify the contract, the information type, the actual data flow, and your separation controls.

Last verified

Workflow / assetTypical systemsFirst category to investigateEvidence to holdThe mistake that expands scope
Bid and contract adminSolicitations, POs, clause matrices, supplier termsLevel 1 scope if FCI-only; CUI Asset if CUI attachments live thereContract register, clause inventory, amendments, prime instructionsMissing the CUI appendix that isn’t attached to the PO
Naval engineering and designCAD, CAE, PLM, hull models, arrangement drawingsCUI AssetRepository permissions, drawing provenance, export paths, audit logsLocal caches, personal drives, and “temporary” desktop copies
Production planningERP, MES, BOMs, travelers, routers, work instructionsCUI Asset if derived records carry controlled content; otherwise FCI or out-of-scopeField-level review, sample work package, derivation processRestating controlled dimensions in a traveler when a reference would do
CAM / CNC / DNCToolpaths, NC code, controllers, programming stations, machine serversCUI Asset or Specialized Asset depending on function and securabilityProgram lineage, connectivity map, removable-media path, controller inventoryTreating the programming workstation like the machine. It isn’t.
Welding, NDT, QAWeld procedures, radiographs, inspection databases, portable test unitsCUI Asset; test equipment may be SpecializedMarking procedure, inspection data flow, equipment inventory, media custodyInspection databases nobody remembered were on the network
Cranes, dry dock, environmental, access controlPLCs, SCADA, pump and caisson controls, badge systems, paint/blast monitoringSpecialized Asset (OT) in most casesOT topology, data-flow evidence, risk-based policy, segmentation proofAssuming “it’s OT” ends the analysis — the documentation is still required
Deckplate paperPrinted drawings, build books, redlines, bindersPhysical handling process; any device that digitizes it is assessed separatelyCheck-out logs, storage controls, print/scan policy, destruction recordsThe multifunction printer with a hard drive
Supplier portals and subtier exchangeExostar, SPARS, secure file transfer, emailCUI Assets plus External Service Provider scopingFlow-down records, portal responsibility matrix, tenant ownership, access recordsAssuming the portal owner carries your compliance
On-vessel and field workLaptops, tablets, removable media, portable test units, sea-trial systemsCUI Asset or Specialized AssetDevice custody, remote-access config, media controls, field inventoryThe laptop that goes aboard and never gets re-imaged
Email, cloud, backup, security toolingM365 tenant, file storage, backups, SIEM, EDR, identityCUI Asset, Security Protection Asset, and CSP/ESP scopeFedRAMP or equivalency evidence, service description, customer responsibility matrixForgetting that your MSSP is in scope
Government Furnished EquipmentGovernment-owned test sets, loaned systemsSpecialized Asset (GFE)Inventory, custody, SSP entryLeaving it out of the inventory because “it’s theirs”

Four scoping facts that save yards real money

  1. VDI endpoints can be out of scope — under conditions. An endpoint hosting a virtual desktop client is an Out-of-Scope Asset if it is configured to permit no processing, storage, or transmission of CUI beyond keyboard, video, and mouse. Block copy-paste and file transfer across the session, disable client drive mapping and print redirection, keep all CUI handling inside the session, and use MFA to the VDI server that is separate from the unmanaged client. Configuration must be verified.
  2. Encryption alone does not create logical separation. The Department says so directly. Logical separation is achieved by software or network controls — firewalls, routers, VPNs, VLANs. Encryption protects confidentiality; it does not enforce a boundary.
  3. An enclave that routes encrypted CUI through your enterprise network does not automatically drag that network into scope. Per the Department’s scoping FAQ, so long as the enclave is otherwise logically separated, transmitting properly encrypted CUI across enterprise networking components does not extend the assessment scope to those components.
  4. Your MSP and MSSP are in scope even when you send them no CUI — but they don’t need their own certification. The Department’s answer is unambiguous: where an MSP handles IT support and an MSSP handles security tooling, both qualify as External Service Providers and are assessed as part of your assessment scope against applicable requirements, without needing their own CMMC certification.

Build your shipyard scope worksheet

Pre-loaded with the § 170.19 categories and the yard asset classes above, so your first pass takes an afternoon instead of a quarter. It captures system categories only — never upload CUI, drawings, or technical data.


Does paper-only CUI keep a yard out of a CMMC assessment?

Yes — narrowly, and only until someone scans it. The Department states that organizations handling only hard-copy CUI are not required to complete a CMMC third-party assessment, though they may choose a self-assessment or third-party assessment for greater assurance. The paper itself must still be safeguarded. And the moment that CUI is placed on an information system digitally, that system is expected to satisfy applicable CMMC assessment requirements first.

The Department’s list of what counts as digitizing is broad: scanning, entering, photographing, uploading, printing, or emailing. When DFARS 252.204-7012 is in the contract and flowed down, every organization that processes, stores, or transmits CUI — including in hard copy — remains obligated to safeguard it under NIST SP 800-171 and DoD Instruction 5200.48.

Newport News Shipbuilding runs a hard-copy transmission status for suppliers. NNS buyers mail drawings to a supplier when that supplier hasn’t submitted its NIST SP 800-171 control implementation in Exostar, or when the NNS cybersecurity team’s review says the supplier should receive hard copy only. NNS then states plainly: loading the document into the supplier’s information system negates the hard-copy-only posture. The paper isn’t a loophole. It’s a holding pattern with a documented exit.

The deckplate checklist

Walk this list before you claim paper-only:

Miss one and you aren’t paper-only — you’re a yard with an undocumented CUI system. The most common failure is the shop scanner nobody put on the network diagram. Walk the floor with the scope worksheet and find it before somebody else does.


Your prime says you need CMMC. Who is right?

Both of you can be. The suspension memo directs Department contracting officers and requiring activities. It does not automatically rewrite a prime’s purchase order terms, supplier portal requirements, or fiscal-year conditions. Until your prime issues something in writing, its requirements stand on their own contractual footing.

Checked July 18, 2026.

BPMIstates on its supplier cybersecurity page that CMMC requirements will be incorporated into its fiscal year 2027 terms and conditions, and that by the start of FY27 suppliers must confirm and provide evidence of CMMC Level 2 certification status to be eligible for contract awards — including a certificate with the CMMC Unique Identifier and applicable CAGE codes, or an SPRS report showing the final status, UID, assessment date, scope, and expiration.

NNSrequires suppliers to register and maintain an active Exostar Onboarding Module account and complete its cybersecurity questionnaire, per the cybersecurity provision in the DoD appendices to its purchase orders. Neither prime’s page had been rewritten for the suspension when we checked. That is not an accusation; it’s five days. But it is exactly why “the Pentagon paused it” is not an answer you can give your buyer.

Get it in writing — the twelve questions

Send these to your buyer, prime supplier quality contact, or contracting officer. Copy them verbatim. The written answers become your scope file, and your scope file is what protects you if anyone ever questions your affirmation.

  1. Which clause or flow-down establishes the CMMC requirement for this solicitation, contract, subcontract, or purchase order?
  2. What CMMC level and assessment type are required?
  3. Has that requirement been amended following the July 13, 2026 Phase 2 suspension? If so, please provide the amendment or modification.
  4. Which information we will receive or create is expected to be FCI, and which is expected to be CUI?
  5. What CUI category and safeguarding authority applies?
  6. Which drawings, appendices, specifications, portals, or data exchanges contain that information?
  7. Are we authorized to operate hard-copy-only, or to use a designated portal or Government-furnished environment?
  8. Does this work involve U-NNPI? If so, what is required for NAVSEA 08 approval, and what is our current status?
  9. What must we flow to each sub-tier supplier, based on the information each receives?
  10. Which CMMC Unique Identifier, SPRS status, or assessment evidence must we provide, and at what point in the procurement?
  11. Who is authorized to resolve a conflicting or unclear CUI marking?
  12. Please provide the answer, and any applicable attachment or handling instruction, in writing.

A detail with teeth: the Department states that offerors must identify every CMMC Unique Identifier in the proposal that will be used to process, store, or transmit FCI or CUI, and that any company information systems not represented by the UIDs provided are considered non-compliant and cannot be used to process, store, or transmit FCI or CUI during performance. For a multi-yard organization or a company with several CAGE codes, that sentence is a bid-killer if you get it wrong.

Get the shipbuilder clause-and-scope question set

The twelve questions above, formatted to send today, plus the evidence list that opens your scope file. Free, no obligation. Never include CUI, drawings, or contract attachments in anything you send us.


Which clause numbers should a shipbuilder look for in 2026?

Clause numbers changed in February 2026, and both old and new numbers are circulating. A Department class deviation under the FAR overhaul took effect February 1, 2026: DFARS 252.204-7019 is no longer prescribed, DFARS 252.204-7020 appears as DFARS 252.240-7997 under a new DFARS Part 240, and FAR 52.204-21 was relocated to FAR 52.240-93. DFARS 252.204-7012 and the CMMC clause DFARS 252.204-7021 are unchanged.

This matters more for shipbuilders than for most, because a yard is often running work under contracts issued across four or five different procurement vintages at the same time.

What you may see in the documentWhat it addressesHow to read it in July 2026
FAR 52.204-21 (now FAR 52.240-93)Basic safeguarding for systems containing FCI — the 15 requirements behind CMMC Level 1Still the Level 1 substance. Numbering moved under the overhaul.
DFARS 252.204-7012Safeguarding covered defense information, NIST SP 800-171 implementation, 72-hour cyber incident reporting, cloud conditions, subcontract flow-downUnchanged and fully in force. The July suspension did not touch it.
DFARS 252.204-7019 / -7020The prior structure for NIST SP 800-171 DoD assessment notice and requirementsYou may still see them in older instruments. Their absence from a new solicitation does not mean you have no assessment obligation.
DFARS 252.240-7997The renumbered assessment-requirements clause under Part 240; “Basic” assessment references removedExpect it in newer solicitations governed by the deviation.
DFARS 252.204-7021The CMMC clause — ties eligibility to your CMMC status in SPRS and requires flow-downUnchanged. Became effective November 10, 2025.
DFARS 252.204-7025Notice of CMMC level requirements, appearing with 7021Read it. It’s where the required level shows up.
Memo 26-P-1023 (July 13, 2026)Limits current designations to Level 1 (Self) or Level 2 (Self); directs amendmentsProcurement direction, not a contract modification. Get the written amendment.

Two cautions. First, the class deviation runs ahead of formal rulemaking, so the codified DFARS still lists the legacy clauses — both numbers can appear depending on your instrument. Second, on June 23, 2026 the FAR Council moved the overhaul into formal notice-and-comment rulemaking (FAR Case 2026-001, comments due July 23, 2026), which could change numbering again. Use the deviation numbers in force today and verify against the four corners of your actual solicitation.

The Rev. 2 versus Rev. 3 question, settled

The Department’s FAQ is direct: CMMC assessments are conducted against NIST SP 800-171 Revision 2, held in place by a class deviation to DFARS 252.204-7012, until Revision 3 is incorporated into the CMMC Program rule through rulemaking. Contractors mayimplement Revision 3 — using the Department’s Organization-Defined Parameters from the April 2025 memorandum — but must ensure any gaps between Rev. 2 and Rev. 3 are addressed, because Rev. 2 is what gets assessed. If a vendor is selling you a Rev. 3 build as “future-proofing,” that’s a legitimate strategy. It is not a substitute for Rev. 2 traceability.


If the assessment is paused, what should a yard actually do?

The Department published its own answer the same week it paused Phase 2. The DoW CIO launched the “Brilliant at the Basics” campaign, which includes a Top 10 list for information technology and a separate Top 10 specifically for Operational Technology. It is guidance, not a new compliance requirement — but for a shipyard, it is a better-prioritized to-do list than most gap reports.

The OT Top 10, translated to a shipyard

Department OT priorityWhat it looks like in your yardNIST SP 800-171 Rev. 2 family it reinforces
Identity and access controlWho can log into the burn table controller, the crane HMI, the paint booth PLC — and whether that’s a shared password taped to the panelAccess Control (3.1), Identification & Authentication (3.5)
Validated, as-operated asset inventoryAn inventory of PLCs, RTUs, HMIs, engineering workstations, DCS and safety instrumented systems — including firmware versions, protocols, transient assets, and remote-access points, validated by passive monitoring and physical walk-downsConfiguration Management (3.4)
Strict network segmentationThe business LAN and the production network genuinely separated, not just on a slideSystem & Communications Protection (3.13)
OT-specific incident responseA plan where the answer isn’t “unplug it” — because you can’t shut a dry dock pump mid-evolution. Offline backups, isolated safety systems, joint sign-off from cyber and process engineering to restartIncident Response (3.6)
Compensating controls where patching is impossibleFirewall rules, micro-segmentation, and application allowlisting around the 2009 controller running the plate line until its next scheduled windowRisk Assessment (3.11), System & Information Integrity (3.14)
Constrained remote accessKilling always-on vendor tunnels and cellular gateways into machineryAccess Control (3.1)
Continuous monitoringExtending logging to the production floor, then actually reading itAudit & Accountability (3.3)
System resiliencyGrouping assets by physical location and sensitivity; local manual overrides so one compromise doesn’t stop the lineSystem & Communications Protection (3.13)
Supply chain securityHolding your equipment vendors to the standard you’re being held to; a replacement schedule for undefendable legacy hardwareRisk Assessment (3.11)
Formal change reviewA safety-and-security review before any change — so a hardening step doesn’t create an unsafe condition on the deckConfiguration Management (3.4)

Source: DoW CIO “Brilliant at the Basics,” OT cybersecurity Top 10, retrieved July 18, 2026. Family mapping is our editorial crosswalk, not a Department mapping.

The asset inventory line is the highest-leverage week of work available to you right now. It satisfies the Department’s interim guidance, it produces the § 170.19 inventory you need for any CMMC assessment, and if you’re MTSA-regulated it feeds the Coast Guard cybersecurity assessment covered below. One artifact, three regimes.

The seven-step sequence

  1. Inventory the controlling documents. Solicitation, award, subcontracts, POs, amendments, prime notices. Not your vendor’s summary — the documents.
  2. Identify the required status and assessment type separately. “Level 2” is not a complete answer.
  3. Identify the information owner and the data categories. FCI, CUI, U-NNPI, export-controlled, paper, or unresolved.
  4. Trace the workflows. Engineering → planning → fabrication → inspection → supplier → field and vessel → archive.
  5. Classify assets under § 170.19 and write down why, including the out-of-scope calls.
  6. Update the SSP, asset inventory, and network diagram. Not optional — if you mark security requirement CA.L2-3.12.4 (System Security Plan) as Not Met, SPRS returns no score at all.
  7. Complete and maintain the applicable self-assessment and affirmation.

What not to do

Free resources, since you’re paying for enough already

The Department’s own FAQ points to no-cost help: the Cyber AB Marketplace for finding assessors and practitioners; free CMMC training through the Warfighting Acquisition University; the no-cost cybersecurity capabilities listed by DoD Cyber Crime Center’s DIB Collaborative Information Sharing Environment; and Project Spectrum, which provides no-cost tools and training for small DIB businesses. We don’t receive anything from any of them. Use them before you buy anything.


The other clock: the Coast Guard rule nobody suspended

If your facility holds a security plan under 33 CFR Part 105, you are also inside the Coast Guard’s Marine Transportation System cybersecurity rule — and its next hard deadline is closer than anything on the CMMC calendar. The rule took effect July 16, 2025 and applies to owners and operators of U.S.-flagged vessels, facilities, and Outer Continental Shelf facilities required to have a security plan under 33 CFR Parts 104, 105, and 106. Nothing about the CMMC suspension touched it.

The self-test is simple: do you have a Facility Security Officer and an approved Facility Security Plan? If yes, this section is yours. If you’re an inland shop with no waterfront operations, skip to the cost section.

Two clocks, one yard

DateRegimeWhat happens
July 16, 2025USCGRule effective; reportable cyber incidents go to the National Response Center
November 10, 2025CMMCPhase 1 began; DFARS 252.204-7021 effective; Level 1 and Level 2 self-assessment requirements appear in applicable solicitations
January 12, 2026USCGAll personnel must complete the training in 33 CFR 101.650 — and annually after
February 1, 2026CMMCClass deviation renumbers 7019/7020 and FAR 52.204-21
July 13, 2026CMMCPhase 2 suspended; Phases 3 and 4 frozen
August 14, 2026, 12:00 p.m. ETCMMCCMMC Reform Task Force RFI responses due
~Mid-September 2026CMMCTask Force report due to the DoW CIO
July 16, 2027USCGDesignate the Cybersecurity Officer, complete the Cybersecurity Assessment, and submit the Cybersecurity Plan for approval under 33 CFR 104.410, 105.410, or 106.410

Sources: 33 CFR Part 101 Subpart F (eCFR); DoW CIO memo 26-P-1023; DoW CMMC FAQs. Verified July 18, 2026.

Where the two overlap: your asset inventory, your network segmentation project, and your OT incident response plan can serve both. Where they don’t: a CMMC System Security Plan is not a Cybersecurity Plan, and the Coast Guard will not accept it as one. Plan approval takes time. Working backward from July 16, 2027 is not a scare tactic — it’s a calendar.


What does CMMC cost a shipbuilder, and what should you stop paying for?

There is no defensible universal shipyard price, and the Department says so. Its FAQ states that the cost of achieving CMMC compliance depends on the level required, the complexity of the company’s unclassified network, its existing cybersecurity posture, and market forces — and that costs to implement existing safeguarding requirements like DFARS 252.204-7012 are not counted as CMMC compliance costs. Those were already yours.

What the Department actually estimated

The regulatory impact analysis accompanying 32 CFR Part 170 put per-entity figures on assessment and affirmation only— not on building your environment:

Every one of those numbers assumes the security work is already done. For a yard that hasn’t built its boundary, they’re the tip, not the bill.

Defer, keep, accelerate

Editorial judgment derived from the verified facts above. Reasonable people can disagree on the margins.

Line itemCallWhy
C3PAO booking and assessment feesDeferIt cannot currently be designated as a requirement. Your money is idle until the Task Force reports.
Certification-only tooling and “audit readiness” retainersDeferBuying for an audit that isn’t scheduled
System Security Plan, asset inventory, network diagramKeepRequired for any assessment, any level, any future version of this program. A missing SSP zeroes your score.
SPRS accuracy and the annual affirmationKeepThis is now the only external checkpoint
Incident response capability and 72-hour reporting readinessKeepDFARS 252.204-7012 never paused
CUI identification and boundary documentationKeepReduces every downstream cost you’ll ever pay
OT asset inventory and IT/OT segmentationAccelerateServes the Department’s interim OT guidance, your future CMMC scope, and your Coast Guard obligations at once
NNPI approval paperwork (NN-801, NAVSEA 08)AccelerateIndependent of CMMC, gates electronic handling, and takes time
USCG Cybersecurity Plan work, if MTSA-regulatedAccelerateJuly 16, 2027 with an approval cycle in front of it

Some yards should walk away instead

If DoD work is a thin slice of your revenue, your margins are tight, and your CUI exposure is small enough to contain, the smart move may be to reduce scope, sharpen your flow-down questions, or decline low-margin CUI workrather than spend into a full Level 2 program. That is a business decision, not a compliance failure, and good suppliers make it every year. If that’s you, start with the Level 1 path and scope reduction.

Our damaging admission:The Defense Compliance Report earns compensation when readers get matched with providers, and we are telling you to spend less right now, not more. Our matching tool can’t read your contract, can’t see your prime’s FY27 terms, and can’t tell you whether your NAVSEA 08 approval is current. It routes you to a category. That’s a real limit and we’re not going to dress it up. But category and sequence are the entire game during a suspension — and that’s free.

How to compare quotes without a price benchmark

Require every proposal to state:

Quote lineWhat must be specified
ScopingSystems, users, locations, workflows, and stated assumptions
Gap assessmentStandard assessed against, methodology, interview depth, deliverable
RemediationActual implementation, or recommendations only?
DocumentationSSP, policies, procedures, diagrams, inventory — and who owns them afterward
TechnologyLicenses, migration, configuration, and recurring fees, itemized
Managed servicesCoverage hours, response commitments, evidence produced, systems excluded
Assessment prepMock assessment, evidence review, personnel preparation
Formal assessmentA separate engagement, with the conflict-of-interest position stated
Ongoing supportAnnual affirmation support, change management, evidence maintenance

Red flags, in order of severity:a guaranteed certification outcome; a fixed timeline quoted before any scope discovery; “our platform makes you CMMC compliant”; a C3PAO fee bundled into a readiness engagement; no distinction between readiness and assessment; no recurring cost line; no OT or paper analysis anywhere in the proposal; and no customer responsibility matrix.

Compare provider categories before you request scoped quotes

What each category actually does, what it can’t do, and what to verify before you sign — so the quotes you collect are for the same work. No forms, no email.


Build, buy, or share your CUI environment?

Naval suppliers have a fourth option the rest of the Defense Industrial Base doesn’t: a Navy-provided shared engineering environment. Whether it beats a private enclave depends on how much CAD and PLM work you do and whether U-NNPI is in play. No architecture choice removes your own on-premises systems from scope.

OptionBest fitHandles U-NNPI?The honest catch
Harden what you haveSmall CUI footprint, decent IT already, no waterfront OT complexityOnly with separate NAVSEA 08 approvalScope creeps to everything that touches CUI — which in a yard is usually more than you think
M365 GCC High or a private CUI enclaveContained, document-centric CUI; engineering separated from productionOnly with separate NAVSEA 08 approvalLicensing is not compliance. The on-prem side connecting to it stays in scope, and the responsibility matrix has to be referenced in your SSP.
AWS GovCloud (US) at IL5Heavy CAD, large models, simulationAWS states GovCloud (US) at Impact Level 5 handles CUI and unclassified NNPICompany-stated. Your Naval Reactors approval for the workflow is still separate.
Maritime Cloud Environment (MCE)Suppliers who’d rather not build IT infrastructure at allSee disclosure belowCompany-stated program claims. Verify eligibility, cost, and data ownership yourself.

On MCE, everything is attributed. In a June 2026 announcement, AWS described the Maritime Cloud Environment as a Navy-owned, contractor-operated cloud environment delivered with Deloitte, Siemens, and Stigian Consulting, giving suppliers preconfigured digital engineering tooling plus a Deloitte-run security operations center. Every one of those points is company-stated. We have no relationship with AWS, Deloitte, Siemens, or Stigian, we have not evaluated MCE, and nothing here is an endorsement. Ask who owns your data and your models; what happens at exit; what it actually costs; whether it covers your U-NNPI workflow; and precisely which of the 110 requirements it satisfies on your behalf versus which remain yours.

For the broader architecture decision, see our GCC High guidance and managed enclave breakdown.


Which CMMC provider category should a shipbuilder hire first?

For most yards right now, the first call is not an assessor. With third-party assessment suspended, the categories producing durable value are readiness and scoping, OT-capable managed security, evidence workflow, and environment design — roughly in that order. A C3PAO belongs in the formal assessment lane, when that assessment is contractually relevant and you’re ready for it.

CategoryHire whenDon’t confuse it withVerify before you signShipyard-specific question to ask
RP / RPO (Registered Practitioner / Registered Provider Organization)Level, scope, gap analysis, SSP, or POA&M planning is unclearA certifying assessorCyber AB Marketplace status, named personnel, deliverables, conflict-of-interest positionWill you walk the shop floor before you quote?
CMMC-focused MSP / MSSPControls need to be implemented and operated continuouslyProof that you’re compliantShared responsibility split, External Service Provider scope, evidence produced, tenant ownershipHave you worked in an OT environment where downtime isn’t an option?
CUI enclave providerCUI workflows can credibly be containedA universal answer for a yardIntegrations, export paths, printing, backups, admin model, recurring costHow does CAD, PLM, and shop-floor file transfer actually work across your boundary?
GRC platformEvidence, SSP and POA&M workflow, and recurring operations need structureImplementation of the security requirementsEvidence export, accurate Rev. 2 mapping, data ownership, user burdenCan it hold OT and Specialized Asset documentation, not just IT?
Federal-contracts attorneyClause, amendment, flow-down, or liability is disputedTechnical implementationRelevant federal procurement and cybersecurity contract experienceHave you handled a prime flow-down dispute mid-performance?
OT security specialistLegacy machinery, IIoT, or test equipment materially affects scopeA whole CMMC program ownerOT experience, coordination with your CMMC lead, safe implementation practiceHow do you validate an inventory without disrupting live processes?
C3PAOA formal Level 2 certification assessment is contractually relevant and you’re readyA readiness implementerCurrent authorization in the Cyber AB Marketplace, scope, assessor assignment, conflicts, feesNot the first call during the suspension

The independence rule, stated precisely

Under 32 CFR § 170.8, the CMMC ecosystem must prohibit a member from participating in a Level 2 certification assessment where that member served as a consultant preparing the organization for a CMMC assessment within the previous three years. Verify the specific people, organizations, and roles — a marketing claim about “Chinese walls” does not resolve a conflict, and the burden of getting this wrong lands on you, not on them.

The Department’s FAQ also notes that while DCMA DIBCAC may assess certain high-priority contractors, the official certification path runs through a C3PAO authorized by the Cyber AB. Before you engage anyone claiming C3PAO authorization, check the Cyber AB Marketplace yourself.

At the July 13 briefing, the DoW CIO cited more than 100,000 Defense Industrial Base businesses still needing third-party assessment against roughly 100 available assessors. That imbalance is real, and it’s part of why Phase 2 got suspended. It is not a reason to book an assessment slot this month. If a vendor tells you to lock in before the pause ends, ask them to put the contractual basis for that urgency in writing.

Tell us your required level, FCI/CUI scope, environment, and timeline. You’ll see the category logic before you see any provider names.

Get matched with source-checked provider options →

Do not submit CUI, drawings, export-controlled content, or sensitive contract details. This intake is for provider-category routing only.

Disclosure:The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This page contains no named provider rankings, endorsements, or “best provider” awards.


What goes wrong in shipyard CMMC programs

The expensive failures happen before a single control gets implemented. They are scoping, sequencing, and interpretation failures — an overbroad CUI assumption, an outdated phase schedule, an architecture bought before the workflow was traced, or the wrong provider category hired first.

FailureWhy it happensWhat it costsThe fix
Treating every naval document as CUIFear plus vague prime instructionsThe whole yard in scope; longer assessments; evidence for systems that don’t matterVerify category, authority, and content — the prime itself says this approach isn’t acceptable
Assuming no marking means no obligationWeak designation process; FCI is rarely labeledUnder-scoped environment; a false affirmationEscalate to the information owner and contracting officer, in writing
Running an old Phase 2 countdownStale templates and vendor decksBuying an assessment nobody can currently requireReplace with the dated suspension status and the actual amendment
Hiring a C3PAO firstCertification framed as the whole problemIndependence conflicts, wasted fees, or a failed assessmentResolve scope and implementation first
Ignoring paper, printers, and scannersIT-only analysisAn uncontrolled deckplate workflow that voids a hard-copy-only postureMap the full media lifecycle, including MFP storage
Calling every OT asset “specialized” and stopping thereMisreading § 170.19Undocumented assets that fail an SSP reviewTest each asset’s actual function and securability, then document it
Leaving out EDR, SIEM, backup, and administratorsScope focused only on where CUI sitsMissing Security Protection Assets and ESPsMap security functions and the responsibility split
Blanket supplier flow-downProcurement convenienceSub-tier confusion, inflated quotes, supplier attritionFlow requirements according to the information each sub actually receives
Believing a product claimWanting a shortcutFalse confidence and a failed self-assessmentGet the customer responsibility matrix; map what stays yours
Affirming without current evidenceDeadline pressureFalse Claims Act exposure on a signature you ownRequire evidence-owner sign-off before the affirming official signs
Legacy ERP on unsupported WindowsReal operational constraintUnpatchable systems inside the boundaryDocument compensating controls in the SSP and build a transition plan
CMMC UIDs that don’t match the systems doing the workMulti-site, multi-CAGE complexitySystems not covered by a UID cannot be used for FCI or CUI during performanceReconcile UIDs to actual performance systems before you submit a proposal

What we actually verified

We don’t ask you to take our word for any of this. Here is what we read and cross-checked on , and what each source supports.

SourceWhat it supports
DoW CIO memo 26-P-1023, Attachment 1 (July 13, 2026)Suspension of the Phase 2 transition; Level 1 (Self) and Level 2 (Self) as the only permitted designations; solicitation amendments and contract modifications; waiver suspension; preservation of additional protections
DoW press release, “Forging the Arsenal of Freedom” (July 13, 2026)Phase 1 requirements remain; interim enforcement against NIST SP 800-171 Rev. 2 via self-assessment and select government-led assessments; DFARS 252.204-7012 unchanged; 60-day Reform Task Force
DoW CIO CMMC Program FAQs (revision history updated July 13, 2026)Phase 1 designation intent; flow-down under § 170.23; Rev. 2 as the assessed baseline; paper-only CUI position; CMMC UID and CAGE rules; SPRS “no score”/“no status” conditions; POA&M closeout mechanics; VDI scoping; encryption vs. logical separation; ESP and CSP treatment
32 CFR Part 170 (eCFR §§ 170.14–170.24)Level definitions and counts; assessment types; scoping categories; POA&M rules; affirmation requirements; ecosystem conflict-of-interest restriction at § 170.8
DoD CIO CMMC Level 2 Scoping Guide, v2.13The five asset categories and their documentation and assessment treatment; Specialized Asset definitions; separation guidance
DoD CUI Program FAQ, Use of Distribution StatementsA distribution statement does not automatically make a document CUI
DFARS 252.204-7012, -7021, -7025 (Acquisition.gov) and the Feb. 1, 2026 class deviationSafeguarding and incident reporting obligations; CMMC status requirements; clause renumbering
DoW CIO “Brilliant at the Basics” (retrieved July 18, 2026)The IT and OT Top 10 lists issued as interim guidance
32 CFR § 117.23(f)NNPI governed by OPNAVINST N9210.3; contracts granting NNPI access must require compliance; waivers require Naval Reactors concurrence
BPMI supplier cybersecurity page (retrieved July 18, 2026)NN-801 Rev. 5 requirement; relationship to NIST SP 800-171 Rev. 2; approval letter retention; FY27 supplier expectations
HII–Newport News Shipbuilding supplier webinar FAQs (Feb. 3, 2025)Hard-copy transmission status and Exostar; minimum flow-down table; NAVSEA 08 ATO gate for U-NNPI; the position against treating all documents as CUI; Distribution D and CUI//EXPT treatment; NNPI marking status
33 CFR Part 101, Subpart F (eCFR) and USCG guidanceEffective date, training deadline, and the July 16, 2027 Cybersecurity Officer, assessment, and plan submission requirements
32 CFR Part 170 regulatory impact analysis (Federal Register)The Department’s published per-entity assessment and affirmation cost estimates

What we did not verify, and won’t pretend to:

A note on the HII material: it is dated February 3, 2025, and some of its forward-looking dates were overtaken by events. We used it only for its operational and interpretive content, which we cross-checked against the current Department FAQ and 32 CFR Part 170. Verify anything program-specific with your own buyer.

See our Methodology, Editorial Standards, and Corrections policy.


CMMC for shipbuilders: frequently asked questions

Do all shipbuilders need CMMC?
No. Applicability depends on the procurement, the written requirement, and whether your contractor-owned systems process, store, or transmit FCI or CUI. A supplier receiving neither may have no CMMC requirement — but should confirm it against the contract rather than assume it.
Did the July 2026 suspension cancel CMMC?
No. The Department suspended the transition to Phase 2 and paused new Level 2 (C3PAO) and Level 3 (DIBCAC) designations. Phase 1 self-assessment requirements remain in force and DFARS 252.204-7012 is unchanged. A CMMC Reform Task Force is reviewing the program, with a report due to the DoW CIO within 60 days of the July 13, 2026 announcement.
What CMMC level does a shipyard need?
The level comes from the solicitation and resulting contract. During Phase 1, the Department’s stated intent is Level 1 when only FCI is involved and Level 2 (Self) when any CUI is processed, stored, or transmitted in contractor-owned systems.
Are naval ship drawings automatically CUI?
No. Drawings can contain Controlled Technical Information or other CUI categories, but naval subject matter alone is not a determination. The DoD CUI Program states that applying a distribution statement does not automatically make a document CUI.
Does a work package created from a CUI drawing become CUI?
There is no universal rule, and the answer depends on the content, category, and any derivation instructions from the information owner. Newport News Shipbuilding advises that when technical information from a Distribution Statement D document is incorporated into a new document, the new document should be marked CUI//EXPT. Ask your buyer for derivation guidance in writing.
Does CMMC cover U-NNPI?
No. Unclassified Naval Nuclear Propulsion Information is a CUI Specified category with additional safeguarding requirements applied through contract. Under 32 CFR § 117.23(f), NNPI is governed by OPNAVINST N9210.3 and all contracts granting access must require compliance with its specific safeguarding requirements. A CMMC status does not authorize U-NNPI processing.
What is NN-801, and do I need it?
NN-801 is the Naval Reactors requirements document for controlling and protecting U-NNPI. BPMI states that it requires supplier compliance with NN-801 Revision 5 for physical and cybersecurity controls, and that suppliers should retain their NN-801 security plan approval letter. Whether it applies to you depends on your purchase order — confirm with your buyer.
Do I need NAVSEA 08 approval to process NNPI on my systems?
If your work involves NNPI, yes — approval to process NNPI on a non-federal information system comes from NAVSEA 08 / Naval Reactors. HII–Newport News Shipbuilding publishes a supplier procedure for obtaining it, and states that hard copies cannot be phased out for U-NNPI until the supplier obtains an Authority to Operate from NAVSEA 08.
My prime still requires CMMC. Do I have to comply?
Probably, until they tell you otherwise in writing. The suspension memo directs Department contracting officers and requiring activities; it does not automatically rewrite a prime’s purchase order terms or supplier portal requirements. Ask your prime, in writing, whether its requirement has changed post-July 13.
Are CNC machines and shop-floor equipment in CMMC scope?
Not automatically, and not in the way most people assume. Under 32 CFR § 170.19, Operational Technology, IIoT, Government Furnished Equipment, Restricted Information Systems, and Test Equipment can qualify as Specialized Assets — which must be documented in the asset inventory, the SSP, and the network diagram, but are not assessed against the other CMMC security requirements at Level 2. The programming workstation that generates the toolpath is usually the higher-risk asset.
Does paper-only CUI keep us out of a CMMC assessment?
The Department’s FAQ states that organizations handling only hard-copy CUI are not required to complete a CMMC third-party assessment, though the CUI must still be safeguarded under NIST SP 800-171 and DoD Instruction 5200.48. If that CUI is later scanned, entered, photographed, uploaded, printed, or emailed, the information system involved is expected to satisfy applicable CMMC assessment requirements first.
Is encrypted CUI still CUI?
Yes. Under 32 CFR Part 2002, CUI remains controlled until formally decontrolled, and the Department confirms that encrypted CUI retains the designation of its plaintext counterpart. Encryption is a safeguarding measure, not a reclassification.
Can an enclave keep the rest of the yard out of scope?
It can, when the separation and workflow containment are real and documented. Two Department clarifications matter: encryption alone does not create logical separation, and an enclave that transmits properly encrypted CUI across otherwise logically separated enterprise networking components does not automatically extend scope to those components.
Do we need Microsoft GCC High?
No regulation names a specific commercial product. Under DFARS 252.204-7012, a cloud service provider storing, processing, or transmitting CUI must meet security requirements equivalent to the FedRAMP Moderate baseline. The right product depends on your workflows and your contract. See our GCC High for CMMC guide for the full comparison.
Does our MSP need its own CMMC certification?
No. The Department’s FAQ states that an MSP providing a non-cloud system storing CUI is not required to have its own CMMC assessment, though it may elect one. But where an MSP handles IT support and an MSSP handles security tooling, both qualify as External Service Providers and are assessed as part of your assessment scope.
Do the prime and subcontractor need the same CMMC level?
No. A lower level may apply to the subcontractor if the prime flows down only limited information. The rule’s minimum flow-down table sets the floor based on whether the sub will process, store, or transmit FCI or CUI.
Are COTS suppliers exempt?
Procurements solely for commercially available off-the-shelf items receive specific treatment under the CMMC acquisition rule, but a supplier should still review the actual procurement, the data received, and the flow-down language rather than assume every commercial sale eliminates all safeguarding obligations.
Is NIST SP 800-171 Revision 3 the CMMC baseline now?
No. The Department’s FAQ states that CMMC assessments are conducted against Revision 2, held in place by a class deviation to DFARS 252.204-7012, until Revision 3 is incorporated through rulemaking. Contractors may implement Revision 3 using the Department’s Organization-Defined Parameters, but must address any gaps against Revision 2, because Revision 2 is what gets assessed.
Can we still get a Level 2 (C3PAO) certification voluntarily?
Existing certifications remain valid — the Cyber AB reported 1,391 Final Level 2 certificates issued as of its May 2026 town hall, and nothing invalidates them. But the Department has not issued comprehensive guidance on assessments already scheduled or under contract. Talk to your C3PAO and your contracting officer before you change anything.
What is the first CMMC step for a shipbuilder?
Obtain the exact solicitation, contract, subcontract, amendment, and prime flow-down. Then identify what FCI and CUI actually enter each yard workflow. Do both before you request a single technology or assessment quote.

These answers are educational. For binding answers about your contracts, consult a CMMC Registered Practitioner (RP/RPO) or qualified federal-contracts counsel.


Your next step

You don’t need to memorize 110 controls this week. You need four things, in this order: the written requirement, the data types entering your yard, the boundary around them, and the right kind of help.

The first three are free. We’ve given you the method for all of them above. The fourth is where most yards lose six figures, and it’s the one decision you can make in the next ten minutes.

Find My CMMC Path →

Free, two minutes, no obligation. Tells you the reasoning, not just a verdict.

Download the CMMC Readiness Checklist

32 points mapped to the NIST SP 800-171 Rev. 2 control families.

Request scoped quotes directly

Already know exactly what you need? Go straight to quotes.

Do not submit CUI, drawings, export-controlled content, or sensitive contract details. These intake forms are for provider-category routing only.


Related reading


About this report

The Defense Compliance Report Editorial Teamcovers CMMC 2.0 and Defense Industrial Base compliance as an independent trade publication. We do not accept editorial-approval rights from sponsors. This guide is editorial research and has not been formally reviewed by a CMMC Subject Matter Advisor.

We are not affiliated with the Cyber AB, the Department of War, DCMA DIBCAC, NIST, NAVSEA, or any U.S. government agency.

Change log

  • — Initial publication. Verified against DoW CIO memo 26-P-1023 and Attachment 1, the July 13, 2026 DoW release, the DoW CMMC Program FAQs (revision history updated July 13, 2026), 32 CFR Part 170, the DoD CIO CMMC Level 2 Scoping Guide v2.13, the DoD CUI Program distribution statement FAQ, 33 CFR Part 101 Subpart F, and published supplier requirements from BPMI and HII–Newport News Shipbuilding.

Found an error? Our Corrections policy explains how we handle it.