6/01/2026

CMMC in the Plant, Not the PowerPoint: Finding CUI Where Manufacturers Least Expect It


By Navneet Lounsberry


A tier-two precision machine shop with 80 employees and an aerospace prime customer sits down for a pre-assessment scope review. Leadership is confident. Controlled Unclassified Information (CUI) lives on the engineering file server, access is restricted to five engineers, email runs through a GCC High tenant. The team believes it is ready.

The assessor walks the floor. Within an hour, CUI has been found on a shared tablet at a first-article inspection station, on two CNC human-machine interface (HMI) screens displaying PDF drawings, in a print spool queue on an unmanaged network printer, in the scheduler's email inbox where traveler sheets quote controlled dimensions verbatim, and on a USB drive in a machinist's toolbox. Scope expands from 12 workstations to more than 60 devices. The assessment is pushed back six months while remediation catches up. The budget triples.

This scenario is a composite drawn from patterns I have watched recur across defense manufacturing environments, not a single client. It is what Certified Third-Party Assessor Organizations (C3PAOs) report seeing over and over. C3PAOs are required to validate CUI asset identification independently, not to accept engineering's initial scope at face value, which is why the plant walk carries the weight it does. The underlying issue is not a defensive posture problem. It is a scoping problem, and it is solvable. The catch is that scoping has to be addressed before the plant walk, not during it.

Technical drawing displayed on a CNC machine interface, showing a common shop floor CUI exposure point.


Why CMMC Scoping Is the Whole Game for Manufacturers

Phase 2 of the Cybersecurity Maturity Model Certification (CMMC) rollout begins November 10, 2026. Starting on that date, third-party C3PAO Level 2 assessments are expected to be required in most new Department of Defense contracts involving CUI, driven by the applicable DFARS clauses and individual solicitations. This is no longer a future planning exercise. Prime contractors including Lockheed Martin, Boeing, RTX, General Dynamics, and BAE Systems are already issuing supplier notices, portal-based questionnaires, and flow-down packages. The pressure reaching tier-two and tier-three manufacturers is coming from the top of the supply chain, not from the DoD directly.

Assessor capacity is the compounding factor. Industry estimates place the number of Certified CMMC Assessors in the hundreds against an affected contractor base of roughly 300,000, with reported C3PAO backlogs of six to twelve months. A failed or delayed assessment does not just generate remediation costs. It pushes an organization back into a queue that is only growing.

Scope determines the economics of certification. Published case data on a 40-person defense manufacturer documents total first-year investment dropping from roughly $140,000 under an enterprise-wide approach to about $78,000 when scope was architected through a properly segmented enclave, a 45 percent reduction on identical compliance obligations. C3PAO assessment fees alone range from approximately $15,000 for a tightly scoped enclave to more than $100,000 for a sprawling full-organization boundary.

Here is the trap most manufacturers walk into: overscoping and underscoping both fail, for different reasons. Overscoping commits the organization to implementing all 110 NIST SP 800-171 Rev. 2 controls (currently incorporated by reference in 32 CFR 170 as the CMMC Level 2 control baseline, despite being superseded by Rev. 3 in the NIST publication series) across systems that never needed them, inflating cost and stretching the timeline past what primes will wait for. Underscoping leaves gaps that a C3PAO will challenge during pre-assessment, pushing the organization back into the same assessor queue. Recent CMMC FAQ revisions, including Revision 2.2, have focused heavily on correcting common scoping errors surfacing in live assessments.

Scope is architected, not described. That architectural work is what separates manufacturers who certify on schedule from those who keep slipping.

Where Does CUI Actually Live in a Manufacturing Environment?

The short answer: in many more places than engineering thinks. The long answer requires walking the plant.

Most defense manufacturing CUI falls under the Controlled Technical Information (CTI) category in the official CUI Registry. CTI includes drawings, three-dimensional CAD models, specifications, geometric dimensioning and tolerancing data, bills of materials, and manufacturing process documents. These are typically marked with DoD Distribution Statements B through F. For most tier-two and tier-three manufacturers, the highest-volume CUI exposure is customer-supplied technical data arriving from a prime contractor or original equipment manufacturer.

That data does not stay where engineering puts it. It follows the part.

The Shop Floor Itself

Assessors consistently cite shop floor CUI exposure as the single most common finding category in manufacturing assessments. The patterns repeat across facilities. Technical drawings display on CNC HMIs at the point of operation. Unencrypted tablets travel between inspection stations with first-article specifications loaded as PDFs. Printed specifications sit unsecured near machining centers. Job travelers ride with parts through the plant, quoting controlled dimensions in plain text. Setup books in machinist toolboxes hold copies of drawings. These are not exotic edge cases. They exist in nearly every defense manufacturing environment because they serve legitimate operational needs.

MES, ERP, and Quality Systems

The manufacturing execution system sits at Purdue Enterprise Reference Architecture Level 3 and routinely holds statistical process control data tied to specific controlled dimensions, first-article inspection records, and nonconformance documentation that references the original drawing. Enterprise resource planning platforms common in the defense supply chain, including Epicor, Plex, Infor, JobBOSS, IQMS, and E2, hold work orders, routing sheets, customer purchase orders, and scheduling records derived from the drawing package. Coordinate measuring machine programs and inspection plans derived from CTI carry the same sensitivity as the source drawing.

Controllers, Programs, and Removable Media

Engineering drawings get translated into G-code and programmable logic controller logic that can embed controlled dimensions, tolerances, and process parameters derived from CTI. USB drives used to move programs from engineering to the machine are ubiquitous in manufacturing and almost always in scope.

The Overlooked Digital Corners

Email archives between the company and the prime often contain the original RFQ attachments, and those attachments frequently include the full technical data package. OneDrive and Dropbox profile sync can silently replicate CUI from an endpoint to cloud services that lack FedRAMP authorization. Under DFARS 252.204-7012, cloud services handling CUI are required to meet FedRAMP Moderate baseline equivalency, which rules out most consumer-grade sync tools by default. Backup systems capture every CUI-bearing file on protected systems and become in-scope assets themselves. Managed service provider remote access tools that touch any CUI-handling endpoint pull the MSP into scope as a Security Protection Asset. The CEO's laptop, where the original RFQ attachment still lives months after award, belongs on the list as well.

Paper and Hybrid Workflows

The DoD clarified in CMMC FAQ Revision 2.2 that pure paper workflows do not by themselves trigger a CMMC assessment, but the moment paper CUI is scanned, photographed, emailed, uploaded, or printed from a system, that system enters scope. Hybrid paper-digital handling is the manufacturing norm, which means most paper CUI conversations eventually become digital CUI conversations.

When manufacturers map their CUI footprint for the first time, most discover it is three to five times larger than they assumed.

Diagram showing CUI moving from a prime portal through engineering, ERP, MES, shop floor systems, and suppliers.


Legacy OT, IT Convergence, and the Specialized Assets Lever

The fear among manufacturers with older equipment is that a 2003-vintage programmable logic controller or an unpatchable supervisory control and data acquisition server automatically fails CMMC Level 2. That is not how the framework actually works.

Per 32 CFR 170.19(c)(1) Table 3, the CMMC Scoping Guide defines a category called Specialized Assets. It covers operational technology (PLCs, SCADA, HMIs, building management systems, physical access control panels), Internet of Things and Industrial Internet of Things devices, Government Furnished Equipment, Restricted Information Systems, and Test Equipment. The critical mechanics: Specialized Assets are part of the CMMC Assessment Scope, but they are not assessed against the full set of 110 NIST SP 800-171 controls. The organization must inventory them, document them in the System Security Plan (SSP), show them on the network diagram, and detail how they are managed under risk-based security policies. The assessor verifies the documentation and may perform a limited spot check if it is insufficient.

This is the legacy industrial control system lifeline. Older equipment that cannot support multifactor authentication, modern patching, or endpoint detection can coexist inside a compliant environment when properly categorized with specified compensating controls.

The trap is assuming the label alone is sufficient. Assessors require justification for Specialized Asset designation, not just the designation. If an unpatched PLC shares a VLAN with the CUI file server, the designation fails because the asset has unrestricted access paths to CUI.

The Purdue Enterprise Reference Architecture gives the organizing framework for this scope decision. Levels 0 through 3 cover the OT side (sensors and actuators, controllers, supervisory HMIs, MES and historians). Levels 4 and 5 cover IT (ERP, enterprise networks). A Level 3.5 Industrial Demilitarized Zone sits between them. For most manufacturers, the IDMZ is where the CMMC boundary should be drawn, with the OT side documented as Specialized Assets and the IT side treated as the CUI enclave.

Compensating controls that hold up in assessment include network segmentation with an IDMZ between IT and OT, identity-based microsegmentation overlays for environments where traditional VLAN segmentation cannot be fully retrofitted, data diodes for one-way telemetry flows out of OT, jump boxes with session recording for vendor remote access, and documented program transfer procedures that log and approve every file movement from engineering to the controller. Vendor remote access matters especially because Dragos reporting indicates that the majority of OT attacks, often around three-quarters of observed incidents, begin as IT breaches.
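As an added illustration (example code, not from the article or from any CMMC tool), the Python below sorts a constructed machine-shop inventory into the five CMMC asset categories and flags the defects discussed above and earlier: a Specialized Asset sharing a VLAN with a CUI asset, CUI synced to a cloud service without FedRAMP Moderate, and an unmanaged device holding CUI. The inventory, the field names and the simplified category rules are assumptions for the example, not the Scoping Guide's text.

```python
"""Added example: classify a constructed plant inventory into the five CMMC asset
categories and flag scoping defects an assessor would challenge. The category
rules are a simplification of the CMMC Scoping Guide, not a substitute for it."""
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    vlan: str                        # network segment; "cloud" for SaaS
    handles_cui: bool = False        # processes, stores or transmits CUI
    security_function: bool = False  # e.g. MSP remote-access tool, SIEM
    operational_tech: bool = False   # PLC, CNC HMI, SCADA, test equipment
    cloud: bool = False
    fedramp_moderate: bool = False   # only meaningful for cloud assets
    managed: bool = True             # under configuration management

def cui_vlans(assets):
    """Segments holding a (non-OT) CUI Asset; anything else on them can reach CUI."""
    return {a.vlan for a in assets if a.handles_cui and not a.operational_tech}

def categorize(asset, exposed_vlans):
    """Map one asset to a CMMC asset category (simplified, ordered rules)."""
    if asset.operational_tech:
        return "Specialized Asset"              # in scope, not assessed on all 110
    if asset.handles_cui:
        return "CUI Asset"
    if asset.security_function:
        return "Security Protection Asset"
    if asset.vlan in exposed_vlans:
        return "Contractor Risk Managed Asset"  # can reach CUI, policed not to handle it
    return "Out of Scope"

def classify(assets):
    exposed = cui_vlans(assets)
    return {a.name: categorize(a, exposed) for a in assets}

def scoping_findings(assets):
    """Conditions the article says fail under assessment, one line per finding."""
    exposed = cui_vlans(assets)
    findings = []
    for a in assets:
        if a.operational_tech and a.vlan in exposed:
            findings.append(f"{a.name}: Specialized Asset shares VLAN {a.vlan!r} with a "
                            "CUI Asset; designation needs segmentation (IDMZ) to hold up")
        if a.handles_cui and a.cloud and not a.fedramp_moderate:
            findings.append(f"{a.name}: CUI on a cloud service without FedRAMP Moderate "
                            "(DFARS 252.204-7012)")
        if a.handles_cui and not a.managed:
            findings.append(f"{a.name}: unmanaged device holds CUI; bring it under "
                            "configuration management or remove the CUI path")
    return findings

# Constructed inventory modelled on the article's composite machine shop.
INVENTORY = [
    Asset("eng-fileserver", "cui-eng", handles_cui=True),
    Asset("scheduler-pc", "cui-eng", handles_cui=True),         # travelers in inbox
    Asset("plc-2003", "cui-eng", operational_tech=True),        # legacy PLC, wrong VLAN
    Asset("msp-rmm", "cui-eng", security_function=True),        # MSP remote access
    Asset("breakroom-kiosk", "cui-eng"),                        # no CUI, but reachable
    Asset("fai-tablet", "floor", handles_cui=True),             # first-article PDFs
    Asset("cnc-hmi-01", "floor", operational_tech=True),        # drawings on screen
    Asset("print-01", "floor", handles_cui=True, managed=False),
    Asset("gcc-high", "cloud", handles_cui=True, cloud=True, fedramp_moderate=True),
    Asset("dropbox-sync", "cloud", handles_cui=True, cloud=True),
    Asset("hr-pc", "corp"),
]

if __name__ == "__main__":
    for name, cat in classify(INVENTORY).items():
        print(f"{name:16} {cat}")
    for f in scoping_findings(INVENTORY):
        print(" -", f)
```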

Practical CMMC Scoping Tactics That Actually Work

Four tactics do most of the work.

Start With Data Flow Mapping, Not the SSP

Most manufacturers write SSP narratives before mapping actual CUI flow. The result is documentation that drifts from reality the moment it is filed. The correct order is to map the flow first, classify assets against the five CMMC asset categories, and then write the SSP to match. Under NIST SP 800-171, organizations are explicitly required to identify where CUI is processed, stored, and transmitted. Data flow mapping is how that identification gets done with evidence behind it.

The workshop method that produces defensible results is a "book to bill" walkthrough, tracing one representative contract from arrival of the drawing package through production, shipment, and invoicing. Cross-functional participation is not optional. Engineering, quality, production scheduling, operations, business development or contracts, and at least one shop floor supervisor need to be in the room. Single-department mapping exercises commonly miss 40 to 60 percent of the actual CUI flows. The workshop should produce durable evidence artifacts, including annotated data flow diagrams, meeting notes, asset inventories, and categorization rationale, all of which can be reused during the C3PAO assessment to demonstrate how scope was derived.

Use the Enclave Strategy to Shrink Scope

An enclave is a logically or physically segmented environment where CUI is processed, stored, and transmitted, treated as a distinct CMMC Assessment Scope separate from the rest of the organization. The DoD explicitly recognizes this approach in the Program Rule. Published cost reductions versus enterprise-wide compliance range from 20 to 45 percent across documented case studies.

Architect the Right Kind of Enclave for a Real Plant

This is where marketed cloud enclaves often fail manufacturers. A pure cloud virtual desktop infrastructure enclave, the pattern sold to five-person engineering firms, does not survive contact with a real machine shop. Drawings have to reach CNC workstations at the point of operation. The architecture that works for manufacturers is hybrid:

  • A cloud enclave, typically Microsoft GCC High or Azure Government, for email, document collaboration, contract management, and most knowledge-worker CUI handling. This layer inherits the bulk of the 110 controls through FedRAMP-authorized infrastructure.
  • A hardened on-premise CUI segment for engineering workstations and the controlled-drawing path to the floor. This layer focuses on segmentation, access control, and physical security for the narrow path from engineering to production.
  • An IDMZ separating the CUI environment from the OT network where PLCs, CNCs, and MES terminals operate as documented Specialized Assets.

Apply Scope-Limiting Levers That Hold Up Under Assessment

Several structural decisions consistently reduce scope without creating assessment risk:

  • Separate commercial and DoD business units behind identity and network boundaries. If only certain programs handle CUI, other programs can stay out of scope entirely.
  • Exclude departments that do not require CUI access, including most of finance, HR, sales, and marketing.
  • Put operational technology on dedicated VLANs behind an IDMZ, with documented justification in the SSP.
  • Use dedicated hardware for CUI handling, with no BYOD and no corporate Wi-Fi in scope for the CUI segment.
  • Where possible, replace printed drawings on the floor with role-based access on viewer-only tablets.
  • Establish removable media procedures with logging for the moments when physical transfer to a machine is unavoidable.

Hybrid CMMC enclave diagram showing GCC High, on-premise CUI systems, IDMZ, OT network, and out-of-scope IT.


Why the SSP Has to Match What Is Actually Happening on the Floor

The SSP, network diagram, data flow diagram, and asset inventory are living documents, not filing cabinet artifacts. The 48 CFR final rule introduced a continuous compliance obligation and an annual affirmation requirement signed by a senior company official. Configuration Management is one of the 14 NIST 800-171 control families, with nine Level 2 practices dedicated specifically to tracking and approving change.

Manufacturing environments make this unusually difficult. New work cells come online. New CNCs get installed. ERP modules get added. Vendor technicians plug laptops into HMIs for diagnostics and leave behind connections no one documents. Contract machinists get onboarded for a rush job with access to the engineering share. Kaizen events reorganize physical layout every quarter. Each of these is a potential scope change, and most manufacturers have no process connecting operational changes to scope documentation.

The practical fix is a cadence paired with a trigger list. A quarterly scope review catches drift, and a defined trigger list forces immediate re-examination whenever any of the following occurs:

  • A new contract involving CUI
  • A new supplier receiving technical data
  • A new hire with CUI access
  • New hardware on the floor
  • A new cloud service adopted anywhere in the organization
  • A merger, acquisition, or significant reorganization

A lightweight change-impact workflow routes these events through a security review before they hit production.

The False Claims Act overlay raises the stakes meaningfully. Annual affirmations now carry potential FCA liability. Submitting an affirmation against an SSP that no longer matches reality is not just an assessment risk. It becomes a legal risk the moment the senior official signs. Multiple leading defense-contractor law firms have published alerts on this point. The reframe that matters for executives: SSP maintenance is not a compliance chore; it is executive risk management that belongs on the general counsel's radar.

How Does CMMC Flow-Down Affect a Manufacturer's Scope?

A clean internal scope is not sufficient if CUI leaves the building through uncontrolled channels. Flow-down is driven by the data type shared, not by the prime's certification level. If a prime shares Federal Contract Information (FCI) with a subcontractor, that subcontractor needs Level 1. If a prime shares CUI, the subcontractor needs Level 2. The same logic applies when a manufacturer shares CUI with its own sub-tier suppliers.

Primes cannot see subcontractor SPRS certification status directly. They rely on supplier portals, the Cybersecurity Compliance and Risk Assessment questionnaire, and annual attestations to verify compliance. For a manufacturer sitting in the middle of the supply chain, this means the scoping exercise has to extend outward. A heat-treat vendor, a coating supplier, or a specialty machining house receiving the same drawing package is part of the scope conversation.

Practical implications: route supplier file sharing through secure portals rather than email, include CUI handling requirements in subcontract language, and maintain documented flow-down verification for every supplier that receives technical data. Flowing CUI to a sub-tier supplier carries an obligation to verify that supplier's ability to protect it, which means contract clauses, attestations, and documented verification records are part of your own scoping evidence, not just theirs. A manufacturer with a locked-down internal scope can still fail a prime contract review because of how it shares CUI with its own subs.

Frequently Asked Questions About CMMC Scoping in Manufacturing

What is Controlled Unclassified Information (CUI) in a manufacturing context?

In defense manufacturing, CUI most often takes the form of Controlled Technical Information (CTI): drawings, CAD models, specifications, GD&T data, BOMs, and manufacturing process documents supplied by a prime contractor or OEM, typically marked with DoD Distribution Statements B through F. Derived records, including work orders, routing sheets, and inspection plans that quote controlled dimensions, carry the same sensitivity in practice.

When does CMMC Level 2 certification become mandatory for manufacturers?

Phase 2 of the CMMC rollout begins November 10, 2026. On that date, third-party C3PAO Level 2 certification becomes a mandatory award condition for most new DoD contracts involving CUI. Full implementation across all applicable contracts is scheduled for November 10, 2028, but most manufacturers will face the requirement well before then as primes flow down requirements on new awards.

Do legacy PLCs and CNC machines automatically fail CMMC Level 2?

No. The CMMC Scoping Guide creates a Specialized Asset category for operational technology, IoT and IIoT, Government Furnished Equipment, Restricted Information Systems, and Test Equipment. These assets are in scope but are not assessed against the full 110 NIST SP 800-171 controls. They must be inventoried, documented in the SSP, shown on the network diagram, and managed under documented risk-based policies with appropriate compensating controls such as network segmentation.

Does encrypting CUI take a system out of CMMC scope?

No. Encryption reduces risk during transmission and at rest, but it does not remove a system from scope. If a system processes, stores, or transmits CUI, it is a CUI Asset regardless of whether the data is encrypted. Cloud services that handle CUI must meet FedRAMP Moderate baseline requirements per DFARS clause 252.204-7012.

How much does CMMC Level 2 certification cost for a small manufacturer?

Costs vary widely by size, existing security maturity, and scope architecture. Published benchmarks for small and mid-sized manufacturers commonly fall between $75,000 and $150,000 for total first-year investment, with properly scoped enclave approaches coming in 20 to 45 percent below enterprise-wide approaches for comparable organizations. C3PAO assessment fees alone range from approximately $15,000 for a tightly scoped enclave to more than $100,000 for a sprawling full-organization boundary.

What is the difference between overscoping and underscoping?

Overscoping includes systems and users that do not need to be in the CMMC boundary, which inflates the cost of implementation, lengthens the assessment timeline, and commits the organization to controls on systems that never required them. Underscoping omits systems that actually handle CUI, which assessors will challenge during pre-assessment and force the organization to expand scope on the spot, often delaying certification by months. Both failure modes cost more than right-sized scope architected from the start.

What is a CUI enclave and why does it matter?

A CUI enclave is a logically or physically segmented environment where CUI is processed, stored, and transmitted, treated as a distinct CMMC Assessment Scope separate from the rest of the organization. The enclave approach is explicitly recognized in CMMC guidance and is the most effective lever for reducing assessment scope, assessment cost, and ongoing compliance burden without sacrificing security posture. For manufacturers, a hybrid enclave combining cloud collaboration (GCC High or Azure Government) with a hardened on-premise CUI segment typically fits the physical realities of a shop floor better than a pure cloud VDI approach.

The Bottom Line: Walk the Plant Before an Assessor Does

The manufacturers who will certify cleanly in the twelve to eighteen months leading up to Phase 2 are the ones catching the tablet, the print queue, the scheduler's inbox, and the USB drive before a C3PAO does. The work is not a compliance audit. It is a plant walkthrough with a different set of questions.

A Practical Starting Checklist

  1. Map every CUI entry point, including prime portals, email, physical mail, removable media, and vendor handoffs.
  2. Trace one representative contract from book to bill. Walk it physically. Note every system and location the drawing touches.
  3. Inventory every device and location where controlled technical data appears, including tablets, HMIs, printers, toolboxes, and vehicles.
  4. Categorize against the five asset types (CUI, Security Protection Asset, Contractor Risk Managed Asset, Specialized, Out of Scope) before writing a line of SSP narrative.
  5. Test the boundary. If an assessor walked the floor tomorrow, what would they see that leadership did not?

Why Getting Scope Right Now Is a Competitive Decision

Three realities drive the timing. Phase 2 certification becomes mandatory November 10, 2026. C3PAO capacity is already constrained, with reported backlogs of six to twelve months. Primes are actively filtering their supply chains right now, not waiting for the deadline.

Manufacturers who architect scope correctly in the next year gain structural advantage: earlier certification, faster prime qualification, and stronger position in contract negotiations. Those who do not will be waiting in the assessor queue while their certified competitors take their work. Scope is not a paperwork exercise. It is the decision that determines whether certification is achievable on the timeline the market is already enforcing.


About the Author

Navneet Lounsberry brings over two decades of enterprise sales and business development experience across IBM, SAP, Manhattan Associates, UKG, and most recently Idenhaus Consulting, where her work spanned identity and access management and cybersecurity compliance, including CMMC. A Georgia Tech graduate, she writes about how enterprise buyers in regulated industries actually evaluate, procure, and operate compliance programs.

Copyright © 2026, Full Throttle Media, Inc.