Skip to content
Request a demo
PlatformModulesIndustriesSecurityPricingInsights Request a demo
CMMCComplianceDefenseCybersecurityManufacturing

CMMC 2.0 requirements for manufacturers, explained

By Bretton Fischer, Chief Operating Officer ·

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense’s program for verifying that the companies in its supply chain protect sensitive information to a defined standard. If you machine parts, fabricate assemblies, or run any process under a DoD prime or subcontract, CMMC determines whether you can keep bidding on that work. The core idea is simple: instead of trusting a contractor’s word, the DoD now requires evidence - a self-assessment or a third-party audit - before contract award. This guide explains what CMMC 2.0 asks of a manufacturer, the levels and controls involved, and what a realistic path to readiness looks like on a shop floor.

What CMMC 2.0 is

CMMC 2.0 is a tiered certification framework that confirms a defense contractor has implemented the cybersecurity practices already required by federal regulation. It invents no new controls; it is a verification layer on two existing standards: FAR 52.204-21, which defines basic safeguarding for Federal Contract Information, and NIST Special Publication 800-171, which defines the 110 controls for protecting Controlled Unclassified Information. CMMC makes compliance with those standards provable and consistent across the Defense Industrial Base.

The framework has three levels, scaled to the sensitivity of the data you handle:

  • Level 1 (Foundational) covers Federal Contract Information (FCI) - non-public information provided by or generated for the government. It maps to the 15 basic safeguarding requirements in FAR 52.204-21 and is met through annual self-assessment.
  • Level 2 (Advanced) covers Controlled Unclassified Information (CUI) and requires implementing all 110 controls of NIST SP 800-171 Revision 2. Depending on the contract, it is met either by self-assessment or by a triennial assessment from a certified third-party assessment organization (a C3PAO).
  • Level 3 (Expert) applies to the highest-priority programs and adds a subset of controls from NIST SP 800-172 on top of Level 2. It is assessed by the government’s Defense Industrial Base Cybersecurity Assessment Center.

Most manufacturers handling defense work land at Level 2, because drawings, specifications, and technical data delivered under contract are typically CUI.

Two terms that decide your level: FCI and CUI

The level you need is driven entirely by the data you touch. Federal Contract Information is non-public information generated under a government contract - a delivery schedule or internal process document, for example. Controlled Unclassified Information is more sensitive: engineering drawings, technical specifications, test results, and anything marked as Covered Defense Information or carrying export-control implications under ITAR. The practical takeaway is that the moment a prime sends a CUI-marked drawing package, you are in Level 2 territory and the full 110-control standard applies to every system that stores, processes, or transmits that data.

Why it matters for manufacturers

CMMC is becoming a condition of doing business, not a nice-to-have. Under the program’s phased rollout, certification requirements began appearing as a clause in DoD solicitations in 2025 and ramp toward full inclusion across new contracts over the following years. A contractor that cannot demonstrate the required level at award is, in plain terms, ineligible - an existential issue for a job shop that depends on defense revenue, not an IT problem.

There is also a near-term gate with teeth. Contractors handling CUI must have a current NIST SP 800-171 self-assessment score posted in the DoD’s Supplier Performance Risk System (SPRS). The score starts at 110 and subtracts weighted points for each unmet control, so it can be negative. Primes increasingly check SPRS scores before subcontracting, so a weak or missing score can cost you work before a formal CMMC assessment is ever scheduled.

The requirement also flows down: a prime that needs Level 2 pushes equivalent obligations to the suppliers who touch the same CUI, so tier-two and tier-three shops who assume CMMC is “the prime’s problem” are often the ones scrambling when a flow-down clause lands.

How a manufacturer meets the requirement

Readiness is a sequence, not a purchase, and it breaks into a few concrete stages.

Scope the environment. Identify exactly where FCI and CUI live - which workstations, file shares, ERP and MES systems, email, and machine controllers store or transmit it. The smaller the scope, the cheaper and faster certification becomes, so many shops create an enclave that keeps CUI off the rest of the network.

Assess against the 110 controls. NIST SP 800-171 organizes its requirements into 14 families - access control, audit and accountability, configuration management, identification and authentication, incident response, media protection, physical protection, and more. You evaluate each control as met or not met and document the result.

Write the SSP and POA&M. Two documents are non-negotiable. The System Security Plan (SSP) describes how each control is implemented; the Plan of Action and Milestones (POA&M) lists every gap, its remediation step, and a target date. Assessors expect both, and an SSP that does not match reality is a fast way to fail.

Remediate the gaps. Most of the effort lives here: enabling multifactor authentication, FIPS-validated encryption of CUI at rest and in transit, restricting removable media, tightening least-privilege access, centralizing audit logging, and proving you can detect and report incidents. Each closed gap raises your SPRS score.

Because much CUI lives inside production records - routings, inspection results, traceability data, document revisions - the ERP that runs the floor either helps or hurts your CMMC posture. A platform like Cortrova is built CMMC 2.0 Level 2 ready, with role-based access control, complete audit logging, and document control in every module, and it can deploy on-premises or fully air-gapped when CUI cannot leave the facility. The same system producing the work also produces the evidence that it was protected.

What to watch for

A few traps catch manufacturers repeatedly. Do not over-scope - letting CUI sprawl across every laptop and shared drive turns a manageable assessment into an expensive one. Do not confuse a self-assessment with certification: Level 2 self-assessment is allowed for some contracts, but a senior official must affirm the score, and a knowingly false affirmation carries False Claims Act liability. Do not treat the POA&M as a permanent parking lot - CMMC limits which controls can stay open and sets a strict closeout window. And do not buy tools before scoping, because security products nobody operates produce no evidence and no score improvement.

CMMC 2.0 rewards manufacturers who treat information protection as part of how the shop runs, not as a binder assembled the week before an audit. Define your scope, implement the 110 controls where CUI actually lives, keep your SPRS score honest, and make sure the systems on your floor generate the proof.

Get started

See governed agents in your environment.

Book a demo tailored to your stack - cloud, on-prem, or air-gapped.

Request a demo Explore the platform