The calls we get about CMMC almost never start with a regulation. They start with a customer. A prime contractor or a tier-one supplier sends a letter, a flow-down clause shows up in a purchase order, and a Minnesota machine shop that has never thought of itself as a “defense contractor” discovers that a chunk of its revenue now depends on a cybersecurity certification.
If that is roughly how you arrived here, the honest summary: CMMC is no longer a future problem, the realistic preparation timeline for most manufacturers is 12 to 18 months, and the companies that treat it as an IT project rather than a compliance binder are the ones that get through it without losing contracts.
What is CMMC 2.0?
CMMC, the Cybersecurity Maturity Model Certification, is the Department of Defense’s program for verifying that contractors and subcontractors actually implement the cybersecurity requirements their contracts have referenced for years. The program rule took effect in December 2024, and a follow-on acquisition rule in late 2025 started putting CMMC requirements into new DoD solicitations, phasing in over three years.
The practical change is verification. Defense suppliers have been self-attesting to NIST SP 800-171 since 2017. CMMC replaces “trust me” with assessments: self-assessments at the low end, third-party certification for most companies handling controlled information.
There are three levels. Level 1 applies if you handle Federal Contract Information, the routine data of doing government work, and requires an annual self-assessment against 15 basic safeguards. Level 2 applies if you handle Controlled Unclassified Information, or CUI, and requires the full 110 requirements of NIST SP 800-171, with most companies needing a certification assessment from an authorized third-party assessor, a C3PAO. Level 3 adds requirements for a small set of the most sensitive programs and is not where most Minnesota suppliers live.
Which level does a subcontractor actually need?
Whichever level the data you touch requires, regardless of how far down the chain you sit. The requirement flows down through primes to subcontractors, and machining a component to a drawing marked with CUI puts you in Level 2 territory even if your contract is with another supplier rather than the DoD.
The most valuable early exercise is therefore not technical. It is figuring out exactly what data you receive, from whom, and whether any of it is CUI. Ask your customers directly and get it in writing. We have seen shops assume they were Level 2 because a prime’s form letter said so, when the drawings they receive carry no CUI markings at all, and the reverse: “commercial” work that quietly included export-controlled technical data. The scoping answer changes the cost of compliance by an order of magnitude, so nail it down before buying anything.
Why the timeline is shorter than it looks
The phase-in runs into 2028, which sounds like breathing room. Three things eat it.
First, primes are ahead of the schedule. They carry the compliance risk for their supply chain, so flow-down letters demanding SPRS scores and certification plans are arriving years before the contract clauses technically require them. Your effective deadline is set by your most demanding customer, not by the rulebook.
Second, Level 2 readiness is genuinely slow. Against the 110 requirements, a typical small manufacturer starts with real gaps in access control, logging, multifactor authentication on the shop floor, and incident response. Remediation in a manufacturing environment moves at manufacturing speed, because you cannot patch a machine controller mid-run or force MFA onto a 15-year-old CNC’s control PC. This is the same constraint that shapes IT support for 24/7 operations generally: production wins, so changes queue behind it.
Third, assessor capacity. The pool of C3PAOs is finite and every CUI-handling supplier in the country needs a slot in the same few years. Companies scheduling assessments late in the phase-in are betting on availability they do not control.
Work backward from a customer demanding certification in 2027 and a 12 to 18 month readiness runway, and “into 2028” collapses to “start now.”
What does getting to Level 2 actually involve?
Strip away the acronyms and the work has a familiar shape:
- Scope ruthlessly. The requirements apply where CUI lives. Most manufacturers should build an enclave, a contained environment for CUI data and the systems that touch it, rather than certifying the entire company network. A well-built enclave can cut the compliance surface from every PC in the building to a dozen systems.
- Assess against the 110 and score honestly. The self-assessment produces a SPRS score you report to the DoD. Inflated scores are now a False Claims Act problem, and there is enforcement history to prove it. Score low and honest, then fix.
- Remediate the classics. MFA everywhere CUI is reachable, logging and monitoring that someone actually reviews, access control tied to job function, encrypted backups, an incident response plan that names people. Around-the-clock security monitoring is one of the requirements small shops most often cannot staff internally, and one of the most sensible to buy rather than build.
- Fix the paper too. A System Security Plan that matches reality and policies people follow. Assessors interview staff; a binder nobody has read fails in the first hour.
- Mind the POA&M limits. CMMC allows a Plan of Action for some unmet requirements, but only some, only above a minimum score, and only with a 180-day closeout. It is a short runway, not a parking lot.
What does this cost a mid-market manufacturer?
Wide honest range: from tens of thousands for a small shop with a tight enclave and decent existing hygiene, into the low hundreds of thousands for a larger operation with CUI spread across systems, plus the C3PAO assessment itself. The two levers that move the number most are scoping, which is why the enclave conversation comes first, and how much of the 110 you already do.
Worth weighing against the alternative: for a supplier whose defense work is 30 percent of revenue, the cost of non-compliance is that 30 percent, because primes are already using certification status to pick suppliers. We have started seeing CMMC readiness show up in RFQs the way ISO 9001 or AS9100 does, as a gate, not a bonus.
Frequently asked questions
We only make parts. Do we really handle CUI? Possibly. CUI includes controlled technical information such as drawings, specifications, and process data for defense articles. If your customers send marked drawings, or your work is export-controlled under ITAR, you are likely handling CUI. If nothing you receive is marked, ask your customers to confirm in writing what they believe they send you, and keep the answer.
Can we do CMMC ourselves? Level 1 is a realistic self-managed project. Level 2 is a stretch for a company without dedicated security staff: 110 requirements, evidence discipline, and a third-party assessment at the end. The common pattern is internal ownership with an outside partner running the gap assessment, the enclave build, and the ongoing monitoring, with the requirements small teams cannot staff, like 24/7 monitoring and incident response, delivered as a service.
Does Microsoft 365 work for CMMC? Yes, with the right configuration and, for many CUI scenarios, the government cloud variants (GCC or GCC High) rather than commercial tenants. Which one you need depends on the data, particularly export-controlled content. Getting this call right early avoids an expensive tenant migration later.
What is a SPRS score and does it matter now? It is your NIST SP 800-171 self-assessment score, reported to the DoD’s Supplier Performance Risk System, and it matters today: primes check it, contracting officers check it, and misrepresenting it carries legal exposure. Posting an honest score with a remediation plan is a stronger position than posting a perfect one you cannot evidence.
If defense work matters to your book of business, the scoping conversation is worth having this quarter, not next year. Our manufacturing IT practice runs CMMC gap assessments for Minnesota shops and, more usefully, sticks around to do the remediation and run the monitoring afterward.