If you make anything that ends up in the defense supply chain — even as a third-tier subcontractor who never talks to the government directly — CMMC may now decide whether you can win and keep contracts. And the most common question we hear from small shops is the right one: do I even need this? The short answer: if you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on a Department of Defense contract, yes, regardless of your size.
This guide covers who's actually in scope, what the levels require, the dates that matter, and what non-defense manufacturers should do instead.
The rule is real and in effect
The CMMC (Cybersecurity Maturity Model Certification) Program Final Rule codifies the program at 32 CFR Part 170. It was published in the Federal Register on October 15, 2024 and took effect December 16, 2024 (Federal Register). The companion DFARS contract clause (252.204-7021) that puts CMMC requirements into solicitations became effective November 10, 2025, on a phased rollout — so the requirement is now appearing in real contracts, not sitting on the horizon.
The rule applies to "defense contractors and subcontractors that will process, store, or transmit FCI or CUI in performance of a DoD contract" (Federal Register). The "and subcontractors" part is what catches small manufacturers off guard: flow-down means a requirement on the prime becomes a requirement on you, even if you're several tiers down.
Who's actually in scope
Two questions determine it:
- Do you touch FCI or CUI? FCI is non-public information provided by or generated for the government under a contract. CUI is more sensitive information that law, regulation, or government-wide policy requires to be safeguarded, and it is normally marked as such. If the answer is "neither," you may be out of scope — but confirm it against your actual contracts and what your prime sends you, because a single drawing or spec marked CUI changes the answer.
- What does your contract or prime require? The level (1, 2, or 3) and the assessment type (self vs. third-party) follow from the data and the solicitation.
Don't self-exempt on the assumption that "we're too small." Size isn't the test; data and contracts are. The most expensive mistake is discovering you're out of scope after losing a bid for not being certified — or, worse, attesting to compliance you don't have, which carries False Claims Act exposure.
What Level 2 requires
CMMC Level 2 is built on the 110 security requirements of NIST SP 800-171 (Revision 2) — access control, multi-factor authentication, encryption, audit logging, incident response, configuration management, and the rest. Depending on the contract, Level 2 requires either a self-assessment or a third-party assessment by a C3PAO every three years, with an annual affirmation.
If you've seen a cyber-insurance application, this list will feel familiar — the 800-171 control families and the controls underwriters score are largely the same. (For the scoring mechanics and the related SPRS picture, see our companion guide on the NIST 800-171 self-assessment and SPRS score, and the broader CMMC timeline and Level 2 steps.)
The OT problem most shops share
There's a manufacturing-specific wrinkle that sits underneath both CMMC and plain risk: operational technology on the same flat network as IT. When the machines, the scheduling system, and the email all share a segment, one phished workstation can reach the shop floor. Carriers ask about this directly, and "same flat network" is a failing answer. Segmentation before you apply is the single control that most often moves a manufacturer's application — and its CMMC posture — from "decline" to "qualify."
If you have no defense work
CMMC simply doesn't apply — but don't read that as "low risk." The loss in manufacturing isn't usually a data breach; it's the line going down. Ransomware that reaches production turns a security incident into a revenue incident, and Verizon's 2026 DBIR found ransomware in 48% of breaches (Verizon DBIR). For a non-defense manufacturer, the same controls CMMC is built from — MFA, managed detection and response, OT/IT segmentation, tested immutable backups — are the right program, just driven by cyber-insurance requirements, customer security attestations, and downtime risk instead of a federal rule.
What to do next
Whether you're chasing certification or just trying not to lose a week of production, the path starts the same way: find out where you actually stand. The Cyber Insurance Readiness Sprint maps your environment against the NIST 800-171 / CMMC control set (and the cyber-insurance questionnaire) in a fixed-scope, seven-business-day engagement, and tells you the gap honestly — including whether you're even in CMMC scope. See the Manufacturing & Industrial security page for how the program runs day to day.
The bottom line
If you handle FCI or CUI on a DoD contract — at any tier — CMMC is in effect and applies to you now, and Level 2 means the 110 controls of NIST 800-171. If you have no defense work, the same controls still protect the thing that actually costs you money: uptime. Either way, the move is to find your real scope and close the gaps before a contract or a carrier forces the issue.
Not sure whether CMMC even applies to your shop? Book a CMMC scope and gap assessment.
Last updated
June 17, 2026. We refresh this content as the threat landscape and tools evolve.