
CMMC for Manufacturing Supply Chain: Defense Compliance

Posted: April 1, 2026 to Cybersecurity.

CMMC for Manufacturing Supply Chain: Compliance Requirements for Defense Suppliers

Manufacturers in the defense supply chain face a compliance challenge unlike anything they have encountered before. The Cybersecurity Maturity Model Certification (CMMC) program requires every company that handles Controlled Unclassified Information (CUI) on Department of Defense contracts to implement 110 security practices derived from NIST SP 800-171 and prove compliance through a third-party assessment. For manufacturers, the complication is that CUI does not stay in the front office. It flows onto the shop floor in the form of engineering drawings, CNC programs, technical data packages, inspection reports, and work instructions. That means CMMC scoping for a manufacturing company extends well beyond standard IT systems into operational technology (OT) environments that were never designed with cybersecurity in mind.

If your company machines parts, assembles components, or provides materials to a prime defense contractor, CMMC compliance is no longer optional. Prime contractors are already flowing down CMMC requirements to their supply chains, and manufacturers that cannot demonstrate compliance risk losing contracts they have held for decades. This guide covers the specific CMMC challenges manufacturers face, where CUI hides in manufacturing environments, how to handle OT/IT convergence during scoping, and a practical implementation approach that accounts for the realities of running a production facility while building a compliant security program.

Why Manufacturers Need CMMC Now

The Department of Defense published the final CMMC rule in October 2024, and CMMC requirements began appearing in solicitations in early 2025. The phased rollout means that by mid-2026, virtually every new DoD contract involving CUI will require the contractor and its subcontractors to hold an active CMMC Level 2 certification. For manufacturers in the defense supply chain, the timeline is even more compressed than it appears because prime contractors are not waiting for the DoD to mandate certification in every solicitation. Major primes including Lockheed Martin, Raytheon, Northrop Grumman, and General Dynamics have been requiring their supply chain partners to demonstrate CMMC readiness for months. Some have established internal scoring systems that rate supplier cybersecurity posture and use those scores in sourcing decisions.

The business impact is direct. A manufacturer that cannot demonstrate CMMC compliance will not receive new contracts from prime defense contractors. Existing contracts may not be renewed. The manufacturer's competitors who invested in compliance will absorb that work. For companies where defense contracts represent 30%, 50%, or 80% of revenue, failing to achieve CMMC certification is an existential business risk. This is not a future concern. Prime contractors are making sourcing decisions today based on their suppliers' compliance trajectories.

The pressure compounds because CMMC does not exist in isolation. DFARS clause 252.204-7012 has required defense contractors to implement the 110 controls in NIST SP 800-171 since December 2017. Many manufacturers self-attested to compliance under this clause without fully implementing the controls. CMMC closes that gap by requiring third-party verification. Manufacturers that submitted incomplete or inaccurate self-assessments now face both the urgency of achieving genuine compliance and the risk of False Claims Act liability for prior misrepresentations. The Department of Justice has explicitly stated that it will use the False Claims Act to pursue contractors who falsely certify their compliance with cybersecurity requirements.

Manufacturing-Specific Challenges for CMMC

CMMC was designed primarily with traditional IT environments in mind: office networks, servers, workstations, cloud services, and mobile devices. Manufacturing environments present complications that do not fit neatly into this model. Understanding these challenges before beginning implementation prevents costly rework and scope creep.

OT/IT Convergence Complicates Scoping

The defining characteristic of modern manufacturing is the convergence of operational technology (OT) and information technology (IT). CNC machines, programmable logic controllers (PLCs), robots, quality inspection equipment, and manufacturing execution systems (MES) increasingly connect to the same networks as office workstations, ERP systems, and email servers. This convergence delivers significant operational benefits, including real-time production monitoring, predictive maintenance, and automated quality tracking. It also creates a scoping headache for CMMC because the CUI boundary may extend from the engineering department's CAD workstations all the way to the CNC machines on the production floor.

Traditional office-based CMMC implementations can define a clean CUI enclave: a set of workstations, servers, and network segments where CUI is processed and stored, with controlled access points at the boundary. In a manufacturing environment, that boundary is harder to define because CUI may be transmitted to production equipment, displayed on shop floor terminals, printed on work orders that travel through the facility, and embedded in the programs that drive production machinery. Every system that processes, stores, displays, or transmits CUI is in scope for CMMC, and for manufacturers, that list extends far beyond the office.

Legacy Equipment and Unsupported Software

Manufacturing facilities commonly run equipment with 10, 15, or even 20-year lifecycles. A CNC milling machine purchased in 2010 may run a version of Windows XP Embedded that cannot be patched, cannot run modern endpoint protection software, and was never designed to participate in a managed network environment. PLCs often run proprietary operating systems with no concept of user authentication, access controls, or audit logging. These systems cannot meet NIST 800-171 controls directly, which means manufacturers must find alternative approaches: network isolation, compensating controls, monitoring at the network layer, or in some cases, equipment upgrades that were not in the capital budget.

The cost implications are significant. Replacing a $400,000 five-axis CNC machine because its controller runs unsupported software is not economically viable for most manufacturers. The practical solution involves network segmentation that isolates legacy equipment from the CUI enclave while still allowing controlled data transfer for production purposes. This requires careful architecture design that balances security requirements with production workflow needs. Organizations working with an experienced defense contractor IT services provider can design these architectures without disrupting production operations.

Physical Security and Production Workflow

Manufacturing environments present physical security challenges that office environments do not. CUI in the form of printed engineering drawings, work orders, and inspection sheets moves through the facility. Shop floor workers who need access to technical data may share terminals or use paper-based processes. Visitors, vendors, delivery personnel, and maintenance contractors move through production areas where CUI may be visible on screens, printed on walls, or embedded in the products being manufactured.

NIST 800-171 includes physical protection controls (family 3.10) that require limiting physical access to organizational systems and protecting CUI at alternative work sites. For manufacturers, implementing these controls means evaluating how CUI moves through the entire production lifecycle, from the moment an engineering drawing arrives from the prime contractor to the moment a finished part ships from the loading dock.

Scoping CMMC for Manufacturers: Where Does CUI Live?

Accurate scoping is the single most important step in a manufacturing CMMC implementation. Underscoping means you will fail your assessment because unprotected systems that process CUI were excluded. Overscoping means you will spend far more than necessary protecting systems that do not need to be in the assessment boundary. For manufacturers, scoping requires tracing the lifecycle of CUI through every business process, from contract award to delivery.

Engineering and Design Data

The most obvious category of CUI in manufacturing is engineering data. Technical data packages (TDPs) received from prime contractors typically include engineering drawings, 3D CAD models, material specifications, manufacturing process specifications, and assembly instructions. All of this data is CUI and frequently carries the "Controlled Technical Information" (CTI) marking. The systems where this data is stored, processed, and transmitted are in scope. That includes CAD/CAM workstations, PLM (Product Lifecycle Management) systems, file servers, engineering collaboration tools, and any cloud platform used to receive or share engineering data with the prime contractor.

What many manufacturers miss is the downstream flow of this data. When an engineer converts a 3D model into a CNC toolpath program, the resulting G-code is derived from CTI and is itself CUI. When that program is transferred to a CNC machine, the machine becomes a system that processes CUI. When the machine operator receives a printed work order with dimensions from the engineering drawing, that printed document is CUI. Scoping must follow these flows to their endpoints.

Quality and Inspection Records

Inspection data, test results, first-article inspection (FAI) reports, certificates of conformance, and material certifications are frequently CUI. This data reveals the performance characteristics of defense components, and in aggregate, it can reveal the capabilities of weapons systems. Quality management systems (QMS), coordinate measuring machine (CMM) software, statistical process control (SPC) systems, and any platform where inspection data is recorded or stored are in scope when they handle CUI-designated quality records.

The challenge is that many manufacturers run a single quality management system across both defense and commercial work. If the same QMS database contains both CUI-bearing defense quality records and commercial quality records, the entire system is in scope. Manufacturers who separate their defense quality records into a dedicated system or a logically separated partition within the QMS can reduce their assessment boundary significantly.

Supply Chain and Logistics Data

Shipping and logistics data may be CUI when it reveals quantities, delivery schedules, or destinations for defense materiel. Purchase orders, packing lists, shipping manifests, and customs documentation for defense contracts may carry CUI designations. ERP systems, shipping software, and logistics platforms that process this data are in scope if they handle CUI-bearing records.

Manufacturers should review their contract flow-down documents carefully. The prime contractor is responsible for marking which information is CUI, and the specific marking categories determine which controls apply. If the prime contractor has not clearly marked what constitutes CUI in the data it provides, the manufacturer should request clarification before beginning scoping. Building a security architecture around incorrect assumptions about what is and is not CUI leads to either compliance gaps or unnecessary expense.

CUI on the Shop Floor

The shop floor is where CMMC scoping for manufacturers becomes most complex. Consider a typical production workflow for a defense component:

  • CNC programs: G-code and toolpath files derived from CTI-marked engineering drawings are loaded onto CNC machines via USB drives, direct network transfer, or DNC (distributed numerical control) servers. The CNC machine, the transfer mechanism, and the DNC server all process CUI.
  • Work instructions: Printed or digitally displayed instructions that reference controlled engineering data carry CUI onto the shop floor. Tablets, kiosks, or terminals displaying this data are in scope.
  • Inspection data: Measurements taken on the shop floor using CMMs, gauges, or other inspection equipment may generate CUI when the results relate to defense components. The inspection equipment and any connected data collection systems are in scope.
  • Test results: Environmental testing, destructive testing, hardness testing, and other qualification tests produce data that may be CUI. The test equipment, data acquisition systems, and reporting tools are in scope.
  • Traveler documents: Job travelers that accompany parts through production and document each operation step, operator initials, and inspection results may carry CUI if they reference controlled technical information.

Every one of these touchpoints must be identified, documented, and either brought within the CUI enclave boundary or isolated from CUI through process changes. This analysis requires close collaboration between the IT team, the engineering department, quality management, and shop floor supervisors who understand how data actually moves through production.

OT Considerations for CMMC Compliance

Operational technology in a manufacturing CMMC environment requires careful treatment. The 110 practices in NIST 800-171 were written for IT systems, and many of them are difficult or impossible to implement directly on OT equipment. The key is to apply the intent of the controls through a combination of direct implementation where possible and compensating controls where direct implementation is not feasible.

Network Segmentation Between IT and OT

Network segmentation is the foundation of OT security in a CMMC environment. The goal is to create a CUI enclave for IT systems (workstations, servers, cloud services) with controlled interfaces to OT systems that must receive or transmit CUI. This architecture limits the scope of the CMMC assessment on the OT side while still protecting CUI as it moves between environments.

A practical segmentation architecture for a manufacturing CMMC environment includes three zones. The IT CUI enclave contains all office systems that process CUI: CAD/CAM workstations, engineering file servers, email systems, ERP, and PLM. This zone implements all 110 NIST 800-171 controls directly. The OT production zone contains CNC machines, PLCs, robots, and other production equipment. This zone is isolated from the internet and from general corporate IT traffic. The industrial DMZ (IDMZ) sits between the IT CUI enclave and the OT production zone, controlling all data transfers between them. The IDMZ hosts jump servers for administrative access, data diodes or one-way transfer mechanisms for program files, and monitoring systems that provide visibility into OT network activity.

This segmentation approach allows manufacturers to argue that OT systems behind the IDMZ are protected by the controlled interface rather than requiring each legacy CNC machine to independently meet all 110 NIST 800-171 controls. The System Security Plan (SSP) must document this architecture, the data flows across the boundary, and the compensating controls that protect CUI in the OT zone.

Monitoring and Access Controls for Shop Floor Systems

Even with network segmentation, CMMC assessors will expect to see monitoring and access controls for shop floor systems that handle CUI. Practical approaches include deploying network monitoring at the IDMZ boundary to log all data transfers between IT and OT zones, implementing physical access controls for areas where CUI is displayed or stored on the shop floor, using individual login credentials for shop floor terminals that display CUI rather than shared accounts, maintaining audit logs for CNC program transfers showing who transferred which program to which machine and when, and restricting USB ports on CNC machines to prevent unauthorized program loading.

Many of these controls are new territory for manufacturers accustomed to shop floor environments where everyone shares a login, USB drives move freely between machines, and program files are stored on the CNC controller with no version control or access logging. Changing these practices requires both technical implementation and cultural change on the production floor.

Compensating Controls for Legacy Equipment

When a CNC machine or other OT system cannot directly implement a required NIST 800-171 control, the manufacturer must document a compensating control that meets the intent of the requirement. For example, if a CNC controller cannot enforce individual user authentication (control 3.5.1), the compensating control might combine physical access restrictions to the machine, a sign-in log for operators, and network monitoring that records all program transfers to the machine. The compensating control must be documented in the SSP and must be as effective as the original control in mitigating the identified risk.

Assessors accept compensating controls when they are well-documented, reasonable, and genuinely address the security objective. They do not accept hand-waving or controls that exist on paper but are not practiced. For manufacturers, this means investing time in documenting how shop floor processes actually work and designing controls that shop floor workers will actually follow.
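The monitoring described above (logging who transferred which program to which machine and when, and the network monitoring that backs a 3.5.1 compensating control) only helps if someone actually reviews the records. The following is an added example, not code from the original article or from any DNC vendor: it audits constructed DNC transfer log lines against three expectations an assessor would look for, namely an individual rather than shared account, a transfer path through the IDMZ DNC server rather than a direct connection, and a program hash matching the approved engineering release. The log format, host names, account names and G-code are all assumptions.

```python
"""Audit CNC program transfers recorded at the IDMZ boundary.

Added example. The log format, hosts, accounts and sample programs are
constructed for illustration and do not come from any real product.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed log line format written by a hypothetical DNC server:
# <ISO timestamp> user=<account> src=<host> dst=<machine> prog=<file> sha256=<hex>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"prog=(?P<prog>\S+) sha256=(?P<sha>[0-9a-f]{64})$"
)

SHARED_ACCOUNTS = {"operator", "shopfloor", "admin"}   # constructed shared logins
IDMZ_DNC_HOSTS = {"dnc01.idmz.example"}               # constructed IDMZ DNC server
CUI_MACHINES = {"cnc-07", "cnc-12"}                     # constructed in-scope machines


@dataclass
class Finding:
    line_no: int
    machine: str
    reason: str


def approved_releases(programs: dict[str, bytes]) -> dict[str, str]:
    """Approved-release list: program file name -> SHA-256 of the released G-code."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in programs.items()}


def audit_transfers(log_text: str, approved: dict[str, str]) -> list[Finding]:
    """Return one Finding per deviation from the documented transfer procedure."""
    findings: list[Finding] = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding(n, "?", "unparseable log line"))
            continue
        f = m.groupdict()
        if f["dst"] not in CUI_MACHINES:
            continue  # machine is outside the CUI boundary; not a CUI flow
        if f["user"] in SHARED_ACCOUNTS:
            findings.append(Finding(n, f["dst"], f"shared account '{f['user']}' used"))
        if f["src"] not in IDMZ_DNC_HOSTS:
            findings.append(Finding(n, f["dst"], f"transfer bypassed IDMZ (src={f['src']})"))
        expected = approved.get(f["prog"])
        if expected is None:
            findings.append(Finding(n, f["dst"], f"program {f['prog']} not in approved release list"))
        elif expected != f["sha"]:
            findings.append(Finding(n, f["dst"], f"program {f['prog']} hash differs from approved release"))
    return findings


# Constructed sample G-code standing in for engineering-released programs.
SAMPLE_PROGRAMS = {
    "bracket_rev_c.nc": b"%\nO1001 (BRACKET REV C)\nG90 G54\nG0 X0 Y0\nM30\n%",
    "housing_rev_b.nc": b"%\nO1002 (HOUSING REV B)\nG90 G54\nG0 X10 Y10\nM30\n%",
}
APPROVED = approved_releases(SAMPLE_PROGRAMS)
# Hash of a program that was edited locally after release (constructed).
_EDITED_HASH = hashlib.sha256(b"%\nO1001 (BRACKET REV C) EDITED\nM30\n%").hexdigest()

# Constructed log: line 1 is clean, line 2 uses a shared account, line 3 came
# straight from an engineering workstation with a modified program, line 4
# targets a machine outside the CUI boundary and is skipped.
SAMPLE_LOG = f"""
2026-03-02T07:14:03Z user=jsmith src=dnc01.idmz.example dst=cnc-07 prog=bracket_rev_c.nc sha256={APPROVED['bracket_rev_c.nc']}
2026-03-02T07:31:48Z user=operator src=dnc01.idmz.example dst=cnc-12 prog=housing_rev_b.nc sha256={APPROVED['housing_rev_b.nc']}
2026-03-02T09:02:17Z user=mlee src=eng-ws-04.corp.example dst=cnc-07 prog=bracket_rev_c.nc sha256={_EDITED_HASH}
2026-03-02T10:45:00Z user=mlee src=dnc01.idmz.example dst=cnc-03 prog=fixture_plate.nc sha256={'0' * 64}
"""

if __name__ == "__main__":
    for finding in audit_transfers(SAMPLE_LOG, APPROVED):
        print(f"line {finding.line_no} ({finding.machine}): {finding.reason}")
```

Run against a real DNC export, the findings list is the evidence that the compensating control is practiced, not just written down.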

Need Help Scoping CMMC for Your Manufacturing Facility?

Petronella Technology Group helps manufacturers map CUI flows across office and shop floor environments, design OT/IT segmentation architectures, and build System Security Plans that assessors accept. Schedule a free CMMC readiness assessment or call 919-348-4912.

Implementation Approach for Manufacturers

A CMMC implementation for a manufacturing company should follow a phased approach that accounts for production continuity, capital budget cycles, and the reality that shop floor changes require careful planning to avoid disrupting output. The following phases represent a typical 12-18 month implementation timeline for a mid-size manufacturer pursuing CMMC Level 2 certification.

Phase 1: CUI Mapping and Scoping (Months 1-3)

Before any technical implementation begins, map every location where CUI enters, is processed, is stored, and exits your organization. Start with the contract documents and identify what data the prime contractor designates as CUI. Trace that data through your business processes: how does it arrive (email, secure portal, physical media), where is it stored (file server, PLM, local workstations), who accesses it (engineers, machinists, quality inspectors, shipping), and how does it flow to the shop floor (DNC transfer, USB, printed work orders)?

This mapping exercise requires interviews with personnel across the organization: engineering managers, shop floor supervisors, quality managers, IT staff, and administrative personnel who handle contract documents. The output is a CUI data flow diagram and a system inventory that defines the assessment boundary. This is the single most important deliverable of the entire implementation because every subsequent decision depends on it.

Phase 2: IT CUI Enclave and Gap Remediation (Months 3-8)

With the scope defined, build the IT CUI enclave first. This is the set of office-based systems where CUI is processed: engineering workstations, file servers, PLM/ERP systems, email, and collaboration tools. Implement the 110 NIST 800-171 controls within this enclave, including multi-factor authentication, encryption at rest and in transit, audit logging, endpoint detection and response, and access controls based on least privilege.

Simultaneously, conduct a gap assessment against all 110 controls and develop a Plan of Action and Milestones (POA&M) for any controls that cannot be implemented immediately. CMMC Level 2 allows a limited number of controls to be on a POA&M at the time of assessment, but the controls must be closed within 180 days. The gap remediation during this phase should prioritize closing high-risk gaps and controls that affect the most systems in scope.

Phase 3: OT Segmentation and Shop Floor Controls (Months 6-12)

With the IT enclave established, address the OT environment. Implement network segmentation between the IT CUI enclave and the OT production zone, deploying an IDMZ with controlled data transfer mechanisms. Replace shared login accounts on shop floor terminals with individual credentials. Establish program transfer procedures that include logging and approval workflows. Implement physical security controls for areas where CUI is accessible on the shop floor.

This phase overlaps with Phase 2 because the segmentation architecture must be coordinated with the IT enclave design. However, OT changes typically take longer because they must be scheduled around production runs, tested during maintenance windows, and validated to ensure they do not affect machine performance or production quality. Allow extra time and plan changes for periods of lower production demand when possible.

Phase 4: Documentation, Training, and Assessment Prep (Months 10-18)

CMMC assessment is as much about documentation as it is about technical controls. The System Security Plan (SSP) must describe every control implementation, including compensating controls for OT systems. The POA&M must document any remaining gaps with realistic timelines for closure. Policies and procedures must be written, approved, and actively followed by personnel.

Training is critical for manufacturing environments because shop floor workers may not have backgrounds in information security. CMMC training programs should include CUI awareness training for every employee who handles CUI in any form, including machinists, inspectors, and shipping personnel. Training must be documented and refreshed annually. A pre-assessment readiness review, either internal or conducted by an RPO, identifies remaining gaps before the formal C3PAO assessment.

Cost and Timeline for Manufacturing Companies

CMMC implementation costs for manufacturers vary widely based on company size, existing security maturity, the volume and complexity of CUI flows, and the extent of OT systems in scope. The following estimates reflect typical ranges for manufacturers pursuing CMMC Level 2 certification.

  • Small manufacturer (25-75 employees, limited OT in scope): $50,000-$100,000 for implementation, $15,000-$30,000 annually for ongoing compliance. Timeline: 12-18 months.
  • Mid-size manufacturer (75-250 employees, significant OT/CNC environment): $100,000-$175,000 for implementation, $25,000-$60,000 annually. Timeline: 14-20 months.
  • Large manufacturer (250+ employees, complex OT, multiple facilities): $150,000-$250,000+ for implementation, $50,000-$100,000+ annually. Timeline: 18-24 months.

These estimates include gap assessment, SSP development, technical control implementation, network segmentation, policy development, training, and pre-assessment readiness review. They do not include the cost of the C3PAO assessment itself, which typically ranges from $30,000 to $120,000 depending on scope complexity and the number of assessment days required.

Capital expenses for OT-related changes can significantly increase costs. If legacy CNC controllers require network interface upgrades to support segmentation, if shop floor terminals must be replaced to support individual authentication, or if physical security infrastructure (badge readers, cameras, locked enclosures) must be installed, the capital component can add $25,000 to $100,000+ beyond the estimates above. Manufacturers should include these costs in their capital budget planning as early as possible.

The cost of not implementing CMMC is typically far higher than the cost of compliance. A manufacturer with $5 million in annual defense revenue that loses its contracts due to non-compliance faces a revenue loss that dwarfs any implementation investment. Factor in the False Claims Act exposure from prior self-attestations, and the financial calculus becomes clear.

SPRS Scoring for Manufacturers

The Supplier Performance Risk System (SPRS) score is the interim compliance metric that the DoD uses to evaluate contractor cybersecurity posture until CMMC assessments are universally required. Every defense contractor must submit an SPRS score based on a self-assessment against NIST SP 800-171. Scores range from -203 (no controls implemented) to 110 (all controls fully implemented). Contracting officers can view SPRS scores in the SPRS database, and a low score can disqualify a manufacturer from contract consideration before any other evaluation criteria are reviewed.

For manufacturers, calculating an accurate SPRS score requires evaluating all 110 controls across both IT and OT environments where CUI is processed. Each unimplemented control carries a weighted penalty based on the DoD's assessment methodology. Controls related to access control, audit, and system protection carry higher weights because they address fundamental security capabilities. A manufacturer that has implemented strong access controls and encryption but lacks audit logging and configuration management will score lower than the raw count of implemented controls might suggest.

The SPRS calculator can help manufacturers estimate their current score and identify which controls provide the greatest score improvement per implementation dollar. This prioritization is valuable during the implementation phases described above because it allows manufacturers to demonstrate compliance progress to prime contractors through steadily improving SPRS scores even before the CMMC assessment is complete.

SPRS scores must be updated whenever the organization's compliance posture changes. Manufacturers should recalculate and submit updated scores after each implementation phase milestone. Prime contractors are requesting current SPRS scores during supplier reviews, and a score that has not been updated in 12+ months raises questions about whether the manufacturer is actively working toward compliance.
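To make the weighting concrete, here is an added example (not code from the original article and not the official DoD calculator) that estimates a score the way the DoD Assessment Methodology does: start at 110, subtract a weight of 5, 3 or 1 for each control not implemented, floor at -203, and allow the reduced 3-point deduction for partial implementation of 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). It also ranks open gaps by points recovered per dollar, the prioritization the section above describes. The control subset, the weights shown and the remediation cost figures are constructed assumptions; a real submission must use the weights from the methodology's Annex A.

```python
"""Estimate a NIST SP 800-171 DoD Assessment (SPRS) score and rank gaps.

Added example. The subset of controls, the weights assigned to them and
the remediation cost estimates are constructed for illustration only.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_SCORE = -203                                # 110 minus the total weight of all 110 controls
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}     # reduced deduction when partially implemented


@dataclass(frozen=True)
class Control:
    id: str
    family: str
    weight: int      # 5, 3 or 1 under the methodology; illustrative values here
    cost_usd: int    # constructed remediation estimate for this facility


# Constructed subset of the 110 controls (weights illustrative).
CONTROLS = [
    Control("3.1.1", "Access Control", 5, 8000),
    Control("3.1.2", "Access Control", 5, 4000),
    Control("3.3.1", "Audit and Accountability", 5, 25000),
    Control("3.3.2", "Audit and Accountability", 3, 6000),
    Control("3.4.1", "Configuration Management", 5, 15000),
    Control("3.4.2", "Configuration Management", 5, 12000),
    Control("3.5.1", "Identification and Authentication", 5, 20000),
    Control("3.5.3", "Identification and Authentication", 5, 18000),
    Control("3.8.4", "Media Protection", 1, 500),
    Control("3.10.1", "Physical Protection", 5, 9000),
    Control("3.12.4", "Security Assessment", 5, 3000),
    Control("3.13.11", "System and Communications Protection", 5, 7000),
]


def sprs_score(controls, not_implemented, partial=frozenset()) -> int:
    """Score assuming every control not named in `not_implemented` or
    `partial` is fully implemented (the subset stands in for all 110)."""
    deductions = 0
    for c in controls:
        if c.id in not_implemented:
            deductions += c.weight
        elif c.id in partial:
            deductions += PARTIAL_CREDIT.get(c.id, c.weight)
    return max(MIN_SCORE, MAX_SCORE - deductions)


def prioritize(controls, not_implemented):
    """Open gaps ordered by score points recovered per $1,000 of remediation."""
    gaps = [c for c in controls if c.id in not_implemented]
    return sorted(gaps, key=lambda c: c.weight / c.cost_usd * 1000, reverse=True)


# Two constructed postures with the same number of open controls (four each).
# Posture A is missing audit logging and configuration management;
# posture B is missing lower-weight controls and scores higher.
POSTURE_A = {"3.3.1", "3.3.2", "3.4.1", "3.4.2"}
POSTURE_B = {"3.1.2", "3.3.2", "3.8.4", "3.12.4"}

if __name__ == "__main__":
    print("posture A:", sprs_score(CONTROLS, POSTURE_A))
    print("posture B:", sprs_score(CONTROLS, POSTURE_B))
    print("MFA partially implemented only:", sprs_score(CONTROLS, set(), partial={"3.5.3"}))
    for c in prioritize(CONTROLS, POSTURE_A):
        print(f"  fix {c.id} ({c.family}): {c.weight} pts for ${c.cost_usd:,}")
```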

Working with Prime Contractors

The relationship between manufacturers and their prime contractors is central to CMMC success. Prime contractors bear responsibility for ensuring their supply chain meets CMMC requirements, and most major primes have established supplier cybersecurity programs that go beyond the minimum DoD requirements.

Flow-Down Requirements

DFARS clause 252.204-7012 requires prime contractors to flow down cybersecurity requirements to subcontractors who will handle CUI. Under CMMC, this means that the prime contractor must verify that the subcontractor holds the appropriate CMMC certification level before awarding a subcontract that involves CUI. In practice, many primes are implementing more granular requirements: requiring specific controls, specifying approved cloud service providers, mandating particular encryption standards, or requiring evidence of security awareness training programs.

Manufacturers should review their existing contracts and pending solicitations for flow-down clauses that specify cybersecurity requirements beyond the baseline CMMC level. Some primes require subcontractors to complete cybersecurity questionnaires, participate in supply chain risk assessments, or provide access to security documentation. Understanding these requirements early prevents surprises during implementation and ensures the manufacturer's security program satisfies both the CMMC framework and the specific requirements of its prime contractors.

Evidence Sharing and Assessment Coordination

Prime contractors increasingly request evidence of their suppliers' compliance posture. This may include a copy of the manufacturer's SPRS score, a summary of the System Security Plan, evidence of completed training, a copy of the CMMC certification once obtained, and incident response plan documentation. Manufacturers should prepare sanitized versions of these documents that demonstrate compliance without revealing proprietary security architecture details.

Assessment timeline coordination is another practical consideration. If a prime contractor requires CMMC Level 2 certification by a specific date, the manufacturer must work backward from that date to ensure the implementation, documentation, and assessment scheduling allow sufficient time. C3PAO assessment slots are limited, and wait times of 2-4 months for scheduling are common during peak periods. Starting the process early provides buffer time that manufacturers working against prime contractor deadlines cannot afford to waste.

Collaborative Compliance Programs

Some prime contractors offer collaborative compliance programs to help their supply chain partners achieve CMMC certification. These programs may include subsidized training, shared security tools, template documentation, or preferred pricing with managed security service providers. Manufacturers should inquire with their prime contractor program offices about available supply chain support programs. Taking advantage of these resources can reduce implementation costs and accelerate the timeline.

Conversely, manufacturers that proactively communicate their compliance roadmap to prime contractors build trust and demonstrate commitment. Sharing your implementation timeline, SPRS score improvements, and assessment scheduling plans shows that your company takes the requirement seriously and is making measurable progress. This communication can be the difference between retaining a contract during the compliance transition period and being replaced by a competitor who appears further along.

Common Mistakes Manufacturers Make During CMMC Implementation

After working with manufacturing companies on cybersecurity compliance, certain patterns emerge consistently. Avoiding these common mistakes saves time, money, and the frustration of assessment failures.

  • Underscoping the OT environment: The most frequent and costly mistake. Manufacturers exclude CNC machines, inspection equipment, and shop floor terminals from scope, then fail the assessment when the C3PAO identifies CUI flowing to those systems. Trace every data flow before defining the boundary.
  • Treating CMMC as an IT project: CMMC compliance requires involvement from engineering, quality, operations, and management, not just the IT department. Shop floor processes, physical security, and personnel training are all assessed. A CIO or IT director cannot implement CMMC in isolation.
  • Relying on compensating controls without documentation: Assessors accept compensating controls when they are documented, reasonable, and demonstrably effective. They do not accept verbal explanations or controls that were implemented after the assessment began. Document everything proactively.
  • Ignoring the human element: A manufacturer can implement every technical control and still fail if shop floor workers do not understand how to handle CUI, if shared accounts are used on production terminals, or if printed engineering drawings are left unsecured on workbenches. Training and procedural controls are assessed with the same rigor as technical controls.
  • Waiting for the prime contractor's deadline: CMMC implementation for a manufacturer takes 12-24 months. Manufacturers who wait until a prime contractor sets a hard deadline find themselves rushing through implementation, making expensive shortcuts, and still missing the deadline. Starting now, even incrementally, is always the better approach.
  • Using residential-grade or consumer IT tools: CMMC Level 2 requires FedRAMP Moderate authorized cloud services for CUI processing. Manufacturers using consumer-grade email, file sharing, or collaboration tools must migrate to approved platforms, which takes months of planning and data migration. Identify these gaps during Phase 1.

Preparing for the Future: CMMC and Manufacturing Resilience

CMMC compliance is not a one-time certification. It requires continuous monitoring, annual self-assessments between triennial C3PAO assessments, and ongoing maintenance of all 110 controls. For manufacturers, this means integrating cybersecurity into operational processes permanently. Security becomes part of how the factory operates, not a project that ends when the certificate arrives.

The manufacturers who approach CMMC as an opportunity rather than a burden gain lasting advantages. A properly segmented network with monitored OT systems reduces ransomware risk, a threat that Dragos reports hit the manufacturing sector harder than any other industry in 2025. Documented processes and access controls improve quality management and auditability across all customer programs, not just defense work. Trained employees who understand data protection make fewer mistakes across all operations. The investment in CMMC compliance creates security infrastructure that protects the entire business.

The defense manufacturing supply chain is consolidating around companies that can demonstrate cybersecurity maturity. Manufacturers that achieve CMMC certification early position themselves as preferred suppliers, while those that delay risk permanent exclusion from the defense market. The timeline is measured in months, not years. If your company manufactures for the defense supply chain and has not started the CMMC compliance process, the time to begin is now.

Start Your CMMC Manufacturing Compliance Journey

Petronella Technology Group is a CMMC Registered Practitioner Organization with deep experience helping manufacturers scope OT/IT environments, build compliant network architectures, and prepare for C3PAO assessments. Request a free CMMC readiness assessment or call 919-348-4912 to discuss your manufacturing compliance needs.

The defense supply chain depends on manufacturers who can protect the controlled technical information entrusted to them. CMMC certification proves that your company meets that standard. Whether you are a 50-person machine shop or a 500-person multi-facility manufacturer, the path to compliance starts with understanding where CUI lives in your operation, designing controls that work within manufacturing workflows, and committing to the implementation timeline required to reach certification. Contact Petronella Technology Group to start the conversation, or call 919-348-4912 to speak with our team about CMMC compliance for your manufacturing facility.


About the Author

Craig Petronella, CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
