CMMC compliance for shipbuilders. Done in 60 to 75 days, not six months.
A complete CMMC v2.0 documentation package for NAVSEA prime contractors and Tier 2 / Tier 3 marine subcontractors, scoped for hull-form CUI, weld certification data, and ITAR-overlapped naval engineering. Built by a Cyber AB Registered Provider Organization with four CMMC RPs on staff.
Shipyards, marine fabricators, and Tier 2 / Tier 3 subcontractors.
If your shop fabricates structural steel, machines marine fittings, supplies pumps and valves, welds hull sections, or designs naval systems for a NAVSEA contract, CMMC has flowed down through your purchase order. Here is who is on the hook.
This page is built for the U.S. shipbuilding industrial base. It covers the major prime shipbuilders (HII Newport News and Ingalls, General Dynamics Electric Boat and Bath Iron Works, Austal USA, Fincantieri Marinette Marine), NAVSEA design agents and integrators, and the long tail of Tier 2 and Tier 3 subcontractors: small machine shops, weld shops, casting houses, marine valve makers, switchgear assemblers, electronics integrators, and engineering services firms supporting DDG, SSN, CVN, FFG, and unmanned surface vessel programs.
It also covers the supporting industrial base: marine coatings suppliers, propulsion-component manufacturers, sonar and weapons-system integrators, and the engineering and naval architecture firms that share controlled hull-form, signature, and propulsion data with the prime. If you receive engineering drawings stamped "Distribution Statement B/C/D/F", technical data controlled by NAVSEA, or weld procedure specifications tied to a NAVSEA Tech Pub, you are in scope.
Common buyer signals we see in this space:
- A NAVSEA prime (HII, GD Electric Boat, GD Bath Iron Works, Austal USA, Fincantieri) has updated your master subcontract with the new CMMC clause and DFARS 252.204-7012, plus DFARS 252.204-7019 / 7020 / 7021.
- You hold drawings or weld procedures for a DDG-class destroyer, Virginia-class or Columbia-class submarine, Ford-class carrier, Constellation-class frigate, or unmanned surface vessel program.
- The prime has asked for your current SPRS score, or pulled it from the Supplier Performance Risk System database before issuing new task orders.
- Your customer is also asking for AS9100 / ISO 9001 evidence, NIST 800-171 self-attestations, or a DD Form 2345 (Militarily Critical Technical Data Agreement) on file.
- You are an ITAR-registered firm under DDTC, working naval ordnance, propulsion, or signature reduction technologies, and the customer is asking for proof of cyber posture alongside ITAR controls.
Naval CUI is everywhere a shipyard touches.
The 110 NIST 800-171 controls do not pick a vertical. The places NAVSEA suppliers actually keep CUI are routinely missed during scoping by IT-only consultancies that do not know shipyard workflows.
Hull form and signature data
DDG, SSN, and CVN hull-form drawings, acoustic signature reports, magnetic and infrared signature data, and CFD model outputs are export-controlled and almost always CUI / Controlled Technical Information. They live in PLM, on engineering workstations, and in customer drop folders.
Weld procedure specs and qualification records
WPS, PQR, and welder performance qualification records tied to NAVSEA Tech Pub T9074-AS-GIB-010, S9074-AR-GIB-010A, and the NAVSEA 250 series. Stored in QA shared drives, ERP, and email. Each is a CUI artifact when linked to a controlled program.
Engineering drawings and CAD
Structural drawings, propulsion plant arrangements, electrical plant one-lines, hull mechanical and electrical (HM&E) data in NX, SolidWorks, AutoCAD, or NAVSEA-furnished formats. Routinely shared on encrypted media, large file-transfer portals, or the prime's shared environment.
ITAR overlap on naval technology
If your work touches USML Category VI (vessels of war, ground vehicles), Category XII (sensors and night vision), or Category XX (submersibles), DDTC registration plus ITAR controls live alongside CMMC. We map the overlap so one set of evidence supports both regimes.
Tier 2 / Tier 3 flow-down
The DFARS 252.204-7012 clause and the new CMMC rule flow down to the smallest weld shop. We have seen single-owner machine shops, two-person foundries, and family-run electronics integrators pulled into CMMC L2 scope by their NAVSEA prime. Scoping has to fit the shop, not the other way around.
DCSA facility clearance overlap
Many shipyards and naval design agents already hold a DCSA-issued Facility Clearance for classified handling. The NISPOM controls and CMMC L2 controls share most perimeter, change-management, media-handling, and personnel-vetting expectations. Build them once.
The CMMC package, scoped for a shipyard.
Branded, editable, yours forever. Formatted to DIBCAC and C3PAO expectations. The shipyard-specific items (weld qualification records, controlled drawing handling, NAVSEA distribution statements, on-site contractor access) are baked into the SSP and CUI boundary documents.
System Security Plan (SSP)
110 NIST 800-171 control narratives with shipyard asset inventory: engineering workstations, CNC controllers, NDT laptops, ERP, PLM, weld supervisor PCs, and on-vessel laptops.
CUI boundary for naval programs
Network diagrams that draw the boundary around hull-form CAD repositories, weld qualification record systems, NAVSEA-furnished drawing portals, and large-file transfer infrastructure.
SPRS score
Calculated SPRS score with a control-by-control breakdown. The number NAVSEA primes look at before they release the next task order.
POA&M with shipyard gaps
Plan of Action & Milestones with the gaps shipyards actually have: shared CNC PLCs on the build floor, sub-tier outsourced machining, on-vessel contractor laptops, paper drawings on the deckplate.
14 security policies
One policy per NIST 800-171 family (3.1 through 3.14), branded to your firm. Reuse for ITAR, DCSA, ISO 9001, and AS9100 inspections.
14 operational procedures
Step-by-step procedures for the shipyard floor: how a welder receives a controlled WPS, how an NDT tech ships a radiograph, how a draftsman prints a controlled drawing without leaving CUI in a copier hard drive.
Drawing-handling procedure
How NAVSEA Distribution Statement B/C/D/F drawings move from the prime's portal to the deckplate, including printing, redlining, scanning, and destruction.
ITAR / CMMC crosswalk
A side-by-side mapping between your ITAR program (DDTC registration, USML categorization, technical data controls) and the CMMC family controls so one set of evidence supports both regimes.
Assessment readiness checklist
The day-of punch list: which weld supervisor attends the interview, which deckplate area gets toured, which controlled-drawing repository the assessor opens.
Output formats: PDF, editable Word, HTML, CSV, ZIP. Branded with your logo. No platform lock-in.
From scoping to assessor handoff in 60 to 75 days.
A predictable, productized engagement built around a six-step scoping wizard, with deliverables and sign-offs at each gate.
Scoping & CUI boundary
60-minute working session. We map your NAVSEA contracts in flight, the prime flow-downs you have signed, ITAR overlap, DCSA scope, and the CUI boundary across engineering, fabrication, and outfitting.
Asset and data inventory
Engineering workstations, CNC controllers, weld supervisor PCs, on-vessel laptops, paper drawing handling, large-file transfer infrastructure, and removable media used at the deckplate.
Gap analysis & SPRS
All 110 controls scored against your shipyard. SPRS calculated. POA&M drafted with shipyard-specific gaps and remediation timeline.
Documentation build
SSP, 14 policies, 14 procedures, control narratives, evidence checklist, drawing handling procedure, ITAR crosswalk, all branded and reviewed.
Mock walkthrough
Tabletop assessment with our CMMC RPs, including the questions a C3PAO will ask your QA director, your weld supervisor, and your IT lead.
Assessor handoff
Evidence repository organized, interview prep done, assessment readiness checklist signed. We hand the package to your C3PAO.
Pick your level. Get a fixed price, fixed timeline.
Three productized packages. Fixed prices, fixed timelines, third-party assessment fees disclosed up front so the total budget is transparent before you sign.
Foundational (FCI)
- 17 control narratives + SSP
- Policies and procedures package
- SPRS attestation prep
- 21-day delivery
Advanced (CUI)
- SSP + POA&M + SPRS score
- 14 policies + 14 procedures
- 110 control narratives
- Controlled drawing handling procedure
- 60 to 75 day delivery
Expert
- L2 baseline + 24 NIST 800-172 controls
- DIBCAC-led assessment readiness
- Architecture and threat modeling
- Custom timeline
What counts as CUI in a shipyard.
Use this as a starting point during the scoping call. We will refine each row against your active contracts, your NAVSEA distribution markings, and any DD Form 254 on file.
| Artifact | Likely CUI category | Where it lives |
|---|---|---|
| Hull-form drawings, lines plans, body plans | Controlled Technical Information (CTI), Defense (DCNI-O), often ITAR | NX / SolidWorks / AutoCAD, PLM, NAVSEA drawing portals |
| Acoustic, magnetic, IR signature data | CTI, sometimes classified | Engineering reports, signature analysis tools, customer drop folders |
| Propulsion plant arrangements (DDG, SSN) | CTI, Naval Nuclear Propulsion Information (NNPI) for SSN/CVN | PLM, mechanical engineering shared drives |
| Weld procedure specs (WPS, PQR) | CTI when tied to a controlled program | QA shared drives, ERP, NDE / NDT systems |
| Welder qualification records | CTI, Personally Identifiable Information (PII) | HR systems, training records, paper folders |
| NAVSEA Tech Pubs (T9074, S9074, 250-series) | Distribution Statement B/C/D/F, CUI | Engineering library, controlled paper, secure portals |
| Outfitting drawings (HM&E, electrical) | CTI | PLM, project shared drives, paper at deckplate |
| Sub-tier supplier flow-down packages | CTI, Procurement-CUI | Procurement systems, supplier portals |
If your C3PAO finds a doc gap, we fix it free.
Every ComplianceArmor CMMC engagement carries the Petronella Technology Group Audit-Ready Promise. If a C3PAO assessor identifies a gap in any artifact we produced, we fix it at no charge within 30 days. If a CMMC Level 2 assessment fails because of our documentation work, we refund 50% of our fee. The package is yours forever, in editable native formats, with no subscription and no DRM.
Important disclosure. Petronella Technology Group, Inc. is a Cyber AB Registered Provider Organization (RPO). The independent CMMC Level 2 assessment required for certification is performed by a Cyber AB Authorized C3PAO under a separate engagement, priced separately from this package. Only the Cyber AB and the U.S. Department of Defense issue CMMC certificates. Petronella Technology Group does not perform certified assessments and does not promise assessment outcomes.
CMMC questions NAVSEA suppliers ask first.
We are a Tier 3 weld shop. Does CMMC really flow down to us?
Yes, in most cases. The CMMC rule and DFARS 252.204-7012 flow down through the entire supply chain whenever your work product carries CUI or your shop receives controlled engineering data. A weld procedure tied to a NAVSEA hull program, a radiograph of a controlled assembly, or a CNC tape generated from a controlled drawing are all CUI. The good news: a small weld shop with a tightly scoped CUI boundary often qualifies for CMMC Level 2 with a manageable footprint, sometimes only a handful of in-scope workstations and a single shared drive. We scope around the shop you actually run.
Are DDG and SSN classified hull designs CUI or classified?
Both, depending on which slice of the design you hold. Most prime-released hull and outfitting drawings carry a Distribution Statement B, C, D, or F and are CUI / Controlled Technical Information. Specific signature data, certain propulsion data on Virginia-class and Columbia-class submarines (which is also Naval Nuclear Propulsion Information), and a small slice of weapon-system data are classified and live under DCSA NISPOM rules, not CMMC. Your CMMC Level 2 boundary handles the unclassified-but-controlled portion. Classified handling stays in your DCSA-approved closed area, separately. We document the boundary so an assessor can see exactly where each starts and stops.
How does NAVSEA flow-down language work in practice?
NAVSEA prime contractors (HII, GD Electric Boat, Bath Iron Works, Austal USA, Fincantieri) include cyber clauses in every Tier 2 and Tier 3 purchase order touching CUI. The standard flow-down stack is DFARS 252.204-7012 (cyber incident reporting and CUI safeguarding), DFARS 252.204-7019 / 7020 (NIST 800-171 self-assessment and SPRS posting), and the new DFARS 252.204-7021 (CMMC compliance). Once the CMMC final rule fully phases in, the prime cannot legally award you a follow-on subcontract without your CMMC level on file. We help you get the documentation done before the next exercise of options.
What about ITAR overlap on naval systems?
If your work touches USML Category VI (vessels of war and special naval equipment), Category XII (sensors, lasers, night vision, fire control), or Category XX (submersibles), your firm needs DDTC registration and ITAR-compliant technical data controls in addition to CMMC. The same evidence usually satisfies both. ITAR's "technical data" controls map cleanly onto NIST 800-171 families 3.1 (Access Control), 3.8 (Media Protection), 3.13 (System and Communications Protection), and 3.14 (System and Information Integrity). Our deliverable includes an ITAR / CMMC crosswalk so one set of policies and procedures supports both regimes.
How do weld certification and process compliance fit into the SSP?
Your weld program is a documented process that produces records: WPS, PQR, welder performance qualifications, in-process NDT results, and final QA sign-offs. Inside CMMC, those records are treated like any other CUI: access-controlled, encrypted at rest, retained, and destroyed under a documented policy. We do not redesign your weld program. We document how the records flow through your existing systems (ERP, paper, QA shared drive) and how they are protected from drift, deletion, or unauthorized access. Your AWS / NAVSEA welding standards stay where they are.
What does a DCSA facility clearance overlap with CMMC look like?
If your shipyard or marine engineering firm holds a Facility Clearance issued by the Defense Counterintelligence and Security Agency, you already follow the National Industrial Security Program Operating Manual (NISPOM) for classified handling. CMMC Level 2 covers the unclassified-but-controlled side: CUI in the engineering, fabrication, and outfitting environments. The two share most perimeter, change-management, media-handling, and personnel-vetting expectations. We map shared evidence so you do not document the same control twice for two different inspectors.
What about controlled paper drawings on the deckplate?
Paper is a CMMC scope item. NIST 800-171 controls under family 3.8 (Media Protection) and 3.10 (Physical Protection) apply to printed CUI. Most shipyard violations we see are ordinary: drawings left at a workstation overnight, a copier hard drive that retained scans, a contractor flipping through a controlled binder in the parking lot. We document a deckplate-friendly procedure: how a print is checked out, how it is returned, how it is destroyed, and how the copier and shredder are managed. The procedure has to fit the way your fabrication cells actually run.
How long does this take, and what does it cost?
CMMC Level 1 from $6,997 flat, 21-day delivery, no third-party assessor required.
CMMC Level 2 documentation package from $24,997 flat, 60 to 75 day delivery. The required C3PAO assessment fee runs $30K to $50K and is engaged separately. We disclose that on every pricing card so the total budget is transparent up front.
CMMC Level 3 is custom-scoped after a discovery call. DIBCAC-led assessment is government-administered.
Stop authoring the SSP. Start the CMMC assessment.
Schedule a 30-minute scoping call. We will walk through your NAVSEA programs, your CUI footprint, your ITAR overlap, and quote your engagement on the call.