CMMC Compliance for Machine Shops: Level 2 Guide

TL;DR

  • CMMC Level 2 applies to any machine shop that processes, stores, or transmits CUI from DoD contracts: technical drawings, CNC programs, and similar controlled data
  • Level 2 requires meeting all 110 requirements in NIST SP 800-171 Rev. 2, verified by a triennial assessment: a certification assessment by an accredited C3PAO for most CUI contracts, or a self-assessment where the solicitation allows it
  • The shop floor is your biggest compliance gap: USB thumb drives, shared machine logins, and flat OT networks show up repeatedly as audit failures
  • A secure DNC system with role-based access and per-machine event logging addresses the Access Control and Audit & Accountability domains directly
  • Remediation takes time—most shops starting from scratch need 12–24 months before assessment

What Is CMMC Level 2 and Who Needs It?

The CMMC Program final rule, published October 15, 2024 and effective December 16, 2024, established three certification levels under CMMC 2.0. Level 2 is the "Advanced" tier, built entirely on the 110 security requirements in NIST SP 800-171 Rev. 2. It exists to protect Controlled Unclassified Information (CUI) within the Defense Industrial Base.

Which Shops Need Level 2?

The trigger is data type, not company size.

Level     Focus                                            Requirement basis
Level 1   Federal Contract Information (FCI) only          15 basic safeguarding requirements (FAR 52.204-21)
Level 2   CUI                                              110 NIST SP 800-171 Rev. 2 requirements
Level 3   High-priority CUI + national security programs   110 + 24 selected NIST SP 800-172 requirements

[Figure: CMMC three-level certification comparison chart with requirements and CUI focus]

If your shop is a subcontractor to a DoD prime and DFARS 252.204-7012 is flowed down in your subcontract, your work involves CUI. Under 32 CFR Part 170, any subcontractor that processes, stores, or transmits CUI must meet Level 2 at minimum.

Many solicitations go further and require a full C3PAO third-party assessment rather than a self-assessment. Check your contract language and confirm with your prime contractor if you're unsure which applies.


Key CMMC Level 2 Requirements for Machine Shops

CMMC Level 2 spans 14 practice domains. All 14 apply, but machine shops face the most exposure in five areas.

Access Control and User Authentication

Access Control is the largest domain, with 22 requirements (AC.L2-3.1.1 through 3.1.22), and it's where shops fail most often. Every system touching CUI must enforce role-based access: only authorized personnel can view or retrieve CNC programs, drawings, or job traveler data.

Multi-factor authentication is a specific Level 2 requirement (IA.L2-3.5.3): MFA for local and network access to privileged accounts, and for network access to non-privileged accounts. DoD OIG audits of defense contractors found that 4 out of 10 reviewed organizations failed to enforce MFA or strong passwords. Shared machine logins on the shop floor, one of the most common setups in production environments, fail on two counts: there is no individual accountability (IA.L2-3.5.1 and 3.5.2 require identifying and authenticating each user) and no second factor.

Audit and Accountability

Shops must create and retain audit logs that trace actions to individual users: who accessed what data, when, and what changed (AU.L2-3.3.1 and 3.3.2). These logs must be:

  • Protected from unauthorized access, modification, and deletion (AU.L2-3.3.8), which in practice means forwarding them off the shop-floor host to a collector that operators and local admins cannot write to
  • Retained for the period your policy defines (NIST SP 800-171 leaves the duration to the organization, but assessors expect it to be written down and followed)
  • Produced as evidence during assessment

This requirement is especially pointed for CNC program transfers. Every file sent to or retrieved from a machine needs a record that names the individual, the machine, the program and revision, the action, and the time.
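As an added example (not code from this page or from any DNC vendor), the following Python sketch turns "protected from tampering" into a verifiable mechanism: each transfer record is chained to its predecessor with a keyed HMAC, so an edit to any past record, or deletion of the most recent ones, is detectable by a collector that holds the key and the last exported chain head. The field names, sample events, and demo key are constructed for illustration; in production the key and the exported head live with the log collector or SIEM, never on a shop-floor host.

```python
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed demo key. In production this is a managed secret held by the
# log collector/SIEM; shop-floor hosts only append, they never see the key.
LOG_KEY = b"demo-only-key-replace-with-managed-secret"
GENESIS = "0" * 64  # anchor for the first link in the chain


def _canonical(record: dict) -> bytes:
    """Deterministic serialization so every verifier hashes the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _link(record: dict, prev_hash: str, key: bytes) -> str:
    """Keyed hash over (previous link || record): each entry commits to its predecessor."""
    return hmac.new(key, prev_hash.encode() + _canonical(record), hashlib.sha256).hexdigest()


@dataclass
class Entry:
    record: dict
    prev_hash: str
    link_hash: str


class TransferLog:
    """Append-only log of CNC program transfers, chained with an HMAC."""

    def __init__(self, key: bytes = LOG_KEY) -> None:
        self._key = key
        self.entries: List[Entry] = []

    def append(self, ts: str, user: str, machine: str, program: str,
               revision: str, action: str, program_bytes: bytes) -> Entry:
        # Who, which machine, which program/revision, what action, and a
        # digest of the bytes actually transferred (answers "what changed").
        record = {
            "ts": ts, "user": user, "machine": machine, "program": program,
            "revision": revision, "action": action,
            "program_sha256": hashlib.sha256(program_bytes).hexdigest(),
        }
        prev = self.head()
        entry = Entry(record, prev, _link(record, prev, self._key))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest link hash; export this to the collector after each batch."""
        return self.entries[-1].link_hash if self.entries else GENESIS


def verify_chain(entries: List[Entry], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index): index of the first bad entry, or len(entries) if
    the tail was truncated (only detectable when expected_head is supplied)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.prev_hash != prev or not hmac.compare_digest(e.link_hash, _link(e.record, prev, key)):
            return False, i
        prev = e.link_hash
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def demo() -> Tuple[Tuple[bool, Optional[int]], ...]:
    """Constructed events: two transfers of O1001 rev C and one of O2210 rev B."""
    bracket_c = b"O1001 (BRACKET REV C)\nG90 G54 G17\nM30\n"
    housing_b = b"O2210 (HOUSING REV B)\nG90 G55 G17\nM30\n"
    log = TransferLog()
    log.append("2025-01-14T07:02:11Z", "jdoe", "VF2-03", "O1001", "C", "SEND", bracket_c)
    log.append("2025-01-14T07:05:40Z", "rsmith", "VF2-03", "O1001", "C", "RETRIEVE", bracket_c)
    log.append("2025-01-14T09:31:02Z", "jdoe", "NLX-01", "O2210", "B", "SEND", housing_b)
    exported_head = log.head()  # shipped off the floor with the batch

    intact = verify_chain(log.entries, LOG_KEY, exported_head)

    # Tamper 1: rewrite who retrieved the program; the HMAC no longer matches.
    edited = copy.deepcopy(log.entries)
    edited[1].record["user"] = "operator"
    edit_found = verify_chain(edited, LOG_KEY, exported_head)

    # Tamper 2: delete the newest record. Internally the chain is still valid,
    # so only the exported head reveals the missing tail.
    truncated = log.entries[:2]
    trunc_found = verify_chain(truncated, LOG_KEY, exported_head)
    trunc_missed = verify_chain(truncated, LOG_KEY)
    return intact, edit_found, trunc_found, trunc_missed


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 1), (False, 2), (True, None))
```

Two design points matter for an assessor conversation. Because the chain is keyed, someone with write access to the log file but not the key cannot repair the links after editing a record, which is what makes the log evidence rather than just a text file. And a hash chain alone says nothing about deleted entries at the end; exporting the head to a system the shop floor cannot reach closes that gap.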

System and Communications Protection

CUI must be protected in transit with cryptography, or with physical safeguards where cryptography is not possible (SC.L2-3.13.8); CUI on mobile devices and platforms must be encrypted (AC.L2-3.1.19); and wherever cryptography is used to protect CUI it must be FIPS-validated (SC.L2-3.13.11). For machine shops, IT/OT network segmentation is in practice non-negotiable: many CNC controls cannot run modern encryption or endpoint agents, so the operational technology network they sit on must be isolated from your general business network, with the DNC server as the single controlled path between the two (SC.L2-3.13.1, boundary protection).

NIST SP 800-82 Rev. 3 and CISA/NSA guidance both specify:

  • Maintain an accurate OT network map
  • Segment PLCs and workstations from internet exposure
  • Require MFA with strong encryption for any remote OT access

Configuration Management

Maintain a baseline configuration and inventory of approved hardware and software for every system that touches CUI (CM.L2-3.4.1), and enforce it with a deny-by-exception or permit-by-exception software policy (CM.L2-3.4.8). Unauthorized applications and USB devices are a documented gap, and removable media has its own requirements: control its use on CUI systems (MP.L2-3.8.7) and prohibit portable storage with no identifiable owner (MP.L2-3.8.8). DoD OIG found 5 of 10 audited contractors had no automated controls restricting removable media.

Incident Response

A documented incident response capability is required (IR.L2-3.6.1 and 3.6.2). The related contractual obligation comes from DFARS 252.204-7012: a cyber incident affecting covered defense information must be reported to DoD through DIBNet within 72 hours of discovery (not of confirmation), and images of affected systems plus relevant monitoring data must be preserved for at least 90 days after the report. Submitting the report requires a DoD-approved medium assurance certificate, which takes time to obtain; get it before an incident, not during one.


Protecting CUI on the Shop Floor

This is where CMMC gets specific to manufacturing—and where most shops are most exposed.

CNC Programs and the CUI Problem

When CNC programs, technical drawings, or process specifications contain contract-identified controlled technical information with military or space application, they fall under CUI Registry category: Controlled Technical Information. That G-code running your defense component may be CUI, not just a machining instruction.

The risk pattern is straightforward: shops distributing programs via USB drives, unencrypted email, or paper printouts expose CUI at every transfer point. Assessors will ask:

  • Where are programs stored, and who can access them?
  • How are programs transferred to machines?
  • What change history exists for each program revision?

A USB-based workflow has no satisfactory answers to any of these questions.

How Secure DNC Software Addresses Compliance

A properly configured DNC system turns CMMC compliance into a built-in shop floor workflow rather than a separate IT project. Excellerant's DNC software is built specifically for defense-sector and quality-regulated shops, and its feature set maps directly to the Access Control and Audit & Accountability domains:

  • Centralized NC file management eliminates USB drives and email by networking the entire shop floor through secure connections for all program transfers
  • Customizable user permissions with Active Directory integration enforce role-based access, keeping CUI-bearing G-code restricted to authorized operators and programmers
  • Per-machine event logging tracks all file access and transfers at the machine level, creating the audit trail assessors require
  • One-click revision compare with an in-browser G-code editor documents full change history between versions, giving auditors verifiable evidence of change management
  • Rev-Lock-Load limits each machine to a single program request, preventing unauthorized loading and enforcing one-program-per-machine control

[Figure: Excellerant DNC software dashboard showing CNC program access controls and audit logs]

The platform also supports on-premise deployment, keeping CUI within your facility's secure network perimeter rather than external systems.

Engineering Drawings and Technical Data Packages

CUI doesn't stop at G-code. CAD files, drawings, and process specs received from prime contractors must live in a system with documented access controls, not shared via unprotected email attachments or open network drives.

Your System Security Plan (SSP) must map exactly where all CUI resides. That means identifying every device, server, or cloud system that stores it and documenting what controls protect each one.

Physical Security on the Floor

CMMC Level 2 includes physical access controls as part of CUI protection. Smaller shops where the floor is open and machines are shared face a specific gap here:

  • Control walk-up access to CNC workstations with resident programs
  • Secure server rooms and network closets
  • Limit access to network-connected equipment to authorized personnel only

Building Your CMMC Level 2 Compliance Roadmap

Phase 1: Gap Assessment

Start by mapping every system that touches CUI—ERP, DNC software, email, file storage, CAD/CAM platforms—against all 110 NIST 800-171 controls. Document what's in place and what's missing. This gap assessment produces the raw material for your POA&M and SSP.

Phase 2: SSP and POA&M

The gap assessment feeds directly into two foundational documents that assessors will scrutinize. Under 32 CFR Part 170, an assessment cannot be completed without an up-to-date SSP:

  • SSP: Documents how each of the 110 controls is implemented in your specific environment, system boundaries, and relationships between systems
  • POA&M: Lists every unmet control, the corrective action required, the responsible owner, and target completion date

One hard rule: six requirements can never appear on the POA&M and must be MET before assessment: AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5, and CA.L2-3.12.4 (System Security Plan). Nor can any requirement weighted above 1 point, with one exception: SC.L2-3.13.11 (CUI encryption) may stay open when encryption is in place but not FIPS-validated, which the scoring methodology treats as a 3-point deduction.

Phase 3: Remediation

Closing the gaps is the most time-intensive phase. Common remediation activities include:

  1. Deploy MFA on all CUI-handling systems
  2. Segment IT and OT networks with documented architecture
  3. Implement secure DNC or file transfer to replace USB/email workflows
  4. Establish security awareness training with documented completion records
  5. Create incident response and backup/recovery procedures in writing

[Figure: 5-step CMMC Level 2 remediation process flow for machine shop compliance]

Shops starting without a formal cybersecurity program need 12–24 months from gap assessment through C3PAO assessment.

Phase 4: Ongoing Compliance

Certification is not a one-time event. CMMC Level 2 requires:

  • A triennial C3PAO assessment (or self-assessment, depending on the solicitation)
  • An annual affirmation by a senior official in the interim years (failure to affirm causes the CMMC status to lapse)
  • Ongoing SSP updates whenever systems or boundaries change
  • Regular employee training with documented completion records
  • Audit log retention throughout the certification period

Navigating the C3PAO Assessment

A C3PAO (CMMC Third-Party Assessment Organization) is an organization accredited by the Cyber-AB to conduct official Level 2 certification assessments. Most Level 2 shops cannot self-assess—the solicitation specifies whether a C3PAO assessment is required. You can find accredited C3PAOs through the Cyber-AB Marketplace.

Once you've identified your C3PAO, understanding what they examine helps you prepare.

What Assessors Examine

Control category   What they review
Technical          Firewalls, MFA, encryption, network segmentation, DNC configurations
Administrative     SSP, POA&M, training records, documented policies
Physical           Access restrictions to CUI-handling areas and workstations

Assessors may specifically request CNC program access logs and DNC system configurations. Having those records exportable and organized before the assessment saves significant time during the on-site review.

Scoring and Outcomes

The maximum Level 2 score is 110, one point per requirement; each NOT MET requirement subtracts 1, 3, or 5 points according to the DoD Assessment Methodology, down to a floor of -203. A Conditional Level 2 status is possible, but only if:

  • Your score is at least 0.8 of the maximum, that is, 88 or higher
  • Every open item is a 1-point requirement (SC.L2-3.13.11 may remain open at 3 points when encryption is in place but not FIPS-validated)
  • None of the never-on-POA&M requirements, such as the SSP, remains open
  • All POA&M items close within 180 days, verified by a closeout assessment; otherwise the conditional status expires

Failure means the shop cannot hold active contracts requiring Level 2 until compliant. To avoid that outcome, run an internal audit before the formal C3PAO review—it's the most effective way to surface POA&M gaps, missing access logs, and undocumented policies while you still have time to close them.
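To make the conditional-status arithmetic concrete, here is an added Python example (not from this page, from DoD, or from any assessor) that scores a set of NOT MET findings and explains why a POA&M is or is not allowed under the rules above. The three scenarios and the point values attached to them are constructed for illustration; confirm each requirement's weight against the current DoD Assessment Methodology Annex A before relying on it.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

TOTAL_REQUIREMENTS = 110          # Level 2 = all of NIST SP 800-171 Rev. 2
MIN_SCORE = -203                  # floor defined by the DoD Assessment Methodology
CONDITIONAL_RATIO = 0.8           # 32 CFR 170.21: score / total must be >= 0.8

# Requirements that may never be open at assessment time (32 CFR 170.21(a)(2)(iii)).
NEVER_ON_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
    "CA.L2-3.12.4",   # the SSP is not scored; without it the assessment cannot be completed
}
# Only 1-point items may sit on a POA&M, except CUI encryption when it is in
# place but not FIPS-validated (scored as a 3-point deduction).
CUI_ENCRYPTION = "SC.L2-3.13.11"


@dataclass(frozen=True)
class Finding:
    req_id: str
    points: int   # 1, 3 or 5 deducted for this NOT MET requirement
    note: str = ""


def score(findings: Iterable[Finding]) -> int:
    """Assessment score: 110 minus the deductions, never below the -203 floor."""
    return max(MIN_SCORE, TOTAL_REQUIREMENTS - sum(f.points for f in findings))


def conditional_status(findings: Iterable[Finding]) -> Tuple[bool, List[str]]:
    """Return (eligible, reasons). Empty reasons means a Conditional Level 2 is
    possible, provided every open item then closes within 180 days."""
    findings = list(findings)
    reasons: List[str] = []
    s = score(findings)
    threshold = CONDITIONAL_RATIO * TOTAL_REQUIREMENTS   # 88.0
    if s < threshold:
        reasons.append(f"score {s} is below {threshold:g}")
    for f in findings:
        if f.req_id in NEVER_ON_POAM:
            reasons.append(f"{f.req_id} may never be on a POA&M")
        elif f.points > 1 and not (f.req_id == CUI_ENCRYPTION and f.points == 3):
            reasons.append(f"{f.req_id} is a {f.points}-point requirement")
    return (not reasons, reasons)


# Constructed scenarios for a hypothetical shop (point values illustrative).
SCENARIO_A = [  # small gaps only: conditional status is possible
    Finding("AU.L2-3.3.3", 1, "log review not performed on a schedule"),
    Finding("AU.L2-3.3.8", 1, "logs editable by shop-floor admins"),
    Finding("IR.L2-3.6.3", 1, "IR plan never exercised"),
    Finding("SC.L2-3.13.11", 3, "encryption in place but not FIPS-validated"),
]
SCENARIO_B = SCENARIO_A + [  # score still >= 88, yet the 5-point items block any POA&M
    Finding("IA.L2-3.5.3", 5, "no MFA on CUI systems"),
    Finding("MP.L2-3.8.7", 5, "USB drives unrestricted"),
]
SCENARIO_C = [  # near-perfect score, but one never-on-POA&M item fails it outright
    Finding("PE.L2-3.10.3", 1, "visitors not escorted on the floor"),
]


if __name__ == "__main__":
    for name, sc in (("A", SCENARIO_A), ("B", SCENARIO_B), ("C", SCENARIO_C)):
        ok, why = conditional_status(sc)
        verdict = "possible" if ok else "NOT possible"
        print(f"Scenario {name}: score {score(sc)}, conditional status {verdict}", why)
```

The scenarios show why the score alone is a poor readiness gauge: Scenario B scores 94, comfortably above 88, and still cannot receive a conditional status because two 5-point items are open, while Scenario C scores 109 and fails on a single 1-point physical-security item that the rule forbids on a POA&M. Prioritize remediation by POA&M eligibility first, then by points.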


Why CMMC Level 2 Is Worth the Investment

The business case starts with scale: the CMMC final rule cites over 220,000 companies in the Defense Industrial Base, with an estimated 8,350 medium and large entities required to meet Level 2 C3PAO assessment requirements. Early readiness puts your shop in a position to compete where non-compliant shops cannot bid.

Beyond contract eligibility, the controls CMMC requires are also sound operational practice. The average cost of a data breach in the industrial sector reached $5.56 million in 2024, an 18% increase from the prior year, according to IBM's 2024 Cost of a Data Breach Report. The core controls mandated by CMMC do more than satisfy an assessor — they directly reduce your exposure to real operational threats:

  • Role-based access limits who can touch sensitive CNC programs and production data
  • Audit logging creates accountability and speeds up incident investigation
  • Network segmentation contains breaches before they reach shop-floor equipment
  • Incident response plans cut recovery time when ransomware or IP theft occurs

[Figure: Four CMMC security controls mapped to operational business benefits for machine shops]

A shop that embeds these controls into daily operations — through secure DNC file management, access-controlled program delivery, and documented procedures — earns trust from defense primes and commercial customers alike. CMMC compliance signals operational discipline, not just regulatory checkbox-ticking.


Frequently Asked Questions

What is CMMC software?

"CMMC software" refers broadly to tools that help organizations implement and maintain the security controls required for compliance—including access control platforms, audit log systems, SIEM tools, and secure DNC solutions that protect CUI across digital workflows. No single product covers all 110 controls; a layered approach is required.

What are the best CMMC software solutions for machine shops?

Focus on the systems that actually touch CUI: secure DNC software for CNC program management, MFA-enabled ERP or job management tools, encrypted storage for technical drawings, SIEM for audit logging, and network segmentation for IT/OT separation. Each solution should map to NIST 800-171 control families.

Does my machine shop need CMMC Level 2 or Level 1?

Level 1 applies only to shops handling Federal Contract Information with no CUI. If your shop receives technical drawings, CNC programs, or any defense-sensitive design data, you almost certainly handle CUI and must meet Level 2. Review your contract's DFARS clauses and confirm with your prime contractor.

How long does it take to achieve CMMC Level 2 certification?

Shops with no formal cybersecurity program typically need 12–24 months from gap assessment through C3PAO assessment. Shops with existing NIST 800-171 practices can move faster, but starting well before a contract award is essential.

What is a C3PAO and how do I find one?

A C3PAO is an organization accredited by the Cyber-AB to conduct official CMMC Level 2 assessments. Find accredited C3PAOs through the marketplace at cyberAB.org. Engaging one early—even for a pre-assessment review—helps identify gaps before the formal audit.

What happens if my machine shop fails a CMMC Level 2 assessment?

A failed assessment means the shop cannot be awarded or continue performing on contracts requiring Level 2. Shops receive a detailed findings report, remediate identified gaps, and reschedule reassessment. Having a robust POA&M in place beforehand demonstrates good faith and can support a conditional outcome for minor remaining items.