The phone call that drives this whole article goes about like this: "Our prime contractor is asking us to fill out a CMMC scoping questionnaire. We have until the end of the quarter. What does that mean and what do we need to do?"
If you make precision parts for the defense supply chain, that call is coming, and it might already have come. The Department of Defense has been talking about CMMC for half a decade and has now actually started writing it into solicitations. Suppliers who cannot attest to the relevant level by the contract date stop being eligible to bid.
Below is what a small manufacturer needs to understand about the federal compliance picture in 2026, what your IT environment has to look like to pass, and where the typical gaps are.
The Three Frameworks You Will Hear About
CMMC 2.0
Cybersecurity Maturity Model Certification, version 2.0, is the DoD framework for verifying that contractors and subcontractors are protecting federal contract information (FCI) and controlled unclassified information (CUI). It has three levels:
Level 1 covers FCI and is satisfied by an annual self-attestation.
Level 2 covers CUI, is aligned to NIST SP 800-171, and is verified by a third-party assessment or a self-attestation depending on the contract.
Level 3 covers the most sensitive programs and is assessed by the government.
For a typical small precision-manufacturing supplier in the defense supply chain, the realistic target is Level 2. If your prime is asking about CMMC, they are almost always asking about Level 2.
NIST SP 800-171
NIST Special Publication 800-171 is the federal control set for protecting CUI in non-federal information systems. CMMC Level 2 is essentially a wrapper around NIST 800-171 that adds documentation, assessment, and continuous-monitoring requirements.
NIST 800-171 Revision 2 specifies 110 security controls across 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. Revision 3, finalized in 2024, reorganizes the families and adjusts a number of controls; the contracting machinery is still incorporating Rev 3 in a phased way.
If you are CMMC Level 2, you are NIST 800-171.
ITAR
The International Traffic in Arms Regulations controls the export of defense articles, defense services, and related technical data on the United States Munitions List (USML). Critically, the export controls apply to access by foreign persons even within the United States.
If you make a part that ends up in something on the USML, the technical data (the drawing, the specification, the inspection criteria) is ITAR-controlled. Failure to register with the State Department Directorate of Defense Trade Controls and to control access to ITAR data carries criminal and civil penalties measured in millions of dollars per violation.
For a precision-metals supplier the common case is: yes, ITAR applies, you need to be registered, and the IT environment needs to enforce US-person-only access to specific data.
What a CMMC-Compliant IT Environment Actually Looks Like
The 110 controls in NIST 800-171 sound abstract until you watch a small manufacturer try to implement them. In practice they collapse into about a dozen technology decisions and a thicker pile of policy and procedure work.
A separated identity and email tenant. Most small manufacturers end up moving CUI workflows into Microsoft 365 GCC or GCC High. GCC is sufficient for most CMMC Level 2 work; GCC High is required for ITAR. The commercial tenant the rest of the business runs on stays where it is; CUI moves to the federal tenant. The MSP handles the migration, the conditional-access policies, and the ongoing tenant administration.
Multi-factor authentication on every account, no exceptions. Phishing-resistant MFA (FIDO2 keys or platform authenticators) on privileged accounts. The "we have a service account that cannot do MFA" conversation is the conversation that derails most CMMC assessments.
Endpoint detection and response on every endpoint touching CUI. Microsoft Defender for Endpoint (Plan 2 minimum), CrowdStrike, or SentinelOne. Configured to log, alert, and isolate on detection. Centrally managed, with retention that meets the audit-log requirement.
Network segmentation that puts CUI workflows on a separate VLAN or virtual network. The shop floor, the back office, and the CUI environment are not the same network. The segmentation is documented in a System Security Plan (SSP) that the assessor reads.
Encrypted communications for CUI data. TLS 1.2 minimum in transit, AES-256 at rest. For email containing CUI, use the GCC tenant's encryption with restricted recipient lists. The "I email the drawing as a PDF attachment" workflow has to end.
Logging, monitoring, and a SIEM. Audit logs from endpoints, servers, network devices, and identity provider, centralized into a tool that retains them for the required period (typically twelve months minimum). Microsoft Sentinel, Splunk, or a managed SOC service.
Backup with separation, tested restore, and immutability. A backup that an attacker who compromises the primary tenant cannot delete. Documented restore tests at a defined cadence.
Configuration management with a known baseline. Every endpoint and server matches a documented configuration. Drift is detected and remediated. Patches deploy on a schedule that the assessor can see.
Incident response procedures that are written, tested, and known. Tabletop exercises. A documented call tree. A retainer with a digital forensics and incident response firm so the call after the breach is to a number you already have, not a Google search at 2am.
Access reviews on a documented cadence. Quarterly, at minimum, with sign-off retained. The access-review evidence is what gets pulled in the assessment.
Personnel security controls. Background checks for people with CUI access. Onboarding and offboarding procedures that are documented and followed.
A System Security Plan and Plan of Action and Milestones. The SSP describes the environment and the controls. The POA&M tracks every gap, who owns it, and when it closes. These two documents are the heart of the assessment.
If your current MSP cannot speak fluently to most of the items above, you do not have a CMMC-capable provider, and the gap is meaningful.
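The configuration-management, EDR, encryption and patching items above reduce to a baseline that every in-scope endpoint is checked against. The following is an added illustration of such a drift check, not the page's own tooling or any product's API: the baseline values are taken from the article's list, while the inventory records, field names and hostnames are constructed assumptions standing in for an EDR or MDM export.

```python
from datetime import date

# Documented baseline every endpoint in CUI scope must match (constructed
# sample built from the article's list; real values come from the SSP).
BASELINE = {
    "edr_agent": "running",          # EDR on every endpoint touching CUI
    "edr_isolate_on_detect": True,   # configured to isolate, not just alert
    "disk_encryption": "AES-256",    # CUI at rest
    "log_forwarding": True,          # audit logs reach the SIEM
}
MIN_TLS = 1.2                        # CUI in transit
MAX_PATCH_AGE_DAYS = 30              # assumed patch schedule (hypothetical)

def check_endpoint(record: dict, today: date) -> list[str]:
    """Return drift findings for one endpoint; an empty list means it matches."""
    findings = []
    for key, expected in BASELINE.items():
        actual = record.get(key)
        if actual != expected:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    # Compare TLS numerically so a newer minimum (1.3) is not flagged as drift.
    if float(record.get("tls_min_version", 0)) < MIN_TLS:
        findings.append(f"tls_min_version below {MIN_TLS}")
    age = (today - date.fromisoformat(record["last_patch"])).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches {age} days old (limit {MAX_PATCH_AGE_DAYS})")
    return findings

def drift_report(inventory: list[dict], today_iso: str) -> dict[str, list[str]]:
    """Check only CUI-scoped hosts; out-of-scope hosts are outside the assessment boundary."""
    today = date.fromisoformat(today_iso)
    return {r["hostname"]: check_endpoint(r, today)
            for r in inventory if r.get("cui_scope")}

# Constructed inventory records (the shape of an EDR/MDM export, not real hosts).
SAMPLE_INVENTORY = [
    {"hostname": "cnc-eng-01", "cui_scope": True, "edr_agent": "running",
     "edr_isolate_on_detect": True, "disk_encryption": "AES-256",
     "log_forwarding": True, "tls_min_version": "1.2", "last_patch": "2026-03-10"},
    {"hostname": "qa-laptop-07", "cui_scope": True, "edr_agent": "running",
     "edr_isolate_on_detect": False, "disk_encryption": "none",
     "log_forwarding": True, "tls_min_version": "1.0", "last_patch": "2026-01-05"},
    {"hostname": "lobby-kiosk", "cui_scope": False, "edr_agent": "absent",
     "last_patch": "2025-06-01"},
]

if __name__ == "__main__":
    for host, findings in drift_report(SAMPLE_INVENTORY, "2026-03-20").items():
        print(host, "OK" if not findings else findings)
```

The per-host findings list is the kind of evidence that feeds the POA&M: each entry names the control that drifted and what was observed.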
Where Small Manufacturers Trip
Five patterns I see most consistently when assessing a small precision-manufacturing IT environment for CMMC readiness.
The pricing decision and what to look for in a managed IT provider are doubly important when CMMC is in play. The wrong choice burns six figures and a year.
ITAR: The Add-On That Catches Manufacturers Off Guard
If you make USML parts, ITAR applies on top of CMMC. The two frameworks overlap but ITAR adds requirements CMMC does not enforce.
US-person access controls. Foreign nationals working at your facility, including lawful permanent residents in some interpretations, may not have access to ITAR-controlled technical data without a license. Your IT environment has to enforce that. Most generic identity systems do not by default.
Data residency. ITAR-controlled data must remain in the United States. Microsoft 365 GCC High is the standard answer for the email and document side. AWS GovCloud is the standard answer for any custom application infrastructure. Commercial cloud regions outside the US are an immediate violation.
Personnel screening. Documented confirmation of US-person status for every employee with ITAR access, retained in the personnel file.
Technology Control Plan (TCP). A documented procedure for how ITAR data is identified, handled, and controlled. Required for the State Department registration. The MSP supports the IT side; the company owns the document.
Brokering registration. Separate from manufacturing registration if your business arranges sales involving USML items.
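The MFA rules from the environment section and the US-person and data-residency rules above are what the identity layer has to enforce together. Below is an added illustration of that decision logic, not the page's code and not any identity product's policy engine: the attribute names (us_person, mfa_method, itar_license) and tenant labels are assumptions, and a real deployment expresses the same rules as conditional-access policies in the federal tenant.

```python
from dataclasses import dataclass
from typing import Optional

PHISHING_RESISTANT = {"fido2", "platform_authenticator"}
ANY_MFA = PHISHING_RESISTANT | {"authenticator_app"}

@dataclass
class User:
    upn: str
    us_person: bool             # documented US-person status from the personnel file
    privileged: bool
    mfa_method: Optional[str]   # None: no MFA enrolled (the "service account" case)
    itar_license: bool = False  # assumed flag: holds an export license for this data

@dataclass
class Resource:
    name: str
    label: str                  # "FCI", "CUI" or "ITAR"
    tenant: str                 # "commercial", "gcc" or "gcc_high"

def evaluate(user: User, res: Resource) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failing rule is listed so each gap
    can be recorded in the POA&M, not only the first one hit."""
    reasons: list[str] = []
    # MFA on every account; phishing-resistant MFA on privileged accounts.
    if user.mfa_method not in ANY_MFA:
        reasons.append("no MFA enrolled")
    elif user.privileged and user.mfa_method not in PHISHING_RESISTANT:
        reasons.append("privileged account without phishing-resistant MFA")
    # Data residency: ITAR only in GCC High; CUI never in the commercial tenant.
    if res.label == "ITAR" and res.tenant != "gcc_high":
        reasons.append("ITAR data outside GCC High")
    elif res.label == "CUI" and res.tenant == "commercial":
        reasons.append("CUI data in the commercial tenant")
    # US-person-only access to ITAR technical data unless licensed.
    if res.label == "ITAR" and not (user.us_person or user.itar_license):
        reasons.append("foreign person without an export license")
    return (not reasons, reasons)

if __name__ == "__main__":
    engineer = User("eng@example.invalid", True, False, "authenticator_app")
    visitor = User("visitor@example.invalid", False, False, "fido2")
    drawing = Resource("drawing-A-rev3", "ITAR", "gcc_high")
    print(evaluate(engineer, drawing))   # allowed
    print(evaluate(visitor, drawing))    # denied: foreign person
```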
ITAR violations carry criminal penalties for individuals (up to 20 years per violation), civil penalties up to about $1.2 million per violation, and debarment. Of all the compliance frameworks a small manufacturer faces, ITAR has the highest individual exposure for the people running the company.
Local Considerations for the Pacific Northwest
The Portland metro and the broader Pacific Northwest manufacturing belt feed Boeing, Vigor Industrial, several propulsion programs, and a long tail of Tier 2 and Tier 3 defense suppliers. We see CMMC scoping questionnaires landing on small Oregon manufacturers across the region. The Portland-area managed IT picture covers the geographic and local-response side; the federal compliance overlay is what changes the conversation for defense suppliers.
The two practical implications: response time matters more for OT environments where a furnace cycle cannot wait for a same-day flight, and an MSP that has actually run a GCC High tenant for an Oregon manufacturer is materially different from one that has only run commercial.
If you are scoping CMMC for the first time and want a one-page gap report against NIST 800-171 before you commit to an assessment, we offer a 60-minute scoping call. No commitment, no upsell.
The short version of this article, with the specific scope inclusions and a direct CTA, lives at our CMMC and NIST 800-171 Managed IT page.
Frequently Asked Questions
What is CMMC 2.0 and which level applies to my business? CMMC 2.0 is the DoD framework for verifying contractor cybersecurity. Level 1 covers Federal Contract Information (annual self-attestation). Level 2 covers CUI (aligned to NIST 800-171, third-party or self-attestation depending on contract). Level 3 covers the most sensitive programs (government-led assessment). For a typical small precision-manufacturing supplier, Level 2 is the realistic target.
How is NIST SP 800-171 related to CMMC? CMMC Level 2 is built on top of NIST SP 800-171, the federal control set for protecting CUI. Revision 2 specifies 110 controls across 14 families. If you are CMMC Level 2, you are NIST 800-171.
Does ITAR apply to my manufacturing business? If you make a part that ends up in something on the United States Munitions List, the technical data is ITAR-controlled. Most small manufacturers in the defense supply chain need to register with the State Department Directorate of Defense Trade Controls.
What does an MSP for a CMMC-regulated environment look like? The MSP either operates inside the customer's assessment boundary or is structured as outside it via documented service-level controls. Tenant separation, US-person staffing for ITAR, GCC or GCC High Microsoft 365, and a security plan compliant with NIST 800-171 are the baseline.
How long does CMMC Level 2 implementation actually take? For a small manufacturer starting from a commercial environment, 9 to 18 months from scoping to a clean third-party assessment. Plan on a six-figure first-year investment.