
CMMC Level 2 Readiness for Small Manufacturers


If you’re a small or mid-size manufacturer working with the DoD, you’ve probably heard:

“No CMMC, no contract.”

CMMC 2.0 is the U.S. Department of Defense’s framework to make sure contractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) at a level that matches modern threats.


Level 2 is the line in the sand for many small manufacturers. It maps to the 110 controls in NIST 800-171 and is required for contracts where you touch CUI.


The good news: it’s achievable. The bad news: winging it will absolutely wreck your bid pipeline.


This guide is your plain-language path to CMMC Level 2 readiness.


1. What CMMC 2.0 Level 2 actually means (in human terms)

At Level 2, DoD wants to see that you:

  • Know where CUI lives in your environment

  • Protect it with technical controls (MFA, logging, access control, etc.)

  • Have documented policies and procedures, not tribal knowledge

  • Can prove you’re doing what you say (evidence)

It’s not just a paperwork exercise. Assessors will look at:

  • Your System Security Plan (SSP)

  • Your Policies & Procedures mapped to controls

  • Your Plan of Actions & Milestones (POA&M)

  • Evidence like logs, screenshots, configs, tickets, and training records


2. The 5 most common gaps for small manufacturers

  1. No clear CUI scope

    • No one can answer: “Which systems actually process or store CUI?”

    • Result: overscoping (too expensive) or underscoping (failed audit).

  2. Weak or inconsistent access control

    • Shared logins on shop floor PCs

    • No MFA on remote access, email, or line-of-business apps

  3. Logging & monitoring missing

    • No centralized logs

    • No one watching for suspicious activity

  4. Informal or missing policies

    • People “know what to do” but nothing’s written.

    • That doesn’t fly at Level 2.

  5. No formal vulnerability and patch management

    • Patching is “when we have time” or “when something breaks.”

    • Old OSes and firmware create easy entry points.


3. Your CMMC Level 2 readiness roadmap

Think in phases, not chaos.


Phase 1 – Get your bearings

  1. Identify your CUI and FCI flows

    • Where do you:

      • Receive CUI (email, portals, SFTP)?

      • Store it (file shares, ERP, PLM, MES)?

      • Process it (engineer workstations, CNC programming PCs)?

  2. Draw the high-level diagram

    • Show networks, key systems, cloud services, and trust boundaries.

  3. Baseline gap assessment

    • Compare your current practices to NIST 800-171 / CMMC Level 2.

    • Score each requirement: Met, Partially Met, Not Met.

You don’t need perfection here; you need visibility.


Phase 2 – Fix high-impact technical gaps

Prioritize controls that dramatically cut risk and are visible to assessors:

  • Identity & Access

    • MFA on:

      • VPN / remote access

      • Email

      • Any portal handling CUI

    • Unique accounts only; no shared logins for CUI systems.

    • Role-based access — least privilege.

  • Endpoint & network protection

    • Modern AV/EDR on servers and workstations.

    • Firewall rules that restrict access to CUI systems.

    • Separate guest / corporate / OT networks where possible.

  • Backups & recovery

    • Regular, tested backups for CUI systems.

    • At least one immutable or offline backup.

  • Logging & monitoring

    • Centralized log collection for:

      • Domain controllers / identity providers

      • Key servers and security devices

    • Alerts for failed logins, admin changes, and unusual activity.
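An added example, not from the original post, of what the alerts above look like once domain-controller logs are centralized: two simple rules, a failed-logon burst from one source and any addition to a privileged group. The event IDs are the standard Windows Security ones; the JSON-style field names and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625                      # Windows: an account failed to log on
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # Windows: member added to a security group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample events, shaped like DC security events after a log
# forwarder has normalized them to dicts (field names are an assumption).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:01", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.10"},
    {"ts": "2024-05-01T08:00:07", "event_id": 4625, "user": "jsmith", "src_ip": "203.0.113.10"},
    {"ts": "2024-05-01T08:00:15", "event_id": 4625, "user": "admin", "src_ip": "203.0.113.10"},
    {"ts": "2024-05-01T08:00:22", "event_id": 4625, "user": "cnc01", "src_ip": "203.0.113.10"},
    {"ts": "2024-05-01T08:00:30", "event_id": 4625, "user": "root", "src_ip": "203.0.113.10"},
    {"ts": "2024-05-01T08:05:00", "event_id": 4624, "user": "jsmith", "src_ip": "10.0.5.21"},
    {"ts": "2024-05-01T09:12:44", "event_id": 4625, "user": "mlee", "src_ip": "10.0.5.33"},
    {"ts": "2024-05-01T10:30:00", "event_id": 4728, "user": "it-admin",
     "target_group": "Domain Admins", "member": "svc-backup"},
    {"ts": "2024-05-01T10:31:00", "event_id": 4728, "user": "it-admin",
     "target_group": "Shop Floor Users", "member": "newhire"},
]

def detect_failed_logon_bursts(events, threshold=5, window_seconds=300):
    """Alert once per source IP when >= threshold failed logons fall inside the window."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != FAILED_LOGON:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["src_ip"]]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in alerted:
            alerted.add(ev["src_ip"])
            alerts.append({"rule": "failed_logon_burst", "src_ip": ev["src_ip"], "count": len(q)})
    return alerts

def detect_privileged_group_changes(events):
    """Every addition to a privileged group is an alert; reconcile each one against a change ticket."""
    return [
        {"rule": "privileged_group_change", "actor": ev["user"],
         "member": ev["member"], "group": ev["target_group"]}
        for ev in events
        if ev["event_id"] in GROUP_MEMBER_ADDED and ev["target_group"] in PRIVILEGED_GROUPS
    ]
```

Either function's output is the kind of artifact an assessor asks for as evidence that someone is actually watching the logs, so keep the alerts and the tickets they produced.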


Phase 3 – Put structure around it

This is where many shops stall. You’ll stand out if you nail:

  1. System Security Plan (SSP)

    • Describe:

      • Your environment

      • CUI scope

      • How each requirement is met

    • This is the master narrative of your security program.

  2. Policies & procedures

    At minimum, have written, approved documents for:

    • Access Control

    • Identification & Authentication

    • Incident Response

    • Configuration Management

    • Backup & Recovery

    • Acceptable Use

    • Physical Security

    • Vendor / Supply Chain Management

  3. POA&M (Plan of Actions & Milestones)

    • Any requirement not fully met goes here:

      • What’s missing

      • Who owns it

      • Target completion date

Assessors care less about perfection and more about honesty + progress.


4. Should you go it alone or bring in help?

You can DIY CMMC Level 2, but most small manufacturers benefit from a hybrid:

  • Internal team

    • Knows the processes, machines, and constraints.

    • Owns daily operations and discipline.

  • External CMMC-savvy MSP/consultant

    • Designs secure network & identity architecture.

    • Implements and monitors controls (MFA, logging, EDR, etc.).

    • Helps write the SSP, policies, and POA&M.

    • Preps you for assessment with mock interviews and evidence checks.

Look for partners who:

  • Can speak both cyber and manufacturing (OT, shop floor realities).

  • Understand DFARS, NIST 800-171, and CMMC — not just generic IT.


5. A practical next step for manufacturers

Position this as your offer:

Free CMMC Level 2 Readiness Snapshot (Manufacturers Only)

  • 30–45 minute call to map your CUI scope

  • Quick scoring of your identity, access, backups, and logging

  • A simple 1–2 page summary:

    • Where you are now

    • Top 5 gaps

    • Recommended 90-day plan
