
Preparing for a CMMC Assessment: Steps & Timelines for Manufacturers & Builders

If you’re a mid-market manufacturer or construction firm, you’ve probably felt the change coming. The Department of Defense (DoD) is finalizing the Cybersecurity Maturity Model Certification (CMMC), and it’s raising the bar for everyone in the defense supply chain. Instead of simply saying you protect Controlled Unclassified Information (CUI), you now have to prove it clearly and consistently.

For many teams, that’s easier said than done. CUI shows up in more places than people realize: CAD models, build sheets, cloud-based plan rooms, email exchanges with subcontractors, and even jobsite devices that come and go. Wherever it flows, CMMC follows.

So if you’re trying to figure out what this means for your upcoming bids or how fast you need to move, you’re in the right place.

Book a CMMC Readiness Consult with IT Solutions.

Why This Matters for Manufacturers & Builders

CMMC requirements now flow down through the supply chain via Defense Federal Acquisition Regulation Supplement (DFARS) clauses, meaning many midsize contractors qualify simply by touching CUI, whether directly or through subcontracted work.

For manufacturers, CUI often moves across CAD platforms, PLM systems, and shop-floor technologies. Many plants also blend traditional IT with industrial control systems (ICS/OT), where segmentation and logging aren’t as mature.

For construction firms, the challenge is different: mobile crews, shared plans hosted in cloud environments, varied subcontractor devices, and jobsite networks that don’t always meet enterprise standards.

Failing a CMMC assessment or failing to post required information to the Supplier Performance Risk System (SPRS) can disqualify you from award consideration.

What to Expect in a CMMC Assessment

A CMMC assessment reviews how well your security controls match the level required in your contract and whether you can prove those controls are in place. Depending on the solicitation, Level 2 may allow self-assessment or require a C3PAO, while Level 3 is performed by a DoD assessment team.

What you can expect:

  • Three levels: Level 1, Level 2, Level 3
  • Objective evidence is required for every assessed control
  • Self- or third-party attestation posted in SPRS
  • Annual affirmation through the Procurement Integrated Enterprise Environment (PIEE)

The DoD’s program rule (32 CFR Part 170, Federal Register, Oct. 15, 2024) outlines the model structure, while the CMMC Assessment Process (CAP v2.0) from Cyber AB explains how C3PAO-led reviews are executed.

How to Conduct a CMMC Assessment

A CMMC assessment follows a predictable flow: determine scope, assemble documentation, perform the review, and post results to SPRS. Any gaps may be placed on a POA&M if allowed and later closed out.

Key steps:

  • Define scope (systems, users, apps, OT networks, jobsites)
  • Build or update the System Security Plan (SSP)
  • Map NIST SP 800-171 Rev. 3 controls and gather evidence
  • Run internal interviews and walkthroughs
  • Perform self-assessment or schedule with a C3PAO
  • Post SPRS score or certificate
  • Create POA&M items, close within allowed windows (eCFR §170.23 outlines 180-day limits)

How Long Does a CMMC Assessment Take?

Expect fieldwork to take anywhere from a few days to several weeks. The real timeline depends on evidence readiness, the complexity of your environment, and how quickly you can remediate gaps.

Time factors include:

  • C3PAO scheduling (sometimes months out)
  • Whether OT or jobsite visits are required
  • Completeness of your SSP and evidence
  • Remote vs. onsite interviews
  • Time needed to assemble logs, screenshots, configs, and training records

If your documentation is complete, a self-assessment moves quickly. If not, remediation often takes several months.

If You Don’t Pass: POA&Ms, Conditional Status & Closeout

Falling short doesn’t end your chances if the gap is eligible for a POA&M. Under 32 CFR Part 170, the DoD permits limited POA&M items but not for the highest-impact controls.

Key considerations:

  • Ineligible POA&M controls include several encryption, MFA, and logging requirements
  • Conditional status requires timely and documented remediation
  • Most POA&Ms must be closed within 180 days (per eCFR §170.23)
  • Failure to close on time can trigger loss of award eligibility

After remediation, an assessor (or C3PAO) reviews the updated evidence to validate closure.

Manufacturing & Construction Readiness Checklist

Start here:

  • Confirm your required CMMC level from the solicitation
  • Identify FCI (per FAR 52.204-21) and CUI (per 32 CFR 2002)
  • Build/update your SSP, calculate your NIST 800-171 score, and post to SPRS
  • Prioritize controls sensitive to your environment: ICS/OT segmentation, jobsite Wi-Fi, subcontractor access, MDM and MFA
  • Assemble evidence: policies, network diagrams, screen captures, config exports, ticket trails, onboarding/offboarding logs
  • Conduct a mock assessment (interviews, facility walk-throughs, sampling)
  • Pre-assign POA&M owners and establish remediation timing
  • If your solicitation mandates it, book a C3PAO early
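The two steps that confuse teams most are the ones hidden in "calculate your NIST 800-171 score" above and in the POA&M rules of the previous section: how the SPRS score is actually computed, and which open gaps can go on a POA&M for conditional status. The calculator below is an added example written for this article; it is not a tool from IT Solutions or the DoD. It assumes the 1/3/5-point deduction scheme of the DoD Assessment Methodology (Rev. 2 control numbering, which is what that table uses), uses a constructed subset of the weight table rather than all 110 requirements, and encodes the Level 2 POA&M limits from 32 CFR Part 170 (§170.21) as the example's author understands them: no item worth more than 1 point except 3.13.11 at its 3-point partial level, a short list of 1-point items that are never eligible, and a minimum score of 88.

```python
"""Worked SPRS score and POA&M-eligibility check for CMMC Level 2.

Added example, not code from IT Solutions or from any DoD tool. Control
numbers use NIST SP 800-171 Rev. 2 numbering, which is what the DoD
Assessment Methodology weight table indexes.
"""

MAX_SCORE = 110   # one point per requirement when everything is implemented
MIN_SCORE = -203  # floor of the methodology's scale

# Deduction (5 / 3 / 1 points) applied when a requirement is NOT implemented.
# Constructed, illustrative subset: a real score needs all 110 weights from
# Annex A of the DoD Assessment Methodology.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users and devices
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # create and retain audit logs
    "3.3.2": 3,    # trace user actions to individual users
    "3.3.3": 1,    # review and update logged events
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.8.3": 5,    # sanitize media before disposal or reuse
    "3.13.1": 5,   # monitor and protect communications at boundaries
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit possible)
    "3.14.2": 5,   # malicious code protection
}

# The methodology grants a reduced 3-point deduction for two partial cases:
# 3.5.3 when MFA covers remote and privileged access but not general users,
# 3.13.11 when encryption is in place but is not FIPS-validated.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# 32 CFR Part 170 (§170.21), as understood by this example's author: a Level 2
# POA&M may not carry any requirement worth more than 1 point (3.13.11 at the
# 3-point partial level is the one exception) nor these 1-point requirements.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
POAM_MIN_SCORE = 88   # 80% of the 110 available points

STATUSES = {"implemented", "partial", "not_implemented", "not_applicable"}


def sprs_score(findings, weights=WEIGHTS):
    """Return (score, open_items) for a dict of control -> status.

    Every control in `weights` must carry an explicit status: a self-assessment
    that silently skips a requirement is not a valid one. open_items lists
    (control, points_deducted) for each unmet requirement.
    """
    unknown = set(findings) - set(weights)
    missing = set(weights) - set(findings)
    if unknown or missing:
        raise ValueError(f"unknown controls {sorted(unknown)}, "
                         f"unassessed controls {sorted(missing)}")
    score = MAX_SCORE
    open_items = []
    for control, status in findings.items():
        if status not in STATUSES:
            raise ValueError(f"{control}: unrecognised status {status!r}")
        if status in ("implemented", "not_applicable"):
            continue  # N/A must be justified in the SSP; no deduction either way
        points = weights[control]
        if status == "partial":
            # only the two partial-credit requirements deduct less than full weight
            points = PARTIAL_CREDIT.get(control, points)
        score -= points
        open_items.append((control, points))
    return max(score, MIN_SCORE), open_items


def poam_eligibility(score, open_items):
    """Return (eligible, reasons): may these gaps sit on a POA&M for conditional status?"""
    reasons = []
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below the {POAM_MIN_SCORE}-point minimum")
    for control, points in open_items:
        if control in NEVER_ON_POAM:
            reasons.append(f"{control} may never be placed on a POA&M")
        elif points > 1 and not (control == "3.13.11" and points == 3):
            reasons.append(f"{control} is worth {points} points and must be closed first")
    return not reasons, reasons


def assess(findings):
    """Score the findings, then check whether the remaining gaps are POA&M-eligible."""
    score, open_items = sprs_score(findings)
    eligible, reasons = poam_eligibility(score, open_items)
    return {"score": score, "open_items": open_items,
            "poam_eligible": eligible, "reasons": reasons}


if __name__ == "__main__":
    # Constructed shop-floor findings: MFA only on VPN and admin accounts, audit
    # logs collected but never reviewed, everything else in the subset in place.
    sample = {control: "implemented" for control in WEIGHTS}
    sample.update({"3.5.3": "partial", "3.3.3": "not_implemented"})
    print(assess(sample))
```

The design point worth noticing is that a high score does not imply conditional status is available: a plant at 107 with MFA still missing for general users fails eligibility on the 3-point item, while a plant at 106 with non-FIPS encryption and an unreviewed-log finding passes. Scope and control weight, not the headline number, decide whether you get the 180-day window.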

→ Ready to verify your environment? Contact IT Solutions to start your readiness review.

Risks & Trade-offs to Recognize Early

CMMC isn’t purely a paperwork exercise. Decisions about scope, tooling, and timing all affect cost and compliance.

Watch for:

  • Over-scoping (bringing in systems that never touch CUI)
  • Under-scoping (missing contractor or cloud systems where CUI flows)
  • Documentation gaps or “tool-only” approaches
  • OT downtime and jobsite connectivity issues
  • Supplier and subcontractor dependencies

Good scoping and early evidence preparation often make the difference between passing and a long remediation slog.

When to Bring in Expert Help

You can manage a self-assessment alone, but certain situations call for experienced guidance:

  • A solicitation due within the next 6–12 months
  • First-time CMMC Level 2 organizations
  • Low or negative NIST 800-171 SPRS scores
  • Complex OT networks or multiple subcontractor pathways
  • Need for policy development, diagrams, or evidence structuring

Book a CMMC Readiness Consult

IT Solutions helps manufacturers and builders align systems, documentation, OT environments, and subcontractor workflows with CMMC requirements so you can pass on the first attempt or close gaps quickly.

FAQs

  • Do we need a C3PAO for Level 2?
    • It depends on the solicitation. Some Level 2 contracts allow self-assessment; others require a C3PAO-led certification on a three-year cycle with annual affirmations in PIEE.
  • What happens if we fail a CMMC assessment?
    • You may receive conditional status if your gaps qualify for a POA&M. All eligible items must be closed within the allowed window, which is usually 180 days, before you can achieve final status.
  • How should manufacturers secure OT/ICS environments?
    • Segment OT from IT, restrict external connections, log interfaces, and document procedures. NIST SP 800-171 requirements apply, and NIST SP 800-82 offers additional ICS/OT guidance.
  • What is SPRS?
    • The Supplier Performance Risk System is where DoD suppliers post required NIST 800-171 scores, affirmations, and ultimately CMMC results.
  • Which level do most mid-market firms need?
    • Organizations handling only FCI need Level 1. Those handling CUI often require Level 2. Level 3 applies to high-risk programs and requires a government-led assessment.

Have Questions?

We’ve got answers — fast, clear, and tailored to your needs. Let’s talk tech.