CMMC 2.0 for Small Manufacturers: What Level 2 Compliance Actually Requires
If your company holds or handles federal contract information (FCI) or controlled unclassified information (CUI) as part of a Department of Defense supply chain, CMMC 2.0 compliance is no longer optional — it’s a contract requirement. For small and mid-size manufacturers, the path to compliance can feel overwhelming. This guide explains what CMMC 2.0 actually requires, what it costs, and how to approach it without derailing your operations.
What Is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) is a DoD framework that requires defense contractors and their subcontractors to meet specific cybersecurity standards before they can bid on or receive contracts that involve CUI. CMMC 2.0, finalized in late 2024, streamlined the original five-level model into three levels:
- Level 1 — Foundational: 17 basic practices from FAR 52.204-21. Annual self-assessment. Required for contracts involving only FCI (no CUI).
- Level 2 — Advanced: 110 practices from NIST SP 800-171. Annual self-assessment or triennial third-party assessment (C3PAO), depending on the contract. Required for most CUI-handling contracts.
- Level 3 — Expert: 110+ practices from NIST SP 800-172, with government-led assessment. Required for highest-priority programs.
Most small and mid-size defense subcontractors fall under Level 2. If you receive design drawings, specifications, or technical data from a prime contractor, you almost certainly handle CUI and need Level 2 compliance.
The Timeline That Matters
CMMC requirements began appearing in DoD contracts in early 2025 and are being phased in across the DFARS (Defense Federal Acquisition Regulation Supplement). By 2026, the majority of new DoD contracts with CUI requirements will include CMMC as a condition of award. You cannot submit a compliant bid — and you can lose existing contracts at renewal — without meeting your applicable CMMC level.
If you haven’t started, you are already behind. Level 2 compliance for a company that hasn’t previously implemented NIST 800-171 typically takes 9–18 months to achieve properly.
The 110 Practices of NIST SP 800-171 (Simplified)
NIST 800-171 organizes its 110 practices into 14 domains. For manufacturers, several of these require more attention than others because they touch operational systems, not just IT:
Access Control (22 practices)
Who can access CUI, and how? This covers user accounts, least-privilege access, remote access controls, and network access restrictions. In manufacturing, this includes access to CAD files, material certifications, process specifications, and any engineering data that qualifies as CUI.
Audit and Accountability (9 practices)
You must log who accessed what CUI, when, and from where. Logs must be protected from tampering and retained. For most manufacturers, this means deploying a SIEM or log management platform — a capability most currently lack.
Configuration Management (9 practices)
Systems must be configured securely (hardened), with unauthorized software prevented from running. In manufacturing environments with specialized CAD/CAM software and ERP systems, developing a secure baseline configuration requires careful coordination with engineering.
Incident Response (3 practices)
You must have an incident response capability — a plan, the ability to detect and respond to incidents, and post-incident analysis. The plan must be documented and tested.
Media Protection (9 practices)
CUI on portable media (USB drives, laptops, external drives) must be encrypted and controlled. This is a common compliance gap in manufacturing where USB drives are used for transferring files to CNC machines.
System and Communications Protection (16 practices)
CUI must be encrypted both in transit and at rest. Boundary protection, network segmentation, and mobile device management are all required here.
The System Security Plan (SSP) — The Document Most Manufacturers Are Missing
The System Security Plan is arguably the most important CMMC artifact. It’s a formal document that describes your information system, the CUI it handles, and how each of the 110 NIST 800-171 practices is implemented.
The SSP must be accurate, current, and match your actual environment. Assessors, whether your own self-assessment team or a third-party C3PAO, will compare your SSP against what they observe in your systems. Gaps between the plan and reality are a primary source of assessment failures.
Most small manufacturers either don’t have an SSP at all, or have one that was created once and never maintained. Preparing an accurate SSP for a 50–200 person manufacturer typically takes 40–120 hours of effort from someone who knows both the NIST 800-171 requirements and your technical environment.
What CMMC Level 2 Actually Costs
Costs vary significantly based on your starting point. Manufacturers who have already implemented basic security controls spend far less than those starting from scratch. A rough framework:
Gap Assessment: $5,000–$20,000
Before you can fix anything, you need to know where you stand. A structured gap assessment against all 110 NIST 800-171 practices, with findings prioritized by risk and compliance gap size, is the essential first step.
Remediation: $30,000–$150,000+
The cost of closing gaps depends entirely on what’s missing. Common high-cost items: deploying a SIEM, implementing MFA across all systems, deploying endpoint detection and response, encrypting all CUI at rest, and implementing network segmentation. Companies that have none of these will spend significantly more than companies that already have a managed security stack in place.
SSP and Documentation: $10,000–$30,000
Creating an accurate, assessor-ready System Security Plan and Plan of Action and Milestones (POA&M) requires significant time from someone with NIST 800-171 expertise and knowledge of your environment.
C3PAO Assessment (if required): $30,000–$80,000
If your contract requires a third-party assessment (rather than self-attestation), a C3PAO assessment adds this cost. Not all Level 2 contracts require C3PAO — your contracting officer will specify.
Ongoing Compliance: $15,000–$40,000/year
CMMC is not a one-time certification — it requires continuous compliance. Annual self-assessments, maintaining the SSP, addressing new gaps as your environment evolves, and resubmitting scores to SPRS all require ongoing effort.
The SPRS Score: What Primes Are Starting to Ask For
Even before formal CMMC assessment, prime contractors are increasingly asking subcontractors for their SPRS (Supplier Performance Risk System) score — a number between -203 and 110 that represents your self-assessed compliance with NIST 800-171. A score must be submitted to the SPRS government database before you can bid on many DoD-related contracts.
Submitting an inaccurate or inflated SPRS score carries legal risk under the False Claims Act — several manufacturers have faced civil suits for submitting scores that didn’t reflect their actual security posture. The score needs to reflect reality.
Where Midwest Manufacturers Typically Stand
Based on assessments NBIT has conducted with manufacturers in the 50–300 employee range, the most common gaps are:
- No SIEM or centralized logging (required by the Audit and Accountability domain)
- No MFA on remote access or administrative accounts
- Unencrypted CUI on shared drives or unencrypted laptops
- No documented incident response plan
- USB drives with unrestricted use on shop floor machines
- No formal SSP — or an SSP that significantly overstates compliance
None of these are disqualifying on their own — each has a defined remediation path. But addressing all of them before a contract deadline requires a structured program, not a one-week sprint.
NBIT’s CMMC Readiness Services
NBIT provides CMMC readiness support for manufacturers that want to pursue DoD contracts without building an in-house compliance team. Our services include:
- NIST 800-171 gap assessment against all 110 practices
- SPRS score calculation and submission support
- System Security Plan drafting and maintenance
- Technical remediation for identified gaps
- Ongoing compliance monitoring and annual reassessment
We work with manufacturers who are starting from zero and with those who have partial compliance from prior DFARS 7012 obligations. Either way, the process starts with an honest assessment of where you actually stand — not where you wish you stood.
Schedule a CMMC readiness consultation to discuss your current DoD contract obligations and what compliance would require for your specific environment.