If you’re doing defense work and not thinking about CMMC yet, you’re already behind. CMMC is the Department of Defense’s framework for ensuring that contractors and suppliers protect sensitive information. For AM facilities handling controlled unclassified information, compliance isn’t optional—it’s a requirement to keep your contracts.
CMMC has five levels. Most AM suppliers operate at Level 1, 2, or 3. Level 1 is basic cyber hygiene—multifactor authentication, antivirus, firewalls, system updates, password policies. If you’ve got someone who knows IT, Level 1 is achievable with 40–60 hours of work. But Level 1 is increasingly insufficient for defense contracts requiring CUI handling.
Level 2 adds documented cybersecurity procedures, role-based access controls, encryption for CUI in transit and at rest, network segmentation, incident response procedures, and security awareness training. This is where most AM suppliers handling CUI need to land. Plan on 200–400 hours and $15,000–$40,000 in IT infrastructure costs. Level 3 is significantly more rigorous with formal risk assessments, continuous monitoring, and supply chain risk management. Most mid-sized manufacturers with significant defense contracts operate here.
Controlled Unclassified Information for AM shops typically includes technical drawings, material specifications, process parameters, performance data, manufacturing SOPs, and quality inspection data. If it’s related to a defense part and came from the government or is part of a defense contract, it’s probably CUI.
Your build files for defense parts are CUI—they can’t sit on the operator’s laptop unencrypted. Inspection reports need secure storage, not shared network folders any employee can access. Supplier information can’t go over regular email. You need a CUI handling procedure that addresses the AM workflow specifically, a segregated network or folder structure with access controls, encrypted email or secure file transfer, audit logging of who accessed what and when, and training for everyone who handles CUI.
A common mistake: defense part drawings and build files are stored in the same folders as general business files with no access control, so any employee can see everything. Fix: use folder-level access controls so only people who need to see defense work can access it. Document who has access and why.
Another common mistake: sending defense drawings over Gmail or Yahoo, unencrypted, is a violation. Set up secure file transfer or encrypted email for anything containing CUI, and prohibit personal email for work files. Also common: no incident response procedure, no training documentation, and portable devices that aren’t tracked or encrypted. All of these are audit failures waiting to happen.
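One way to check for the shared-folder problem described above, as an added example that is not from the original article: a PowerShell audit of the NTFS permissions on a CUI share that flags entries granting access to every employee and exports the access record an assessor will ask for. The share path and the CONTOSO\CUI-* group names are placeholders for your own environment.

```powershell
# Added example, not from the original article: audit a CUI share for over-broad NTFS permissions
# and export a who-has-access report. $CuiRoot and the group names are placeholders for your environment.
param(
    [string]   $CuiRoot        = 'D:\Shares\Defense-CUI',                                 # placeholder share path
    [string[]] $ApprovedGroups = @('CONTOSO\CUI-Engineering', 'CONTOSO\CUI-Quality'),    # placeholder groups
    [string]   $ReportPath     = '.\cui-acl-report.csv'
)

# Principals that amount to "every employee"; an Allow entry for any of these on a CUI folder is a finding.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users')
# Principals expected on every folder that are not findings by themselves.
$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Test-CuiFolderAcl {
    param([string] $Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries never widen access
        $id = $ace.IdentityReference.Value
        $finding = 'OK'
        if ($BroadPrincipals | Where-Object { $id -like "*$_" }) {
            $finding = 'BroadAccess'          # any employee can read the defense work
        } elseif ($ApprovedGroups -notcontains $id -and $ExpectedPrincipals -notcontains $id) {
            $finding = 'UnapprovedPrincipal'  # someone outside the documented CUI groups
        }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $id
            Rights    = $ace.FileSystemRights.ToString()
            Inherited = $ace.IsInherited
            Finding   = $finding
        }
    }
}

# Check the share root and every subfolder beneath it.
$folders = @(Get-Item -LiteralPath $CuiRoot) + @(Get-ChildItem -LiteralPath $CuiRoot -Directory -Recurse)
$results = foreach ($f in $folders) { Test-CuiFolderAcl -Path $f.FullName }

# The full report doubles as the "who has access and why" record; add the business reason per group when filing it.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$findings = @($results | Where-Object { $_.Finding -ne 'OK' })
'{0} folders checked, {1} findings written to {2}' -f $folders.Count, $findings.Count, $ReportPath
$findings | Format-Table Path, Identity, Rights, Finding -AutoSize
```

Run it from an account that can read the share's ACLs; a clean result is zero `BroadAccess` rows, and every `UnapprovedPrincipal` row should either be removed or added to the documented approved groups.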
Level 1 compliance: 1–3 months, $5,000–$15,000. Level 2: 3–6 months, $15,000–$50,000 in network upgrades, security software, encrypted storage, and backup systems. Level 3: 6–12 months, $50,000–$150,000 with significant IT infrastructure and possibly hiring a dedicated security person. C3PAO assessment fees run $3,000–$10,000 for the first assessment.
For a typical AM supplier without existing CMMC experience: months 1–2 assess your current state, months 2–4 implement Level 2 controls, month 5 hire a C3PAO and schedule the assessment, months 6–7 complete the audit and remediate findings. Total: about 6–7 months and $30,000–$60,000 in IT costs plus assessment fees. Not cheap, but losing your defense contracts costs more.
CMMC 2.0 compliance for defense AM work isn’t something you delay. Level 2 is achievable with a clear plan. We’ve guided AM suppliers through the entire journey—from gap assessment to implementation to C3PAO readiness. Let’s talk about where you stand.