Manufacturing companies in the defense supply chain face a version of CMMC compliance that doesn’t look quite like what the framework’s documentation describes. The published guidance assumes a relatively standard enterprise IT environment — servers, workstations, cloud services, identity management platforms, and security tools designed for those contexts.
What it doesn’t account for — at least not explicitly — is what a real defense manufacturing environment actually looks like: CNC machines on the shop floor connected to engineering networks, PLCs managing production processes that can’t be patched without production downtime, SCADA systems that predate modern security tooling by a decade or more, and design environments where CAD files containing controlled technical information flow between engineering workstations and production machinery without passing through any of the controls that standard enterprise security assumes.
This convergence of operational technology and information technology — the OT/IT environment that defines most defense manufacturing operations — creates compliance challenges that standard CMMC preparation approaches don’t fully address. The 110 NIST SP 800-171 controls apply regardless of whether the environment they’re being applied to looks like a corporate office or a precision machining facility. But what “applying” those controls means, what evidence they produce, and what security tooling can and can’t help with is fundamentally different in an OT-heavy manufacturing environment than in a standard enterprise.
This guide is written for defense manufacturers navigating those specific realities — the production managers, IT directors, and compliance leaders at manufacturing companies trying to figure out how CMMC requirements apply to environments they’ve built for making things, not for compliance.
Why Manufacturing Environments Are Different for CMMC Purposes
The standard CMMC compliance model assumes an IT environment where systems can be patched regularly, where security agents can be installed on endpoints, where network traffic can be monitored by modern tools, and where system downtime can be scheduled without significant operational consequences. Manufacturing environments challenge all four of those assumptions.
CNC machines, PLCs, and industrial control systems often run specialized operating systems — sometimes legacy Windows versions, sometimes proprietary embedded systems — that the equipment manufacturer doesn’t support for security patching. A 5-axis CNC machining center running an embedded controller that the manufacturer hasn’t issued security updates for in eight years is a realistic scenario in defense manufacturing facilities.
Installing a standard enterprise endpoint detection and response agent on that controller may void the warranty, disrupt the calibration, or simply not function given the operating system constraints. The standard patching and endpoint protection approaches that satisfy CMMC’s System and Information Integrity requirements in an office environment don’t translate cleanly to the shop floor.

Production continuity requirements create security tradeoffs that enterprise IT environments don’t face. A manufacturing operation producing defense components on a tight delivery schedule cannot accept the same scheduled maintenance window that IT teams use to apply patches, deploy security configurations, and restart systems.
When a change to a production system requires a process requalification — when touching the software environment of a precision manufacturing system means verifying from scratch that the machine still produces parts to specification — the operational cost of a security-driven change can be substantial enough that the change simply doesn’t happen. Security teams that don’t understand this operational reality design compliance programs that exist on paper and don’t get implemented in practice.
The network architecture of manufacturing facilities reflects operational requirements that IT security professionals often find unfamiliar. Process networks that connect production machinery to engineering workstations were designed for reliability and predictable timing, not for security segmentation, and many still carry industrial protocols such as Modbus/TCP or EtherNet/IP that have no authentication of their own: anything that can reach the process network can usually talk to the controller.
The air gaps or network separations that security teams assume exist between production systems and office networks frequently don’t — or exist only in a form that’s more permeable than the network diagram suggests. CUI that flows from an engineer’s workstation to a CNC machine’s controller does so through a network path that may not have the boundary controls that CMMC’s System and Communications Protection requirements expect.
Multi-site operations are common in defense manufacturing, and each site presents its own OT/IT environment with its own legacy systems, its own production network architecture, and its own operational constraints. A manufacturer with four production facilities can have four meaningfully different technical environments under a single CMMC assessment scope — multiplying the complexity of both the gap analysis and the remediation program.
CUI in a Manufacturing Environment: What It Looks Like and Where It Lives
Before addressing the compliance challenges specific to manufacturing, it helps to be precise about what CUI looks like in a manufacturing context — because where CUI lives in a manufacturing environment determines what systems need to be in scope and what controls need to be applied where.
Controlled technical information is the primary CUI category in most defense manufacturing environments. CTI includes technical data, engineering drawings, design specifications, test results, and technical manuals that have been designated as controlled by the government under distribution statement controls. In a manufacturing facility, CTI flows from the engineering organization — where it’s received from the prime or government customer, worked on in CAD systems, and translated into manufacturing instructions — to the production floor, where it drives the programming of CNC machines, the configuration of quality inspection equipment, and the execution of manufacturing processes.
That flow from engineering to production is where CUI scope decisions get complicated. An engineering workstation that receives CTI drawings and creates CNC machine programs using those drawings is clearly in scope — it processes CUI directly. The CNC machine controller that receives the program file and executes it is also processing information derived from CTI — which may make it in scope depending on whether the program file itself constitutes CUI. The production network that carries that program file from the engineering workstation to the machine controller is infrastructure that connects in-scope assets and therefore falls within the compliance boundary.
A manufacturer who draws the scope boundary to include only the engineering workstations and exclude the production network and production machinery is drawing a scope that may not survive assessor scrutiny, because the CUI flow doesn’t stop at the engineering workstation. But a manufacturer who treats every CNC machine, every PLC, and every production network segment as a full CUI asset may be over-scoping in ways that create compliance burdens without corresponding security benefit, particularly for production systems that never receive or store CUI in an accessible form. The CMMC Level 2 scoping guidance provides a middle path here: OT such as PLCs, machine controllers, and test equipment falls under the Specialized Assets category, which must appear in the asset inventory, the SSP, and the network diagram and be shown to be managed under the contractor’s risk-based security policies, but is not assessed against each individual security requirement. Using that category correctly, and being able to explain to an assessor why a given controller is a Specialized Asset rather than a CUI Asset, is a large part of getting a manufacturing scope right.
The right scope determination requires a careful, system-by-system analysis of what information each asset processes and in what form. Our guide on how to scope your CMMC environment correctly covers the scoping methodology that applies here — and for manufacturing environments, that methodology needs to be applied with a manufacturing-specific understanding of how information flows from design to production.
The OT/IT Network Convergence Challenge
The single most significant technical compliance challenge for defense manufacturers is the convergence of operational technology and information technology networks — specifically, the places where production systems and enterprise systems interact in ways that create compliance exposure without always creating visibility.
Traditional industrial security doctrine called for strict separation between the OT network — the process network controlling production machinery — and the IT network connecting office systems, engineering workstations, and external networks. In practice, that separation has eroded over decades of incremental connectivity additions: remote monitoring connections added for equipment vendors, data historian systems that bridge the OT/IT divide to collect production metrics, engineering workstation connections to machine controllers for program transfer, and enterprise resource planning integrations that connect production scheduling to financial and supply chain systems.
Each of these connections is a path through what should be the OT/IT boundary — and each one is a potential compliance scope extension and security risk that needs to be documented, controlled, and evidenced. CMMC’s System and Communications Protection requirements expect that network boundaries are enforced through technical controls, not just described in architecture diagrams. A firewall rule set that theoretically controls traffic between the OT network and the IT network but hasn’t been reviewed since the remote monitoring connection was added three years ago is a compliance gap regardless of what the network diagram shows.
Network segmentation for manufacturing environments — purpose-built for the OT/IT boundary challenge — typically involves several layers that standard enterprise network design doesn’t include. A demilitarized zone between the OT network and the IT network provides a controlled staging area for data transfer without creating direct connectivity.
Unidirectional security gateways or data diodes enforce one-way information flow from the OT environment to the IT environment for monitoring and data historian purposes without creating a path for IT-to-OT traffic. This is different from a stateful firewall rule that merely allows connections initiated from the OT side: TCP needs return packets, so such a rule still carries data into OT, and an assessor testing the link will treat it as a controlled bidirectional path rather than a unidirectional one. Application-level controls on program transfer between engineering workstations and machine controllers provide the file-level visibility and authorization that network-level controls don’t.
Documenting these controls in the System Security Plan in a way that accurately reflects both the architecture and its limitations — the boundary controls that exist, the connections that cross the boundary under controlled conditions, and the compensating controls that address residual risk — requires understanding both what the standard CMMC documentation expects and what a manufacturing OT/IT environment actually looks like. The co-managed IT model that works well for many manufacturers brings IT security expertise alongside the operational technology familiarity that’s needed to produce accurate documentation of a hybrid OT/IT environment.
Applying CMMC Controls to OT Systems: What Works and What Doesn’t
The challenge of applying CMMC Level 2 controls to OT systems is that the controls were written for IT environments, and the mapping from IT security practice to OT security practice isn’t always direct. Several specific control areas create particular challenges for manufacturing compliance programs.
Patch management — addressed in CMMC’s System and Information Integrity domain — is the control area with the starkest OT/IT contrast. Enterprise IT patch management involves deploying vendor-released security patches to operating systems and applications on a defined schedule, typically monthly for routine patches and accelerated for critical vulnerabilities.
OT patch management involves navigating vendor support policies for embedded systems, qualifying any software changes against production process specifications, scheduling patching during planned downtime that may occur quarterly or annually at best, and accepting that some systems simply cannot be patched without equipment replacement. The evidence that demonstrates compliant patch management in an IT environment — a patch deployment report showing all systems current within the SLA — doesn’t exist in the same form for OT systems.
The compensating controls approach is how CMMC compliance programs address this gap for OT systems. Where standard patch management controls cannot be applied to OT assets due to vendor restrictions or operational constraints, organizations document the specific constraint, the risk it creates, and the compensating controls implemented to mitigate that risk: network isolation of unpatched systems, enhanced monitoring of traffic to and from those systems, vendor notification procedures for vulnerability disclosures, and a documented risk acceptance at the appropriate leadership level. The CMMC rule distinguishes an enduring exception (a limitation that is not going away, typically tied to a Specialized Asset, which is documented in the SSP) from a temporary deficiency (a gap with a remediation plan, which is tracked in the POA&M and must be closed within 180 days of a conditional certification). A controller the vendor no longer supports belongs in the first category; listing it in the POA&M creates a deadline the organization cannot meet. Either way, the documentation needs to be credible enough to withstand assessor scrutiny.
Endpoint protection — the installation of security agents on in-scope systems for malicious code detection and endpoint monitoring — faces similar OT constraints. Modern EDR agents designed for Windows enterprise environments often cannot be installed on CNC machine controllers, PLCs, or other OT systems without vendor authorization. Where agent-based endpoint protection isn’t feasible, network-based monitoring alternatives — passive network traffic analysis tools designed for OT environments that can identify anomalous behavior without requiring agent installation — provide a compensating control that doesn’t require touching the OT system itself.
Audit logging — which CMMC requires for all in-scope systems — is an area where OT systems frequently have limited native logging capability. A CNC machine controller that logs only fault codes and tool change events doesn’t produce the user activity, access, and system event logs that CMMC’s Audit and Accountability domain expects. Network-level logging at the OT/IT boundary — capturing traffic flows between OT systems and other network segments — provides a compensating capability that addresses the audit requirement at the network level rather than the system level.

Multi-Site Scope Management for Defense Manufacturers
Defense manufacturers with multiple production facilities face a scoping challenge that single-site organizations don’t: CUI flows across facility boundaries, each facility has its own technical environment, and maintaining CMMC compliance across that distributed environment requires governance structures that most manufacturing organizations haven’t needed before.
The first question for multi-site manufacturers is whether each facility will be treated as a separate assessment scope or whether a unified scope will cover all facilities. The answer depends on how integrated the facilities are — whether they share IT infrastructure, whether CUI flows between facilities, and whether the compliance environments at each site are similar enough that a unified approach makes sense — and what the operational and cost implications of each approach are.
A unified scope that covers all facilities under a single SSP and a single C3PAO assessment is simpler to manage from a documentation standpoint but requires that every facility meet the same compliance standard. A single facility with a legacy OT environment that can’t meet the standard without significant capital investment can hold up compliance certification for the entire organization under a unified approach.
Separate scopes for different facilities — where each facility operates under its own documented CUI environment with its own controls — allow each facility to be compliant on its own timeline but create ongoing documentation and maintenance overhead for multiple parallel compliance programs. For manufacturers with facilities that serve different contracts with different CUI profiles, separate scopes may also be necessary to accurately reflect which facilities are handling CUI and which aren’t.
A vCIO who has worked through multi-site CMMC compliance for manufacturing organizations can help leadership model the tradeoffs between these approaches before committing to a program architecture. The decision has downstream cost implications — unified scope can be less expensive to assess if the facilities are genuinely similar, but more expensive if bringing every facility to the same standard requires significant remediation investment at the lagging locations.
The Gap Analysis for Manufacturing Environments
A CMMC gap analysis for a manufacturing organization needs to include specific evaluation of OT systems and the OT/IT network environment, not just the enterprise IT systems that standard gap analysis approaches cover. This is one of the clearest places where manufacturing organizations go wrong when engaging general cybersecurity advisors without OT experience: the gap analysis covers the engineering workstations, the servers, the cloud environments, and the office network, but doesn’t adequately address the production network, the machine controllers, or the OT/IT boundary controls, which are exactly where the most distinctive compliance challenges sit.
A manufacturing-specific gap analysis should evaluate each OT system category against the applicable CMMC controls and document specifically where standard controls apply, where OT-specific adaptations are needed, and where compensating controls are the appropriate path. It should examine the OT/IT network architecture to identify all connections that cross the OT/IT boundary and evaluate whether those connections are adequately controlled and documented.
It should assess the feasibility of applying standard security tooling to OT environments and identify where alternative approaches are needed. And it should evaluate the configuration management and change control processes that govern OT system changes — because these are almost always different from the enterprise IT change management processes and need to be documented separately in the SSP.
Our guide on CMMC gap analysis covers what a thorough gap analysis involves, and for manufacturing organizations the key criterion in selecting a gap analysis provider is whether they have genuine OT security assessment experience alongside CMMC framework knowledge. A provider with only enterprise IT security experience will produce a gap analysis with significant blind spots in exactly the areas where manufacturing organizations have the most compliance complexity.
Building the Manufacturing CMMC Program: Practical Sequencing
For defense manufacturers building their CMMC compliance programs, the sequencing of activities matters more than it does for organizations with simpler environments — because the OT-specific elements of the program require longer lead times, larger capital investments in some cases, and more complex coordination between IT, OT, and production teams.
The first priority is network architecture — specifically, establishing or strengthening the OT/IT boundary controls that define the compliance perimeter. This is where architecture investments in network segmentation, OT monitoring, and boundary enforcement occur. For facilities where the OT/IT boundary is poorly defined or inadequately enforced, this architecture work may be the largest single investment in the compliance program and needs to happen early enough that the rest of the program can be built around the resulting architecture.
The second priority is CUI flow documentation — specifically for the engineering-to-production information flow that defines the scope for OT assets. Understanding exactly what information flows from engineering workstations to production systems, in what format, through what network paths, and with what access controls determines which OT assets are in scope and what controls need to be applied where.
The third priority is developing OT-specific compensating control documentation for the controls that standard approaches don’t satisfy in the OT environment. This documentation — the risk analysis supporting each compensating control, the description of the compensating control and why it addresses the relevant risk, and the evidence that the compensating control is implemented and operational — needs to be developed in close coordination with both OT operations staff and compliance advisors who understand how assessors evaluate compensating controls.
Managed IT services for manufacturing organizations should be structured to provide IT security services for the enterprise environment while understanding and respecting the operational constraints of the OT environment — not applying enterprise security approaches blindly to production systems that can’t accommodate them. Building that understanding into the managed services relationship from the beginning, rather than discovering the mismatch when IT security changes conflict with production operations, is one of the most important program design decisions a manufacturing CMMC compliance program makes.
For manufacturers with backup and data recovery needs that span both IT and OT environments — where CUI exists in both engineering systems and production system configurations — the backup and recovery architecture needs to address CUI protection requirements in both environments. CUI in backup systems is still CUI and is subject to the same access control and protection requirements as CUI in production systems.
What Assessors Look for in Manufacturing Environments
C3PAO assessors who evaluate manufacturing organizations approach the assessment with an understanding that the environment they’re evaluating doesn’t match the standard enterprise model. What they look for reflects the specific challenges of manufacturing environments — particularly the OT/IT convergence and the compensating control documentation that addresses it.
Assessors will examine the network boundary controls between OT and IT environments specifically — not just whether the controls are documented in the SSP, but whether they’re technically implemented in the way the SSP describes. A firewall rule set between OT and IT segments that’s documented but not enforced is a finding. A data historian connection that’s described in the SSP as a unidirectional data flow but implemented as a bidirectional TCP connection is a finding. The gap between documented architecture and actual network configuration is what OT-focused technical testing surfaces.
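The boundary test described above, and the network-level logging proposed earlier as compensating audit evidence for OT systems, reduce to one check: reconcile the flows actually observed at the OT/IT boundary against the flows the SSP documents. The following is an added example, not code from the original article or from any assessment tool; the address plan, the documented policy, and the flow records are all constructed for illustration, and the key=value log format is an assumption standing in for whatever a real boundary firewall or tap emits.

```python
"""Reconcile observed OT/IT boundary traffic against the documented data-flow policy.

Added example, not code from the original article. The address plan, the policy
and the flow records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): one /16 for the OT process network.
# Everything else (office, engineering, external) is treated as the IT side.
OT_NETS = [ipaddress.ip_network("10.50.0.0/16")]


def side(ip: str) -> str:
    """Return 'OT' for addresses on the process network, 'IT' for everything else."""
    addr = ipaddress.ip_address(ip)
    return "OT" if any(addr in n for n in OT_NETS) else "IT"


@dataclass(frozen=True)
class Rule:
    name: str    # flow as named in the SSP's boundary-control description
    src: str     # network the connection must ORIGINATE from (CIDR)
    dst: str     # network the connection terminates in (CIDR)
    dport: int   # destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and dport == self.dport)


# Documented policy (constructed). The historian link is described as OT->IT only:
# the collector on the OT side pushes to the IT database; nothing on IT initiates into OT.
POLICY = [
    Rule("historian-push", "10.50.20.0/24", "10.10.5.10/32", 5432),
    Rule("cnc-program-transfer", "10.10.30.0/24", "10.50.40.0/24", 22),
]


def parse_flow(line: str) -> dict:
    """Parse one key=value flow record (constructed format, see lead-in)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def classify(flow: dict) -> tuple[str, str]:
    """Return (verdict, detail). Only *allowed* flows that cross the boundary need a
    documented rule; traffic that stays inside one zone, or that the firewall already
    denied, is not a finding."""
    if flow.get("action") == "deny":
        return ("denied", "blocked at boundary")
    s, d = side(flow["src"]), side(flow["dst"])
    if s == d:
        return ("internal", f"{s} zone")
    direction = f"{s}->{d}"
    for rule in POLICY:
        if rule.matches(flow["src"], flow["dst"], flow["dport"]):
            return ("permitted", f"{rule.name} ({direction})")
    return ("FINDING", f"undocumented {direction} {flow['proto']}/{flow['dport']} "
                       f"{flow['src']} -> {flow['dst']}")


def audit(log: str) -> list[str]:
    """Return one detail string per boundary-crossing flow the SSP does not account for."""
    findings = []
    for line in log.strip().splitlines():
        verdict, detail = classify(parse_flow(line))
        if verdict == "FINDING":
            findings.append(detail)
    return findings


# Constructed flow records. The third line is the case from the text: the historian is
# documented as a one-way OT->IT push, but the IT historian server is itself polling a
# PLC over Modbus/TCP (port 502), so the link is bidirectional in practice.
SAMPLE_LOG = """
proto=tcp src=10.50.20.7 sport=51234 dst=10.10.5.10 dport=5432 action=allow
proto=tcp src=10.10.30.15 sport=49822 dst=10.50.40.21 dport=22 action=allow
proto=tcp src=10.10.5.10 sport=60010 dst=10.50.20.7 dport=502 action=allow
proto=tcp src=10.50.1.5 sport=44500 dst=10.50.1.9 dport=44818 action=allow
proto=tcp src=10.10.30.15 sport=50012 dst=10.50.40.21 dport=3389 action=allow
proto=tcp src=203.0.113.5 sport=40001 dst=10.50.40.21 dport=5900 action=allow
proto=tcp src=10.10.8.3 sport=50100 dst=10.50.40.21 dport=445 action=deny
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("FINDING:", finding)
```

Run against the constructed log, the check flags three allowed flows that cross the boundary without a documented rule: the historian server polling a PLC over Modbus/TCP, RDP from an engineering workstation to a CNC controller, and a VNC session from an external address into the same controller. The denied SMB attempt is not a finding, because the firewall is doing what the SSP says it does. The same logic, fed from the boundary firewall's own logs on a schedule, is also the network-level audit evidence the text proposes for controllers that cannot produce user and access logs of their own.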
Assessors will evaluate the compensating controls documentation for OT systems that can’t meet standard control requirements — specifically whether the documentation reflects genuine risk analysis and proportionate compensating measures, or whether it’s boilerplate justification for controls that weren’t implemented without adequate risk management. The quality of compensating control documentation often determines whether an OT-related finding is scored as a managed limitation with adequate compensating controls or as an unmanaged gap.
Assessors will also evaluate personnel understanding of OT-specific security responsibilities — specifically whether production staff, operations technology staff, and IT security staff all understand the boundaries between their respective domains and the security requirements that apply at those boundaries. An IT security team that doesn’t understand what the OT environment looks like, and an OT operations team that doesn’t understand what security requirements apply to their systems, produce interview gaps that reflect a compliance program that was built on the IT side without adequately engaging the operations side.

Conclusion: Manufacturing CMMC Is a Specialist Challenge That Rewards Specialist Preparation
CMMC compliance for defense manufacturers is harder than the framework documentation suggests because the framework was written for environments that manufacturing facilities don’t always have. The OT/IT convergence, the legacy production systems, the operational constraints on security changes, and the multi-site complexity all create compliance challenges that require manufacturing-specific expertise to navigate accurately.
The manufacturers that certify successfully are the ones who engage those challenges honestly — who invest in OT-specific gap analysis, who develop credible compensating control documentation for systems that standard approaches don’t reach, who build network architecture that actually enforces the OT/IT boundary they’ve described, and who bring the right advisors into the program who understand both the compliance requirements and the operational realities of defense manufacturing.
The manufacturers that struggle are the ones who try to apply enterprise IT compliance approaches to OT environments without adapting them, who discover the gaps between those approaches and their actual environment during the formal assessment, and who pay the cost of that discovery in delayed certification and follow-on assessment work that thorough preparation would have avoided.
If your organization is planning its CMMC compliance journey, contact Stealth Technology Group today at (617) 903-5559 to learn how modern cybersecurity infrastructure can accelerate your path toward certification readiness.
