Case Study: Securing CMMC Level 2 for Defense Manufacturing

From Contract Pressure to Certification: How KLC Navigated Complex Compliance


Client Profile

  • Industry: Defense Manufacturing
  • Organization Type: Complex, Multi-location
  • Scope: Multiple facilities with a mix of CUI (Controlled Unclassified Information) and non-CUI personnel on the manufacturing floor.
  • Technical Environment: High dependency on CNC tools, FIPS-enabled hardware, and hybrid cloud/on-premise systems.

The Challenge: Complexity in Manufacturing

Unlike pure IT or software firms, manufacturing environments present physical and logical challenges that require a nuanced understanding of the production floor. This organization had to manage a sprawling environment where proprietary designs—specifically G-code—were moved via physical media to CNC machines. This created a complex boundary where technical security met physical operations, requiring a consistent baseline across all locations to satisfy assessment requirements.

  • Personnel Management: Managing a mix of staff where not everyone is authorized to handle CUI on a “sprawling” manufacturing floor.
  • Data Portability: The need to move proprietary designs (G-code) via physical media (USB sticks) to CNC machines.
  • Baselining: Ensuring that security controls applied at one site were consistently implemented across all locations to satisfy assessment requirements.

KLC Consulting’s Strategic Approach

KLC Consulting utilized a structured, three-person team—comprising a Lead Assessor, a Second Chair, and a Quality Assurance (QA) Assessor—to execute a phased assessment. John Sciandra emphasized that KLC Consulting’s approach is designed to enable the OSC (Organization Seeking Certification) rather than just “audit” them, providing a seven-week readiness window to resolve documentation hurdles before the high-stakes assessment week began.

Phase 1: Pre-Assessment & Planning

  • Initial Discovery: Understanding the manufacturing process and identifying the critical CAGE codes (Commercial and Government Entity codes) that fall within the assessment scope.
  • Seven-Week Readiness Window: KLC Consulting provides an extended preparation period to allow the client to upload documentation and resolve logistical hurdles.
  • Scoping & Site Visits: A formal scoping call to determine travel requirements for on-site physical inspections of the manufacturing floor.

Phase 2: The Assessment Week

  • On-Site Walkthroughs: Verifying physical security, personnel access controls, and manufacturing equipment configurations.
  • Evidence Review: Examining the “Three Pillars” of evidence: Interviews, Artifacts, and Technical Demonstrations (the interview, examine, and test methods of NIST SP 800-171A).

Phase 3: Remediation & Quality Assurance

  • The “Reasonable Person Test”: Taking extra effort to investigate technical edge cases (e.g., software caching) rather than defaulting to a “gotcha” failure.
  • 10-Day Correction Window: Allowing the client to formalize verbal processes into written documentation within the SSP (System Security Plan), as permitted under 32 CFR Part 170 (the CMMC Program rule).

Critical Technical Insights

During the engagement, the team encountered “sticky” technical situations that required persistent investigation. For example, the process of transferring G-code required deep-dive technical discussions with the device manufacturers to verify that the FIPS-enabled USB drives used for the transfer actually protected the CUI as claimed. KLC Consulting’s philosophy is to do the “extra hard work” to find the correct answer, ensuring that technical implementations, no matter how unique, meet the rigorous standards of NIST and the DoD.

  • FIPS Modules & G-Code: KLC Consulting investigated the specific process of transferring CUI designs to CNC tools using FIPS-enabled USB drives.
  • Audit Control Misunderstandings: KLC Consulting identified common confusion between Control 3.3.3 (review and update the set of events that are logged, i.e., the audit tool’s configuration) and Control 3.3.1 (create and retain the audit logs and records themselves so that activity can be monitored and reviewed). Evidence for one does not satisfy the other.
  • The Importance of Lists: The assessment emphasized that “surprises” are the enemy of success. The client was encouraged to maintain comprehensive lists of:
    • All external connections.
    • FIPS module versions (e.g., a FortiGate running FortiOS 7.2 vs. 7.4). FIPS 140 validation is tied to specific module and firmware versions, so a routine upgrade can move a device off its validated version without anyone noticing.
    • Specific ports and protocols.

Lessons Learned for OSCs

The lessons learned are the critical takeaways that turn a single client success story into a roadmap for others. John Sciandra noted that many organizations fall into the trap of submitting “terse” SSPs that merely parrot requirements without explaining the actual implementation. He stresses that if you can explain a process during an interview, it should be documented in that same narrative style. Furthermore, the client learned that success requires Subject Matter Experts (SMEs) to be present and ready to demonstrate technical controls in real-time, rather than relying on a single spokesperson.

  • Avoid “Terse” SSPs: Simply “parroting” the requirements back to the assessor is insufficient. Documentation must describe how the requirement is met.
  • Empower Your Experts: Don’t let one person do all the talking. Assessors need to see the SMEs demonstrate controls (e.g., opening Intune to show settings).
  • Do Your Due Diligence: Use the Cyber AB website to find competent Registered Provider Organizations (RPOs). Working with someone who doesn’t fully understand CMMC can lead to costly failures.
  • Pick a “Ready Date”: Avoid the hype of scheduling just to “get in line.” Organizations that schedule before they are ready often face expensive rescheduling fees.
  • The Value of Mock Assessments: For companies with pending contracts, a Mock Assessment Bundle is more cost-effective than failing a formal assessment and paying again to redo the entire process.

The Conclusion: The Final Result

The engagement concluded with the manufacturer successfully achieving their CMMC Level 2 Certification. This victory converted a “panic mode” situation into an immediate opportunity, allowing them to secure their pending contract and build a robust, scalable security posture for the future. By investing in the right preparation and documentation, the company is now in “good stead” for all future DoD contract bids.

“We are willing to do the extra hard work to understand how a client is meeting a control. We like to see our clients pass, but we must ensure they are truly secure.”

John Sciandra, Principal Lead Assessor, KLC Consulting

We understand the natural apprehension people feel going into their high-stakes CMMC assessment. You worry you’ll get the invasive “gotcha!” type of auditor. At KLC Consulting, our warm, interactive assessment style alleviates that concern. As an objective C3PAO, we are dedicated to validating your demonstrated security practices. We deliver assessments with clear understanding and a human touch, focusing on complete and accurate compliance confirmation.

Authorized C3PAO

Assessing organizations that develop software for Department of Defense applications requires rare, specialized knowledge. KLC Consulting possesses deep expertise in evaluating SSDLCs and DevSecOps environments. We understand precisely how CUI should be handled and protected within codebases, design specifications, and continuous integration/delivery pipelines. Our depth of knowledge far exceeds foundational C3PAO requirements and the capabilities of most C3PAOs in the marketplace today, ensuring a precise assessment for even the most advanced operational contexts.


Let’s talk

Is your organization preparing for CMMC certification? So are 77,000 other OSCs! – Don’t delay – let’s talk today. Please use our meeting link to schedule a Zoom call at any convenient time. You can also reach us at [email protected] or call 617-314-9721 x158.

We look forward to talking with you.

Want to Know How Much a CMMC Assessment Costs?

Check out our YouTube channel and LinkedIn pages for the latest informational and educational resources for Cybersecurity Maturity Model Certification.

Download our complete guide to your CMMC Level 2 certification assessment.
