Compliance February 21, 2026 · 8 min read

CMMC 2.0 for Inland Empire Manufacturers: What You Need to Know


BJ Pote

CEO, eTop Technology

If you’re a manufacturer in the Inland Empire and any of your revenue comes from Department of Defense contracts, CMMC 2.0 (Cybersecurity Maturity Model Certification) is coming for you. Not eventually. Now. And the businesses that wait until a prime contractor demands proof of compliance are going to be scrambling.

The Inland Empire has a massive defense and aerospace corridor. From logistics hubs in Riverside and San Bernardino to precision machining shops in Ontario and Rancho Cucamonga, there are hundreds of small and mid-size manufacturers feeding into the DoD supply chain. We work with several of them, and the pattern is always the same: they know CMMC is a thing, they’ve heard it mentioned at industry events, but they don’t know exactly what it means for their shop floor and their IT environment.

Let’s fix that.

What Is CMMC 2.0?

CMMC stands for Cybersecurity Maturity Model Certification. It’s a framework the Department of Defense created to make sure that every company in the defense supply chain is protecting sensitive information. The original version (CMMC 1.0) was overly complicated, so the DoD streamlined it into CMMC 2.0 with three levels instead of five.

Level 1: Foundational. This covers businesses that handle FCI (Federal Contract Information), which is basically any information the government gives you as part of a contract that isn’t public. Level 1 requires 17 basic security practices. Think things like using antivirus, limiting who can access systems, and locking computers when people walk away. You can self-assess for Level 1.

Level 2: Advanced. This is where most Inland Empire manufacturers will land. If you handle CUI (Controlled Unclassified Information), things like technical drawings, specifications, or performance data related to defense projects, you need Level 2. It maps directly to NIST SP 800-171, which is 110 security controls. For critical contracts, you’ll need a third-party assessment from a C3PAO (CMMC Third-Party Assessment Organization). For non-critical CUI, you can self-assess annually.

Level 3: Expert. This is for companies dealing with the most sensitive programs. It adds controls from NIST SP 800-172 and requires a government-led assessment. Most small and mid-size manufacturers won’t need this level.

Who Actually Needs CMMC Compliance?

If any of these describe your business, you need to pay attention:

  • You have a direct contract with the DoD (even a small one)
  • You’re a subcontractor to a prime defense contractor
  • You manufacture components that end up in defense systems
  • You receive technical data packages, drawings, or specifications marked as CUI
  • Your contracts include DFARS (Defense Federal Acquisition Regulation Supplement) clauses 252.204-7012, 7019, 7020, or 7021

Here’s what catches people off guard: it doesn’t matter how small your piece of the puzzle is. If a prime contractor sends you a technical drawing for a bracket that goes on a military vehicle, and that drawing is marked CUI, you need Level 2 compliance. Period.

The Timeline Is Not Hypothetical

CMMC 2.0 rulemaking finalized in late 2024, and the DoD began including CMMC requirements in contracts through a phased rollout starting in 2025. By 2026, it’s showing up in new solicitations regularly. If you’re bidding on contracts this year or next, you should expect to see CMMC requirements.

More importantly, prime contractors are already asking their subs about compliance posture. We’ve seen this firsthand. A machine shop in Ontario got a letter from their prime asking for a self-assessment score and a Plan of Action and Milestones (POA&M) within 60 days. They hadn’t started. That’s a bad position to be in.

What IT Changes Does CMMC Actually Require?

This is where it gets real. For Level 2, which most manufacturers need, you’re looking at 110 controls across 14 families. Here are the ones that hit hardest for a typical manufacturing environment:

Access Control. Every user needs unique credentials. No shared logins on the shop floor CNC computers. No sticky notes with passwords. Role-based access so people only see what they need to see.

Multi-Factor Authentication. MFA (Multi-Factor Authentication) on every account that accesses CUI. That includes email, file shares, remote access, and any cloud applications where CUI lives.

Encryption. CUI must be encrypted at rest and in transit. If you’re emailing technical drawings as unencrypted PDF attachments, that’s a problem. If your file server isn’t encrypted, that’s a problem.

Endpoint Protection. Every device that touches CUI needs managed antivirus, EDR (Endpoint Detection and Response), and regular patching. That includes the workstation running your CAD software and the laptop your engineer takes home.

Audit Logging. You need to log who accesses what, when, and from where. And you need to actually review those logs. This is where a lot of manufacturers fall short because they’ve never had a reason to track this before.

Network Segmentation. Your CUI environment should be separated from your general business network. The computer your receptionist uses to browse the internet should not be on the same network segment as the systems storing defense project data. This is where a zero trust security model pays off: it assumes no user or device should be trusted by default, which maps directly to what CMMC assessors want to see.
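As an added illustration of three of the points above (unique credentials, actually reviewing audit logs, and keeping CUI systems on their own segment), here is a small log-review script written for this article. It is example code, not eTop's tooling and not anything from the CMMC or NIST documents. The log format, share name, subnet, account names and business hours are all hypothetical assumptions, and the sample log lines are constructed.

```python
"""Review a constructed file-server access log for CMMC-relevant red flags.

Added example, not part of the original article. Assumes a hypothetical
access log with one event per line: "ISO-timestamp,user,source_ip,share,action".
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Hypothetical environment settings (assumptions, not from the article):
CUI_SHARES = {"\\\\fs01\\cui"}                      # shares that hold CUI
CUI_ENCLAVE = ipaddress.ip_network("10.20.0.0/24")  # segmented CUI network
GENERIC_ACCOUNTS = {"shopfloor", "cnc1", "admin"}   # shared logins to eliminate
BUSINESS_HOURS = range(6, 19)                       # 06:00-18:59 local time


@dataclass
class Finding:
    line: int    # 1-based line number in the log
    rule: str    # which review rule fired
    detail: str  # human-readable context for the reviewer


def parse_line(line):
    """Split one log line into typed fields."""
    ts, user, ip, share, action = line.strip().split(",")
    return datetime.fromisoformat(ts), user, ipaddress.ip_address(ip), share, action


def review_log(lines):
    """Return findings for every CUI-share access that breaks a review rule.

    Rules:
      shared-account   a generic/shared login touched CUI (no unique credential)
      outside-enclave  the client IP is not inside the segmented CUI network
      after-hours      access happened outside normal business hours
    """
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, ip, share, action = parse_line(line)
        if share not in CUI_SHARES:
            continue  # only CUI resources are in scope for this review
        if user in GENERIC_ACCOUNTS:
            findings.append(Finding(n, "shared-account", f"{user} {action} {share}"))
        if ip not in CUI_ENCLAVE:
            findings.append(Finding(n, "outside-enclave", f"{ip} reached {share}"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(Finding(n, "after-hours", f"{user} at {ts.isoformat()}"))
    return findings


def summarize(findings):
    """Count findings per rule, the view a weekly log review would start from."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "# timestamp,user,source_ip,share,action",
    "2026-02-10T09:15:00,jsmith,10.20.0.15,\\\\fs01\\cui,read",      # clean
    "2026-02-10T10:02:00,shopfloor,10.20.0.30,\\\\fs01\\cui,read",   # shared login
    "2026-02-10T11:40:00,rlopez,10.10.5.22,\\\\fs01\\cui,read",      # office LAN, not enclave
    "2026-02-11T02:30:00,jsmith,10.20.0.15,\\\\fs01\\cui,write",     # 2:30 AM
    "2026-02-11T08:05:00,jsmith,10.10.5.40,\\\\fs01\\public,read",   # not a CUI share
]

if __name__ == "__main__":
    results = review_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line}: {f.rule}: {f.detail}")
    print(summarize(results))
```

Each finding maps back to a control family: a shared account is an access-control failure, an out-of-enclave client is a segmentation failure, and the after-hours write is simply something a reviewer should look at and record. The point is less the rules themselves than that the review runs on a schedule and leaves a record an assessor can see.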

Incident Response. You need a documented plan for what happens when something goes wrong. Who do you call? How do you contain a breach? How do you report it to the DoD? You’re required to report cyber incidents to the DoD within 72 hours.

Security Awareness Training. Every employee with access to CUI needs regular training. Not just once. Ongoing. Phishing simulations, policy refreshers, the works.

The Biggest Mistake We See

The number one mistake manufacturers make is assuming their current IT setup is “close enough.” We did an assessment for a fabrication shop last year. They had decent IT by normal business standards. Firewalls, antivirus, Office 365. But when we mapped their environment against the 110 NIST 800-171 controls, they were meeting about 40 of them. That’s a failing grade, and it meant months of work to get compliant.

The second biggest mistake is trying to DIY the compliance work with internal staff who don’t have security expertise. CMMC isn’t something you can Google your way through. The controls are specific, the documentation requirements are rigorous, and the assessors know what to look for.

What Should You Do Right Now?

If you’re an Inland Empire manufacturer with DoD work, here’s your action plan:

1. Figure out what data you handle. Do you receive FCI? CUI? Both? Check your contract clauses and talk to your prime contractors. This determines which CMMC level you need.

2. Get a gap assessment. Have someone who understands NIST 800-171 evaluate your current environment against the controls. You need to know your starting point before you can build a plan. We offer a compliance assessment specifically designed for this.

3. Scope your CUI environment. One of the smartest things you can do is limit where CUI lives. The smaller your CUI boundary, the fewer systems you need to bring into compliance. This can save you significant time and money.

4. Build a remediation plan. Based on your gaps, create a prioritized plan to implement the missing controls. Focus on the high-impact items first: MFA, encryption, access controls, and endpoint protection.

5. Document everything. CMMC assessors want to see written policies, procedures, and evidence that you’re following them. A System Security Plan (SSP) and POA&M are required documents. Start writing them now.

6. Partner with an MSP that knows CMMC. Your IT partner should understand the defense manufacturing space and the specific compliance requirements. Not every managed IT provider has this expertise, so ask the right questions about their CMMC experience before you sign anything.

The Business Case Is Simple

Losing a defense contract because you can’t prove compliance is an existential risk for a lot of shops. The manufacturers who invest in CMMC compliance now are the ones who will keep their contracts and win new ones. The ones who wait are going to find themselves locked out of bids.

And here’s the upside that nobody talks about: the same security controls that make you CMMC compliant also make your business dramatically harder to attack. Ransomware, phishing, data theft. You’re building real cybersecurity resilience, not just checking boxes for an auditor.

If you’re not sure where you stand or you want a clear-eyed assessment of what it will take to get compliant, reach out. We’ll walk through your environment, identify the gaps, and give you a realistic timeline and budget. No scare tactics. Just a practical plan to protect your contracts and your business.


eTop Technology has spent over 15 years in IT and over 12 years serving the Inland Empire as a trusted managed IT provider. We host the Business Tech Playbook podcast and are passionate about helping business leaders make smarter technology decisions.

Need Help Meeting Compliance Requirements?

From CMMC to SOC 2, compliance is complex. We help Inland Empire businesses build IT environments that pass audits the first time — without the guesswork.


Or call us directly: 951-398-0021