CMMC compliance follows the data—not the org chart. For most manufacturers, that means the perimeter is much larger than anyone initially expects.
Many defense manufacturers start with a simple assumption: the CMMC scope is contained. It feels defined. Manageable. A few engineering workstations, the product data management (PDM) system, maybe Enterprise Resource Planning (ERP).
But when it comes to CMMC 2.0, compliance doesn’t follow the org chart—it follows the data. And in a world that’s digital, connected, and increasingly cloud-first, that makes the perimeter far larger than most teams expect.
We see it play out all the time. A mid-size aerospace sheet metal fabricator assumed its scope was tight on paper. In reality, it was anything but. Its computer numerical control (CNC) machines were pulling job instructions from a shared drive used by engineering. That same environment held drawings, specs, and production details that moved well beyond the systems originally considered “in scope.” Its manufacturing execution system (MES) vendor still had a remote access credential that no one had revisited in years. And design files were being shared through a commercial cloud sync tool that wasn’t FedRAMP authorized.
At that point, the idea of a clean perimeter starts to fall apart. The scope doesn’t just expand. It reveals how connected everything already is.
Once you start tracing where Controlled Unclassified Information (CUI) actually moves—across systems, applications, vendors, and users—you see just how much is in scope, whether it was ever meant to be or not.
That’s the shift most teams underestimate. The perimeter extends beyond the shop floor to everywhere the data goes.
And the stakes are real. Nearly 89% of defense contractors have already experienced financial, operational, or reputational damage from a cyber incident, most of them with security tools already in place. That gap is about governance, not just technology. [1]
At the same time, roughly 80,000 defense contractors will need CMMC Level 2 certification, and there are only so many authorized assessors to go around. [2] Meanwhile, manufacturing remains one of the costliest sectors for data breaches, with the global average cost of a data breach at $5 million in 2025. [3]
Sensitive manufacturing data rarely stays contained in CAD or PLM systems. It starts there—but it moves fast.
CUI flows through CAD files, production terminals, vendor access sessions, and cloud tools. The compliance perimeter may start on the shop floor, but the data quickly gets passed along in supplier emails when drawings are shared back and forth. It lives on shared folders that outside service teams tap into when they’re troubleshooting. And, more often than not, it ends up in whatever cloud application someone used because it was quicker than the “approved” way.
One of the biggest gaps is the floor itself. Teams lock down design environments but overlook where the work actually happens. To meet requirements, you have to protect every place that data shows up: machines, operator devices, temporary access points, all of it. If the data reaches a system, it’s your responsibility to secure that system. It doesn’t matter what a system was supposed to do; if it’s touching controlled data, it’s in scope.
Every system, endpoint, or vendor connection that touches CUI is in scope. A well-defined CUI enclave can reduce that scope substantially, but you can't define it without doing the work first. Getting the scope definition right before starting remediation is key to preventing the costliest surprises.
Here are four high-risk exposure areas to consider:
Unmanaged third-party remote access is one of the most frequently cited gaps in Level 2 assessments, and it's one of the easiest to overlook. If a CNC equipment vendor has a standing login to your network for maintenance purposes—and most do—that access path is in scope. If it isn't governed, monitored, and documented, it's a finding. The same applies to MES integrators, OEM support accounts, and any other external party that can reach systems where CUI lives.
Not every system in your facility needs to meet Level 2 requirements—only those that store, process, or transmit CUI. A well-defined CUI enclave draws a clear boundary around those systems and keeps everything else out. That boundary, properly established before remediation begins, can greatly reduce both the complexity of the work and the total cost of compliance.
That fabricator wasn't in worse shape than anyone else. They just hadn't mapped it yet. Once they did, they were able to isolate their production environment using session controls, revoke and replace the standing vendor credentials, and move engineering collaboration to a compliant platform. That significantly reduced the scope before remediation even started. The lesson isn't that manufacturing environments are impossible to scope correctly. It's that you can't define the boundary without doing a proper data flow analysis first, and most manufacturers never have.
Virtual Desktop Infrastructure (VDI) is one of the more practical tools available for manufacturers trying to manage scope intelligently. VDI and session isolation let production terminals display CUI through a controlled session without storing it locally. This effectively removes those endpoints from full Level 2 scope while keeping production workflows intact.
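The scoping exercise described above, from tracing where CUI flows through to the enclave boundary, the ungoverned vendor path and the VDI carve-out, as an added example that is not NexusTek's code or tooling. The inventory and connections are constructed to mirror the fabricator story; the attribute names (`stores`, `vdi`, `governed`) are this example's own.

```python
from collections import deque

# Constructed inventory, not a real site. "stores": CUI can persist there;
# "vdi": endpoint only renders a controlled session, never stores CUI locally;
# "governed": the access is documented, monitored and periodically reviewed.
SYSTEMS = {
    "pdm":         {"stores": True,  "governed": True},
    "eng_share":   {"stores": True,  "governed": True},
    "cnc_01":      {"stores": True,  "governed": True},
    "mes":         {"stores": True,  "governed": True},
    "mes_vendor":  {"stores": False, "governed": False},  # standing remote login
    "cloud_sync":  {"stores": True,  "governed": False},  # non-FedRAMP sync tool
    "op_terminal": {"stores": False, "governed": True, "vdi": True},
    "hr_system":   {"stores": True,  "governed": True},   # never touches CUI
}
# Constructed connections over which CUI, or access to it, can move.
FLOWS = [("pdm", "eng_share"), ("eng_share", "cnc_01"), ("eng_share", "mes"),
         ("mes_vendor", "mes"), ("pdm", "cloud_sync"), ("eng_share", "op_terminal")]
CUI_ORIGINS = {"pdm"}  # where CUI enters the environment


def trace_scope(flows, origins):
    """Every system transitively connected to a CUI origin is in scope. Edges are
    undirected: a remote-access path into an in-scope system is itself in scope."""
    adj = {}
    for a, b in flows:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = set(origins), deque(origins)
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def classify(systems, flows, origins):
    """Bucket systems as full scope, session-isolated (VDI, no local CUI) or out
    of scope; any ungoverned in-scope access path is recorded as a finding."""
    reached = trace_scope(flows, origins)
    result = {"full": set(), "isolated": set(), "out": set(), "findings": set()}
    for name, attrs in systems.items():
        if name not in reached:
            result["out"].add(name)
            continue
        isolated = attrs.get("vdi", False) and not attrs["stores"]
        result["isolated" if isolated else "full"].add(name)
        if not attrs["governed"]:
            result["findings"].add(name)
    return result
```

Dropping the `("mes_vendor", "mes")` connection from `FLOWS`, as the fabricator did by revoking the standing credential, takes the vendor out of scope on the next run; the HR system never enters scope because no CUI path reaches it.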
The manufacturers who get surprised by scope are the ones who assumed they understood it without doing the analysis. A solid gap assessment finds the boundaries before an assessor does.
Not sure how far your CUI perimeter actually extends?
NexusTek's Readiness Assessment maps every touchpoint (IT, OT, cloud, and vendor) before remediation begins. Learn more: https://info.nexustek.com/cmmc-2.0-readiness-assessment
NexusTek is not a C3PAO. We prepare manufacturers to pass the assessment.
Sources:
1. Merrill Research and CyberSheath, New Study Reveals Only 1% of Defense Contractors Fully Ready for Imminent CMMC Deadline, September 2025
2. FedTech, Major Contractors Close In on CMMC 2.0 Readiness, April 2025
3. IBM, Cost of a Data Breach Report, July 2025