CMMC Level 1 for Machine Shops: A Practical Compliance Guide

Machine shops are the backbone of defense manufacturing. From precision aerospace components to submarine parts, small machine shops across the country produce the pieces that keep our military operational.

If you run a machine shop doing DoD work, you handle drawings, specifications, tolerances, and technical data every day. All of that is Federal Contract Information—and that means CMMC Level 1 applies to you.

Here's what many shop owners miss: CMMC isn't just about your office computers. It applies to your CAD workstations, your networked CNC controllers, your shop floor tablets, and anywhere else contract information lives or travels.

This guide translates CMMC Level 1 requirements into machine shop language. No generic IT advice. No irrelevant corporate security talk. Just practical guidance for protecting the drawings and data that flow through your shop every day.

Important note: This guide assumes you're handling FCI (Federal Contract Information), not CUI (Controlled Unclassified Information). If the drawings and technical data you receive are marked "CUI," "Controlled," or have export control markings, you likely need Level 2—not Level 1. Check your documents. When in doubt, ask your prime contractor.

Whether you're a five-person job shop or a fifty-person production facility, the requirements are the same—and they're achievable without hiring expensive consultants or overhauling your entire operation.


What Counts as FCI in a Machine Shop?

Federal Contract Information is any non-public information related to your government contracts. In a machine shop, that includes more than you might think.

Definitely Contract Information (Check for Markings)

Technical drawings and blueprints. Drawings you receive from a prime contractor or government customer are contract information—but which type depends on markings. Check every drawing for "CUI," "Controlled," or export control markings (ITAR/EAR). If they're marked, you're handling CUI and need Level 2. If they're unmarked but still non-public, they're FCI and Level 1 applies. This includes PDFs, CAD files, and paper prints—whether they came by email, file transfer, or physical delivery.

Part specifications and tolerances. Same rule applies. The technical requirements for what you're making—dimensions, materials, surface finishes, tolerances—are contract information. Marked specifications are CUI (Level 2). Unmarked specifications that aren't public are FCI (Level 1). When in doubt, ask your prime contractor or contracting officer whether the technical data you're receiving is CUI.

Also FCI (Unless Marked as CUI)

Pricing and quotes for DoD work. Your estimates, quotes, and pricing information for government contracts are FCI. This includes the spreadsheets, estimating software data, and emails where you discussed pricing.

Purchase orders and contracts. The actual contract documents, POs, and any modifications or amendments are obviously FCI.

Email correspondence about contracts. Emails discussing delivery schedules, technical questions, change orders, or any other contract-related topics contain FCI.

Inspection reports and quality records. First article inspections, CMM reports, material certifications, and other quality documentation for DoD parts are FCI.

Shop travelers and work orders. Internal documents that contain contract specs, drawing numbers, or other technical details are FCI.

Not FCI

General business records unrelated to DoD work. Your commercial customer files, general accounting records, and HR documents aren't FCI (unless they somehow contain contract information).

Publicly available information. If the government has publicly released something, it's not FCI.

The key question: Is this information related to a government contract and not meant for public release? If yes, treat it as FCI.


What Systems Are in Scope?

"Scope" means the systems, people, and locations subject to CMMC requirements. In a machine shop, scope extends well beyond the front office.

CAD/CAM Workstations

Your design and programming computers are ground zero for FCI. They store drawings, create toolpaths, and often hold years of accumulated job files. If you do any CAD work in-house—even just opening and viewing customer drawings—those workstations are in scope.

CNC Machine Controllers

This is where it gets interesting. If your CNC machines are networked and store drawing data or programs containing contract specifications, they may be in scope. A standalone machine with manually loaded programs is different from a networked controller pulling files from a server.

Ask yourself: Does contract information live on or pass through this controller? If yes, it's in scope.

File Servers and Network Storage

The server or NAS where you store job files, drawings, and programs is definitely in scope. This is often the central repository for all your FCI.

Email Systems

If you email about contracts—and every shop does—your email system is in scope. This includes email on computers, phones, and tablets.

Estimating and Quoting Software

Your estimating software contains pricing data, job specifications, and contract details. If it touches DoD work, it's in scope.

Shop Floor Computers and Tablets

That computer at the inspection station? The tablet machinists use to view drawings? The PC running your shop management software? If they access or display FCI, they're in scope.

Your Phone

If you read work emails on your phone, discuss contracts via text, or access drawings remotely, your phone is in scope. This catches a lot of shop owners off guard.

What's Probably Not in Scope

Systems that never touch contract information can be excluded. A dedicated accounting computer that only handles commercial work, a break room PC for employee use, equipment isolated from any contract data—these may be out of scope if you keep them strictly separated.


Control-by-Control for Machine Shops

Let's walk through how each CMMC Level 1 requirement applies specifically to a machine shop environment.

Access Control

Only authorized people access your systems.

In practice: Each machinist, programmer, and office staff member has their own login. No generic "shop" account that everyone uses. When someone leaves, their access is removed that day.

Limit what each person can do based on their job.

In practice: Not everyone needs access to everything. Your CAD files can be organized by customer or project with permissions set accordingly. An apprentice might view drawings but not modify them. Only your programmers can change CAM files. Your estimator accesses quoting data but not engineering files.

Example setup:

  • Machinists: View drawings, view programs
  • Programmers: View and edit drawings and programs
  • Office staff: Access contracts and business docs, no CAD access
  • Owner: Access to everything
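One way to put that role table into effect on a Windows file server, as an added example that is not part of this guide: local groups per role and NTFS permissions on the job folders. The folder paths, group names, and the use of the local Administrators group for the owner are assumptions; adjust them to your own server and run the script as Administrator.

```powershell
# Added example (not from the guide): role-based NTFS permissions for a shop file server.
# Assumed layout: D:\Jobs\Drawings, D:\Jobs\Programs (CAD/CAM files) and D:\Office\Contracts.
# Owner/administrators keep full control through the built-in Administrators group.

$folders = @('D:\Jobs\Drawings', 'D:\Jobs\Programs', 'D:\Office\Contracts')

# Role -> folder -> NTFS right. ReadAndExecute = view only; Modify = view and edit.
$roles = @{
    'Shop-Machinists'  = @{ 'D:\Jobs\Drawings' = 'ReadAndExecute'; 'D:\Jobs\Programs' = 'ReadAndExecute' }
    'Shop-Programmers' = @{ 'D:\Jobs\Drawings' = 'Modify';         'D:\Jobs\Programs' = 'Modify' }
    'Shop-Office'      = @{ 'D:\Office\Contracts' = 'Modify' }
}

# Create each role group once. Users are added by name later (Add-LocalGroupMember),
# so every access is tied to a real person rather than a shared "shop" login.
foreach ($group in $roles.Keys) {
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $group -Description 'CMMC role group' | Out-Null
    }
}

$inherit = 'ContainerInherit,ObjectInherit'   # apply the rule to subfolders and files

foreach ($folder in $folders) {
    if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }
    $acl = Get-Acl -Path $folder
    # Stop inheriting permissions from the drive root so the folder only carries what is granted here.
    $acl.SetAccessRuleProtection($true, $false)
    # Administrators and SYSTEM always keep full control (backups, patching, the owner's account).
    foreach ($admin in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($admin, 'FullControl', $inherit, 'None', 'Allow')))
    }
    # Grant each role only the right the table assigns for this folder; roles not listed get nothing.
    foreach ($group in $roles.Keys) {
        $right = $roles[$group][$folder]
        if ($right) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($group, $right, $inherit, 'None', 'Allow')))
        }
    }
    Set-Acl -Path $folder -AclObject $acl
}

# Evidence for your documentation: who can do what on each folder.
foreach ($folder in $folders) {
    "`n$folder"
    (Get-Acl -Path $folder).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

Add people with Add-LocalGroupMember (for example, Add-LocalGroupMember -Group 'Shop-Programmers' -Member 'JSMITH'), and remove them from the group the day they leave.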

Control external connections.

In practice: Know what connects to your network from outside. Remote access for CAD vendors? VPN for working from home? Cloud backup services? These should be documented and controlled, not just allowed to happen.

Control public information.

In practice: Before posting photos of parts on your website or social media, verify nothing is controlled. That impressive five-axis part might be for a program you shouldn't be advertising.

Identification and Authentication

Know who's using your systems.

In practice: Every login is tied to a real person. When you see "JSMITH" accessed a file, you know that's John Smith in programming. No anonymous access, no generic accounts.

Verify users are who they claim to be.

In practice: Strong passwords on all systems—CAD workstations, shop floor computers, file servers. No sticky notes with passwords on monitors. Screens lock automatically when people step away.

For the shop floor: Yes, it's inconvenient to log in repeatedly. But a shared "shop" password that everyone knows isn't security—it's the illusion of security.

Media Protection

Dispose of contract information properly.

In practice: This matters more than most shops realize.

Paper drawings: Shred them when the job is done and retention requirements are met. Don't toss old blueprints in the dumpster.

USB drives: Those thumb drives floating around with drawing files? When you're done with them, wipe or destroy them. Don't just delete files and throw them away.

Old computers: When you replace that CAD workstation, the hard drive is full of years of contract drawings. Wipe it properly or destroy it before the computer leaves your facility. The same goes for the old PC you pulled off the shop floor.

Old CNC controllers: When you sell or scrap a machine, what's on that controller? Programs based on customer drawings may still be there.

Physical Protection

Limit physical access to systems.

In practice: Your shop floor probably isn't open to the public—customers don't wander through the machining area unescorted. Good. Keep it that way.

Your server or main CAD workstation should have additional protection. A locked office or server closet that not everyone can access.

Escort visitors.

In practice: When customers, vendors, or job candidates visit, they sign in and someone accompanies them. They don't wander the shop floor alone, potentially seeing drawings or parts for other customers.

Keep access logs.

In practice: A sign-in sheet for visitors. If you have badge access, keep those logs. You should be able to answer "who was in the shop last Tuesday?"

Manage keys and badges.

In practice: Know who has keys to the building, the shop, and the office. When an employee leaves, collect their keys. If someone loses a key, consider whether you need to re-key.

System and Communications Protection

Protect your network boundary.

In practice: A firewall between your shop network and the internet. Most business routers include this. Make sure it's enabled and configured—not just plugged in with default settings.

Separate public systems from internal.

In practice: Guest WiFi should be separate from your shop network. When a vendor tech connects to troubleshoot equipment, they shouldn't land on the same network as your file server.

Also consider: Don't connect CNC machines directly to the internet. If a controller needs updates or remote diagnostics, route that through a controlled connection—not direct exposure to the outside world.

System and Information Integrity

Fix system flaws promptly.

In practice: Keep Windows updated on all computers. Update your CAD/CAM software when security patches are available. That old Windows 7 machine running your EDM? It's a liability.

Protect against malware.

In practice: Antivirus on every Windows computer—office and shop floor. Windows Defender works fine. Make sure it's running, not disabled because it "slowed things down."

Keep antivirus updated.

In practice: Automatic updates enabled. Definitions updating daily. Check occasionally that it's actually working.

Regular scans.

In practice: Schedule weekly scans on all systems. They can run overnight or during lunch. A shop floor PC that never gets scanned is a weak point.
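As an added example that is not part of this guide, the three checks above (running, updated, scanned) can be verified on each Windows PC with the built-in Defender cmdlets, and the result recorded as evidence. The Sunday 02:00 scan window and the evidence file path are assumptions.

```powershell
# Added example (not from the guide): check Microsoft Defender on an in-scope PC and
# schedule the weekly full scan. Assumes Windows 10/11 with the Defender cmdlets present.

$status = Get-MpComputerStatus
$findings = @()

# "Protect against malware": the engine and real-time protection must actually be on.
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }

# "Keep antivirus updated": definitions should be no more than a day old.
if ($status.AntivirusSignatureAge -gt 1) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old"
    Update-MpSignature    # pull current definitions now rather than waiting
}

# "Regular scans": a full scan should have completed within the last week.
if ($status.FullScanAge -gt 7) { $findings += "Last full scan was $($status.FullScanAge) days ago" }

# Schedule the weekly full scan for an assumed overnight window (Sunday 02:00).
Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Sunday -ScanScheduleTime 02:00:00

# One line per machine in the evidence file (assumed path); append so the file grows over time.
$record = [pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Checked  = (Get-Date).ToString('s')
    Result   = if ($findings) { $findings -join '; ' } else { 'OK' }
}
$record | Export-Csv -Path 'C:\CMMC-Evidence\defender-status.csv' -Append -NoTypeInformation
$record
```

If tamper protection is enabled, Set-MpPreference may be refused on that machine; the status check still tells you whether the scan schedule is in place.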


Common Machine Shop Gaps

These are the compliance gaps we see most often in machine shops:

Shared logins on shop floor computers.

"Everyone uses the same login on the shop PC" is incredibly common—and a clear compliance failure. Yes, individual accounts are more work. They're still required.

Drawings on unencrypted USB drives.

Thumb drives are convenient for moving files to machines. But uncontrolled USB drives with customer drawings floating around the shop—or going home in pockets—is a problem. Track them, control them, or find a better method.

Old computers sent to scrap with data intact.

That CAD workstation you replaced three years ago—what happened to the hard drive? If you're not sure, this is a gap. Every computer leaving your facility needs its data wiped or destroyed.

CNC machines on the main network.

Networking your CNCs is convenient for file transfer. But if those controllers are on the same network as everything else, with no segmentation, you've expanded your attack surface. Consider a separate network segment for production equipment.

Personal phones on shop WiFi.

If employees connect personal phones to your main shop WiFi, those devices are now on your network. Either create a separate network for personal devices or have a clear policy prohibiting it.

No documentation of anything.

You probably do most things right already. But can you prove it? Write down your practices. Keep records. Documentation is what separates "we do that" from "we're compliant."


Practical Next Steps

You don't need to overhaul your shop overnight. Start with understanding your current state.

Map where your drawings live.

Trace the path of a typical job through your shop. Where do drawings come in? Where are they stored? What systems access them? Where do they end up? This mapping exercise often reveals systems you hadn't considered in scope.

Inventory all computers that touch FCI.

Make a list: every workstation, server, tablet, and networked controller that stores or accesses contract information. This is your scope. These are the systems that need to meet requirements.

Walk through each requirement.

For each system in scope, check it against the 15 Level 1 requirements. Individual logins? Check. Antivirus running? Check. Go requirement by requirement, system by system.

Document as you go.

As you verify compliance, write it down. Create a simple document describing how you meet each requirement. Save screenshots of settings. This becomes your evidence.

Use CMMCheck to structure your assessment.

CMMCheck walks you through each requirement with simple yes/no questions designed for non-technical business owners. It helps you identify gaps and understand what needs attention—without wading through government documents or hiring consultants.

Your machine shop can achieve CMMC Level 1 compliance. The requirements are reasonable. The investment is primarily time. Start today, work through it systematically, and you'll be compliant without disrupting your production.


This guide is part of CMMCheck's Plain English CMMC Level 1 Guide, helping small businesses navigate DoD cybersecurity requirements without the jargon.