Most Pacific Northwest aerospace and DoD manufacturers are not ready for CMMC Level 2 — and most don’t know it. As of 2025, the Department of Defense began embedding CMMC Level 2 requirements directly into contracts, and enforcement through third-party assessments (C3PAOs) is now active for new awards.
If you handle Controlled Unclassified Information (CUI) and you supply to Boeing, Blue Origin, the Navy, or any Tier 1 DoD prime, your next contract renewal or new award will likely require documented CMMC Level 2 compliance. The gap between where most 25–250-user manufacturers stand today and what Level 2 requires is 12 to 18 months of active remediation work — and the clock is already running.
Here’s what Level 2 actually requires, where most manufacturers are failing, and what a realistic readiness path looks like.
What CMMC Level 2 Actually Is (Plain Language)
CMMC Level 2 is not a new framework. It maps directly to the 110 security practices in NIST 800-171, which most DoD contractors have been required to self-attest to for years.
The critical change in 2025–2026 is how compliance is verified.
Previously: you self-assessed, submitted a score to the Supplier Performance Risk System (SPRS), and hoped no one looked closely.
Now: for contracts above certain thresholds, a Certified Third-Party Assessment Organization (C3PAO) conducts an independent audit. If you fail, you don’t get the contract. If you’re mid-contract and fail a triennial assessment, you can lose the award.
Self-attestation still applies to some lower-risk contracts. But if you’re pursuing new DoD work in 2026, assume third-party assessment is required.
The 5 Areas Where PNW Manufacturers Most Commonly Fail CMMC Assessments
These are the gaps inTech’s engineers find most consistently when conducting CMMC readiness assessments with Pacific Northwest manufacturers:
1. No System Security Plan (SSP)
NIST 800-171 requires a documented SSP describing how every one of the 110 controls is implemented in your environment. Most manufacturers either have no SSP, have one written by a non-technical person that doesn’t match actual configurations, or have one that’s three years out of date.
An assessor will compare your SSP to your actual environment. Discrepancies are automatic findings.
2. CUI Is Not Scoped or Labeled
You cannot protect what you haven’t defined. CMMC requires knowing exactly where CUI lives — which systems process it, store it, or transmit it — and having a documented boundary around that environment.
Most manufacturers have CUI scattered across shared drives, personal laptops, email, and cloud tools that were never evaluated for CUI handling. Every system touching CUI is in scope for the full 110 controls.
3. Access Control Gaps
NIST 800-171 requires least-privilege access, MFA on all CUI systems, and documented user access reviews. Common failures:
- Shared credentials on engineering workstations
- Former employees with active accounts in CAD or ERP systems
- No MFA on remote access to CUI environments
- Admin accounts used for daily work
4. No Continuous Monitoring or SIEM
NIST 800-171 Practice 3.3.1 requires audit logging of all activity on CUI systems. Practice 3.14.6 requires monitoring for unauthorized activity. Together, these require SIEM-level log aggregation and continuous monitoring — not quarterly log reviews.
Most traditional MSPs do not provide SIEM as a standard service. This is a direct assessment failure.
5. Incident Response Plan Exists on Paper Only
An IRP is required. So is evidence that it’s been tested. A PDF in a SharePoint folder that no one has read since 2022 is not a tested incident response plan. Assessors will ask for tabletop exercise records, plan revision dates, and contact lists that are current.
Why Manufacturers Underestimate the Gap
The SPRS score problem. Many manufacturers submitted a SPRS self-assessment score in 2021 or 2022 and assumed that score still reflects their environment. Systems change, staff turns over, configurations drift. A score submitted three years ago is almost certainly inaccurate today — and an assessor will find the delta.
The “we’re compliant enough” problem. CMMC Level 2 is pass/fail in practice. A score of 95 out of 110 does not mean you’re 95% ready. It means you have findings. Findings with no Plan of Action and Milestones (POA&M) can disqualify an award.
The “our IT guy handles it” problem. Most in-house IT staff and general MSPs are not CMMC-trained. NIST 800-171 has specific implementation requirements that differ from standard IT best practices — particularly around CUI scoping, audit logging, and configuration management documentation.
A Real Scenario: 85-Person Aerospace Supplier in Tacoma
An 85-person precision machining company in Tacoma, supplying components to a Tier 1 aerospace prime. Long-standing relationship, eight-figure annual contract. Self-attested CMMC Level 1 compliance in 2021. Never formally assessed.
2025: Prime contractor requires Level 2 C3PAO assessment as condition of contract renewal.
Gap assessment findings:
- No SSP for CUI environment
- CUI identified on 14 systems not previously scoped
- Three former employees with active network credentials
- No SIEM — audit logging not enabled on CUI servers
- IRP last updated 2020, never tested
- SPRS score submitted: 94. Actual scored assessment: 61.
Timeline to remediation: 14 months. Cost of remediation: $185,000 in infrastructure, documentation, and third-party support. Contract status during remediation: On hold pending POA&M acceptance by prime.
The business had been operating with a 33-point gap between their self-reported score and their actual security posture — for four years.
What CMMC Level 2 Readiness Actually Costs
For a 25–250-user Pacific Northwest manufacturer, a realistic CMMC Level 2 readiness engagement breaks down as follows:
| Phase | Scope | Typical Cost |
|---|---|---|
| Gap assessment | Current state vs. 110 controls | $8,000–$18,000 |
| SSP and POA&M development | Documentation package | $12,000–$25,000 |
| Technical remediation | Infrastructure, MFA, SIEM, access controls | $40,000–$150,000 |
| C3PAO assessment | Third-party certification audit | $30,000–$75,000 |
| Ongoing compliance maintenance | Annual monitoring and reassessment | $2,500–$6,000/month |
Total first-year investment: $90,000–$270,000 depending on current state.
That range sounds wide because it is — the single biggest cost driver is how far your current environment is from the 110 controls. Manufacturers who have been running a modern managed IT stack with SIEM, MDR, MFA, and documented access controls are closer to the low end. Those starting from scratch trend toward the high end.
The CMMC Readiness Framework: 5 Phases
Phase 1 — Scope: Define your CUI boundary. Every system that touches CUI is in scope. Minimize that boundary aggressively — every system you remove from scope reduces your assessment surface.
Phase 2 — Assess: Run a formal gap assessment against all 110 NIST 800-171 practices. Document current state, findings, and a realistic POA&M with timelines.
Phase 3 — Remediate: Prioritize findings by assessment risk. Critical gaps first: access control, audit logging, CUI protection, incident response. Infrastructure changes before documentation updates.
Phase 4 — Document: Build or update your SSP to match your actual environment. Document every control implementation with evidence — screenshots, configuration exports, policy acknowledgments. This is what the assessor audits.
Phase 5 — Assess and Certify: Engage a C3PAO for the formal assessment. Have your documentation package complete and your technical team briefed before the assessor arrives. Post-assessment findings require a POA&M with remediation timelines.
What This Means for Your Contracts Right Now
If you are actively pursuing new DoD or aerospace contracts in 2026, assume the following:
- New awards above the simplified acquisition threshold will require Level 2 certification or a credible POA&M
- Existing contracts up for renewal may require Level 2 as a condition
- Primes are increasingly flowing CMMC requirements down to Tier 2 and Tier 3 suppliers
- A failed or missing assessment is grounds for contract disqualification — not a grace period
The manufacturers who begin remediation in Q3 2026 will have certification completed by Q1–Q2 2027. Those who wait another 12 months will be chasing contracts they’ve already lost.
Bottom Line
CMMC Level 2 is not coming. It’s here. The manufacturers who treat it as a future problem are the ones who will lose contracts to competitors who treated it as a present one.
The gap between a typical PNW manufacturer’s current posture and a passing C3PAO assessment is real, it’s measurable, and it takes 12–18 months to close. The time to start is now.
Find Out Where You Stand Before Your Next Contract Renewal
An inTech CMMC readiness consultation maps your current environment against all 110 NIST 800-171 controls, identifies your highest-risk gaps, and gives you a realistic remediation timeline — before a prime contractor or assessor does it for you.