Securing the Defense Manufacturing Supply Chain for CMMC Compliance
The Cybersecurity Maturity Model Certification (CMMC) does not stop at the prime contractor. It flows down through every tier of the defense supply chain to any organization that handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) as part of a defense contract. For parts manufacturers in that supply chain, the engineering systems, ERP platforms, MES environments, and API connections that process, store, or transmit CUI are directly in CMMC scope.
StratoKey provides data protection products that help organizations satisfy specific NIST SP 800-171 controls and store regulated data on-premises or in their FedRAMP-authorized environment. It is not a C3PAO and does not provide CMMC compliance advice. For advice, assessment and certification, consult an accredited C3PAO via the Cyber AB Marketplace.
How CMMC Flow Down Works
Under DFARS 252.204-7021, prime contractors must include CMMC requirements in every subcontract where CUI or FCI is handled, at every tier of the supply chain. Compliance is not optional. It is a condition of award.
The required level is not simply copied from the prime. Under 32 CFR §170.23 it is determined by two factors: what information is being shared, and what assessment type the contracting entity above holds. A subcontractor receiving CUI from a prime that requires Level 2 (C3PAO) needs Level 2 (C3PAO). A subcontractor receiving only FCI needs Level 1 regardless of what the prime holds.
The flow-down stops where CUI and FCI stop. If a subcontractor does not receive, process, store, or transmit either, CMMC does not apply to them.
Read more: CMMC Flow Down Requirements 2026: What Major Defense Primes Are Requiring From Subcontractors
The flow-down chain looks like this:
| Tier | Who | Data | Obligation |
| --- | --- | --- | --- |
| DoD | Contracting authority | FCI and/or CUI | Specifies the required CMMC level and assessment type in the solicitation via DFARS 252.204-7025. |
| Prime contractor | Defense OEM or systems integrator | FCI and/or CUI as per contract | Must hold the required CMMC level. Must identify what FCI or CUI will be shared with each sub, include the CMMC clause in every relevant subcontract, and confirm the sub holds a current CMMC status at the appropriate level before sharing any data. |
| Tier 1 subcontractor | Major component supplier | FCI and/or CUI flowed down by the prime | Must meet the CMMC level that matches the data they receive and the prime's own assessment type under 32 CFR §170.23. Must flow the same obligation to any of their own subs who will touch that data. |
| Tier 2+ subcontractor | Parts manufacturers, specialty fabricators | FCI and/or CUI flowed down by Tier 1 | Same obligation as Tier 1. The required CMMC level is determined by the data received and the assessment type held by the contracting entity above them, not by their position in the chain. |
CUI in a Manufacturing Environment
For a defense manufacturer, CUI is not sitting in one place. It moves through multiple systems of record as part of daily work. NIST SP 800-171 Rev 2 requires that CUI be protected wherever it is processed, stored, or transmitted. That covers every system in the table below.
| System of Record | What it does | Typical CUI |
| --- | --- | --- |
| ERP (Enterprise Resource Planning) | Manages contracts, procurement, financials and inventory. | Contract line items, pricing tied to defense programs, supplier data, sales orders, BOMs, work orders, travelers, etc. |
| PLM (Product Lifecycle Management) | Manages engineering design and revision history. | Technical drawings, CAD files, specifications. |
| MES (Manufacturing Execution System) | Manages production execution on the shop floor. | Work instructions derived from technical data packages. |
| QMS (Quality Management System) | Manages quality documentation and certification records. | Test results, inspection records, certification documents returned to the prime. |
Where Systems Are Hosted Matters
Not all hosting environments are equal. The obligation to protect CUI is the same regardless of where a system sits. What changes is how that obligation is met and who is responsible for what.
Many of the systems of record manufacturers use run on commercial cloud. If CUI is present, the standard commercial tier is rarely sufficient for CMMC, because under DFARS 252.204-7012 any cloud service provider (CSP) that processes, stores, or transmits CUI must meet the FedRAMP Moderate baseline or an approved equivalent.
A CSP is any external company providing platform, infrastructure, application, or storage services where CUI is present. That includes cloud-hosted ERP, file sharing platforms, and collaboration tools commonplace in manufacturing.
If the service offering does not appear in the FedRAMP Marketplace at Moderate or higher, the contractor is responsible for obtaining evidence of equivalency and providing it to their C3PAO at assessment.
| Hosting type | What it means for CMMC |
| --- | --- |
| On-premises | Fully in scope. The contractor owns the infrastructure and is directly responsible for all 110 NIST SP 800-171 controls. |
| Commercial cloud (standard SaaS) | If CUI is present, the specific service offering must be FedRAMP Authorized at Moderate or higher. |
| Government or defense-grade cloud (e.g. Microsoft 365 GCC High, Azure Government, AWS GovCloud) | Purpose-built for CUI. These offerings are FedRAMP Authorized at Moderate or higher. |
| Third-party managed or hosted services | If the provider processes, stores, or transmits CUI, their services fall within the contractor's CMMC assessment scope. |
Scenario: A Precision Parts Manufacturer
A precision manufacturer produces components for a defense prime. Their work includes CUI specifications. Their prime holds Level 2 (C3PAO) and has communicated that the CUI being shared means the manufacturer also needs to meet CMMC Level 2 (C3PAO) under 32 CFR §170.23.
The diagram shows a simplified example of CUI moving through the precision manufacturer's connected systems.
[Diagram: CMMC Supply Chain CUI Issues]
The prime sends two types of information into the manufacturer's environment. The technical data package containing drawings and specifications (CUI) is transmitted into the PLM system before production begins. The purchase order arrives and is entered into the ERP, carrying contract line items (parts), pricing, and contract data (FCI and CUI).
From there, CUI moves through every operational system. The ERP and PLM both feed the MES with work orders and drawing references. The MES passes work instructions down to the shop floor. Production results flow from the shop floor into the QMS, which generates certification and test records.
Every blue system in the diagram (ERP, PLM, MES, and QMS) stores, processes, or transmits CUI. Every one is in scope for CMMC Level 2.
Standard controls such as MFA, SSO, and firewalls are likely already in place. The problem is that none of them protect the data itself. CUI sits in plain text inside each of those systems.
That is what a C3PAO assessor will test against.
Where CUI Is Exposed to Non-Compliant Environments
The scenario above is a normal operating environment. The problem is that CUI is exposed at multiple levels and standard controls do not address them.
The most fundamental issue is hosting. Most ERP, PLM, MES, and QMS platforms are standard commercial SaaS products that are not FedRAMP authorized. Under DFARS 252.204-7012, any cloud service provider handling CUI must meet the FedRAMP Moderate baseline or an approved equivalent. A platform that is neither FedRAMP authorized nor able to demonstrate equivalency has a gap a C3PAO assessor will find before they look at a single access control.
Beyond hosting, there are four data-level exposure points, each with direct control requirements under NIST SP 800-171.
CUI at Rest
ERP, PLM, MES, and QMS all store CUI in their systems. A compromised credential, an over-privileged role, an unauthorized API request, or direct database access exposes it in full. NIST SP 800-171 requirement 3.8.1 requires CUI to be protected on organizational systems and media. Requirement 3.8.6 requires CUI to be sanitized or destroyed before disposal or reuse of system media. Plain-text storage in a standard SaaS platform meets neither requirement without additional data-layer protection such as tokenization or field-level encryption.
CUI in Transit
CUI moves constantly in this environment. Technical data packages arrive via file transfer. Purchase orders come in via API. Drawing references pass between PLM and MES. Certification documents go back out to the prime. HTTPS encrypts the transport channel. It does not inspect or govern the CUI payload within it.
CUI Accessed by Users
Role-based access configured inside an ERP or PLM controls who can log in and what screens they can reach. It does not enforce access at the data level: a user with system access (such as a SaaS vendor technical employee) may be able to see CUI beyond what their role requires. Application logs record system-level events. They are not designed to produce the data-level audit trail a C3PAO assessor will look for under 3.3.1 and 3.3.2. A governance layer at the data level is what closes both gaps.
CUI Accessed by Machines
API connections and internal system integrations carry the same CUI protection obligation as user access but receive far less scrutiny. Requirement 3.13.8 requires CUI to be protected during transmission using cryptographic mechanisms. Requirement 3.3.1 requires audit records of all system activity involving CUI, including automated processes and API connections. In most manufacturing environments, neither is consistently in place for machine-to-machine connections.
Solving the Exposure Problem With StratoKey Cloud Data Protection Platform
StratoKey is a Cloud Data Protection (CDP) platform that operates as a gateway. It sits between the outside world and the manufacturer's systems (ERP, PLM, MES, and QMS) and intercepts every request and response passing through. The underlying systems do not need to be modified.
The platform is deployed inside the customer's own FedRAMP-authorized environment, either in their cloud or on-premises. CUI exists in a readable form only inside the customer's FedRAMP environment, under customer-controlled keys. It is never readable outside that boundary at any stage.

Removing CUI from Non-FedRAMP Systems of Record
Most manufacturers are not going to replace their systems of record, of which there are generally several. The practical solution is to remove CUI from those systems entirely. StratoKey intercepts CUI before it reaches the manufacturing systems of record, encrypts it, and stores it in the token vault. The ERP, PLM, MES, and QMS receive tokens. They never hold raw CUI and are therefore no longer in scope as CUI-processing platforms under DFARS 252.204-7012. Requirements 3.8.1 and 3.8.6 are met at the vault layer, under customer-controlled keys, inside the customer's FedRAMP-authorized environment.
Governing User Access to CUI
The user gateway governs all user access. When an engineer requests a drawing from the PLM system, the gateway checks identity and entitlement, retrieves the encrypted value from the token vault, de-tokenizes it inside the customer's FedRAMP-authorized environment, and presents it to the authorized user. An unauthorized user receives a token only. Every access event is logged: who accessed what, when, and from where. Requirements 3.1.1 and 3.1.2 are enforced at the gateway. Requirements 3.3.1 and 3.3.2 are met through the gateway audit log.
Governing API & Machine Access
The API gateway applies the same approach: it tokenizes and encrypts CUI within API payloads, enforces access control on machine-to-machine connections, and produces audit logs.
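The gateway flow described in the three sections above (tokenize on ingress, keep the only readable copy in a vault under a customer-held key, de-tokenize only for an entitled user or machine identity, log every attempt at the data level) can be modelled in a few dozen lines. The block below is an added illustration written for this article; it is not StratoKey's code and does not reflect its internal design. The `Gateway`, `tokenize`, `read` and `run_scenario` names, the `tok_` token format, the principals and the drawing text are all constructed for the example. The cipher is a stand-in assembled from `hashlib` and `hmac` so the block runs on the Python standard library alone; a production vault would use a FIPS-validated AES-GCM implementation in its place.

```python
# Added example (not StratoKey's code): a minimal model of the gateway flow the
# article describes. CUI is tokenized on ingress, the only readable copy lives
# in a vault inside the protected boundary under a customer-held key, and
# de-tokenization happens only for an entitled principal, with every attempt
# written to a data-level audit log. The cipher is a stand-in built from
# hashlib/hmac so the block runs on the standard library alone; a real vault
# would use a FIPS-validated AES-GCM implementation instead.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_PREFIX = "tok_"   # assumed token format, chosen for this example only
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with SHA-256 (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; a tampered vault record is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Gateway:
    key: bytes                      # customer-controlled key; never leaves the boundary
    entitlements: dict              # principal -> set of CUI classes it may read
    vault: dict = field(default_factory=dict)   # token -> (cui_class, encrypted value)
    audit: list = field(default_factory=list)   # data-level audit trail (3.3.1 / 3.3.2)

    def _log(self, principal, action, token, cui_class, allowed, source):
        self.audit.append({
            "ts": time.time(), "principal": principal, "action": action,
            "token": token, "class": cui_class, "allowed": allowed, "source": source,
        })

    def tokenize(self, principal: str, cui_class: str, value: str, source: str) -> str:
        """Ingress path: the system of record only ever receives the token."""
        token = TOKEN_PREFIX + secrets.token_hex(12)
        self.vault[token] = (cui_class, encrypt(self.key, value.encode()))
        self._log(principal, "tokenize", token, cui_class, True, source)
        return token

    def read(self, principal: str, token: str, source: str) -> str:
        """Egress path, shared by the user gateway and the API gateway.
        Entitled principals get the CUI back; everyone else gets the token only."""
        record = self.vault.get(token)
        cui_class = record[0] if record else None
        allowed = record is not None and cui_class in self.entitlements.get(principal, set())
        self._log(principal, "read", token, cui_class, allowed, source)
        if not allowed:
            return token
        return decrypt(self.key, record[1]).decode()


def run_scenario() -> dict:
    """Walks the precision-parts scenario with constructed sample data."""
    gw = Gateway(
        key=secrets.token_bytes(32),
        entitlements={
            "engineer@mfg.example": {"drawing"},   # authorized user
            "mes-integration": {"drawing"},        # authorized machine identity
            "saas-vendor-support": set(),          # platform-level access, no CUI entitlement
        },
    )
    # Constructed sample: one drawing reference from the prime's technical data package.
    token = gw.tokenize("prime-ingest", "drawing", "PN-4471 rev C, tolerance +/-0.01 mm", "sftp")
    return {
        "plm_stores": token,   # the PLM holds a token, never the CUI itself
        "engineer": gw.read("engineer@mfg.example", token, "10.20.0.15"),
        "mes_api": gw.read("mes-integration", token, "mes.internal"),
        "vendor": gw.read("saas-vendor-support", token, "vendor-vpn"),
        "unknown_token": gw.read("engineer@mfg.example", "tok_doesnotexist", "10.20.0.15"),
        "audit_allowed": [r["allowed"] for r in gw.audit],
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Two points the scenario makes concrete: the vendor-support principal has full platform access in the model yet receives only the token, because entitlement is evaluated per CUI class at the gateway rather than per screen in the application; and the machine identity takes exactly the same path as the engineer, so API access produces the same audit record a user access does.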
The Benefits of Using the Cloud Data Protection Platform
- CUI is removed from non-FedRAMP systems via tokenization without replacing them, reducing scope and cost.
- The token vault sits inside the customer's own FedRAMP authorized environment under customer-controlled keys.
- Subcontractor access down the supply chain to CUI can be governed and logged, reducing risk.
- Authorized users and machines access CUI through a governed, logged proxy layer.
- Unauthorized users and machines receive tokens only; a breach that exposes a token does not expose CUI.
- Audit trail across user and API access supports CMMC assessment evidence requirements.
- Tokenization and encryption at the data layer directly address NIST SP 800-171 requirements 3.1, 3.3, 3.8, and 3.13.
- Deployable on-premises or in the customer's own cloud environment.
Secure Your Manufacturing Systems Before CMMC Compliance Audits
CMMC assessments are now active. Phase 1 enforcement began November 2025 and C3PAO schedules are filling fast. For manufacturers handling CUI, the window to close gaps before a formal assessment is narrowing.
If you are a defense manufacturer looking to secure your environment ahead of a CMMC audit, get in touch.