We recently hosted a webinar with Brian Kirk, Director of Information Assurance & Cybersecurity at Cherry Bekaert, an authorized C3PAO. As an active assessor, Brian provides a “view from the other side of the table” for shops pursuing CMMC Level 2 controls and certification.
The session focused on one critical question: who is actually responsible for implementing and maintaining the 110 CMMC Level 2 controls?
Many machine shops fall into a common trap, believing that buying the right software and checking a few boxes will make compliance take care of itself. In reality, CMMC Level 2 controls are managed across four distinct layers. Understanding these layers prevents you from wasting time and budget on requirements that ProShop and AWS GovCloud already handle.
That’s what this session was built to provide, and here’s the substance of our conversation.
Compliance is a Shared Stack, Not a Solo Burden

The responsibility for the 110 CMMC Level 2 controls is shared across the platform, the infrastructure, and your organization. Here is how the requirements break down:
- Fully Inherited Controls (41 controls): These are handled at the platform and infrastructure level by ProShop and AWS GovCloud. Over one-third of your compliance burden is managed for you, requiring no independent build or maintenance at the shop level.
- Shared Controls with ProShop (52 controls): ProShop maintains the platform that enforces these controls, but your shop is responsible for execution, such as training users to document CUI in secure endpoints and enforcing internal access policies.
- Shared Controls with AWS (6 controls): These involve physical protection. While AWS GovCloud secures the data center layer, your shop must maintain user-based controls to ensure unauthorized parties cannot access CUI on your shop floor.
- Customer-Owned Controls (11 controls): These sit squarely on your shoulders. They primarily relate to security awareness, personnel screening, and internal facility procedures. Only shop management can implement these organizational policies.
Layer 1: The Application Layer (ProShop)
ProShop manages secure application architecture, audit logs, and access control workflows. We provide the technical framework necessary for your System Security Plan (SSP), including hardening guidance aligned with NIST SP 800-171 and our SAFE+ (Secure Access File Ecosystem) for CUI management.
Think of ProShop as a “flight recorder” for manufacturing. It automatically captures:
- Who accessed CUI and when.
- What changes were made to documents or settings.
- Unauthorized access attempts.
We are also introducing Record Classification. This allows you to tag specific records (like work orders or part numbers) so that any downstream records or attached CUI drawings inherit those protections. This creates a clear, auditable boundary within the system.

Note for Current Customers: To achieve CMMC certification, you must transition from our Commercial Cloud to our FedCloud package. While the interface remains the same, the hosting environment changes to meet federal requirements. Reach out to your CSM to discuss this transition.
Layer 2: The Infrastructure Layer (AWS GovCloud)
When ProShop hosts your environment on AWS GovCloud, you inherit the physical and environmental security of that data center. This covers the physical security of the servers, data center perimeter controls, encryption in transit and at rest, and disaster recovery. These are inherited controls that belong to AWS, but you must still be able to show auditors that you control the key.
Layer 3: The Organizational Layer (You)
This is the layer no software can solve for you. Your shop is responsible for:
- Physical Security: Securing your facility and ensuring firewalls/endpoint protection are on every device.
- Personnel Security: Documenting background checks and insider threat awareness training.
- Operational Discipline: Promptly deprovisioning terminated employees and enforcing “least-privilege” access.
ProShop acts as the central repository for this evidence. You can store training completions and policy acknowledgments within ProShop’s QMS Module, ensuring evidence isn’t scattered across emails or shared drives when an auditor arrives.

However, the underlying discipline has to come from your shop. If you’re managing any CMMC-related work outside the system — in spreadsheets, email threads, or a shared drive — that’s precisely the kind of gap an assessor will find.
Layer 4: The Assessment Layer (RPO & C3PAO)
A key takeaway from our session was the distinction between an RPO and a C3PAO:
- The RPO (Registered Provider Organization): Your “coach.” They spot gaps, define CUI boundaries, and help build your SSP.
- The C3PAO (Certified 3rd Party Assessment Organization): The “referee.” They conduct the official assessment, test your controls, and grant certification.
Important: ProShop cannot act as a C3PAO. Any vendor claiming they can “certify” you themselves is providing misleading information that could lead to audit failure.
What Auditors Are Actually Looking For
CMMC assessment is an evidence-based verification. Assessors operate in three modes: Examine documentation, Interview staff, and Test implementations.
According to Brian, the four areas where manufacturers are most exposed are:
- Incomplete asset inventories
- Inadequate System Security Plans (SSPs)
- “Paper policies” with no evidence of actual execution
- Non-compliant third-party vendors (ERP or Cloud)
Remember that the ultimate responsibility for enforcing CMMC Level 2 requirements falls on your shoulders. Armed with the knowledge from our latest webinar, here are proactive steps you should take to begin your CMMC Level 2 journey.
- Ask your current software vendors whether their hosting environments are FedRAMP Moderate-aligned
- Determine whether they support FIPS 140-2 validated encryption
- Inquire about how they handle data sovereignty
- Find out if they provide a Shared Responsibility Matrix
Responses to these questions will help move you along your CMMC Level 2 journey. If you hear “no” in response to any of them, or if the vendor hems and haws, that’s a serious risk to your compliance posture. To stay compliant and keep defense contracts, you’ll need new software.
Additionally, you can run your own CMMC self-assessment to prepare for a formal CMMC Level 2 audit. These readiness tips Brian shared are practical, sequenced, and aligned with what a C3PAO will validate in a CMMC audit.
- Identify how CUI impacts business operations
- Define and document your authorization boundary
- Build a complete SSP that addresses all assessment objectives
- Conduct a complete asset inventory
- Run a mock assessment or gap analysis before you go to certification
A Note on ProShop’s FedRAMP Path
We mentioned this in the session and it’s worth being direct about here as well. ProShop is on track to achieve FedRAMP Moderate Equivalency, with a target completion of June 2026.
ProShop customers need an ERP partner who doesn’t cut corners on data security. A non-compliant ERP platform is one of the most common gaps Brian identified that leaves shops at risk of failing CMMC audits. When auditors ask whether your software vendor’s hosting environment meets federal security standards, the answer should be unambiguous. Once our FedRAMP Moderate Equivalency assessment is complete (target June 2026), it will be unambiguous for every ProShop customer.
The Hero Model is Broken
Before we close, it’s worth naming the pattern that underlies almost every compliance failure we see in shops at this stage. There’s one person — the quality manager, the IT person, the owner — holding the entire compliance posture together through vigilance and tribal knowledge. The process exists in their head, and things get done because they remember to make them happen. If that person leaves, or simply takes a vacation, the compliance leaves with them.
Auditors are looking for documented, systematic evidence, not good intentions. If your compliance depends on someone remembering to do the right thing, you’re running on a system of hope, which is not good enough to pass an audit.
The path out of the Hero Model isn’t hiring more people or building more checklists. It’s moving to a system where controls are embedded in the workflow — enforced by the platform, logged automatically, independent of any individual. It’s where documentation errors are treated with the same seriousness as part defects. That’s the standard CMMC Level 2 controls hold you to, and it’s the standard ProShop is built to help you meet.
Where to Go From Here
Getting CMMC-ready is a significant investment in time, money, and organizational change. We built the Shared Responsibility Matrix, record classification, and our Federal Cloud package to carry as much of that infrastructure burden as the platform can. The rest, we’ve tried to make as clear and manageable as possible.
That starts with resources like this one. Watch the full webinar recording of our discussion with Brian to help begin your self-assessment. We also have a CMMC Level 2 compliance resource page, which contains all our helpful resources about how to prepare for CMMC Level 2. If you have questions specific to your shop’s situation, our team is available and so is Brian’s at Cherry Bekaert.

Shops that move now will be certified while their competitors are still figuring out where to start. That gap won’t last forever.
