
Top 10 CMMC FAQs From Machinists

Encouraging education and empowerment through CMMC FAQs to help guide machinists.

CMMC is genuinely complicated, and that’s why so many CMMC FAQs have emerged of late. Shops understand the underlying need to protect sensitive defense information, but they feel overwhelmed by the volume of work. Translating 110 security controls into documented precision machine shop operations requires sound judgment calls.

What counts as CUI when it’s embedded in a G-Code file? Does the requirement flow to your shop if you never see a drawing marked controlled? Where does your prime’s responsibility end and yours begin? These aren’t fringe questions. They’re the CMMC FAQs every defense-serving shop owner is sitting with, often without a clear place to take them.

That’s exactly what surfaced when we opened the floor in our CMMC Shared Responsibilities Webinar. Attendees came in with sharp, specific, operational questions. They’ve done their homework and are seeking clarity that hits real decision points. We’ve pulled the most useful CMMC FAQs together here, along with answers that reflect how CMMC actually applies on the shop floor.

Most Common CMMC FAQs from Customers


1. Can you provide a responsibility matrix for CMMC 2.0? What does ProShop handle vs. what the shop must manage?

CMMC compliance is a partnership, and the clearest way to think about it is through two distinct roles. ProShop is the system, and you are the discipline.

ProShop’s role is to provide the technical controls built into the platform. Those include:

  • Role-based access control with least-privilege permissions
  • Audit logs, with role-based access restrictions and retention controls
  • Session timeouts
  • CUI encryption at rest and in transit
  • System security architecture documentation (including diagrams) for your SSP

These controls are structural: they exist because the system is built that way. Your shop’s role is to configure and operate that system responsibly. That means:

  • Deciding who gets access to which data, and keeping those assignments current
  • Standardizing MFA on your network perimeter and email
  • Enforcing physical security (locking doors, managing visitor logs)
  • Reviewing the audit logs ProShop generates
  • Defining the policies that govern your CUI environment
  • Completing your System Security Plan and POA&M, and delivering staff training

The distinction matters because it shapes how you scope your compliance effort. CMMC compliance spans three layers of responsibility: controls your shop manages, controls ProShop covers, and controls inherited from the underlying hosting cloud. Organizational controls like policies, physical security, and staff training are yours to own.

You can review our Shared Responsibilities Matrix for a deeper understanding of who owns what control to achieve CMMC compliance.


2. Can you describe what a POA&M is?

A Plan of Action and Milestones, or POA&M, is a formal document that identifies security controls you haven’t yet fully implemented. It lays out a specific plan for closing those gaps, including what you’ll do, who’s responsible, and by when.

Think of it as your compliance roadmap for work still in progress. No shop achieves perfect compliance on day one, and CMMC doesn’t expect that. What it does expect is that you can demonstrate an honest, structured, time-bound plan for any controls that aren’t yet met.

A few important caveats. Conditional certification with a POA&M requires an assessment score of at least 88 on the 110-point scale of the NIST SP 800-171 DoD Assessment Methodology (the same methodology behind the SPRS scores submitted under DFARS 252.204-7019/7020). That is a weighted score, not a count of controls: each unmet requirement deducts 1, 3, or 5 points, so a score of 88 does not mean 88 controls implemented. Requirements worth more than 1 point cannot be deferred to a POA&M at all, with one narrow exception for encryption that is in use but not FIPS-validated, and a handful of specific 1-point requirements are likewise excluded; those must be implemented before assessment. Any open POA&M items must be closed within 180 days of the conditional certification and confirmed by a closeout assessment, or the conditional status lapses. These rules live in the CMMC program rule and are subject to program-specific interpretation and regulatory change.

The POA&M is not a workaround; it is a legitimate, and tightly bounded, part of the certification process.
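As an added worked example (not ProShop’s code, and not part of the original post), the script below turns the thresholds above into something you can run against your own gap list. It assumes the scoring scale is the NIST SP 800-171 DoD Assessment Methodology (110 points less weighted deductions, with 3.5.3 and 3.13.11 scored at 3 points instead of 5 when partially implemented) and the POA&M rules of 32 CFR 170.21; it carries point values only for the handful of requirements its sample data uses, and the three sample gap lists are constructed for illustration. Confirm the table and the rule text yourself before relying on the result.

```python
"""Score a NIST SP 800-171 self-assessment and check POA&M eligibility.

Added example for this FAQ; not ProShop's code. Point values cover only the
requirements the constructed sample data uses (partial table from the DoD
Assessment Methodology); eligibility rules follow 32 CFR 170.21.
"""
from dataclasses import dataclass

MAX_SCORE = 110          # 110 requirements, one point each before deductions
CONDITIONAL_FLOOR = 88   # 0.8 x 110, the minimum for a conditional Level 2 certification

# Deduction for a requirement that is NOT fully implemented (partial table).
POINT_VALUES = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.8.6": 1, "3.8.7": 5,
    "3.10.3": 1, "3.10.4": 1, "3.10.5": 1,
    "3.13.8": 3, "3.13.11": 5, "3.13.16": 1,
}

# Two requirements are scored at 3 instead of 5 when partially implemented.
PARTIAL_DEDUCTION = {
    "3.5.3": 3,    # MFA covers remote and privileged access but not general users
    "3.13.11": 3,  # encryption is in use but is not FIPS-validated
}

# 1-point requirements that may never be deferred to a POA&M.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Gap:
    """One requirement that is not fully implemented."""
    req: str
    partial: bool = False

    def deduction(self) -> int:
        if self.partial and self.req in PARTIAL_DEDUCTION:
            return PARTIAL_DEDUCTION[self.req]
        return POINT_VALUES[self.req]

    def poam_allowed(self) -> bool:
        """May this gap sit on a POA&M under 32 CFR 170.21?"""
        if self.req in NEVER_ON_POAM:
            return False
        if self.req == "3.13.11" and self.partial:
            return True  # the single exception for an item worth more than 1 point
        return self.deduction() <= 1


def assessment_score(gaps) -> int:
    """110 minus the weighted deduction for every open gap."""
    return MAX_SCORE - sum(g.deduction() for g in gaps)


def conditional_eligibility(gaps):
    """Return (eligible, blockers). Eligible means a conditional certification
    with every listed gap on the POA&M is possible."""
    blockers = []
    total = assessment_score(gaps)
    if total < CONDITIONAL_FLOOR:
        blockers.append(f"score {total} is below the {CONDITIONAL_FLOOR} floor")
    for g in gaps:
        if not g.poam_allowed():
            blockers.append(f"{g.req} ({g.deduction()} pts) must be implemented before assessment")
    return not blockers, blockers


# Constructed sample gap lists, not real assessment data.
TYPICAL_SHOP = [Gap("3.13.11", partial=True), Gap("3.8.6"), Gap("3.13.16")]
LEGACY_SHOP = [Gap("3.5.3", partial=True), Gap("3.13.8"), Gap("3.10.4")]
UNREADY_SHOP = [Gap("3.1.1"), Gap("3.1.2"), Gap("3.3.1"), Gap("3.8.7"), Gap("3.5.3")]

if __name__ == "__main__":
    for name, gaps in [("typical", TYPICAL_SHOP), ("legacy", LEGACY_SHOP), ("unready", UNREADY_SHOP)]:
        ok, why = conditional_eligibility(gaps)
        print(f"{name}: score {assessment_score(gaps)}, conditional eligible: {ok}")
        for line in why:
            print("  -", line)
```

Notice the second list: a score of 103 is comfortably above 88, yet the shop is not eligible, because partial MFA and a 3-point transmission-encryption gap can't be deferred and a physical access log gap is on the never-defer list. Score and POA&M eligibility are two separate tests, and both have to pass.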


3. Does the CMMC requirement flow down through the entire supply chain, or only to suppliers who directly handle CUI?

CMMC requirements flow down specifically to the parts of the supply chain that handle CUI. If you receive, process, store, or transmit CUI, which in a machine shop usually means controlled technical data such as engineering drawings, material specifications, inspection data, or program details derived from a defense contract, you are in scope for CMMC Level 2.

If you’re a subcontractor and your prime has a CMMC Level 2 requirement, they’re obligated to flow that requirement down to you. The prime cannot absorb your compliance if you handle CUI during your work on the contract. You need your own certification.

If your work on a given contract involves only Federal Contract Information (FCI) and no CUI — for example, purely administrative or logistical data — you may only require Level 1. Don’t assume that, though. Consult your prime and, ideally, a qualified CMMC consultant, and make this decision carefully. Getting the scoping wrong can cost you lucrative contracts.


4. Are shop travelers considered CUI if they contain part numbers, revisions, and customer information?

It depends on what’s on them. For most defense-focused shops, the answer is yes.

If a shop traveler contains technical specifications, part geometries, material requirements, revision levels, or any information derived from a defense contract, it very likely contains CUI. Whether a given item is CUI is determined by the CUI definition in 32 CFR Part 2002, the categories in the NARA CUI Registry, and the markings your customer applies; NIST SP 800-171 only specifies how CUI must be protected once it has been identified.

This is also one of the most common places shops underestimate their CUI footprint. Paper travelers circulate on the shop floor, get filed in binders, or end up in recycling without being treated as controlled information. Each one of those is a potential compliance gap.

If you’re performing defense work, assume your travelers contain CUI until you’ve formally scoped your environment and shown otherwise. That means they must be handled, stored, and disposed of accordingly. This is exactly the kind of operational process ProShop’s digital work order environment is designed to support.


5. Is an enclave or an all-in approach best for a small shop handling mixed commercial and defense projects?

For small shops running a mix of commercial and defense work, the enclave approach is typically the more practical starting point. An enclave defines a specific, bounded environment — a subset of your systems, users, and data — as the scope of your CMMC compliance effort. Only the systems and people that touch CUI need to meet Level 2 requirements. Your commercial work stays outside that boundary.

The advantage of the enclave model lies in cost and complexity. Certifying your entire operation to Level 2 when only a portion of it touches CUI is expensive and unnecessary. A well-scoped enclave reduces the number of systems, users, and controls in scope for your assessment.

The tradeoff is rigor in maintaining that boundary. An enclave only works if the separation between your CUI environment and your general environment is real, documented, and consistently enforced. If CUI leaks across the boundary (through shared email, a common network drive, or a device used for both), the scoping collapses.

ProShop SAFE is specifically designed to support this model. It provides a compliant environment for CUI-related work while allowing your broader ProShop deployment to continue serving your commercial operations. Boundary definition, network segmentation, and organizational controls remain the customer’s responsibility.


6. How do tools like Teams, Slack, and email factor into your SSP? What does it mean if staff use them to share setup photos or information that feeds into ProShop?

Any tool that processes, stores, or transmits CUI is inside your CMMC compliance boundary and must be addressed in your System Security Plan. That includes email, messaging platforms, and file-sharing tools, regardless of whether they were adopted only for quick, informal communication.

The challenge with tools like Teams, Slack, or standard email is that the commercial tiers of these platforms are often not FedRAMP Moderate authorized (or equivalent), which DFARS 252.204-7012 requires of any cloud service that stores, processes, or transmits CUI. Using a non-compliant platform to share a setup photo that contains CUI puts that information outside your controlled environment.

The practical path forward has three parts. First, formally scope your CUI boundary and document which tools are inside it. Second, for tools that need to stay in use, evaluate whether a compliant alternative exists. Third, for tools that can’t be made compliant, don’t allow CUI to pass through them, and say so explicitly in policy.

This is also a staff training issue, which is itself a CMMC requirement. Your team needs to know not just what CUI is, but where it can and cannot travel.


7. Is G-Code considered CUI, assuming there is no metadata identifying tooling, part numbers, or program context?

This isn’t a straightforward yes or no question. The honest answer is that it depends, but you shouldn’t assume it isn’t.

G-Code in isolation, such as generic toolpaths with no identifying information, may not qualify as CUI. In practice, G-Code programs are rarely fully decontextualized. A program tied to a specific part is derived from a defense-contract drawing, and its toolpaths reproduce that part’s geometry. It’s also stored alongside file names, comments, and job records that connect it to a controlled program. Together those mean the program can carry CUI even when the code itself looks generic.

The safest posture for a defense-focused shop is to apply CUI handling procedures to all manufacturing data. If you believe specific elements are genuinely out of scope, work backward from the contract and drawing the data was derived from, and document that reasoning.

If you’re uncertain how to proceed, consult a qualified CMMC Registered Practitioner Organization or your C3PAO. The cost of misclassifying something as non-CUI is much higher than the cost of treating it as CUI when it technically isn’t.


8. What is an example of a CMMC requirement for a CNC machine? What about older machines that rely on USB, keypad input, or DNC?

CNC machines that process, store, or transmit CUI are inside your CMMC compliance boundary. A modern CNC with network connectivity that receives G-Code from a shared drive, or that stores part programs associated with a defense contract, needs to be addressed in your System Security Plan. Requirements that typically apply include:

  • Access control (who can operate or modify programs on the machine)
  • Audit logging where the machine supports it
  • Configuration management (documenting the machine’s software and network connections)

Older machines present a real challenge, especially those that only accept programs via USB, manual keypad input, or legacy DNC serial links, because they typically support neither modern authentication nor logging.

The compliance path for these machines generally follows one of two approaches.

  1. Accept that the machine is a known gap and address it in your POA&M with compensating controls (such as physical access controls, supervised operation, and manual logs)
  2. Scope the machine out of your CUI environment and ensure it never receives CUI data directly

The key principle is that CMMC compliance is about protecting CUI, not about upgrading every piece of equipment on your floor. The CMMC Level 2 scoping guidance treats operational technology such as CNC controllers as Specialized Assets: they must appear in your asset inventory and network diagram and be documented in your SSP along with the risk-based policies you use to manage them, but they are not assessed against the remaining Level 2 requirements. Thoughtful scoping and documented compensating controls can address legacy equipment without wholesale capital investment.


9. Do you have to be AS9100 certified before pursuing CMMC?

No. AS9100 certification is not a prerequisite for CMMC. They are separate frameworks with different governing bodies, different scopes, and different requirements. AS9100 focuses on quality management systems for aerospace manufacturing. CMMC focuses on cybersecurity controls for protecting CUI in the defense supply chain.

That said, shops that have already gone through AS9100 certification often have meaningful compliance infrastructure that transfers well to CMMC preparation. A culture of documented procedures, consistent recordkeeping, management review, and internal auditing is exactly the operational posture that CMMC rewards. If your shop is already AS9100 certified, you’re not starting from scratch on CMMC. You’re extending a discipline you’ve already built.

The reverse is also worth noting. CMMC, done well, strengthens your quality system. Shops that build system-enforced compliance into their daily operations don’t just pass audits more easily. They run more reliably, reduce risk, and have the kind of documentation trail that serves them in every customer relationship.


10. For Canadian shops: how does access to files by non-U.S. persons work with CMMC, and how is ProShop SAFE expected to be deployed for Canadian manufacturers who need Level 2 but don’t have access to AWS GovCloud?

This is one of the most complex intersections in the current CMMC landscape. Canadian shops should approach it with qualified legal and compliance guidance specific to their situation.

When CUI is stored or processed in a cloud service, DFARS 252.204-7012 requires that service to be FedRAMP Moderate authorized or equivalent. AWS GovCloud (US) is one such environment, but account ownership is restricted to U.S. entities and U.S. persons. Separately, access by non-U.S. persons is governed by export controls (ITAR and EAR) and by any dissemination controls marked on the specific CUI, not by CMMC itself, which adds another layer of complexity for any shop with non-U.S. employees who would interact with defense CUI.

Canadian shops pursuing CMMC Level 2 typically need to work through a combination of approaches:

  • Establishing a U.S.-based entity or subsidiary through which the compliant environment is operated
  • Working with a Managed Service Provider that can provide a FedRAMP Moderate (or equivalent) environment accessible from Canada
  • Carefully defining personnel access policies that address the foreign national access question in their SSP


ProShop supports the documentation and process controls relevant to CMMC Level 2 and FedRAMP alignment, but does not guarantee certification or authorization outcomes. Achieving compliance requires organization-wide controls — including physical security, personnel training, and IT management — that remain the responsibility of the manufacturer. ProShop is one component of a broader compliance program. The CMMC FAQs content in these materials is for general informational purposes only.

ProShop cannot guarantee the timeliness, completeness, or accuracy of such materials for a specific manufacturer. As such, the information available in these CMMC FAQs responses is not a substitute for professional, compliance-related advice for a manufacturer’s specific circumstances. This post does not constitute a System Security Plan (SSP), compliance assessment, or advice of any kind. ProShop USA Inc. is not acting as a Registered Practitioner (RP) or Registered Practitioner Organization (RPO) in producing this guide.

The customer action items in this guide are suggested starting points, not a complete or exhaustive compliance program. Your full CMMC Level 2 certification requires an independent assessment by a C3PAO authorized by the Cyber AB. Controls for your facility, endpoints, staff, subcontractors, internal network, and any system outside the ProShop application boundary fall under your responsibility. This post is not meant to signify compliance with DFARS 252.204-7012, ITAR, EAR, or any other legal, contractual, certification, or regulatory regime of any kind.