If you’re a defense machine shop preparing for CMMC Level 2 certification, your biggest question isn’t about one specific control. It’s actually this: who’s responsible for managing each of the 110 NIST SP 800-171 requirements for CMMC audit preparation?
CMMC compliance doesn’t rest on any single vendor or any single policy. It’s distributed across three interdependent layers:
- The software you use
- Infrastructure that software runs on
- Your own shop’s commitment to enforcing protocols
Understanding how these layers divide and share responsibility is the fastest way to spot actual CMMC audit gaps.
Layer 1: The Application Layer
This is your ERP or manufacturing software. This is the system your team uses every day to manage jobs, documents, quality records, and CUI. An application designed to align with FedRAMP Moderate control requirements, and hosted on FedRAMP-authorized infrastructure, may support substantiation of a meaningful portion of NIST SP 800-171 requirements. That being said, your organization remains responsible for verifying, documenting, and evidencing those controls.
A properly scoped application provides capabilities to support controls like role-based access, audit logging, session management, multi-factor authentication, and data encryption in transit.
However, your organization must still demonstrate that those controls are operative within your specific deployment. That implementation process must be documented in your System Security Plan.
The key word is document. You need to clearly show your auditor that you’re using a qualifying system and that you understand what it covers.
Layer 2: The Infrastructure Layer
Behind every cloud-hosted application is a physical data center. For CMMC audit preparation, that data center must be FedRAMP-authorized. AWS GovCloud is the most common example in defense manufacturing contexts.
The infrastructure layer covers physical security, hardware maintenance, media sanitization, environmental controls, and the network backbone that keeps your data isolated from other tenants. These controls are largely invisible to your team, but they’re critical for your CMMC compliance audit. Your assessor will want evidence you’ve stored CUI in an authorized environment, not on a general-purpose commercial cloud server.
Again, inherited controls require documentation. Your System Security Plan needs to reference your cloud infrastructure provider and articulate what protections they provide.
Layer 3: The Organization Layer
This is where most defense shops have the most work to do. These controls are the sole responsibility of your shop, and they are where audits tend to surface the biggest gaps.
The organization layer covers everything that happens at your facility:
- Who has physical access to your shop
- How you train employees to handle CUI
- Screening and verifying new hires
- Responses to major incidents
- Managing your endpoints
- Whether your policies actually reflect day-to-day activity
Controls like physical access logs, cybersecurity awareness training, insider threat programs, mobile device policies, and incident response plans are entirely your responsibility. No software vendor can own these for you.
These are precisely the controls that C3PAO assessors spend considerable time evaluating. These controls reflect operational discipline that goes beyond just technical configuration.
Layer 4: The Assessment Layer
The fourth layer isn’t a control owner, but the verification mechanism. A Registered Practitioner Organization (RPO) can help you identify gaps before your formal audit. A C3PAO conducts the official CMMC Level 2 assessment and evaluates all three layers to certify compliance.
Every control, every artifact, and every policy you document across the application, infrastructure, and organizational layers will be examined. The better you understand the shared responsibility model for cloud security, the more confidence you have in your evidence for each domain.
Practical Shop Takeaways for CMMC Audit Preparation
The shared responsibility model isn’t a loophole but a framework. Using a qualified ERP on FedRAMP-authorized infrastructure means you start with a meaningful number of controls already substantiated.
It also means you need to understand exactly which controls remain under your shop’s responsibility. You must document your implementation protocols for each layer of control, and demonstrate the evidence to an assessor on demand.
The shops that pass CMMC Level 2 certification the first time aren’t necessarily the ones with the most sophisticated IT infrastructure. They’re the ones that understand the model clearly, close the organizational gaps deliberately, and walk into the assessment room ready to show their work.
Download our Shared Responsibility Matrix to get a comprehensive and well-structured overview of how to manage each of the 110 NIST 800-171 controls across 14 domains. Similarly, if you’re ready to begin your CMMC compliance journey, book a call with our team to discuss how ProShop can be a supportive partner in your CMMC audit preparation journey.
