CMMC Compliance Resource Hub
Supporting Your CMMC Level 2 Compliance Journey
CMMC auditors won’t ask you to explain your process, but to show your system can prove it. If the ERP where your CUI lives isn’t in a FedRAMP-equivalent environment, you’re non-compliant by default, regardless of everything else you have done right.
Don’t build a bank vault in your office. ProShop built it to federal standards. You just need to rent the safety deposit box.
Why CMMC Matters
What CMMC Level 2 Compliance Actually Means for Your Shop
CMMC isn’t a far-off concern. It’s already showing up in contracts, and it affects your ability to compete for the work you have today, not just tomorrow.
Impact on Existing & Future Contracts
Primes are asking suppliers for SPRS scores today — before 2026 deadlines. Proactively pursuing CMMC Level 2 helps win new work and keep what you already have.
Formal Audit by a Certified Assessor
Auditors want proof of your process. Level 2 requires a third-party C3PAO audit every three years. Each answer must be documented and systematic, not a well-intentioned explanation.
110 Specific Security Controls
Level 2 maps to all 110 controls in NIST SP 800-171. ProShop covers infrastructure-level controls within its defined boundary, so you’re not starting from zero.
Certification Takes 6–18 Months
Gap assessment, remediation, C3PAO scheduling — it all takes longer than most shops expect. The ones that start now will be certified when contract windows open.
Want to get a head start on preparing your CMMC Level 2 readiness journey? Our CMMC Starter Guide is purpose-built to help you take control of all 110 CMMC security controls.

Shared Responsibility
You Don’t Have to Solve CMMC Alone
CMMC compliance spans three layers — your shop, ProShop’s platform, and your hosting environment. Here’s who owns what, so nothing falls through the cracks.
Your Shop
YOU OWN THIS

The people, policies, and physical environment no software can replace.
Policies, training & personnel security
Physical access controls & facilities
Incident response planning
SPRS score submission & affirmations
RPO consultants
Identifying & scoping CUI flows
ProShop ERP
PROSHOP COVERS THIS
Role-based access controls & permissions
Fixed audit logs & traceability
Digital chain of custody for CUI
FedRAMP Moderate Equivalency is in active 3PAO assessment, targeting June 2026
Evidence generation for audit review
AWS Hosting
AWS GOVCLOUD
Physical data center security
Network boundary protection
Infrastructure-level encryption
AWS cloud environment that’s current and complete
System availability & redundancy

Don’t leave any CMMC Level 2 compliance controls to chance.
ProShop’s Laura Curk and Paul Van Metre join Cherry Bekaert C3PAO Director Brian Kirk, leading a detailed discussion about CMMC shared responsibilities.
DoD Timeline
Phased Implementation Timeline
The DoD is rolling out CMMC requirements in four phases over three years. Know where you stand today and what future CMMC updates mean for your shop tomorrow.
Nov. 10, 2025
Phase 1
LIVE
Level 1 & Level 2 self-assessments required in applicable solicitations.
Nov. 2026
Phase 2
Level 2 C3PAO mandatory assessments if you manage CUI.
Nov. 2027
Phase 3
Level 3 certification requirements begin for high-sensitivity programs.
Nov. 2028
Phase 4
FULL
Full program implementation across all contract levels and requirements.
Where ProShop Stands
We’re On This Journey Too
ProShop completed our System Security Plan and entered independent 3PAO assessment of our FedRAMP Moderate-aligned environment in early 2026, targeting completion by the end of June.
We’re not asking you to trust a roadmap, but to proactively begin your readiness journey alongside a platform that’s building the infrastructure to support it. When assessment completes, customers on our FedRAMP Secure tier will be able to store CUI in our environment with the documented, federal-grade proof their auditors require.
Resource Library
Start Here. Go at Your Own Pace.
Built for shop owners, not IT consultants. Whether you’re just getting CMMC-oriented or deep into preparation, these resources will guide you from the beginning to the end of your CMMC Level 2 journey.
“ProShop gave us the framework to be ready to support those aerospace customers. It allowed us to really easily have great traceability on our work orders and be able to build really robust document packages easily.”
– David Bamforth, Rennscot MFG

Free Guide
CMMC Starter Guide for Machine Shops
New to CMMC? Start here. This guide covers what Level 2 requires, what changed in November 2025, and exactly what ProShop covers versus what stays with you.
Free Guide
Why Added Vigilance Won’t Pass a CMMC Audit
Doing things carefully isn’t enough. C3PAO auditors need documented, systematic proof. This guide shows what separates a shop that tries hard from one that passes an audit.


On-Demand Webinar
CMMC for Machine Shops: Who Does What and What You Do Next
ProShop’s Laura Curk and Paul Van Metre join Cherry Bekaert C3PAO Director Brian Kirk to walk through shared responsibility in plain language. Plus, get a concrete checklist of next steps.
Free Checklist
CMMC Self-Assessment Guide: Score Your Shop Across All 14 Domains
Know your gaps before an auditor does. This guide scores your shop across all 14 CMMC domains so you can see your exposure clearly — on your own time.


On-Demand Webinar
Who Owns What: Understanding Shared Responsibility in CMMC Compliance
In this webinar, the ProShop team is joined by a certified C3PAO assessor to break down the Shared Responsibility model in plain terms.
Free Resource
CMMC Shared Responsibility Matrix
Support your compliance posture and be ready for any audit. From access control and identity management to incident response and media protection, have a ready reference when evaluating your CMMC and defense contracting needs.


Free Resource
CMMC System Security Plan (SSP) Template
Streamline your path to compliance with our CMMC SSP Template. Designed for organizations aiming for CMMC Level 2, this resource helps you document how your system protects Controlled Unclassified Information (CUI).
Common CMMC Questions
Can you provide a responsibility matrix for CMMC 2.0? What does ProShop handle vs. what is the shop responsible for?
Think of it this way: ProShop is the system, you are the discipline. ProShop provides the technical infrastructure, including audit logs protected by role-based access restrictions and retention controls. You own the organizational controls: defining who gets access, enforcing MFA, physical security, reviewing logs, and completing your SSP and POA&M. CMMC compliance spans three layers of responsibility: controls your shop manages, controls ProShop covers, and controls that fall to the hosting cloud provider. You can learn more about these shared responsibilities with our shared responsibility matrix.
What is a POA&M, and how does it factor into my CMMC assessment?
A Plan of Action and Milestones (POA&M) is a formal document that identifies controls you haven’t yet fully implemented and lays out a time-bound plan to close those gaps. The DoD requires a minimum score of 88 out of 110 controls to be eligible for conditional certification with open POA&M items (applies specifically to SPRS scoring under DFARS 252.204-7019/7020, and is subject to program-specific interpretation and regulatory change). All items must be resolved within 180 days. Critical controls cannot be deferred to a POA&M at all.
Does the CMMC requirement flow down to every supplier, or only those who handle CUI?
CMMC requirements flow specifically to the parts of the supply chain that handle CUI. If you receive, process, store, or transmit Controlled Unclassified Information as part of a defense contract, you are in scope for Level 2, and your prime cannot absorb that compliance on your behalf. If your work involves only Federal Contract Information (FCI) with no CUI, Level 1 may apply. When in doubt, confirm your scope with your prime contractor.
Are shop travelers considered CUI if they contain part numbers, revisions, and customer information?
For most defense shops, yes. If a digital or paper traveler contains technical specifications, revision levels, or information derived from a defense contract, it very likely contains CUI. This is one of the most common places shops underestimate their CUI footprint. If you’re performing defense work, treat your travelers as CUI until a formal scoping exercise confirms otherwise.
Is an enclave or an all-in approach better for a small shop handling mixed commercial and defense work?
For most small shops, an enclave is the more practical starting point. It limits your compliance scope to only the systems and people that touch CUI, which reduces cost and complexity significantly. The tradeoff is maintaining a real, documented boundary between your CUI environment and everything else. ProShop SAFE is designed specifically to support this model. Boundary definition, network segmentation, and organizational controls remain the customer’s responsibility.
How do tools like Teams, Slack, and email factor into my SSP?
Any tool that processes, stores, or transmits CUI is inside your compliance boundary and must be addressed in your System Security Plan. Most commercial versions of Teams, Slack, and standard email are not FedRAMP Moderate authorized, meaning CUI should not travel through them. This is also a staff training issue: your team needs to know not just what CUI is, but where it cannot go.
Is G-Code considered CUI if it has no metadata identifying part numbers or tooling?
It depends, but don’t assume it isn’t. G-Code in full isolation may not qualify, but in practice, programs tied to a specific defense-contract part or stored alongside identifying metadata likely carry CUI implications. The safest posture is to apply your CUI handling procedures to all manufacturing data associated with a defense contract and work backward from there if you believe specific elements are genuinely out of scope.
What is an example of a CMMC requirement for a CNC machine, and how do I handle legacy machines?
Any CNC machine that receives, stores, or processes defense-contract programs is inside your CMMC boundary and must be addressed in your SSP. This includes access control, configuration management, and logging where the machine supports it. For legacy machines that rely on USB, keypad, or DNC and can’t support modern controls, you’ll need physical access restrictions, supervised operation, and manual logs documented in your POA&M.
Do I need AS9100 certification before pursuing CMMC?
No. AS9100 and CMMC are separate frameworks with different governing bodies and scopes. That said, shops that are already AS9100 certified have meaningful infrastructure that transfers well, such as documented procedures, consistent recordkeeping, and a culture of internal audits. If you’re AS9100 certified, you’re not starting from scratch on CMMC, but extending a discipline you’ve already built.
For Canadian shops: how does CMMC apply, and how does ProShop SAFE deploy without access to AWS GovCloud?
This is one of the most complex intersections in the current CMMC landscape, and Canadian shops should engage qualified legal and compliance guidance specific to their situation. CMMC Level 2 requires a FedRAMP Moderate authorized environment for CUI, and AWS GovCloud is restricted to U.S. persons and entities. Canadian manufacturers typically need a U.S.-based entity or a Managed Service Provider that can provide a compliant environment.
Ready to See Where Your Shop Stands?
CMMC certification takes 6 to 18 months, so starting now means you’re certified when 2026 contract windows open. Our team shows you where ProShop maps to your CMMC Level 2 requirements, and where remaining work sits. No pressure, no jargon.