5 Lessons Learned on Our Journey to CMMC Level 2 Compliance

CMMC
Written By Justin Quinn

By Justin Quinn, Owner of Focused on Machining

At Focused on Machining, we are fully prepared to support your CMMC Level 2 projects with our precision machining. But that compliance didn’t happen overnight.

When the CMMC framework was first announced, I knew how essential compliance would be for our customers involved in defense work. And as a veteran, that responsibility is personal to me. I quickly learned, however, that being among the first to tackle this challenge would come with unique challenges. 

With the DoD beginning to enforce CMMC requirements, many shops are now facing the journey we’ve completed. To help other CNC machine shops, I want to share several lessons we learned along the way. I’ve also got one important recommendation for OEMs and primes navigating these early days of CMMC.

Why You Need an Experienced Partner

When the Department of Defense introduced the first version of the CMMC program in 2020, we immediately began investigating the certification process. At this time, no IT providers had any meaningful experience with the brand-new requirements, and the framework would continue to evolve for years to come.

Our existing IT provider was transparent about their lack of experience in the area, but they offered to help in any way they could. They had been trustworthy partners on other issues for many years, and I decided to take them up on their offer.

It quickly became clear that it would simply take too long to have a partner who was learning alongside me. I thanked them for their transparency and switched to a new IT company.

Lesson 1: If a partner tells you they’re not ready, it’s best to keep searching.

The Importance of Due Diligence

When we selected our second CMMC IT partner, they presented themselves as having deep CMMC expertise. At that point in time, it was still difficult to validate those types of claims, as everyone was still learning what CMMC would eventually become. With few established benchmarks or references available, we made the best choice we could at the time.

As the relationship continued, I began asking more detailed CMMC questions. Their responses were broad and vague, which made it clear their supposed expertise had just been in pursuit of sales.

Lesson 2: In the early days, it was hard to verify a potential partner’s expertise. Today, you have more available to you. Ask technical, requirement-based questions and request proof of prior CMMC work before choosing a partner.

Don’t Go It Alone

After my first two IT partnerships, I had made some progress on CMMC, but not enough. I briefly decided to handle CMMC myself. I love a challenge, and I’d previously led our certification efforts to become an AS9100 machine shop. I figured if I was intelligent enough to rebuild Air Force engines, I could handle this process. 

But CMMC is different. The requirements are dense and technical, and some sections genuinely felt like reading a foreign language. I eventually decided I needed help from professionals.

Lesson 3: As a machine shop owner, you cannot effectively achieve CMMC Level 2 certification alone. Even if you’re strong in IT and have led other certification efforts, it’s simply a different beast.

Find the Right Partner and Work in Phases

At this point, I was committed to finding an experienced partner and doing extensive due diligence. I interviewed multiple firms that were able to provide clear proof of their expertise in CMMC. 

Ultimately, I found the right partner in Imprimis in Colorado Springs. Their owner has decades of experience working with the DoD, and the firm specializes in CMMC work. They have been key to our success, and I recommend them to any other Colorado machine shop going through this process.

It’s important to note that, even after finding the right partner, the path to CMMC Level 2 certification is a marathon and not a sprint. Our process has included months of significant work followed by stretches of slower progress due to bottlenecks or reviews. That’s relevant to your expenses too, as some months will have significant costs, while others will be lower.

Lesson 4: Achieving CMMC certification takes place in stages, and it takes time. This structure helps distribute the spending and workload over time, but it also means the process is lengthy. Start early, well before a partner requires you to be certified.

What Primes Need to Know

These lessons have primarily been for other machine shops, but I do have a final message for our customers and primes. In many early CMMC contracts, Level 2 work begins with a self-assessed CMMC Level 2 status rather than a full third-party certification. But shops still must be actively progressing toward full Level 2 certification.

Lesson 5: If a shop says they are “almost done,” ask for proof. They should be able to provide documentation such as their scope outline, POA&M, system security plan, and other materials.

This matters for your supply chain, too. Even though we are compliant, we cannot send controlled documents to downstream vendors if they do not meet the necessary standards.

Moving Forward With Confidence

CMMC Level 2

I’m sharing these lessons because I want to help other shops protect sensitive data and strengthen our national defense. Our journey was full of twists and turns, but we’re proud we achieved CMMC early.

If you are a machine shop owner who has questions, don’t hesitate to contact me

And if you’re an OEM looking for a CMMC Level 2 manufacturer, request a quote today!

Justin Quinn
Next

Collaborate on Planning for High-Volume Machining Success