Submit any questions you would like answered on the podcast!
Happy 4th of July from the team at CMMC Compliance Guide Podcast! While you're celebrating freedom, hot dogs, and fireworks — don’t forget about safeguarding the data that defends that freedom. 🛡️
In this special edition, we're tackling what really works for CMMC compliance on the shop floor. From coolant-soaked travelers to ancient XP machines, this is your no-nonsense guide to staying compliant in real-world CNC and aerospace manufacturing environments.
Skip the theory. Get the real-world playbook. Because you can't afford to shut down production just to pass an audit.
📞 Need help with CMMC or NIST 800-171?
We fast-track defense manufacturers to compliance — or give you the tools to do it yourself.
👉 Visit https://www.cmmccomplianceguide.com to download free resources or schedule a discovery call.
from Justice IT Consulting. We are here to help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns, getting companies fast-tracked to compliance. But today, we're here to give you all the secrets for free. So if you want to tackle it yourself, you are equipped to do so. Let's dive into today's episode: CMMC on the shop floor, a no-BS guide for CNC and aerospace machine shops. If you've ever looked at your CNC machines, coolant-soaked travelers, and that old XP machine in the corner and thought, "How can I make this CMMC?", you're not alone. Most of the advice out there is built for IT guys and enterprises, not machine shops. Certainly not ones running DoD or ITAR jobs with two or three shifts and production that can't stop. This episode is a real-world playbook for making compliance work in environments like yours. Okay, so the first question I've got for you, Brooke, is probably one of the most deliberated questions for manufacturing floors and machine shops, and that is: what actually counts as CUI? Because CUI determines scope and how much you have to protect for CMMC. Right.
SPEAKER_01: So hopefully all your CUI, first of all, is coming in properly marked. So try not to laugh. We know all of it comes in properly marked. I know it doesn't, but... So what you have coming in is CUI, properly marked or not. To address the "or not" part, if you have what you think is CUI and it's not marked, then technically you should go back to your customer and say, "Hey, I think we got this. It looks like CUI. It smells like CUI. It quacks like CUI. I think it's CUI. So should this be marked CUI?" And they can either tell you yes or no, or they may just tell you, "Yeah, everything under this contract is CUI," which is another case altogether. But the other thing with this is, if you think it's CUI, you have to protect it like it's CUI. And you can't just turn a blind eye and go, "Nope, it's not marked, and so I don't think it's CUI." So if you think it's CUI, then you have to protect it like CUI. At some point, hopefully, the government and the primes get better about marking it. But assuming you know what CUI is and it's marked when it comes into your shop, then you have that paperwork that is CUI and you know that's CUI. So anything that comes from that, any derivatives from that, like drawings, drawings of different parts or something like that that come from that, they're going to be CUI, unless for some strange reason you pull something off of that drawing and it's only an off-the-shelf product and it is not anything CUI, and you'll have to prove that. But if it's done in performance of that contract, you can pretty well bet it's CUI. The G-code that you send to machines, that's CUI. In fact, the Cyber AB just had Jim Goepel on the last town hall in June. He's a really bright guy. He's written like three books on CUI. He's legal counsel for FutureFeed and has been in and around the industry and DoD and all that for a long time. Anyway, I would say he's an authority on CUI. He said that the majority of the time that G-code is going to be CUI.
You can consider it CUI. What's not CUI, surprisingly, and there's a little bit of debate on this, because in some places it's not well-defined, but what's not CUI, and everybody pretty much agrees on this, is the actual part. Now, why that's not CUI, I don't know. Maybe it's not information. You can glean information from it, but anyway, generally the actual part that you're making is not considered CUI. Not that you should, you know, go send it to a foreign country or anything. So yeah, all those things are considered CUI. I have another thing on here just to remind me. Something you mentioned, that coolant-soaked traveler. Those are also considered CUI. So paper CUI, hard copy, that's still CUI. It still needs to be protected. If you're not using it, it needs to be covered up or it needs to be
SPEAKER_00: locked away in a drawer. All those drawings and prints, the travelers with part specs, specifically the specs, and G-code, pretty much as a rule of thumb, you can consider CUI. Just a quick follow-up on that, Brooke. I know this is the CMMC Compliance Guide podcast, but in terms of the Venn diagram, we often overlap a lot with ITAR regulations and weapon systems, just naturally, being a defense regulation, right? So I want to, although we're not ITAR experts, just specifically address ITAR data real quick, because we do see that a lot. What do you do with ITAR data?
SPEAKER_01: Generally, with ITAR data, the biggest thing for CMMC and CUI is that that ITAR data is going to be export controlled, and only US citizens can access that data. If it's properly marked, it's going to say CUI, probably controlled technical information, and then "no foreign citizens can view it," or something like that. It's going to have some sort of dissemination restriction on it. And so technically, you just have to worry about CUI, but you can pretty well bet that that ITAR data is going to be export controlled. And that means a lot for whether you go with GCC or GCC High. And there's a very small window. Well, in general with defense contractors that are manufacturers, that's a really small window of people that can use GCC as opposed to GCC High. But it affects other things like that: the services, the cloud services you use, and things like that.
SPEAKER_00: Yeah, and I think that's a good thing to touch on, the importance, if you're not handling ITAR data right now or you're trying to maybe get into a GCC instead of GCC High, of really stepping back and thinking: what might I bid on in the future, so you don't exclude yourself from work? Now, if you just want to build a system that is set up to do exactly what you're doing now, then by all means, go ahead. But some of those things cost a lot of money to engineer later to satisfy a bid requirement. So understand that if you're not building out for ITAR regulations or... I'm not sure of the specifics, what would get you in GCC versus GCC High, but just make sure that you're not backing yourself into a corner on what you can bid for in the future. So another question I want to bring up is enclaves. Machine shops, manufacturers are always told, "Just get an enclave, put in an enclave." To enclave or not to enclave? Yes. "And you'll just be good," which is often good advice, but for manufacturers, specifically manufacturers, it's different. And I'd
SPEAKER_01: say specifically small manufacturers.
SPEAKER_00: Specifically small manufacturers, yeah, exactly. And... there's reasons for that, and there's reasons why you might... not that it's bad advice, but can you just kind of walk us through how that doesn't apply, or is maybe not always working, for a CNC shop or a small manufacturer? An enclave
SPEAKER_01: can and will work if you can separate out the CMMC work from everything else. And that may mean that you have to have two versions, two computers with SolidWorks, depending on how you want to do your enclave. If you can separate that out, then an enclave is a good thing. Because you don't want to pierce that enclave, because once you pierce the enclave, whatever you pierced it with, now that's in scope. So you just expanded your enclave, right? So you need to think about that. And if you can do that, that'd be great. A lot of small shops get the majority of their business from the DoD, and so most of their business or all their business is... Well, that's understandable if it's all, but if it's most of your business that is DoD, then it's likely that everybody will have the need to touch CUI. It's possible that you might have to scope some people out of it, like whoever deals with accounting and QuickBooks. You can scope them out. But in that case, your enclave is large and your non-enclave is small. So yeah, for small shops that have most of their work with the DoD, it's kind of hard to create an enclave, because that enclave is basically saying, "We're gonna take all the CMMC stuff and we're gonna put it in this enclave, and everybody else is gonna be outside of
SPEAKER_02: that."
SPEAKER_01: If you have a larger shop and you have 50-50 work, 50% DoD and 50% not, it makes sense. Or 25-75, or maybe even 75-25. It makes sense because you're still going to have a lot of people that don't need to be doing that work. But for small shops, sometimes the owner and somebody else are the ones that send out the quotes and pitch in on getting drawings and whatever else. They may need access to that CUI. In a small business, you wear a lot of hats. That's just how it goes in small business. So those are the kind of reasons that a CMMC enclave might not work. But if you can do an enclave, it's a really good thing to do, and to separate
SPEAKER_00: everything out. Another thing I'd like to bring up, just to kind of close this question out, is, for example, you brought up the G-code earlier and how it's often considered CUI, right? Yes. So... if that G-code is created in the enclave and you need to get it to the CNC machine, does that not break the enclave? Well, you can put it on a...
SPEAKER_01: on a FIPS-validated encrypted USB stick, for instance. They have these little USB sticks with a little code on them. Very handy, easy to use. They work on older equipment as well as newer equipment. It just shows up as a regular USB. So those are really good ways to do that. Now that that now has CUI on it, it has to be labeled, it has to be protected, the whole nine yards, but that's a good way to get it over there, to sneakernet it, basically, to
SPEAKER_00: your CNC machines. The reason I bring it up is because oftentimes when people are told to get an enclave, it's in the cloud somewhere, you know, and they're wanting to get into VDI solutions, is oftentimes what people think of as an enclave. So if you're dialing into a VDI solution and you download that CUI onto a stick, to put it on the stick, is the computer you download it to now in scope?
SPEAKER_01: Yes.
SPEAKER_00: If you use a
SPEAKER_01: VDI solution and you don't kill all means to move information back and forth between the computer that connects to the VDI system and the VDI system. In other words, you've got to kill copy and paste, you've got to kill the drive mappings, you've got to kill printing, you've got to kill all those things and disallow all that. If you disallow all that, then the machine that connects to that VDI system, yes, it's out of scope. But that also means that you can't download data from that and put it on... I mean, you just killed the ability to do that. So you can't download that data to that computer. If you leave that open, and the ability to download that
SPEAKER_00: data, then that machine is now in scope. I'd just like to bring that up, because you get caught, the wrench gets thrown in the plan, whenever the details come out, right? Yes. And that's often it: an enclave or a VDI solution solves all your problems as a defense contractor until you actually put it in your workflow and you need to get the dang file to the machine. Yep. The cutting file, right? It's where something like a VDI solution, hosted desktops dying and just offloading all of this responsibility to a solution provider, just doesn't work. If that CUI has to get into your building and onto a machine, you're gonna have to scope something in the building regardless. Okay, getting to the no-BS portion of this guide for real-world shops: what actually works for real-world shops actually producing parts and getting defense work? Not theoretical, not someone that wants to get into it, but shops that are actually doing this. What do they do and what works?
SPEAKER_01: Well, we addressed some of it already. You know, a good solution is to have your CNC machines off the network, and that way have a USB stick that's encrypted with FIPS-validated cryptography. And then one that has a little code on it that you can punch in. Again, we've found that those are really good. Old machines can read them, because some of these CNC machines are a little old, and you don't want them on the network. So that works really well. You can put them on the network, but you have to be very careful what you do, and you have to secure them on a secure VLAN or a secure subnet, either one, and make sure that you cross all your T's, dot all your I's. The USBs also, just like everything else you have, they have to be inventoried, they have to be kept track of, they have to be protected. So don't forget that part. Not only do they need to have that FIPS-validated encryption if they hold CUI, but they've got to be labeled, inventoried, tracked, everything. The other thing is travelers. If you have a printer in your enclave environment, you can print out that CUI onto a traveler and use that traveler to go do your work. Do you have to have a cover sheet on that traveler?
SPEAKER_00: Yes, you should have a cover sheet to cover it up when you're not using it. Following up on that question a little bit, Brooke, I just want to dive into the USB thing you mentioned earlier with the punch code on the stick. It's actually like a physical... like a lock or something. There's a little keypad, yeah. And so you physically punch it in, and then there's a little electric card or something that unlocks the encryption once it's plugged in and you punch that code in. So it removes all passwords and typing in. I want to dive into that because... it's a very simple process. You might have to buy a bunch of $100 USBs, which seems ridiculous. It solves a lot of problems, it seems, and over-engineered solutions in a lot of shops. And it replicates the workflow that a lot of shops currently have. And I just kind of want to dive into that a little bit more, because I think people think of really complicated solutions to solve these things. In reality, they could use a USB stick like this and avoid a lot of frickin' headache. You can design a
SPEAKER_01: solution where you can get those on the network. You still have to secure the CNC machines, that is, because most of them are going to be older. You're not going to be able to secure them. You can't put all your security software on them, the whole nine yards, because they control machinery. And a lot of times you'll void the warranty with those if you put your own security software on there. Which is fun. You can put them on your network, again, but you have to secure it off, you have to design it right to make sure that you're taking all the proper precautions. I have seen... I went to a manufacturing show, and there was a vendor there, a large vendor, that was selling a device that sat between a secure and an unsecure network, basically, so your CUI network and your CNC machine network, right? And it would be the director of the data. And so it could take in the encrypted data, and then it can move it over, and there's all sorts of parameters you put around this, right, to keep it safe. And then the CNC machines can take that from the other side with less or poor encryption or whatever, anyway, and pull that off and use that for the CNC machine side. It's a great idea, and you can bridge two networks like that and still do it over the network. However, those machines were like $15,000 each, and they only go to one CNC machine. We have quite a few manufacturing customers, and I don't know any of them that just have one or two CNC machines. That expense would rack up really quick. Just like you said, a really good solution to avoid cost is to have your FIPS-validated, encrypted USB drive. And like I said, the one with the little keypad on it, those work well. If you use that to move data and then cover your bases with your other things, inventory it, track it, label it, all that kind of fun stuff, then you've got your solution in place, and that's a very workable and very secure
SPEAKER_00: solution. I think the last question is a really good segue into this one. So I'll go ahead and ask you, how do you handle old CNCs and operational technology, OT in CMMC speak? Right. How do you handle that in terms of CMMC compliance, and if you want to connect them to your network, or should you? What are your thoughts on that? For CNC
SPEAKER_01: machines, operational technology, internet of things, stuff like that, they're counted as specialized assets, and as long as you secure them in some way, and certainly keeping them off the network does secure them. Sometimes, though, those need to connect for updates or something like that, so you may need to put them on a secure VLAN or secure subnet. You may have a rule in your firewall, for instance, to only allow access to vendorA.com or something to download updates or something like that. The rule can be turned on or off, you know, whenever you need to access it. But you could do something like that. But those specialized assets, as long as you have secured them away from your CUI network, your CMMC-certified network, as long as you have secured them off from that, then as long as you have them inventoried and say, "Yes, we have these,"
SPEAKER_00: then they're out of scope. So my next question for you is, what does an assessor actually want to see? All the CMMC controls and all that stuff doesn't really ultimately matter. You know, it does, but at the end of the day, your assessor is the one that's certifying you, right? Right. Absolutely. Let's talk real world. No BS is the theme of this episode. So brass tacks, what do assessors actually want to see?
SPEAKER_01: Well, as far as we're talking about operational technology mainly, they're going to want to make sure that you have everything documented, you have a list of all that equipment, and that you know where it is and all that kind of fun stuff. They want to see your network diagram, how it's designed. They're going to want to see your policies, how your policies are written, for that OT equipment, for the process to get information over to them, like the USBs we talked about. They're going to want to see your SSP and your overview of how, well, assuming that's what your SSP is, but anyway, your overview of how you've secured those and what you're doing with that OT. That's basically what they're going to want to see. They're also going to want to see some proof, so screenshots of how, if it's connected by network, screenshots of how it's actually configured, stuff like that. They'll also probably ask you, you know, questions about "How do you do this? How do you do that?" to make sure it
SPEAKER_00: meshes with what you've got documented. In summary, what an assessor wants to see is: if you're doing it, it needs to be documented; if you're not doing it, don't fake it, because they'll be able to smell that out. Right? Yes. Okay. So if I'm a machine shop... and by the way, it's July 4th, America's birthday. Happy birthday, America. I got my shirt. Nice shirt there, yeah. Thank you. I think this episode comes out on July 4th, so that's why I brought that up. So if I'm at a machine shop, listening on July 4th, America's birthday, what should I go check or do this next week when I come into the office Monday, sunburnt, and with a bunch of burgers and hot dogs in my belly? What should I do first thing when I get to work? Well, you should first of all make
SPEAKER_01: sure before you get to work that all the fireworks have been cleaned up. So there's always a big mess after shooting off all the fireworks. So really what you need to do is map your CUI flow. It's a data flow diagram. Figure out where it comes from, where it goes to within your systems, cloud systems included, like Microsoft 365, for instance. Figure out where it goes, figure out where it goes out to subcontractors or your vendors if it does. So do that data flow diagram. Create some network segmentation, either VLANs, subnets, or air gaps, or something like that, to separate that operational technology. Lock down your USB usage. So just like we talked about, you can tell we like those USB sticks that have FIPS-validated encryption and have the little keypads on them, because they work with old equipment as well as new equipment. You don't have to worry, because sometimes you run across the newer USBs where some of the security features don't necessarily work on the old stuff, but those seem to work nice. Handle paper. You still need to protect paper CUI, hard copy CUI. You still need to cover it up when you're not using it, put it away: covered up when you're not using it at the time, and if you're overnight or whatever, you know, or not using it at all, it needs to be put up and locked up. So
SPEAKER_00: don't forget about your paper, your hard copy CUI. Yeah, everyone's always real bummed to hear that the paper's CUI too. Yes. And the other
SPEAKER_01: bad part, and we'll just touch on it here and leave you with this bad taste in your mouth, but the old CUI you have from stuff you did, you know, 10 years ago, guess what? That's CUI, and it matters, and it has to be protected. So don't forget about that CUI. We'll just touch on that for right now. Document all your legacy systems. Don't ignore them. Make sure you explain them. And "explain them" is a good segue into your SSP. Your SSP should tell a story of how you do things. They should be able to read through that and understand everything from a high-level view: how you're doing everything, how you're meeting all those controls and all those assessment objectives.
SPEAKER_00: If you have any questions about what we covered here, please reach out to us. We're here to help fast-track your compliance journey. You can text, email, or call us, and we'll answer your questions for free here on the podcast. Find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure. Like, subscribe, and share.