The Cost of CMMC for Small Manufacturing Businesses

Knowing I’m a small manufacturing business owner, people occasionally ask me about various topics in the manufacturing space ranging from compliance cost expectations to business processes. This includes Cybersecurity Maturity Model Certification (CMMC).

Manufacturers such as Win-Tech Inc. can have various types of equipment on the shop floor — some new, some decades old yet tried and true. Manufacturers in the Defense Industrial Base (DIB) have long-established business processes after an industry has stressed importance on quality, price and lead time, but not cybersecurity.

Below I share some of the nuances for a company like ours relative to navigating CMMC, although this is in no way an exhaustive list. Note that these aren’t “excuses” for a manufacturer not to be secure and compliant. Rather, these are bits of context to provide insight into unique challenges manufacturers face. If you don’t know much about DIB manufacturing, this might be news to you, because you don’t know what you don’t know. And perhaps this provides some insight into those less familiar with the manufacturing space.

• Required expertise. CMMC is not something a typical small business machine shop reads and implements overnight. Similar to existing key roles on a shop floor, such as a skilled CNC programmer, expertise comes with a price. Expertise in CMMC is not a traditional expense in a small machine shop environment. These types of support roles are allocated differently in accounting, specifically in the DIB. Whether a company hires a managed service provider (MSP) or creates an internal position, the required expertise to navigate CMMC compliance and implementation in a shop environment is exceptional.
• Resource constraints. There are only so many hours in a day for shops that opt to take on many aspects of CMMC internally. Employees in a small business often wear many hats. It’s not uncommon for the owner to be in charge of business development, cutting checks to vendors and also communicating order updates to customers. The small business owner is ultimately responsible for CMMC compliance, but this priority is just one of many on the owner’s plate.
• Lack of leverage in negotiating license fees. Small businesses have limited negotiating power — software licenses are best purchased in bulk. Economies of scale matter. Many vendors have standard pricing models that do not accommodate the needs of small businesses. Some require a minimum license purchase. These challenges often limit small businesses to working with specific resellers or price-out small businesses altogether. A five-digit license bill weighs more in a small business than across a single division at a large prime supplier.
• Hidden shopfloor costs. A small business manufacturer might have millions of dollars of heavy equipment on the shop floor. Some old machines might only work with end-of-life operating systems, introducing higher risk to the data involved on that workstation and machine. A business owner is often presented with expensive options to mitigate the risk: Change a working business process or replace the functional equipment with new equipment simply to be compatible with a new operating system.

I’ve presented these points in a LinkedIn post you can find at gbm.media/cmmc-724. I welcome you to please visit and share your experiences, opinions or comments about CMMC as it relates to small manufacturing companies in the DIB.