Key Takeaways:
- CMMC Level 2 does not require turning your entire shop into a high-security environment. Properly scoped, it covers the part of your operation that touches CUI (Controlled Unclassified Information) — which for most job shops is a fraction of the network, not the whole thing.
- The single biggest cost driver in CMMC readiness is scope. Shops that scope correctly land at a fraction of the cost of shops that treat the whole environment as in-scope.
- A CUI enclave — a separated section of your network that handles defense work — is a real and accepted approach. Shops that have passed Level 2 assessments in northeast Indiana have tended to use exactly this model.
- Phase 2 of CMMC enforcement, requiring third-party C3PAO assessment for many Level 2 contracts, begins November 10, 2026 (under the current rule). If you have flow-down notices from a prime in your inbox, your scoping decision is the most important one you make this year.
- Mid-year is the right time to make this call. You have enough quoting visibility to know what 2027 DoD work is worth, and enough runway to do scoping right before the assessment market gets crowded.
You’ve heard the number. $100,000 to do CMMC. Maybe more. Your buddy at a peer shop in Columbia City put it that way at the last NIDIA meeting and you’ve been carrying that figure around ever since. It is what’skeeping you from making a decision either way on your DoD work.
Here’s what nobody tells you when they throw that number around: it depends almost entirely on one decision you haven’t made yet. The decision is called scoping, and it’s the difference between making your whole shop a fortress and making one room of it secure enough to do defense work in.
Mid-year is when this decision actually gets made. You’re looking at quoting for Q4 and into 2027. You know which contracts are likely to renew. You know which primes are sending flow-down notices and which aren’t. The math on whether DoD work is worth keeping — and what it costs to keep it — is more honest in May than it will be in October when the calendar starts squeezing you.
What does “scoping” actually mean in CMMC?
Scoping is the process of deciding which parts of your environment store, process, or transmit CUI — and which parts don’t. The controls in NIST SP 800-171 (the 110 security requirements behind CMMC Level 2) only apply to the parts that do.
If your entire network sees CUI — every workstation, every email account, every CNC machine on the floor — the whole thing is in scope. That’s the fortress version. It’s expensive because every endpoint, every user, every printer becomes part of the controlled environment.
If you scope tighter — say, three machinists who handle DoD prints work on isolated workstations, in a defined VLAN (a separated network segment), with their own email aliases that route through a controlled mail flow — only that environment is in scope. The rest of your shop runs the way it always has.
Shops that have gone through Level 2 assessments successfully in northeast Indiana have tended to use exactly this approach. The DoD work is real. It’s also a defined slice of the operation, not the whole thing.
What is a CUI enclave and why does it matter for cost?
A CUI enclave is a defined, separated section of your environment specifically for handling defense work. It can be a physical space (locked room, locked workstations), a network space (a VLAN with its own firewall rules), or both. The point is that CUI does not leak into the rest of your environment, which means the rest of your environment doesn’t have to be controlled.
Cost comparison: in-scope environment size
| Approach | What’s in scope | Typical readiness cost | Annual burden |
| Whole-shop fortress | Every workstation, server, account | Highest — affects every user | High |
| Department-level enclave | One department’s workstations + shared services | Moderate | Moderate |
| Isolated CUI enclave | 3–8 dedicated workstations, separated VLAN | Lower — fraction of fortress | Contained |
| External enclave service | Cloud-hosted environment for CUI work | Predictable monthly cost | Minimal on-prem |
The cost ranges vary by shop, but the relative differences are consistent. A correctly scoped enclave commonly lands at a fraction of the fortress approach — not because the controls are weaker (they’re not), but because they apply to fewer assets.
How do you decide which scoping approach fits your shop?
Three questions drive this:
1. How much of your work involves CUI?
- Less than 25% of revenue from DoD work → enclave model makes sense
- 25–60% → department-level scope is more realistic
- More than 60% → whole-shop scope is likely the honest answer
2. How does CUI flow through the shop?
- Email + dedicated workstations only → enclave is practical
- CUI touches your ERP system → enclave becomes harder to draw cleanly
- Every CNC operator handles controlled prints → wider scope is needed
3. Will DoD revenue grow or shrink over the next three years?
- Growing → invest in a scope that scales
- Stable → scope to current footprint
- Shrinking → smallest viable scope, or run the math on exiting DoD work entirely
For a Columbia City shop running 25% DoD revenue with prints flowing to three or four machinists, an isolated CUI enclave is usually the right call. For a shop where defense work touches every quoter, every estimator, and every program file, a wider scope is more honest.
The wrong move is to default to the fortress approach because nobody told you scoping was an option. That choice costs shops six figures they didn’t need to spend.
What does Purdue MEP have to do with this?
Purdue MEP — Indiana’s NIST Manufacturing Extension Partnership center — offers CMMC readiness guidance for Indiana manufacturers, doesn’t sell anything, and can give you an honest read on where your environment stands before you spend a dollar on remediation. Whether free assessment funding is currently available depends on active grant cycles; the best move is to contact Gene Jones directly at jonesew@purdue.edu to ask what’s available for your shop right now.
If you’ve never spoken to Purdue MEP, that’s an afternoon phone call worth making. They know northeast Indiana shops, they know the CMMC landscape, and they can tell you honestly whether Level 2 is realistic from where you are now.
When does the November 2026 deadline actually start to bite?
Under the current rule, CMMC rolls out in four phases:
- Phase 1 (November 10, 2025 – November 9, 2026): Level 1 and Level 2 self-assessments are a condition of award for applicable new DoD contracts. This phase is now in motion.
- Phase 2 (beginning November 10, 2026): Third-party C3PAO assessment becomes required for many Level 2 contracts. Self-attestation stops being enough. The assessor walks through your environment and verifies all 110 controls are actually in place.
- Phase 3 (beginning November 10, 2027): Level 3 certification requirements enter applicable contracts.
- Phase 4 (beginning November 10, 2028): Full implementation across all covered DoD contracts.
The assessor market is the practical constraint. There are fewer than 100 authorized C3PAOs nationally serving an estimated 80,000 contractors who need Level 2 certification. Shops that scoped early and started readiness work in early-to-mid 2026 are landing on assessor calendars in late 2026 or early 2027. Shops that wait until October to start scoping will be looking at the back half of 2027 — assuming nothing slips.
For more on the full timeline, Purdue MEP’s CMMC Phase-In Plan summary is worth bookmarking.
What should the next 30 minutes look like?
Pull your last six months of quoting data. Identify which jobs involved CUI — defense prints, ITAR-controlled drawings, anything marked “for official use only.” List the people in your shop who actually touched those files. Count them.
If the count is small — three machinists, one estimator, one inspector — you have a clear scoping case for an enclave. If the count is everyone, you have a different conversation to plan. Either way, you now have the data you need to ask your IT partner a specific question: “Given who actually touches CUI here, what would a properly scoped Level 2 environment cost us — versus treating the whole shop as in scope?”
If your IT partner gives you a real answer with numbers, you’re working with someone who can help. A cybersecurity risk assessment is a good starting point if you want a structured baseline before that conversation.
Want a second set of eyes on the scoping math?
Scoping is the call that decides whether CMMC costs your shop $40K or $250K. It’s not a vendor decision — it’s an honest read on how CUI moves through your operation, and most owners benefit from talking it through with someone outside the relationship.
No pitch, no follow-up campaign — just a working conversation about how strong your scoping case actually is.
Schedule a 15-minute scoping conversation: calendly.com/jnewburg-1/15min Or call Aptica directly: (260) 243-5100
Frequently Asked Questions
What is the difference between CUI and FCI?
CUI is Controlled Unclassified Information — defense-sensitive data that requires NIST SP 800-171 protection (CMMC Level 2). FCI is Federal Contract Information — basic federal contract data that requires CMMC Level 1, a lighter set of 17 controls. Most DoD-adjacent job shops handle both. The Level 2 controls are where the real cost lives.
Can I scope my CUI environment after I’ve already started the readiness work?
Yes, and many shops do — though the rework can be painful. Scoping decisions made early save money. Scoping decisions made after you’ve already built controls into the wrong environment mean tearing some of that work out. If you’re early enough that controls aren’t deployed yet, you have full flexibility.
Will my prime accept an enclave-scoped environment?
In almost all cases, yes. Primes care about how your handling of CUI meets the requirement, not where in your network the controls live. The enclave model is well-established and accepted across the defense industrial base. Confirm with your prime’s compliance contact before assuming, but the answer is rarely no.
Does the enclave have to be on-premises or can it live in the cloud?
Either works. Cloud-hosted CUI enclaves — sometimes called GCC High environments using Microsoft 365 GCC High or equivalent setups — are increasingly common because they offload some of the infrastructure burden. The control requirements are the same; the implementation is different. A virtual CIO conversation is a good place to think through which model fits your operation.
What happens if I don’t pursue Level 2 and just exit DoD work?
Some shops run the math and decide DoD work isn’t worth the readiness cost — and that can be the right answer. Run the numbers: what percentage of revenue is DoD, what’s the realistic cost of readiness, and what’s the likely growth or shrinkage of that revenue line over five years. For some Columbia City and Auburn shops, exiting DoD and reallocating to non-defense automotive or ag-equipment work is the right call. The math should drive the decision, not avoidance of the work.
About Aptica
Aptica is a locally owned IT provider serving manufacturers, distributors, engineers, healthcare practices, and professional services firms across Northern Indiana, Southern Michigan, and Northwest Ohio. Founded in 2003 and based in Angola and Fort Wayne. BBB Accredited, A+ rated.
Angola: 113 E Maumee St, Angola, IN 46703 · (260) 243-5100 Fort Wayne: 1690 Broadway, Bldg 19, Suite 10, Fort Wayne, IN 46802 · (260) 243-5182
Web: apticallc.com · Email: info@apticallc.com · Free consult: apticallc.com/free-consultation
Call us. We answer the phone.
