CMMC Level 1 Compliance for DoD CNC Machining Suppliers
The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense's framework for safeguarding sensitive information in the defense industrial base. CMMC Level 1 — the Foundational tier — applies to contractors and subcontractors that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). Olympus Machining LLC, an ITAR-registered precision CNC machine shop in Hanover, Pennsylvania (CAGE code 9V9P0, York County), maintains practices aligned with CMMC Level 1 and FAR 52.204-21.
What CMMC Level 1 Means for a DoD Subcontractor
CMMC Level 1 is built on the basic safeguarding requirements in FAR 52.204-21(b)(1). The FAR clause enumerates 15 requirements; the CMMC model counts them as 17 practices because it splits the clause's single physical-access paragraph into three separate practices (escort visitors, keep physical-access logs, manage physical access devices), and that 17-item numbering is the one used below. Any contractor or subcontractor that processes, stores, or transmits FCI on behalf of the federal government is contractually required to meet these requirements. For a precision CNC machine shop, FCI typically includes program-related information shared by a prime contractor: purchase orders, drawings marked as FCI, schedules, and technical correspondence.
Level 1 does not address CUI. Programs that flow down CUI require Level 2 (which adds the NIST SP 800-171 control set). Olympus Machining is sized and scoped for Level 1 work and does not currently bid programs that require Level 2 / SP 800-171 certification.
How Olympus Meets the 17 Practices (FAR 52.204-21)
Plain-English mapping of each practice to our implementation. No FCI- or CUI-specific details are disclosed publicly; this is the supplier-qualification-level summary.
Limit information system access to authorized users, processes, and devices. Olympus restricts shop network access to named employees with individual credentials.
Limit system access to the types of transactions authorized users are permitted to execute. Role-based access on internal systems.
Verify and control connections to and use of external systems. Outbound connections from shop systems are restricted to vetted business services.
Control information posted on publicly accessible systems. Customer-controlled or FCI material is never published on the public website or social channels.
Identify users, processes, and devices. Each employee has a unique account; no shared logins on systems that touch FCI.
Authenticate identities before granting access. Password policy with complexity and rotation; MFA on remote access.
Sanitize or destroy media containing FCI before disposal or release for reuse. Drives and media are wiped or physically destroyed when retired.
Limit physical access to information systems and operating environments to authorized individuals. Locked facility, controlled visitor access, badge entry.
Escort visitors and monitor visitor activity. Visitor log maintained; visitors are accompanied in production and inspection areas.
Maintain audit logs of physical access. Visitor sign-in records retained per the document control procedure.
Control and manage physical access devices. Keys and badges are issued, tracked, and recovered on separation.
Monitor, control, and protect organizational communications at external boundaries. Business-grade firewall at the network perimeter.
Implement subnetworks for publicly accessible system components. Public-facing services are isolated from internal shop systems.
Identify, report, and correct system flaws. OS and application updates applied on a managed schedule.
Provide protection from malicious code. Endpoint protection deployed on workstations and servers.
Update malicious code protection mechanisms when new releases are available. Automated updates configured.
Perform periodic and real-time scans. Real-time scanning enabled; periodic full scans scheduled.
Annual Self-Assessment and SPRS Posting
Under the CMMC program, Level 1 contractors perform an annual self-assessment against the 17 practices and record the result in the Supplier Performance Risk System (SPRS) operated by the Department of Defense. A Level 1 self-assessment does not produce a numeric score: each practice is marked Met or Not Met, all 17 must be Met, and Plans of Action and Milestones (POA&Ms) are not permitted at Level 1, so a single unmet practice means the assessment cannot be posted as compliant. A senior company official affirms the result in SPRS each year. Olympus Machining performs the self-assessment annually and maintains the SPRS submission as part of our supplier qualification record. A copy of our current SPRS confirmation is available to prime contractors on request.
Self-assessment is not a one-time exercise. Practice implementation is reviewed and any deficiency is corrected before the result is posted, because Level 1 does not allow an unmet practice to be deferred. Material changes to the IT environment between annual assessments (new vendor connections, new endpoints, organizational changes) trigger a between-cycle review.
Why Prime Contractors Should Care (Flow-Down)
The FCI baseline flows down by contract: FAR 52.204-21 requires a prime to include the clause in any subcontract under which the subcontractor may have FCI, and the CMMC clause (DFARS 252.204-7021) flows the required CMMC level down to subcontractors in the same way. DFARS 252.204-7012 governs covered defense information (CUI) rather than FCI, so it belongs to Level 2 scope and is not the clause that drives Level 1 work. A prime that passes FCI to a subcontractor without the required CMMC status is itself out of compliance with its contract; in the event of an incident at the supplier, the prime carries the corrective-action obligations toward the government and cannot shift them to the subcontractor after the fact.
Adding Olympus Machining to a prime's approved supplier list for Level-1 work requires only a brief documentation exchange: our SPRS submission, ITAR registration confirmation, CAGE code (9V9P0), and quality flow-down acceptance. Programs requiring Level 2 / SP 800-171 should be routed to suppliers sized for that scope.
ITAR Registration and CAGE 9V9P0
Olympus Machining is registered with the U.S. Department of State Directorate of Defense Trade Controls (DDTC) under the International Traffic in Arms Regulations (ITAR). Our Commercial and Government Entity (CAGE) code is 9V9P0, registered to our Hanover, Pennsylvania facility. ITAR registration and CMMC Level 1 alignment together cover the baseline supplier-qualification requirements for the majority of Level-1 defense subcontracting work.
Related: Compliance overview · AS9102 FAI · Quality assurance · Precision CNC machining · CNC milling · CNC turning