The CMMC Milestone Every Defense Supply Chain Manufacturer Must Know
After years of preparation, the Cybersecurity Maturity Model Certification (CMMC) officially takes effect today, November 10, 2025, with Level 2 third-party audits beginning in this first phase. The DoD’s rollout to prime contractors may be staged, but the impact for manufacturers is immediate. CMMC requirements are already showing up in contracts across the defense supply chain.
This marks a turning point in how sensitive data is handled, protected, and audited across the defense supply chain, and a moment of validation for Paperless Parts customers who have been building on a secure foundation for years.
Why We Invested Early
Long before deadlines loomed, we made a deliberate choice to treat security as core product work. We believed two things would prove true, and they did:
- Protecting customer data is central to our mission.
- Strong security would become a competitive advantage, not just a checkbox.
We built our platform and internal program around the frameworks that matter most to manufacturers handling Controlled Unclassified Information (CUI):
- FedRAMP Moderate controls as our baseline.
Paperless Parts maintains FedRAMP Moderate security controls assessed by a FedRAMP-recognized third-party assessment organization. In 2023, we completed a FedRAMP Moderate Equivalency audit aligned to NIST 800-53, and we’ve maintained that posture through successful third-party audits in 2024 and 2025, with zero open POA&M items. These controls directly support customer compliance with CMMC and DFARS requirements.
- Designed for CMMC Level 2 use.
Our architecture, operational controls, and R&D practices align with NIST and FedRAMP standards. Customers pursuing CMMC Level 2 certifications can build on this secure foundation to accelerate their readiness.
- Clear governance and continuous monitoring.
We operate in accordance with DFARS 252.204-7012 for safeguarding covered defense information and cyber incident reporting. Our controls, monitoring, and continuous improvement processes ensure alignment with the evolving DoD guidance that underpins CMMC.
Security is not a switch you flip. It’s a system: people, processes, and product choices must reinforce one another every day. We built the environment, the controls, and the habits so our customers can rely on a strong foundation.
“Our goal is to make security second nature in how we design, build, and operate the manufacturing software ecosystem.” – Colton Ericksen, Chief Information Security Officer, Paperless Parts
What Today’s CMMC Milestone Means
CMMC requirements begin appearing in DoD solicitations now, and they will quickly flow down the supply chain. Prime contractors are responsible for ensuring their suppliers meet the same standards, which means manufacturers at every tier may see CMMC clauses in new contracts immediately. If you’re already running Paperless Parts, you’re starting this next phase from a position of strength. Here’s what that looks like in practice:
Confidence
Our architecture, controls, and independent assessments are built to support your compliance journey while you focus on running your shop.
Readiness
As requirements appear in contracts, you’ll need to demonstrate your ability to handle CUI and flow requirements to subcontractors. Paperless Parts helps you start from a compliant posture, then layer your internal policies and training on top.
Partnership
Compliance is shared. We secure the platform and services we operate. You own your internal policies, endpoints, access, and training. Our documentation and customer success resources, through our Trust Center, make this partnership clear and actionable.
How Paperless Parts Helps in Practice
A secure cloud platform.
Paperless Parts operates within a FedRAMP Moderate-equivalent cloud environment aligned to NIST 800-53 controls. Our systems are continuously monitored, independently assessed, and architected to meet the stringent cybersecurity requirements that defense and aerospace buyers expect.
Enterprise-grade access and control.
For our larger A&D customers, compliance goes beyond infrastructure. Paperless Parts provides Single Sign-On (SSO) for centralized identity management, role-based permissions for data access governance, and comprehensive audit logging to track user actions. These capabilities make it easier for IT and compliance teams to demonstrate accountability and satisfy auditor requests efficiently.
Secure-by-design AI.
Our Wingman™ capabilities, including Requirements Review, help estimators identify and extract key requirements from 2D drawings and RFQ documents, before they’re missed. AI runs entirely inside our FedRAMP boundary, aligned with CMMC, NIST, and FedRAMP principles. We do not send data to non-compliant third-party AI tools, and we do not train models on proprietary pricing logic or P3L. Humans remain in the loop.
Clear, transparent documentation.
We publish detailed security and compliance documentation, including our CMMC customer responsibility matrix, audit attestations, and AI governance principles. Our Customer Success and Security teams help shops integrate these materials into their own security plans and audit readiness documentation.
The Road Ahead
Today is not just a deadline; it’s the beginning of a new standard for trust in the manufacturing supply chain. Phase 1 begins now. The direction is unmistakable: security and data integrity are now fundamental to competitiveness, not only in defense but across all advanced manufacturing.
We believe the future of collaboration in manufacturing depends on trust, and trust starts with security. Our vision is to connect the industrial supply chain securely, so shops can work faster with less friction and buyers can rely on consistent, auditable processes end to end.
For Paperless Parts customers, that future is already taking shape. You have the foundation to thrive in this new era.
Learn More About Security and Compliance at Paperless Parts
For readers who want to explore our security and compliance approach in more depth, here are helpful resources:
Paperless Parts Security Overview: Learn how we protect your data through FedRAMP-aligned infrastructure, encryption, and monitoring.
CMMC Overview: Information, including our CMMC white paper, to help you navigate the CMMC journey.
AI at Paperless Parts: Read how we provide AI capabilities with data security and privacy at its core.
Register for our upcoming webinar with for a real-world look at CMMC implementation for manufacturers.
—
This blog post was written by Paperless Parts’ Chief Technology Officer, Jason Luce.
