CMMC Level 2 for Texas Manufacturers: Your November 2026 Deadline Survival Guide

· Infonaligy

Texas manufacturers with DoD subcontracts face mandatory CMMC Level 2 certification by November 10. Here's what to do with 135 days left.

If your manufacturing company machines parts, builds assemblies, or supplies components for defense prime contractors, CMMC Level 2 certification is about to become a condition of doing business. Phase 2 of the CMMC program takes effect on November 10, 2026, making third-party assessments mandatory for any organization handling Controlled Unclassified Information (CUI). You have 135 days. This guide covers what Texas manufacturers specifically need to do to keep their DoD revenue intact.

The existing CMMC guidance out there is written for IT companies and defense integrators. Manufacturing is different. You’re dealing with CUI on shop floors, in CNC programming files, embedded in engineering drawings that move between CAD workstations and machine controllers. Your compliance path has challenges that a typical office-based contractor never faces.

Why Manufacturers Get Caught Off Guard

Many Texas manufacturers don’t think of themselves as defense contractors. You run a machine shop in Fort Worth. You make precision parts. But if your purchase orders reference DFARS 252.204-7012, or if your prime contractor has flowed down CUI marking requirements, you are in scope for CMMC Level 2 whether you identify as a defense contractor or not.

The trigger is CUI, not your company’s self-image. CUI shows up in manufacturing environments in specific places:

  • Technical data packages (TDPs) with distribution statements B through F
  • Engineering drawings and CAD files marked with CUI banners
  • Manufacturing process specifications for controlled items
  • Quality inspection data tied to controlled technical information
  • ITAR-controlled designs that also carry CUI markings

If any of these flow through your systems (email, file servers, engineering workstations, or even USB drives plugged into CNC machines), your environment is in scope. The CMMC program rule (32 CFR Part 170) makes no distinction between a 5,000-person defense integrator and a 60-person precision machining shop. Both need the same 110 NIST SP 800-171 controls assessed by a C3PAO.

The Assessment Calendar Is Already Full

We’ve covered the C3PAO bottleneck in detail already, but the numbers bear repeating for manufacturers just waking up to this. Roughly 1,042 organizations have completed Level 2 certification out of approximately 76,598 that need it. That’s 1.4% certified with less than five months to go.

Assessor organizations are booking into Q4 2026 and beyond. A typical Level 2 assessment takes one to three weeks, and each C3PAO can only run a limited number of concurrent engagements. If you call today to schedule an assessment, you may find slots available in September or October. If you wait until August, you’re looking at 2027.

For a manufacturer, missing the deadline has a direct revenue consequence. When your prime contractor’s next contract renewal references CMMC Level 2 as an award condition, they will need to verify your certification status. No certification means you cannot be included in the contract. Your prime will source from a certified competitor.

The Manufacturing-Specific Compliance Challenges

Office-based contractors worry about laptops, email, and SharePoint. Manufacturers have all of that plus an operational technology (OT) environment that introduces unique compliance problems.

CUI on the shop floor. When an operator loads a CNC program derived from a controlled technical data package, that program is CUI. The machine controller, the network it sits on, and the workstation used to transfer the file are all within your CMMC assessment boundary. If your CNC machines connect to the same network segment as your office PCs, your assessment scope just expanded to include the entire plant network.

Network segmentation between IT and OT. NIST SP 800-171 control 3.13.1 requires boundary protection for CUI systems. For manufacturers, this typically means segmenting your OT network (machine controllers, PLCs, HMIs) from your IT network (email, ERP, file servers). Many shops run everything flat on one network. Fixing this requires firewall rules, VLANs, and potentially new switching infrastructure. Our manufacturing IT services page covers the OT/IT convergence challenges in more detail.
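
The scoping effect described in the two paragraphs above, as an added example that is not part of the original article: a simplified model in which every asset on a segment that hosts CUI, or on a segment routed to it with no filtering, lands inside the assessment boundary. The asset names, segment names, and the `unfiltered_links` parameter are constructed for illustration, and the model is a planning aid, not an official scoping method.

```python
from collections import defaultdict

# Constructed sample inventories: (asset, network segment, handles CUI?)
FLAT = [
    ("cad-ws-01", "plant-lan", True),
    ("cnc-mill-03", "plant-lan", True),    # receives controlled CNC programs
    ("file-srv", "plant-lan", True),
    ("office-pc-12", "plant-lan", False),
    ("plc-line-2", "plant-lan", False),
    ("hmi-paint", "plant-lan", False),
]
SEGMENTED = [
    ("cad-ws-01", "cui-enclave", True),
    ("cnc-mill-03", "cui-enclave", True),
    ("file-srv", "cui-enclave", True),
    ("office-pc-12", "office-vlan", False),
    ("plc-line-2", "ot-vlan", False),
    ("hmi-paint", "ot-vlan", False),
]

def in_scope(inventory, unfiltered_links=()):
    """Return the names of assets inside the modelled CUI boundary.

    unfiltered_links (assumed input): pairs of segments that route to each
    other with no firewall policy between them, so they behave as one network.
    """
    members = defaultdict(set)
    for name, segment, _ in inventory:
        members[segment].add(name)

    neighbours = defaultdict(set)
    for a, b in unfiltered_links:
        neighbours[a].add(b)
        neighbours[b].add(a)

    # Start from every segment that hosts a CUI asset, then spread across
    # unfiltered links until no new segment is reached.
    frontier = [segment for _, segment, cui in inventory if cui]
    scoped = set()
    while frontier:
        segment = frontier.pop()
        if segment in scoped:
            continue
        scoped.add(segment)
        frontier.extend(neighbours[segment] - scoped)

    return {name for segment in scoped for name in members[segment]}

if __name__ == "__main__":
    print("flat:     ", sorted(in_scope(FLAT)))
    print("segmented:", sorted(in_scope(SEGMENTED)))
    print("leaky:    ", sorted(in_scope(SEGMENTED, [("cui-enclave", "ot-vlan")])))
```

The third call shows why VLANs alone are not enough: an enclave that still routes freely to the OT VLAN pulls the PLC and HMI back into the boundary.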

Legacy equipment that can’t be patched. NIST SP 800-171 requires flaw remediation (control 3.14.1). Some CNC controllers and industrial equipment run embedded operating systems that the manufacturer no longer patches. You can’t update them without voiding a warranty or breaking functionality. The workaround is compensating controls: network isolation, monitoring, and access restrictions that protect the legacy device without modifying it. Your System Security Plan needs to document these compensating controls explicitly, because your assessor will ask.

Physical access to CUI. Controlled drawings printed and posted at workstations, CUI stored on portable media carried between machines, engineering specs pinned to tooling boards. Physical security controls (3.10.1 through 3.10.6) require limiting physical access to CUI and monitoring visitors. For a manufacturing floor with shift workers, vendors, and customers walking through, this means defining controlled areas and implementing access logs.

What to Do in the Next 135 Days

The timeline is tight but workable if you move now. Here’s a realistic sequence for a manufacturer starting from minimal preparation.

Weeks 1 through 2: Scope your CUI boundary. Identify every system, device, and location where CUI is stored, processed, or transmitted. For manufacturers, this includes ERP systems, CAD workstations, file servers, email, CNC controllers that receive controlled programs, and any portable media used to transfer files. If you haven’t done this, a gap assessment against all 110 NIST SP 800-171 controls is the starting point.

Weeks 3 through 4: Fix network segmentation. Isolate CUI-handling systems from general IT and OT networks. If your plant floor and business office share a flat network, this is your most urgent infrastructure change. Define a CUI enclave that includes only the systems that need access to controlled information, and restrict everything else.

Weeks 5 through 8: Implement controls and write your SSP. Your System Security Plan documents how you meet each of the 110 requirements in your specific environment. This is not a template you download and file away. C3PAO assessors compare your SSP against what they observe during the assessment. If your SSP says you use multi-factor authentication but your shop floor workstations use shared passwords, you will fail that control. Our 90-day quickstart roadmap breaks down the SSP and POA&M process week by week.

Weeks 9 through 10: Microsoft 365 GCC High migration. If you use standard Microsoft 365 for email and file storage and any of that data includes CUI, you need to move to GCC High. Standard commercial Microsoft 365 tenants do not meet the data handling requirements for CMMC Level 2. This migration takes four to eight weeks on its own, so start the licensing conversation in week one even though the migration itself happens later.

Weeks 11 through 14: Pre-assessment readiness review and C3PAO scheduling. Run an internal readiness review against all 110 controls. Document any gaps in your Plan of Action and Milestones (POA&M). Then schedule your C3PAO assessment. POA&Ms are allowed under CMMC 2.0 but carry limits: certain high-weight controls cannot use them, and all open items must close within 180 days of your assessment.

Throughout: Employee training. Everyone who handles CUI needs to understand what it is, where it lives, and what the handling rules are. This includes shop floor operators, not just office staff. A machine operator who copies a controlled program to a personal USB drive has created a compliance violation that could affect your entire assessment.

The Cost of Waiting vs. the Cost of Losing Contracts

CMMC Level 2 preparation for a 50 to 200 employee manufacturer typically involves infrastructure changes, a GCC High migration, documentation, employee training, and the C3PAO assessment itself. That’s a significant investment of time and money.

But compare it to the alternative. Texas has one of the largest concentrations of defense manufacturing in the country. Dallas-Fort Worth alone hosts hundreds of manufacturers in the Lockheed Martin, Bell, and Raytheon supply chains. When those primes start requiring CMMC Level 2 certification from their suppliers (and the November deadline is the trigger for that requirement appearing in contracts), uncertified manufacturers will be replaced by certified ones.

Your competitors are preparing now. The Phase 2 deadline analysis we published in April showed that organizations reaching out for assessment scheduling in mid-2026 may already find slots filled through year-end. That window is closing.

If you’re a Texas manufacturer with DoD subcontracts and you haven’t started CMMC preparation, the single most important thing you can do this week is schedule a gap assessment. It tells you exactly where you stand against all 110 controls, what needs to change, and how long it will take. Everything else follows from that.

Need Help With CMMC Level 2?

Our team can run your gap assessment, scope your CUI boundary, and build a compliance roadmap for your manufacturing environment.