SP 800-171 Rev. 3 for Hudson Valley Defense Subs: CUI Enclave Architecture You Can Build on a $15k Budget

A practical guide to isolating Controlled Unclassified Information without gutting your operating budget

By Jim Venuto | December 23, 2025 | Hudson Valley CISO

The Drawing on the Shop Floor

There is a precision machine shop in Dutchess County—call them “Alpine CNC”—that has been cutting titanium parts for a Tier 1 defense prime since 2018. The work comes in as a set of ITAR-controlled CAD files and engineering drawings stamped CUI//SP-EXPT. For years those drawings lived on a shared Windows folder, accessible by anyone on the company Wi-Fi, backed up to a USB drive the owner kept in his truck. Nobody from the prime ever audited the arrangement. That era is over.

When CMMC 2.0 enforcement ramps up across DOD contracts, Alpine CNC—and dozens of shops like it along the Route 9 corridor, in Newburgh’s industrial parks, and tucked into the hills around Kingston—will need to demonstrate compliance with NIST SP 800-171 Revision 3. The good news: you do not have to rearchitect your entire network or write a six-figure check to a Beltway consulting firm. You can build a CUI enclave that satisfies the standard for roughly fifteen thousand dollars and a few weekends of focused work.

What SP 800-171 Rev. 3 Actually Requires

SP 800-171 has been the de facto security standard for any non-federal organization that handles Controlled Unclassified Information on behalf of the Department of Defense. Revision 3, published in final form in May 2024, reorganized and tightened the framework. Here is what matters for a small manufacturer.

The standard defines 97 security requirements across 17 families, from Access Control (AC) through Supply Chain Risk Management (SR). Rev. 2 had 110 requirements in 14 families; the lower count comes from consolidation, not relaxation. Rev. 3 aligned the control language with NIST SP 800-53 Rev. 5, which means the wording is more precise but also more verbose, and the identifiers changed from the 3.1.1 form to 03.01.01. Several previously "implied" expectations are now explicit. Organization-defined parameters (ODPs) require you to write down values such as session timeout and audit retention period rather than leaving them vague; where DoD has not specified a value, you pick one and defend it in the SSP. The assessment methodology shifted too: the companion SP 800-171A Rev. 3 gives each requirement a set of assessment objectives (determination statements) that map directly to what a CMMC Level 2 assessor will evaluate. If you write your System Security Plan (SSP) around those determination statements, you are building your evidence pack at the same time.

Key takeaway: Rev. 3 did not invent new obligations so much as remove ambiguity. If you were genuinely meeting Rev. 2, the delta is manageable. If you were faking it with a templated SSP, the gap just got wider.

The 17 families are access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, planning, risk assessment, security assessment and monitoring, system and communications protection, system and information integrity, system and services acquisition, and supply chain risk management; planning, system and services acquisition, and supply chain risk management are new in Rev. 3. For a small shop, the families that tend to cause the most pain are Audit and Accountability (AU), System and Communications Protection (SC), and Configuration Management (CM), because they require actual technical controls, not just policy documents.

The Enclave Strategy: Shrink the Boundary

Here is the single most important concept for any Hudson Valley sub with fewer than fifty employees: you do not have to make your entire network 800-171 compliant. You need to make the systems that process, store, or transmit CUI compliant. Everything else just needs to be separated from those systems with a defensible boundary.

This is the CUI enclave approach. Think of it as building a clean room inside your existing facility. The CNC machines, the accounting PC running QuickBooks, the break room Roku: none of that needs to meet the 800-171 requirements. You carve out a subnet, put the machines that touch CUI drawings on it, wrap it in firewall rules and access controls, and focus all of your compliance energy on that enclave. The rest of your network becomes "out of scope," provided you can demonstrate the boundary is enforced and you account for the assets that do the enforcing. The firewall, the directory the enclave authenticates against, the SIEM, and the EDR console hold no drawings, but the CMMC scoping guidance treats them as Security Protection Assets and they are assessed with the enclave.

For Alpine CNC, the enclave is three workstations in the engineering office, one file server, and the link between those machines and the prime's secure file transfer portal. That is it. The shop floor PLCs, the front desk laptop, the owner's phone are all outside the boundary. One caveat: CUI follows the data, not the machine label. If a toolpath derived from a controlled drawing is loaded onto a CNC controller, that controller is processing CUI and either joins the enclave or gets a documented, one-way transfer procedure that the SSP describes. Handled that way, the enclave model still dramatically reduces the cost and complexity of compliance.

Architecture on a $15,000 Budget

Let me walk through the actual architecture, component by component, with real products and approximate street prices as of late 2025.

Network Segmentation

The enclave starts at the network layer. You need a firewall or router that can enforce a dedicated VLAN for CUI systems and block all traffic between the CUI VLAN and the corporate/guest VLANs except for explicitly allowed flows. A pfSense or OPNsense appliance running on a Protectli Vault (the FW4B or FW6B model) gives you enterprise-grade stateful firewalling, VLAN trunking, and VPN termination for around $400. Pair it with a managed switch—a Ubiquiti USW-24-PoE or a TP-Link TL-SG3428 will do—that supports 802.1Q VLAN tagging. Budget another $300 for the switch. Total network segmentation cost: roughly $700.

Configure VLAN 100 as your CUI enclave and give it a distinct subnet, say 10.171.100.0/24. The firewall policy has two halves. Inbound: deny everything from the corporate and guest VLANs into VLAN 100; there is no legitimate flow in that direction. Outbound: deny by default and allow only what the enclave needs to originate, namely DNS and NTP to the firewall's own resolver, HTTPS for Windows Update and the prime's transfer portal, and the Wazuh agent ports (1514/tcp for events, 1515/tcp for enrollment) to the SIEM collector. Traffic between the three workstations and the NAS stays inside the VLAN and never crosses the firewall, so it needs no rule. Set the final deny rule to log; those denies are audit evidence, not noise. Export and date the ruleset. That documentation becomes evidence for SC-7 (Boundary Protection) and AC-4 (Information Flow Enforcement), which Rev. 3 numbers 03.13.01 and 03.01.03.
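As an added example (not from the article, Netgate, or the OPNsense project), here is a small Python check that encodes the invariants above as probe flows and evaluates a transcribed ruleset first-match, the way pf does on pfSense and OPNsense. Run it against the ruleset you intend to load and again after every change. Only the 10.171.100.0/24 enclave comes from the article; the corporate and guest subnets, the Wazuh manager address, the probe hosts, and the rule format are assumptions. The weak ruleset is the flat-network starting point; the hardened one is what the text describes.

```python
"""Boundary-rule check for the CUI enclave VLAN.

Added example; not from the article, Netgate or OPNsense. Rules are transcribed
into Rule objects and evaluated first-match (pf semantics) against probe flows
that must be passed or blocked. Only 10.171.100.0/24 is the article's address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
ENCLAVE = ipaddress.ip_network("10.171.100.0/24")   # VLAN 100, the CUI enclave
CORP = ipaddress.ip_network("10.171.10.0/24")       # assumed corporate VLAN
GUEST = ipaddress.ip_network("10.171.20.0/24")      # assumed guest Wi-Fi VLAN
GATEWAY = ipaddress.ip_network("10.171.100.1/32")   # firewall: enclave DNS/NTP resolver
WAZUH = ipaddress.ip_network("10.171.100.10/32")    # assumed Wazuh manager address

@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"              # "tcp", "udp" or "any"
    dport: Optional[int] = None     # None matches any destination port
    log: bool = False

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def matches(rule: Rule, flow: Flow) -> bool:
    return (ipaddress.ip_address(flow.src) in rule.src
            and ipaddress.ip_address(flow.dst) in rule.dst
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))

def decide(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; with no match pf falls back to its implicit deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "block"

# (flow, required decision, what the probe proves). Hosts are constructed.
PROBES: List[Tuple[Flow, str, str]] = [
    (Flow("10.171.10.50", "10.171.100.20", "tcp", 445), "block", "corporate PC to CUI NAS over SMB"),
    (Flow("10.171.20.7", "10.171.100.11", "tcp", 3389), "block", "guest Wi-Fi to enclave RDP"),
    (Flow("10.171.100.11", "10.171.10.5", "tcp", 445), "block", "enclave to corporate share (CUI drift)"),
    (Flow("10.171.100.11", "8.8.8.8", "udp", 53), "block", "enclave DNS bypassing the firewall resolver"),
    (Flow("10.171.100.11", "10.171.100.1", "udp", 53), "pass", "enclave DNS to firewall"),
    (Flow("10.171.100.11", "10.171.100.1", "udp", 123), "pass", "enclave NTP to firewall"),
    (Flow("10.171.100.11", "10.171.100.10", "tcp", 1514), "pass", "Wazuh agent events"),
    (Flow("10.171.100.11", "10.171.100.10", "tcp", 1515), "pass", "Wazuh agent enrollment"),
    (Flow("10.171.100.11", "20.1.2.3", "tcp", 443), "pass", "Windows Update / prime's portal"),
    (Flow("10.171.100.11", "20.1.2.3", "tcp", 22), "block", "arbitrary outbound SSH"),
]

def lint(rules: List[Rule]) -> List[str]:
    """Return findings; an empty list means the boundary holds for every probe."""
    findings = []
    for flow, want, why in PROBES:
        got = decide(rules, flow)
        if got != want:
            findings.append(f"{why}: {flow.src}->{flow.dst}:{flow.dport}/{flow.proto} is {got}, must be {want}")
    last = rules[-1] if rules else None
    if not (last and last.action == "block" and last.src == ANY and last.dst == ANY and last.log):
        findings.append("ruleset must end with an explicit, logged block-all (the denies are AU evidence)")
    for i, rule in enumerate(rules):
        if rule.action == "block" and not rule.log:
            findings.append(f"rule {i}: deny without logging leaves no audit trail")
    return findings

# The flat-network starting point: one convenience rule so the front desk can open drawings.
WEAK_RULES = [
    Rule("pass", CORP, ENCLAVE, "tcp", 445),
    Rule("pass", ENCLAVE, ANY),
    Rule("block", ANY, ANY),
]

# The ruleset the text describes. Workstation-to-NAS traffic stays inside the
# VLAN and never reaches the firewall, so it needs no rule here.
HARDENED_RULES = [
    Rule("pass", ENCLAVE, GATEWAY, "udp", 53),
    Rule("pass", ENCLAVE, GATEWAY, "udp", 123),
    Rule("pass", ENCLAVE, WAZUH, "tcp", 1514),
    Rule("pass", ENCLAVE, WAZUH, "tcp", 1515),
    Rule("block", ENCLAVE, CORP, log=True),    # must precede the broad 443 rule below
    Rule("block", ENCLAVE, GUEST, log=True),
    Rule("pass", ENCLAVE, ANY, "tcp", 443),    # tighten to an FQDN alias if the firewall supports it
    Rule("block", ANY, ANY, log=True),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, lint(rules) or ["boundary holds"])
```

Keep the probe table under version control next to the exported ruleset. A dated run with zero findings is a better SC-7 artifact than a screenshot of the firewall GUI, and the failing run against the weak ruleset shows the assessor what "before" looked like.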

Multi-Factor Authentication

Every account that can reach the CUI enclave needs MFA, privileged and non-privileged alike. For a three-workstation environment, the simplest path is Duo Security's free tier (up to 10 users), installed as Duo Authentication for Windows Logon on each workstation so the second factor is enforced at the console and at the RDP session level. (The Duo Authentication Proxy is a different component, for RADIUS and LDAP integrations; you will want it later for the VPN.) If you want phishing-resistant hardware, a set of YubiKey 5 NFC tokens at about $50 each is $200 for three engineers and one admin. The keys need something to authenticate against, either Duo's WebAuthn support or PIV smart-card logon to your domain, so budget the configuration time. This covers IA-2 (Identification and Authentication) and its multi-factor enhancement.

Encrypted File Storage

The CUI drawings need to be stored on an encrypted share with access limited to authorized personnel. A Synology DS423+ NAS (around $550) in the CUI VLAN, with encryption enabled on the volume or the shared folder (AES-256) and joined to Active Directory for access control, gives you a proper file server. Enable SMB signing, disable SMB1, turn on the Synology audit log, and restrict share permissions to the specific AD group you create for CUI-authorized users. That NAS also gives you versioning and snapshot-based backups to an encrypted USB volume or a second NAS. Two things an assessor will probe. First, if the domain controller the NAS is joined to also serves the corporate LAN, that controller and everyone who administers it are inside your assessment scope; either stand up a small domain controller for the enclave or accept the larger scope deliberately. Second, 800-171 requires FIPS-validated cryptography wherever cryptography is what protects the confidentiality of CUI (3.13.11 in Rev. 2, 03.13.11 in Rev. 3), so get the CMVP certificate number for the crypto module in your DSM release rather than relying on "AES-256" on the datasheet. This satisfies MP-4 (Media Storage), SC-28 (Protection of Information at Rest), and portions of AC-3 (Access Enforcement).

Endpoint Protection

The three enclave workstations need endpoint detection and response (EDR) that actually logs telemetry, not just consumer antivirus. CrowdStrike Falcon Go runs about $100 per endpoint per year; the bill of materials budgets four seats. If that feels steep, Microsoft Defender for Business at $3 per user per month works out to roughly $150 per year, and its telemetry lands in the Windows event log where Windows Event Forwarding picks it up. The NAS is the exception: commercial EDR agents do not run on Synology DSM, so its coverage comes from the audit log it ships to the SIEM and from keeping DSM patched. Either way, you need centralized logging of process execution, file access, and network connections. This addresses SI-3 (Malicious Code Protection), SI-4 (System Monitoring), and AU-2 (Event Logging).

SIEM-Lite: Wazuh

You need a place to collect, correlate, and retain security logs. For a small enclave, Wazuh is hard to beat. It is open source, it runs on a modest Linux VM, and it provides file integrity monitoring, log aggregation, vulnerability detection, and compliance dashboards out of the box. Stand up an Ubuntu 22.04 VM on a repurposed desktop or a $300 mini PC (a Beelink SER5 with 16 GB of RAM handles it comfortably), run the Wazuh quickstart all-in-one installer, and enroll the enclave workstations with the Wazuh agent (1514/tcp for events, 1515/tcp for enrollment). The Synology cannot run the agent; enable the manager's syslog listener and point the NAS's Log Center at it so the share access log lands in the same place. Total cost: the hardware. Retention is an organization-defined parameter in Rev. 3; set it to at least one year and enforce it in both places that matter, the indexer's index lifecycle policy and the manager's alert log rotation, then screenshot both for AU-11 (Audit Record Retention). Wazuh tags its rules with NIST SP 800-53 control identifiers rather than 800-171 ones, but because Rev. 3 borrowed 800-53's language the crosswalk is straightforward, and it is genuinely useful when you sit down to write your SSP.
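The following Python is an added example, not part of the article and not Wazuh's own tooling; it also serves the "audit log samples" row of the evidence pack later in this post. It parses alerts.json in the newline-delimited form the Wazuh manager writes, counts alerts per rule group, flags any account with five or more Windows 4625 logon failures inside five minutes, and flags file-integrity events on the CUI working folder outside business hours. The sample alerts, host and account names, the C:\CUI\ path, and the UTC business-hours window are constructed; the rule IDs mirror Wazuh's usual Windows and syscheck rules but treat them as illustrative.

```python
"""Triage of Wazuh alerts.json for the CUI enclave.

Added example, not from the article and not Wazuh's own code. Parses the
newline-delimited JSON the manager writes to /var/ossec/logs/alerts/alerts.json
and produces alert counts by rule group (evidence pack), accounts hit by a burst
of 4625 logon failures, and after-hours FIM events on the CUI folder. Sample
alerts, hosts, accounts, paths and the hours window are constructed.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

CUI_PATH_PREFIX = "C:\\CUI\\"        # assumed local working folder under FIM
BUSINESS_HOURS_UTC = (12, 23)        # 07:00-18:00 Eastern in standard time (assumption)

def _alert(ts: str, agent: str, rule_id: str, groups: List[str], **extra) -> dict:
    """One alert in the manager's shape, trimmed to the fields used below."""
    return {"timestamp": ts, "agent": {"id": "001", "name": agent},
            "rule": {"id": rule_id, "groups": groups}, **extra}

def _logon(ts, agent, event_id, user, src_ip):
    failed = event_id == "4625"
    return _alert(ts, agent, "60122" if failed else "60106",
                  ["windows", "authentication_failed" if failed else "authentication_success"],
                  data={"win": {"system": {"eventID": event_id},
                                "eventdata": {"targetUserName": user, "ipAddress": src_ip}}})

def _fim(ts, agent, path, event):
    return _alert(ts, agent, "550" if event == "modified" else "553", ["ossec", "syscheck"],
                  syscheck={"path": path, "event": event})

# Constructed sample: six rapid failures on one account, one stray failure, one success, two FIM events.
_STEP = "C:\\CUI\\Working\\bracket-rev4.step"
_SAMPLE = [
    _logon("2025-12-15T02:10:04.000+0000", "ENG-WS01", "4625", "cui-eng02", "10.171.100.11"),
    _logon("2025-12-15T02:10:31.000+0000", "ENG-WS01", "4625", "cui-eng02", "10.171.100.11"),
    _logon("2025-12-15T02:11:02.000+0000", "ENG-WS01", "4625", "cui-eng02", "10.171.100.11"),
    _logon("2025-12-15T02:11:40.000+0000", "ENG-WS01", "4625", "cui-eng02", "10.171.100.11"),
    _logon("2025-12-15T02:12:15.000+0000", "ENG-WS01", "4625", "cui-eng02", "10.171.100.11"),
    _logon("2025-12-15T02:12:58.000+0000", "ENG-WS01", "4625", "cui-eng02", "10.171.100.11"),
    _logon("2025-12-15T14:03:12.000+0000", "ENG-WS02", "4625", "cui-eng01", "10.171.100.12"),
    _logon("2025-12-15T14:03:40.000+0000", "ENG-WS02", "4624", "cui-eng01", "10.171.100.12"),
    _fim("2025-12-15T15:02:09.000+0000", "ENG-WS02", _STEP, "modified"),
    _fim("2025-12-16T03:12:44.000+0000", "ENG-WS02", _STEP, "deleted"),
]
SAMPLE_ALERTS_JSON = "\n".join(json.dumps(a) for a in _SAMPLE)

def parse_alerts(text: str) -> List[dict]:
    """One JSON object per line; skip blank or truncated lines instead of aborting the run."""
    alerts = []
    for line in text.splitlines():
        try:
            if line.strip():
                alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts

def _ts(alert: dict) -> datetime:
    return datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")

def evidence_counts(alerts: List[dict]) -> Dict[str, int]:
    """Alerts per rule group: the numbers behind the 'audit log samples' evidence row."""
    wanted = ("authentication_failed", "authentication_success", "syscheck")
    return dict(Counter(g for a in alerts for g in a["rule"]["groups"] if g in wanted))

def failed_logon_bursts(alerts: List[dict], threshold: int = 5, window_s: int = 300) -> List[Tuple[str, str, int]]:
    """(agent, account, n) where n 4625 failures fell inside some window_s-second window."""
    times = defaultdict(list)
    for a in alerts:
        win = a.get("data", {}).get("win", {})
        if win.get("system", {}).get("eventID") == "4625":
            times[(a["agent"]["name"], win["eventdata"].get("targetUserName", "?"))].append(_ts(a))
    bursts, window = [], timedelta(seconds=window_s)
    for (agent, user), ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end in range(len(ts)):                 # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((agent, user, best))
    return bursts

def after_hours_fim(alerts: List[dict], prefix: str = CUI_PATH_PREFIX) -> List[Tuple[str, str, str, str]]:
    """FIM events under the CUI folder outside business hours: (agent, path, event, timestamp)."""
    hits = []
    for a in alerts:
        sc = a.get("syscheck")
        if sc and sc.get("path", "").startswith(prefix):
            hour = _ts(a).hour
            if not BUSINESS_HOURS_UTC[0] <= hour < BUSINESS_HOURS_UTC[1]:
                hits.append((a["agent"]["name"], sc["path"], sc["event"], a["timestamp"]))
    return hits

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS_JSON)   # production: open("/var/ossec/logs/alerts/alerts.json").read()
    print("counts:", evidence_counts(alerts))
    print("bursts:", failed_logon_bursts(alerts))
    print("after-hours FIM:", after_hours_fim(alerts))
```

In production you would express the burst as a Wazuh correlation rule (a child of the 4625 rule with frequency and timeframe attributes) so it surfaces in the dashboard; this script is the offline cross-check you run over a day's alerts.json when an assessor asks how you know failed logons are actually reviewed (AU-6).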

Secure Remote Access

If any of your engineers need to reach the CUI enclave from outside the building, say from a home office in Beacon or a client site in Poughkeepsie, you need a VPN that terminates inside the enclave boundary. The pfSense/OPNsense box you already bought can run WireGuard or OpenVPN, and OpenVPN can authenticate through RADIUS to Duo so the MFA you already set up covers the tunnel as well (WireGuard has no user-authentication step of its own, so MFA there has to come from the device and the Windows logon behind it). Total additional cost: zero, just configuration and documentation. Two caveats before you call this done. First, 800-171 requires FIPS-validated cryptography wherever it protects CUI in transit (3.13.11 in Rev. 2, 03.13.11 in Rev. 3); WireGuard's ChaCha20-Poly1305 is not a FIPS-approved algorithm, and an OpenVPN tunnel only counts if the underlying crypto module carries a CMVP certificate, so check the CMVP list for your firewall image before you write the SSP narrative. Second, the remote endpoint is now inside your boundary: a home laptop that touches CUI is an enclave asset and needs the same EDR, MFA, and configuration baseline as the office workstations. This addresses AC-17 (Remote Access), SC-8 (Transmission Confidentiality and Integrity), and SC-13 (Cryptographic Protection).

Backup and Recovery

800-171 requires you to protect the confidentiality of backup CUI wherever it is stored (3.8.9 in Rev. 2, 03.08.09 in Rev. 3), and an assessor will also expect to see that the backup actually restores. The Synology NAS supports Hyper Backup to an external USB drive; turn on client-side encryption in the backup task so the drive is unreadable without the key, and record where that key is kept. Buy a pair of 4 TB IronWolf drives ($120 each) and a USB 3.0 dock ($40). Rotate the drives weekly and store the off-site copy in a locked safe or a bank safe deposit box in town. Once a quarter, restore a handful of drawings to a scratch folder, compare hashes against the originals, and file the result. The drive that leaves the building is CUI media, so the same log supports MP-4 (Media Storage) and MP-5 (Media Transport). Total: $280.

Bill of Materials

| Component | Product | Purpose | Approx. Cost |
| --- | --- | --- | --- |
| Firewall/Router | Protectli Vault FW4B + OPNsense | VLAN enforcement, VPN, boundary protection | $400 |
| Managed Switch | Ubiquiti USW-24-PoE or TP-Link TL-SG3428 | 802.1Q VLAN trunking for enclave segmentation | $300 |
| MFA Tokens | YubiKey 5 NFC (x4) | Phishing-resistant multi-factor authentication | $200 |
| Encrypted NAS | Synology DS423+ (2x 4 TB drives, RAID 1) | CUI file storage, encrypted at rest, audit logging | $900 |
| SIEM Server | Beelink SER5 Mini PC (16 GB RAM) + Wazuh | Log aggregation, FIM, compliance dashboards | $300 |
| EDR Licensing | CrowdStrike Falcon Go (4 endpoints, Year 1) | Endpoint detection, telemetry, malware protection | $400 |
| Backup Hardware | 2x Seagate IronWolf 4 TB + USB 3.0 Dock | Encrypted offline backups with rotation | $280 |
| Cabling & Misc. | Cat6 patch cables, rack shelf, labels | Physical installation | $120 |
| Total | | Estimated hardware and Year-1 licensing | $2,900 |

That hardware total leaves substantial headroom in a $15,000 budget. The remaining roughly $12,000 covers the labor-intensive part: writing the System Security Plan, conducting a risk assessment, developing your incident response plan, training your staff, and—if you want a second set of eyes—engaging a consultant for a pre-assessment readiness review. For a three-to-five person enclave, a competent CMMC Registered Practitioner can do a gap assessment and SSP review in 20 to 30 hours. At regional rates, that is $4,000 to $7,500. The rest goes toward your time, your IT person’s time, and the inevitable surprises (a Windows license upgrade here, a domain controller tweak there).

The Evidence Pack: What Your Assessor Wants to See

Building the enclave is half the job. The other half is proving it works. A CMMC Level 2 assessor is going to ask for artifacts that map to every requirement, one by one. Here is a starter list of the documents and technical evidence you should prepare alongside the build.

| Artifact | Covers Requirements | What to Include |
| --- | --- | --- |
| System Security Plan (SSP) | Every requirement (narrative for each) | System boundary description, enclave network diagram, data flow diagram, per-requirement implementation narrative addressing each determination statement, POA&M for any gaps |
| Network Diagram | SC-7, AC-4 | Enclave VLAN topology, firewall rule summary, data flow arrows showing CUI ingress/egress paths, clear boundary marking between CUI and non-CUI zones, Security Protection Assets (firewall, SIEM, directory) labeled as such |
| Access Control Matrix | AC-2, AC-3, AC-6 | Table of users, roles, CUI share permissions, MFA enrollment status, principle-of-least-privilege justification for each account |
| Audit Log Samples | AU-2, AU-3, AU-6, AU-11 | Wazuh dashboard screenshots, sample syslog entries showing logon events, file access events, and failed authentication attempts; evidence of one-year retention configuration |
| Incident Response Plan | IR-2, IR-4, IR-5, IR-6 | Roles and responsibilities, escalation procedures, DFARS 252.204-7012 reporting timeline (72 hours from discovery), tabletop exercise records |
| Configuration Baselines | CM-2, CM-6, CM-7 | CIS Benchmark output for enclave workstations, GPO export, disabled services list, software allowlist |
| Risk Assessment Report | RA-3, RA-5 | Vulnerability scan results (Wazuh or Nessus Essentials), risk register with likelihood/impact ratings, remediation plan for identified findings |
| Training Records | AT-2, AT-3 | Sign-off sheets for annual CUI handling and cybersecurity awareness training, training content outline, dates and attendees |
| Media Protection Log | MP-2, MP-4, MP-5, MP-6 | Encrypted backup rotation log, sanitization records for decommissioned drives, physical media inventory |

The identifiers above are the SP 800-53 style the article uses throughout; Rev. 3 numbers the same requirements 03.xx.yy, and your SSP should carry whichever numbering the contract is assessed against.

Practical tip: Build your SSP as a living document from day one. Every time you configure a firewall rule, enroll a YubiKey, or run a vulnerability scan, write a two-sentence note in the relevant SSP section and save the screenshot. Trying to reconstruct six months of work the week before an assessment is miserable and error-prone.

How This Connects to CMMC Level 2

CMMC Level 2 is defined against SP 800-171, but pay attention to which revision. The CMMC program rule (32 CFR Part 170) and DoD's class deviation 2024-O0013 on DFARS 252.204-7012 both point at Rev. 2's 110 requirements, and that is what a C3PAO scores today; Rev. 3 is where the program is headed, and DoD has to update the rule before it becomes the assessment basis. Building to Rev. 3 is still the right call, because its language is clearer and it carries Rev. 2's substance forward, but write the SSP so each Rev. 2 requirement is traceable (NIST publishes a Rev. 2 to Rev. 3 change analysis alongside the standard; a few Rev. 2 items were folded into other Rev. 3 requirements rather than carried over one-for-one). If you build an enclave that meets every requirement and you can produce the evidence pack described above, you are ready for a CMMC Level 2 assessment by a Certified Third-Party Assessor Organization (C3PAO). The assessment itself involves a review of your SSP, examination of your artifacts, interviews with your staff, and testing of your technical controls.

For contracts that allow Level 2 self-assessment (the CMMC rule reserves this for a subset of Level 2 awards; expect most CUI work to require a C3PAO), you submit a score to the Supplier Performance Risk System (SPRS) based on your own evaluation against the 110 Rev. 2 requirements. A perfect score is 110. Each unmet requirement subtracts 1, 3, or 5 points according to its weight in the DoD Assessment Methodology, so the floor is -203, not zero. Under CMMC a Plan of Action and Milestones (POA&M) is permitted only for a limited set of mostly lower-weight requirements, the score must still reach at least 88, and open items must be closed within 180 days. The enclave approach, done properly, should get a small shop to a score of 100 or above without heroics.

For contracts that require a C3PAO assessment, the enclave boundary becomes your best friend during the evaluation. The assessor examines the systems inside the boundary and the assets that enforce it; the firewall, the Wazuh server, the EDR console, and the domain controller are Security Protection Assets and come along for the ride, so keep them as small and well-documented as the enclave itself. A three-workstation enclave plus that handful of protection assets is still a short assessment: a two-day engagement, not a two-week one. It saves you money, reduces disruption to your shop floor, and keeps the assessor focused on a well-documented, well-controlled environment instead of wandering through an unmanaged flat network asking uncomfortable questions.

Getting Started This Quarter

If you are a Hudson Valley machine shop, engineering firm, or defense subcontractor reading this in late 2025, here is the sequence I would follow. First, identify exactly which data in your environment qualifies as CUI: check your contract for the DFARS 252.204-7012 clause (and 252.204-7021, the CMMC clause, where it has been added) and the markings on any drawings or technical data packages you receive. Second, identify the minimum set of machines that need to touch that data, including anything downstream such as a CNC controller that receives programs derived from it. Third, order the hardware in the bill of materials above and spend a weekend building the enclave VLAN. Fourth, install Wazuh and your EDR, configure your encrypted NAS, and enroll your users in MFA. Fifth, start writing the SSP, one requirement family at a time, while the configuration is fresh in your mind. Sixth, run a vulnerability scan, fix what it finds, and save the before-and-after reports. Seventh, train your CUI-handling personnel and document it.

None of this requires a massive IT department. It requires a methodical approach, a free weekend or two, and the willingness to treat cybersecurity as part of your manufacturing process—the same way you treat calibration records or material certifications. You already know how to maintain quality systems. This is just a quality system for information.

Need help planning your CUI enclave or preparing for a CMMC Level 2 assessment in the Hudson Valley? Visit hudsonvalleyciso.com to schedule a no-pressure conversation about your compliance roadmap.

References

NIST SP 800-171 Revision 3 — Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Cybersecurity Maturity Model Certification (CMMC) Program — Office of the Under Secretary of Defense for Acquisition & Sustainment
DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting
NIST Cybersecurity Insights Blog — SP 800-171 Rev. 3 Final Publication
CIS Benchmarks — Center for Internet Security (cisecurity.org/cis-benchmarks)
Wazuh Open Source Security Platform (wazuh.com)