
For owners of manufacturers

Cybersecurity for plant owners — not Fortune 500 CISOs.

Your plant runs on equipment from 5 different decades. Your shop floor controllers don't speak modern security. Ransomware that hits a server can stop production for weeks. Your buyer's contracts — DoD, OEM, automotive — now require CMMC. Most CISOs would tell you to buy 8 tools. We tell you what to actually do.

This is the owner version: how mid-market plants in your band actually get hit, what production downtime really costs, what CMMC and NIST SP 800-171 require for the contracts you bid, and what an EFROS engagement looks like at your scale.

By Stefan Efros, CEO & Founder, EFROS. Reviewed by Daniel Agrici, Chief Security Officer, EFROS.

The shift

Why owners of manufacturers are getting hit more, not less

Manufacturing has been the #1 ransomware-targeted industry in every Verizon DBIR since 2021. The reason is mechanical: production downtime costs you immediately and visibly, attackers know it, and your cyber insurance policy pays the ransom anyway most of the time. Add the OT complexity — controllers, HMIs, and engineering workstations from the 1990s sharing a flat network with corporate IT — and the average mid-market plant is a soft, high-pressure target.

The second pressure is CMMC. The DoD's final CMMC 2.0 rule published in October 2024 puts the attestation clock on every defense supply chain participant from prime to bench-grade subcontractor. Your OEM customers in automotive and aerospace are starting to flow similar requirements through their own contracts. The cost of becoming compliant surprises most plant owners; the cost of losing the contract for non-compliance is worse.

Industry stat: Average ransomware hit on US mid-market manufacturers was 24 days of production downtime plus $4.4M direct cost, per Verizon DBIR 2024. Manufacturing was 25% of all ransomware incidents in the report — the largest single sector.

The five ways manufacturers get hit

The 5 ways manufacturers get attacked

Drawn from Verizon DBIR, CISA ICS advisories, FBI IC3 reports, and the incident pattern across small and mid-market plants we've worked with.

Ransomware on the shop floor and ERP

Ransomware encrypts your MRP/ERP and any unsegmented HMIs or engineering workstations. The line stops. Customer orders pile up. Verizon DBIR puts mid-market manufacturer average downtime at 24 days.

CMMC supply-chain compliance pressure

Your DoD prime, your aerospace OEM, and your top-3 automotive customer are all pushing CMMC 2.0 Level 1 or Level 2 attestation into your contracts. Miss the attestation date and you fall out of the bid list. The cost of attestation surprises most plant owners.

Business email compromise on vendor payments

An attacker spoofs your steel supplier or tooling vendor and emails AP an updated wire instruction. The wire hits a mule account. The real vendor still wants their $480k. You absorb it, dispute the insurance claim, and rebuild the AP controls under pressure.

Industrial IP theft and design exfiltration

Your CAD files, your CNC programs, your jig and fixture designs are the moat. A spear-phishing campaign or a departing engineer with a USB drive removes the moat in 20 minutes. Discovery comes months later when a Chinese competitor shows up at a trade show with your part.

ICS/OT exposure (unsegmented controllers)

Your PLCs, HMIs, and SCADA gear were never meant to be on the same network as Outlook. Cheap ransomware operators stumble into the OT network by accident and stop the line. Sophisticated operators do it on purpose.

What it costs when it happens

Best, average, worst — the dollar reality

Modeled on Verizon DBIR 2024 data, IBM Cost of a Data Breach Report, NetDiligence Cyber Claims studies, and the work we've done for small and mid-market plants.

Best case

Insured + prepared

$120k – $480k

Strong network segmentation between IT and OT. Cyber policy active without ICS exclusion. Ransomware contained to corporate IT. Backup restoration in 3 days. Deductible + forensics + lost output.

Average case

Partial preparation

$850k – $3.5M

Ransomware crosses into OT. Line down 8-14 days. Lost customer orders + expedite costs to recover schedule. CMMC attestation slips. One key OEM customer puts you on the watch list for next contract cycle.

Worst case

Unprepared

$4.2M – $14M

Per Verizon DBIR 2024 mid-market average: 24 days of production downtime, $4.4M direct cost, plus IP theft, contract loss, and a 2-year recovery on a key customer relationship. Some plants don't reopen.

Ranges are illustrative. For a personalized estimate calibrated to your revenue, plant count, and current controls, run the Cost-of-Getting-Hit calculator.

The compliance edges

Manufacturer-specific risk highlights

  1. CMMC 2.0 Level 1 — basic safeguarding of FCI (Federal Contract Information); annual self-attestation; required for any DoD contract

  2. CMMC 2.0 Level 2 — protection of CUI (Controlled Unclassified Information); third-party C3PAO assessment every 3 years; based on NIST SP 800-171 (110 controls)

  3. NIST SP 800-171 — the 110 controls that underpin CMMC Level 2; required by DFARS 252.204-7012 since 2017 (most defense subs still aren't fully compliant)

  4. ITAR / EAR — if you export controlled technical data; cybersecurity is part of the export-control compliance posture

  5. State breach laws and tort exposure — operational downtime can trigger contract penalty clauses with prime customers; document your business interruption coverage gap

What we actually do

What an EFROS engagement looks like for a plant

We start with a 10-day fixed-fee scoping engagement. We walk your plant — or remote-walk it via your operations team — and document every device on the shop floor with a network connection. We pull your customer contracts and identify which of them reference DFARS 252.204-7012, NIST SP 800-171, or CMMC. We map your CMMC scope boundary.

We then run the 110-control NIST SP 800-171 gap analysis against your environment, prioritized by what your prime customers actually require. We design IT/OT segmentation that you can roll out over 90-180 days without taking the line down. We audit your AP vendor-payment workflow against the BEC playbook. We review your DMARC, MTA-STS, and other email impersonation defenses.
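The DMARC and MTA-STS review mentioned above comes down to a handful of record checks that a plant's IT lead or MSP can run themselves. The script below is an added illustration written for this page; it is not EFROS tooling or part of any engagement deliverable. It assumes the DMARC TXT record and the MTA-STS policy file have already been fetched as strings (the sample records, the domain plant.example and the mailbox names are constructed for the example), and it grades each record into the findings an AP-fraud review would care about: a p=none DMARC policy or a testing-mode MTA-STS policy means a spoofed wire-instruction email can still reach the inbox.

```python
"""Posture check for DMARC and MTA-STS records (added example, not EFROS code).

Assumes the records are supplied as strings, e.g. copied from a DNS TXT lookup
of _dmarc.<domain> and from https://mta-sts.<domain>/.well-known/mta-sts.txt.
All sample records and domain names below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    message: str


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_mta_sts(policy: str) -> dict:
    """Split an MTA-STS policy file ('key: value' per line); 'mx' may repeat."""
    fields = {"mx": []}
    for line in policy.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            fields["mx"].append(value)
        else:
            fields[key] = value
    return fields


def assess_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means enforced."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return [Finding("high", "not a valid DMARC record (missing v=DMARC1)")]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append(Finding("high", "no p= tag: receivers ignore the record"))
    elif policy == "none":
        findings.append(Finding("high", "p=none: spoofed mail is reported but still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("medium", "p=quarantine: spoofed mail lands in junk, not rejected"))
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(Finding("medium", f"pct={pct}: policy applied to only {pct}% of mail"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address: no aggregate reports to spot spoofing"))
    # Subdomain policy (sp) inherits p when absent; flag it only when it is weaker.
    rank = {"none": 0, "quarantine": 1, "reject": 2}
    sub = tags.get("sp")
    if sub is not None and rank.get(sub, 0) < rank.get(policy, 0):
        findings.append(Finding("medium", f"sp={sub} is weaker than p={policy}: subdomains can be spoofed"))
    return findings


def assess_mta_sts(policy: str) -> list:
    """Return findings for an MTA-STS policy; an empty list means enforced."""
    fields = parse_mta_sts(policy)
    if fields.get("version") != "STSv1":
        return [Finding("high", "not a valid MTA-STS policy (missing version: STSv1)")]
    findings = []
    mode = fields.get("mode")
    if mode == "testing":
        findings.append(Finding("medium", "mode: testing: TLS failures are reported, mail still sent without TLS"))
    elif mode != "enforce":
        findings.append(Finding("high", f"mode: {mode}: no TLS enforcement for inbound mail"))
    if not fields["mx"]:
        findings.append(Finding("high", "no mx: entries: senders cannot validate your mail hosts"))
    try:
        max_age = int(fields.get("max_age", "0"))
    except ValueError:
        max_age = 0
    if max_age < 86400:
        findings.append(Finding("low", f"max_age={max_age}s: policy is cached for less than a day"))
    return findings


def posture(dmarc_record: str, mta_sts_policy: str) -> str:
    """Roll both checks up to one word: exposed, partial or enforced."""
    severities = {f.severity for f in assess_dmarc(dmarc_record) + assess_mta_sts(mta_sts_policy)}
    if "high" in severities:
        return "exposed"
    if "medium" in severities:
        return "partial"
    return "enforced"


# Constructed sample records for a hypothetical plant domain.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@plant.example"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@plant.example; sp=reject"
WEAK_STS = "version: STSv1\nmode: testing\nmx: mail.plant.example\nmax_age: 3600\n"
STRONG_STS = "version: STSv1\nmode: enforce\nmx: mail.plant.example\nmx: *.plant.example\nmax_age: 604800\n"

if __name__ == "__main__":
    for label, dmarc, sts in (("weak", WEAK_DMARC, WEAK_STS), ("strong", STRONG_DMARC, STRONG_STS)):
        print(f"{label}: {posture(dmarc, sts)}")
        for f in assess_dmarc(dmarc) + assess_mta_sts(sts):
            print(f"  [{f.severity}] {f.message}")
```

The "exposed" result is the one to act on first: until p= moves to reject and MTA-STS is in enforce mode, the technical controls do not stop a spoofed vendor email, and the AP wire-change callback procedure is carrying the whole load.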

On retainer we run the operating model: monthly CMMC progress report against your attestation runway, quarterly tabletop on a ransomware-meets-OT scenario, joiner/mover/leaver workflow that includes ICS access, MDM for engineering laptops, vendor security review for your top 10 suppliers, and a 1-page quarterly board-grade summary your top customer's supply chain risk officer will accept.

Flat-fee retainer — typically $7,500-22,000 per month for small and mid-market plants depending on revenue, plant count, OT footprint, and CMMC level. We coordinate with your existing IT and MSP relationships. We don't replace them; we run the security program that the contract attestations and your cyber insurance carrier require.

Three ways to start

The calculator and quiz are anonymous and take under 5 minutes. The 20-minute call is a scoping conversation, not a sales pitch.