PCB007 Magazine

PCB007-Dec2025

Issue link: https://iconnect007.uberflip.com/i/1541985

executive affirmation. Level 2 centers on protecting controlled unclassified information and mandates full compliance with the 110 controls in NIST SP 800-171. Depending on contract risk, assessments will either be self-conducted annually or performed by an accredited third-party auditor every three years.

Level 3, reserved for the highest-priority defense programs, adds portions of NIST SP 800-172 and requires assessment by the DoD's Defense Industrial Base Cybersecurity Assessment Center. Most PCB, EMS, and electronics manufacturers that handle sensitive design data, stackups, Gerber files, or test programs will be expected to operate at Level 2.

What Changed on November 10

The DoD's final rule integrating CMMC 2.0 into DFARS took effect, making the program a contractual requirement rather than a long-term roadmap. The three-year phased implementation is scheduled to run through late 2028. The earliest phase emphasizes Level 1 and Level 2 self-assessments submitted through the Supplier Performance Risk System (SPRS), with third-party audits and Level 3 oversight increasing later.

A significant change is the formalization of POA&Ms. While contractors may still defer some requirements temporarily, only specific items qualify, and the window to close them is capped at 180 days. Another major shift is flowdown enforcement: Primes are now explicitly responsible for ensuring their subcontractors meet the correct cybersecurity level. PCB fabricators, assemblers, and component suppliers will feel this pressure immediately as primes seek to protect their own compliance standing.

Impact on PCB and Electronics Manufacturers

Determining the appropriate CMMC level now becomes a contract-by-contract decision. Companies handling only basic order and delivery information may operate under Level 1. Those touching technical data—including controlled designs, firmware, test programs, or manufacturing documentation—will almost certainly fall under Level 2.

For factories, Level 2 compliance extends far beyond IT. It affects daily production operations. Manufacturers will need to implement role-based access to engineering software and production systems, multifactor authentication for any system interacting with CUI, and strong segmentation between corporate IT networks and shop-floor equipment. Even common practices, such as using USB drives to load machine programs, must now follow documented, tightly controlled procedures. Logging, monitoring, and configuration management become critical responsibilities for engineering and operations teams, not just cybersecurity staff.

Supply-chain security is another major area of change. Design files must be transmitted securely and stored with encryption, and subcontractors handling any portion of the data will need NDAs and cybersecurity commitments aligned with CMMC expectations. Manufacturers will also need a clear system security plan and a realistic POA&M tailored to how their actual production environment functions.

The Practical Checklist Going Forward

As of Nov. 10, PCB and electronics manufacturers involved in defense programs face several immediate steps. They must map their current contracts to the required CMMC level and define a CUI enclave so that compliance efforts remain contained. They also need to complete and document a Level 1 or Level 2 self-assessment and enter both the score and executive affirmation into SPRS.

Beyond that, companies should update their system security plans and focus early remediation efforts on controls with the largest impact, including MFA, robust logging, reliable data backups, and network segmentation. Coordination with primes will be essential as third-party audit timelines begin to emerge.

The Bottom Line

CMMC 2.0 is now a binding contract requirement for defense work. PCB and electronics manufacturers that can demonstrate credible Level 2 compliance will continue to compete in high-value defense programs. Those that cannot will increasingly be filtered out before the bid is even considered.
