By Charles Swihart, Founder & CEO, Preactive IT Solutions
| Compliance frameworks did not create the security requirements manufacturers are now being asked to meet. They formalized requirements that were already the difference between a resilient operation and a vulnerable one. The frameworks are just making that difference visible to customers, insurers, and regulators at the same time. |
Manufacturers who have not historically thought of themselves as regulated businesses are increasingly finding compliance obligations arriving from three directions at once: customer flow-down requirements from larger OEMs and defense contractors, cyber insurance underwriting questionnaires that have gotten dramatically more specific, and, for those in or adjacent to the defense supply chain, direct federal requirements under NIST 800-171 and CMMC. Each of these has its own vocabulary and its own audit process, and it is easy for a manufacturer to end up managing three overlapping compliance efforts instead of one coherent security program.
UNDERSTANDING THE LAYERS
NIST CSF 2.0
The NIST Cybersecurity Framework is voluntary and general-purpose, organized around five functions — Identify, Protect, Detect, Respond, and Recover. It is not a checklist so much as a structure for organizing a security program, and it is frequently the framework a cyber insurer’s questionnaire is implicitly built around, even when the insurer does not name it directly.
NIST 800-171 AND CMMC
NIST 800-171 sets specific security requirements for protecting Controlled Unclassified Information, and it applies to manufacturers in the defense supply chain whether or not they hold a contract directly with the Department of Defense — a subcontractor two or three tiers removed can still be in scope. CMMC is the certification model layered on top of it, verifying that those requirements are actually implemented rather than self-attested. Manufacturers who assume this only applies to prime contractors are frequently wrong, and finding that out during a customer’s compliance review rather than in advance is an expensive way to learn it.
CYBER INSURANCE REQUIREMENTS
Underwriting requirements have shifted substantially in the past few years. Multi-factor authentication, endpoint detection and response, tested and immutable backups, and documented incident response plans have moved from being differentiators to being baseline requirements for coverage — and increasingly, for coverage at a reasonable premium. A manufacturer that has not reviewed its security posture against current underwriting standards may find at renewal that either the premium has increased substantially or that a claim is at risk of being contested on the basis of a control that was represented but not actually in place.
WHY THESE FRAMEWORKS OVERLAP MORE THAN THEY DIFFER
The practical relief here is that these frameworks share a common foundation. Access control, network segmentation, monitoring and logging, incident response planning, and backup integrity show up, in some form, in nearly all of them. A manufacturer that builds a security program against NIST CSF as the organizing structure will find the large majority of that work directly applicable to 800-171/CMMC requirements and to what cyber insurers are asking for, rather than needing three separate, disconnected efforts.
THE GAP ASSESSMENT AS THE STARTING POINT
- Identify which frameworks actually apply to your business today, and which are likely to apply within the next contract cycle based on your customer base.
- Map current controls against the relevant framework’s specific requirements, rather than against a general sense of “we have decent security.”
- Prioritize gaps by combined risk — where a control gap creates both operational exposure and compliance exposure, that gap moves to the top.
- Document what is in place, not just implement it — auditors, insurers, and customer compliance reviews all require evidence, and undocumented controls are functionally invisible to them.
- Revisit the assessment on a defined cycle, since customer requirements, insurer questionnaires, and CMMC rollout timelines are all still evolving.
THE REFRAME THAT MAKES THIS MANAGEABLE
I encourage manufacturers to stop treating compliance as a separate obligation layered on top of their real security work and start treating it as documentation of security work they should be doing regardless. A manufacturer with genuine network segmentation, monitored access control, and tested backups is already most of the way to meeting NIST CSF, well positioned for 800-171/CMMC if it becomes relevant, and in a strong position with cyber insurers. The frameworks did not invent the bar. They just made it visible to everyone asking about it at once.
About the Author
Charles Swihart is the Founder and CEO of Preactive IT Solutions, a process-driven Managed IT Services provider founded in 2003 and specializing in manufacturing, engineering, and construction organizations across Houston, Austin, Beaumont, and San Antonio, Texas. He is the author of On Thin Ice, an Amazon best-selling book on cybersecurity, and was named MSP Titan of the Industry in 2024.