It Takes the Whole Shop  ·  Chapter 3

He Already Runs One

Mike Dalton runs a 40-person AS9100 shop in Grand Rapids, making flight-critical components for a prime that feeds the F/A-18 Super Hornet program. His document control hasn't missed a revision in eleven years. Four consultants have told him to “build a cybersecurity program.” Nobody told him what they are asking him to build is what he already runs.

Mike Dalton's office is a glass-walled room at the corner of the shop floor. From his desk he can see all three CNC mills, both lathes, the wire EDM in the back corner, and the coordinate measuring machine that cost more than his first house. He has sat in this chair, in this room, for twenty-two years. The glass is there because Mike believes a shop owner should see the floor. The floor is where the work happens.

Mike runs an AS9100-certified machine shop in Grand Rapids, Michigan. Forty employees. He makes flight-critical components for a Tier 1 prime that feeds the F/A-18 Super Hornet program. His work has to be perfect every time, and it is, because his quality management system makes it so.

Mike can tell you the revision status of every procedure in his quality manual. He can tell you when the last surveillance audit was, what the findings were, and what corrective actions were taken. He can pull a calibration record for any tool in the shop in under two minutes. He knows which operators are certified on which machines, when their certifications expire, and what training they need to maintain currency. His document control process has not missed a revision in eleven years.

Mike has been told — by four different consultants, two webinars, his prime's supply chain director, and a pamphlet from his MEP center — that he needs to “build a cybersecurity program.”

Every time he hears that phrase, he glazes over.

Three Years of Paralysis

Mike's relationship with CMMC began in 2023, when his prime sent a letter informing him that the cybersecurity requirements flowing from DFARS were tightening and that he should “begin preparing.” He attended a webinar hosted by an RPO that spent ninety minutes talking about NIST SP 800-171, 110 controls, CUI identification, enclave architecture, and System Security Plans. He left the webinar knowing less than when he started — not because the information was wrong, but because every word of it was in a language he does not speak.

Mike does not think in terms of enclaves, system security plans, or security control baselines. He thinks in terms of procedures, work instructions, training records, and audit findings. He thinks in terms of management systems. He has run one his entire career.

The first consultant who visited his shop quoted him $150,000 for a “CMMC readiness engagement” that would take twelve to eighteen months. Mike walked the consultant to the door, shook his hand, and stood in the parking lot for five minutes afterward, staring at the building he built and wondering whether the defense work that pays forty families was still worth pursuing.

The second consultant quoted $85,000. The third suggested he start with a “gap assessment” for $25,000. All three described the work in cybersecurity language. All three assumed he was starting from zero.

Mike is not starting from zero. Mike has been running a management system that governs people, processes, and technology across his shop floor for twenty-two years. The system scopes which operations are in and out of the AS9100 certification boundary. It documents how each process works — not aspirationally, but actually. It trains every person in the organization on their role within the system. It maintains the system between audits through internal audits, management reviews, and corrective action processes. It generates evidence — not for the auditor, but as a natural output of how the shop operates.

That is exactly what NIST SP 800-171 requires for information protection.

Nobody has told Mike this.

What Mike Already Runs

Mike's quality management system already covers the organizational disciplines that form the backbone of CMMC Level 2. Consider the parallels:

His access control is rigorous. Not everyone can access the production floor. Not everyone can use the CMM. Not everyone can approve a first-article inspection. Access is granted based on role, verified through training, and revoked when people leave or change positions. Extending this to information access — who can reach which systems, which folders, which applications — follows the same governance logic Mike already applies every day.

His document control is meticulous. Every procedure has a revision number. Every change goes through a review and approval process. Superseded documents are removed from circulation. The current version is always the version in use. Extending this to IT configuration management — ensuring that system configurations are documented, changes are controlled, and the operating baseline is always current — is the same discipline applied to a different asset.

His training program is comprehensive. Every new hire is trained on the quality manual before they touch a machine. Operators are certified on specific equipment. Training records are maintained and reviewed. Competency is verified, not assumed. Extending this to information protection training — what CUI is, how it flows through the shop, what each person's responsibilities are — fits inside the training management infrastructure Mike already operates.

His nonconformance process is proven. When something goes wrong — a dimension is out of tolerance, a customer returns a part, an internal audit finds a gap — the process is clear: document, contain, investigate root cause, implement corrective action, verify effectiveness. A cybersecurity incident — a phishing email opened, an unauthorized device connected, a suspected data exposure — follows the same logic. It is a nonconformance in the information domain.

His management review process drives continuous improvement. Quarterly, Mike sits down with his leadership team and reviews quality system performance: audit results, customer feedback, corrective action trends, training currency, process metrics. Extending this to include information protection metrics — security incidents, access review completion, training currency on CUI handling, evidence generation rates — adds a dimension to an existing meeting, not a new meeting to the calendar.

Mike does not need to build a cybersecurity program. Mike needs to extend the quality management system he already runs to cover a new asset class: information.

The Language Barrier

The reason Mike has spent three years paralyzed is not that the task is beyond him. It is that every person who has described the task used the wrong language.

“Build a cybersecurity program” tells Mike he needs to create something he doesn't have. “Extend your quality management system to cover information protection” tells Mike he needs to expand something he already runs. The first framing produces paralysis. The second produces action. The task is the same. The encoding is different.

When a consultant tells Mike he needs “110 security controls,” Mike hears an alien imposition from a world he doesn't belong to. When someone tells Mike he needs to “apply the same quality disciplines you already practice — access control, training, documentation, change management, incident response, evidence generation — to the information that flows through your shop,” Mike knows exactly what to do. He's done it for twenty-two years.

The consultants weren't wrong about what Mike needs. They were wrong about the language they used to describe it. The language created a barrier that didn't need to exist.

One Thursday afternoon, after the third consultant left, Mike sat in his glass-walled office and looked at the 110-control printout on his desk. He picked up a highlighter — the yellow one Linda Chen at Precision Aero would have recognized — and started reading. By control thirty, he stopped highlighting. Not because the controls didn't apply. Because he realized he was highlighting things his quality system already did. Access control. Training. Document management. Change control. Incident response. He was staring at his own management system, described in a language he had been told was foreign.

He put the highlighter down. He looked through the glass at the shop floor — the three CNC mills, the two lathes, the wire EDM, the CMM. He thought: I already run one. Why did they tell me to build another?

“Nobody — not one person — has ever told me that protecting information is the same kind of discipline as my quality system. That it fits inside the management system I already run. Every time I hear 'cyber,' I think 'I need to hire an IT person I can't afford.' If someone told me 'extend your quality system to cover information protection,' I'd know exactly where to start.”

— Shop Owner, Tier 2–4 Manufacturer, 40 Employees

Mike already runs a quality management system. It governs people, processes, and technology. It is scoped, documented, trained, maintained, and evidenced. It survives audits because it operates between audits. It is, in every structural sense, the operating model CMMC requires.

He already runs one. He just needs someone to tell him.

From It Takes the Whole Shop by David Kirubi. Published by Qualified Capacity Press.

The characters and organizations depicted in the narrative chapters are composites drawn from interviews, practitioner conversations, and industry experience across the Defense Industrial Base. They are representative of patterns observed across the sector and do not portray specific individuals, companies, or organizations.

If it's not qualified, it's not capacity.™