The CMMC requirement arrived at Precision Aero Components on a Tuesday in March, embedded in a contract modification from their prime. Page twenty-eight, paragraph 4.3.2: “The Contractor shall implement cybersecurity practices in accordance with DFARS 252.204-7021 and achieve CMMC Level 2 certification as a condition of continued performance.”
The plant manager, Ray Kowalski, read it standing at the mailroom counter. He flipped back to the cover page, confirmed it was real, and walked it down the hall to IT.
IT, at Precision Aero, is Brian. Brian also manages the phone system, the ERP server, the Wi-Fi, and the badge readers on the front door. Brian has a CompTIA A+ certification he earned in 2019 and a desk covered in sticky notes. He is good at what he does. What he does has never included implementing 110 security controls mapped to NIST SP 800-171, writing a System Security Plan, building an evidence architecture, or maintaining a continuous compliance posture between assessments.
Brian took the contract modification, leaned back in his chair, and did what any competent person would do: he Googled it. He found the NIST document. He found vendor websites selling assessment readiness. He found acronyms — POA&M, SSP, SPRS, CUI, FCI, C3PAO — that he had never encountered in his career. He printed the 110 controls. He read the first thirty and felt the familiar vertigo of being handed a problem that was not designed for one person to solve.
He walked back to Ray's office. “This is big,” he said. “Like, really big. I don't even know where to start.”
Ray said, “Figure it out. We have twelve months.”
Down the hall, twelve steps from Brian's desk, sat Linda Chen.
What Linda Already Does
Linda has managed Precision Aero's quality system for fourteen years. She built their AS9100 certification from scratch — wrote the quality manual over a long Thanksgiving weekend in 2012, sitting at this same desk with a pot of coffee and a highlighter, mapping every process in the shop against the standard. She designed the document control process. She developed the training program that every new hire goes through in their first week. She runs the internal audit schedule. She manages corrective action reports. She prepares for surveillance audits, hosts the auditor, responds to findings, and ensures the system stays current between visits.
Every year, Linda's quality system is examined by a third-party auditor who verifies that the management system governing people, processes, and technology at Precision Aero is functioning as documented. Every year, Linda produces evidence — not evidence she gathered for the audit, but evidence that was generated as a natural output of operating discipline. Training records. Document revision histories. Calibration logs. Nonconformance reports. Corrective action closures. Access control matrices for controlled documents and areas.
Linda keeps a whiteboard behind her desk. On it, in dry-erase marker that gets refreshed every Monday, are three columns: Open CARs, Upcoming Audits, Training Due. The whiteboard has been there for eleven years. It is the most reliable information system in the building.
Linda knows how to scope a management system. She knows how to document it so it reflects what actually happens, not what someone wishes happened. She knows how to train people so the procedures live in muscle memory, not in a binder on a shelf. She knows how to maintain it between audits because she knows that a management system that exists only on audit day is not a management system — it is theater. She knows how to generate evidence as a natural byproduct of operating discipline because she has been doing exactly that for fourteen years.
Nobody asked Linda about CMMC.
The Routing Problem
The contract modification said “cybersecurity.” That word triggered a mental model in Ray's head: IT department, technical controls, network security, passwords, firewalls. The requirement was routed to Brian not because Brian was the most qualified person to implement a management system, but because the label on the requirement matched the label on Brian's function.
This is a routing problem, and it is endemic across the Defense Industrial Base. The word “cybersecurity” acts as a filter. When a manufacturer hears “cybersecurity requirement,” the requirement is routed to the IT function — regardless of what the requirement actually demands. And what CMMC Level 2 actually demands is, in large part, the implementation and continuous maintenance of a management system that governs people, processes, and technology.
Of the 110 practices in NIST SP 800-171 Rev 2, organized across fourteen control families, the majority are not exclusively technical controls. Access management. Training and awareness. Configuration management. Media handling. Personnel security. Physical security. Incident response planning. Audit procedures. Risk assessment. These are operational management disciplines. They require organizational processes, documentation, training, evidence collection, and continuous maintenance.
That is not a description of an IT project. It is a description of a quality management system.
Linda has been running one for fourteen years.
The Parallel
Consider what CMMC Level 2 requires, and what Linda already practices:
Access Control. CMMC requires that the organization control who can access what — systems, data, and physical spaces. Linda already manages access control for controlled documents, calibrated equipment, restricted areas of the production floor, and the tool crib. She maintains access matrices. She processes access requests and revocations. Extending this discipline to information systems — who can access which servers, folders, and applications — follows the same logic she has applied to physical and document access for over a decade.
Awareness and Training. CMMC requires role-based security training with verified competency. Linda already runs the training management program for the entire shop. New hires complete quality orientation in their first week. Operators are trained on procedures before they touch a machine. Competency is verified. Training records are maintained. Extending this to information protection training — what CUI is, how to handle it, what to do if something goes wrong — fits inside the training infrastructure she already operates.
Configuration Management. CMMC requires change control for system configurations. Linda already manages change control for the quality system — document revisions, process changes, equipment modifications all flow through a formal change process with review, approval, and documentation. Extending this to IT configuration changes — server updates, software installations, network modifications — follows the same change management logic.
Incident Response. CMMC requires a plan for detecting, reporting, and responding to security incidents. Linda already manages the nonconformance and corrective action process. When something goes wrong on the production floor — a quality escape, a process deviation, a customer complaint — there is a structured process: detect, document, contain, analyze root cause, implement corrective action, verify effectiveness. A cybersecurity incident is a nonconformance in the information domain. The response framework is the same.
Brian does not know how to build these systems. He knows how to configure a firewall, set up multi-factor authentication, and manage endpoint protection. Those skills are essential — they are the technical inputs that the management system requires. But Brian cannot build the management system. Linda can. Linda already has.
Brian is one essential input. Linda is the operating envelope.
The Cost of the Bypass
Six months after the contract modification arrived, Precision Aero's CMMC readiness looks like this: Brian has purchased a SIEM tool he does not fully understand. He has written a System Security Plan that reads like a technical specification rather than a management system document. He has conducted one training session — a lunch-and-learn where he showed slides about phishing to an audience that politely ate their sandwiches and went back to work. He has not built an evidence architecture because he does not think in terms of evidence — he thinks in terms of configurations. The controls exist on paper. They do not exist in the operating rhythm of the organization.
Linda, meanwhile, has watched this from twelve steps away. She overheard Brian on the phone with the SIEM vendor last Tuesday, asking what “log aggregation” meant and how long the data retention policy should be. She thought about walking over. She thought about saying: “Brian, what you're describing is an evidence trail. I can show you how we do that for quality.” She didn't. Because the requirement said “cybersecurity” and she respects the boundary. Cybersecurity is Brian's area. Quality is hers. The labels told her it was not her problem.
The labels were wrong.
If someone had told Linda on that Tuesday in March — “This is a management system requirement. It uses NIST SP 800-171 as the standard. The management system needs to cover information protection the same way your quality system covers product quality. You already know how to scope it, document it, train people on it, maintain it between audits, and evidence it. Brian handles the technical controls — encryption, network segmentation, endpoint protection. You own the system” — Precision Aero would be six months ahead of where it is today.
Instead, it is six months behind. Not because the people are wrong. Because the word “cyber” routed the requirement past the one person in the building most equipped to carry it.
“My quality manager is the person you're writing about. She's been running our AS9100 system for twelve years. When the CMMC requirement came in, I gave it to my IT guy because it said 'cybersecurity' on it. She watched him struggle for six months. She never said anything because it wasn't her area. But everything he was trying to do — she does that in her sleep for our quality system.”
— Shop Owner, Tier 2–4 Manufacturer, 40 Employees
She already knew how. Nobody asked her.