Key Takeaways
- Senior Flexonics Pathway, a defense-sector manufacturer with three U.S. facilities, engaged ITECS to build the technology and policy infrastructure required for CMMC Level 2 certification
- ITECS deployed dual next-generation firewalls in high-availability mode at each location, established NIST 800-171 policy documentation, and implemented EDR/MDR across all endpoints
- After achieving compliance readiness, ITECS transitioned into an ongoing 24/7 NOC relationship providing managed firewall services, network monitoring, and continuous threat detection
- The engagement demonstrates how a manufacturing company with ITAR-regulated operations can move from compliance gap to certification-ready posture with a single managed security partner
When Senior Flexonics Pathway — a manufacturer of precision metal expansion joints and damper systems used in defense, aerospace, and industrial applications — realized that CMMC certification was no longer optional for their DoD supply chain work, they faced a question that thousands of defense contractors across the country are now confronting: how do you build a compliance-ready cybersecurity posture from the ground up, across multiple facilities, without disrupting the manufacturing operations that keep contracts moving?
The answer, for Senior Flexonics Pathway, was a partnership with ITECS that started with documentation and policy architecture, moved through enterprise firewall deployment at three locations, and evolved into an ongoing managed security relationship that now serves as their 24/7 network operations center.
This is the story of how that engagement unfolded — and what it teaches other manufacturers about the practical path to CMMC compliance.
About Senior Flexonics Pathway
Senior Flexonics Pathway — a subsidiary of Senior plc, headquartered in New Braunfels, Texas
Senior Flexonics Pathway is a division of Senior plc, a FTSE-listed international manufacturing group. The company engineers and manufactures metal expansion joints, fabric expansion joints, and industrial damper products at facilities in New Braunfels, Texas; Lewiston, Maine; and an additional U.S. site. Their products serve power generation, petrochemical, aerospace, and defense applications — including work governed by International Traffic in Arms Regulations (ITAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).
With over 100 years of combined engineering expertise and a workforce that handles Controlled Unclassified Information (CUI) as part of defense supply chain operations, Senior Flexonics Pathway fell squarely into the category of contractors that would need CMMC Level 2 certification to continue bidding on DoD contracts [DoD CMMC Program].
The Challenge: CMMC Compliance Across Three Manufacturing Facilities
CMMC Level 2 maps directly to the 110 security controls defined in NIST SP 800-171 Revision 2. For a manufacturing company operating across multiple physical locations, meeting these controls is significantly more complex than for a single-site office environment. Senior Flexonics Pathway faced several compounding challenges:
- Multi-site network architecture: Three geographically dispersed facilities, each with its own network topology, operational technology (OT) systems, and connection requirements
- CUI data flows: Controlled Unclassified Information moving between sites, to defense prime contractors, and through engineering and manufacturing systems that were never designed with CMMC controls in mind
- Legacy infrastructure: Manufacturing environments that included a mix of modern IT systems and legacy equipment typical of industrial operations
- Policy vacuum: The company needed not just technical controls but the full complement of written policies, procedures, and documentation required to demonstrate compliance to a C3PAO assessor
- Operational continuity: Any security improvements had to be implemented without interrupting active manufacturing operations and contract deliverables
The scope of work was clear: Senior Flexonics Pathway needed a partner who could handle the full spectrum — from writing the System Security Plan to deploying enterprise firewalls to providing ongoing monitoring — as a single, accountable relationship.
Senior Flexonics Pathway CMMC engagement scope:
- 3 manufacturing facilities secured
- 110 NIST 800-171 controls addressed
- 6 next-gen firewalls deployed (HA pairs)
Phase 1: Building the CMMC Documentation and Policy Foundation
Before a single firewall was racked or an endpoint agent deployed, ITECS started where every successful CMMC engagement must begin: documentation. A C3PAO assessor doesn't just verify that controls exist — they verify that controls are documented, that policies govern their operation, and that evidence demonstrates ongoing compliance. For Senior Flexonics Pathway, this meant building the entire policy architecture from scratch.
System Security Plan (SSP) Development
The System Security Plan is the cornerstone of CMMC Level 2 compliance. ITECS developed a comprehensive SSP that mapped every one of the 110 NIST 800-171 controls to Senior Flexonics Pathway's specific environment — documenting how each control was implemented, which systems were in scope, and how CUI boundaries were defined across the three-site network.
This wasn't a template exercise. Each facility had different network configurations, different user populations, and different CUI touchpoints. The SSP had to reflect the actual operational reality of each site while demonstrating consistent control implementation across the organization.
Policy and Procedure Documentation
ITECS created the full suite of security policies required by NIST 800-171, including:
- Access Control Policy: Defining role-based access, least privilege principles, and session management requirements across all three facilities
- Incident Response Plan: Establishing detection, containment, eradication, and recovery procedures with specific escalation paths for CUI-related incidents
- Configuration Management Policy: Documenting baseline configurations for all in-scope systems, change control procedures, and hardening standards
- Media Protection Policy: Governing how CUI is stored, transported, and sanitized across physical and digital media
- Personnel Security Policy: Including screening requirements, access termination procedures, and ITAR-specific workforce controls
- Risk Assessment Policy: Establishing the cadence and methodology for ongoing vulnerability assessments and risk evaluations
- Audit and Accountability Policy: Defining logging requirements, retention periods, and review procedures for security-relevant events
Each policy was written to satisfy not only CMMC assessor requirements but also the broader DFARS 7012 and ITAR compliance obligations that Senior Flexonics Pathway operates under as a defense manufacturer.
Plan of Action and Milestones (POA&M)
For controls that could not be immediately implemented — a reality in any complex manufacturing environment — ITECS developed a detailed Plan of Action and Milestones documenting each gap, the planned remediation, responsible parties, and target completion dates. This document served as the roadmap for the technical implementation phases that followed.
Why Documentation Matters for C3PAO Assessments:
During a CMMC Level 2 assessment, C3PAO assessors evaluate three things for each control: the policy that governs it, the technical implementation that enforces it, and the evidence that proves it operates continuously. Without thorough documentation, even perfectly implemented technical controls can receive a "Not Met" finding. ITECS builds documentation that satisfies all three assessment dimensions from the start.
Phase 2: Enterprise Firewall Deployment — Dual HA Pairs Across Three Sites
With the policy foundation established, ITECS moved into the most technically demanding phase of the engagement: deploying enterprise-grade network security infrastructure across Senior Flexonics Pathway's three manufacturing facilities.
The Architecture: Dual Firewalls in High-Availability Mode
NIST 800-171 Control Family 3.13 (System and Communications Protection) requires boundary protection that monitors, controls, and protects organizational communications at external and key internal boundaries [NIST SP 800-171]. For a multi-site manufacturer handling CUI, this means enterprise-grade firewalls that can enforce segmentation between IT and OT networks, inspect traffic at the application layer, and log every relevant event for audit purposes.
ITECS designed and deployed a managed firewall architecture consisting of dual next-generation firewalls at each of Senior Flexonics Pathway's three facilities — six firewalls total — configured in active-passive high-availability (HA) mode. This architecture ensures that:
- Zero single points of failure: If the primary firewall at any site experiences a hardware or software failure, the secondary unit assumes all traffic processing within seconds, with no interruption to manufacturing operations or CUI data flows
- Stateful failover: Active sessions, VPN tunnels, and security policies transfer seamlessly to the standby unit, so users and systems experience no disruption during a failover event
- Consistent policy enforcement: All six firewalls are managed centrally by ITECS, ensuring identical security policies, intrusion prevention signatures, and access rules across every site
- CUI boundary protection: Network segmentation isolates CUI-processing systems from general-purpose IT and guest networks, with firewall rules that enforce NIST 800-171 boundary protection requirements
Figure: Senior Flexonics Pathway multi-site firewall architecture. Dual HA pairs at each facility, with all six firewalls managed centrally by the ITECS 24/7 NOC (centralized management, monitoring and incident response) with real-time monitoring and automated failover.
| Site | Role | Active unit | Standby unit |
|---|---|---|---|
| New Braunfels, TX | Primary manufacturing facility | FW-1A | FW-1B |
| Lewiston, ME | Secondary manufacturing facility | FW-2A | FW-2B |
| Facility 3 | Additional U.S. site | FW-3A | FW-3B |
Procurement and Implementation
ITECS handled the full lifecycle: hardware procurement, rack installation, firmware updates, HA pair configuration, VPN tunnel establishment between sites, and rule set development. The firewall rule sets were designed specifically to enforce the CUI boundaries defined in the System Security Plan, with explicit allow/deny policies for every traffic flow that touches systems processing controlled information.
The implementation was staged site-by-site to minimize risk and ensure manufacturing operations continued uninterrupted throughout the transition. Each site cutover included a validation period with parallel monitoring before the legacy perimeter equipment was decommissioned.
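A vendor-neutral audit of the properties described above (one active and one standby unit per site, identical rule sets on all six firewalls, and deny-by-default protection of the CUI zone), given here as an added example that is not ITECS tooling or code from the original page. The inventory format, zone names and rules are constructed assumptions; only the site and firewall names follow the architecture figure.

```python
import hashlib
import json

# Constructed baseline: zone names, ports and rule fields are assumptions,
# not a vendor export format or the rule set from the engagement.
BASELINE = [
    {"src": "cui", "dst": "site-vpn", "port": 443, "action": "allow"},
    {"src": "guest", "dst": "cui", "port": "any", "action": "deny"},
    {"src": "any", "dst": "any", "port": "any", "action": "deny"},
]

def rules_digest(rules):
    """SHA-256 over canonical JSON so key order cannot mask or fake drift."""
    blob = json.dumps(rules, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def audit(inventory, baseline=BASELINE):
    """Return sorted (site_or_firewall, finding) tuples; empty list means clean."""
    findings, want = [], rules_digest(baseline)
    for site, units in inventory.items():
        roles = sorted(u["role"] for u in units.values())
        if roles != ["active", "standby"]:
            findings.append((site, f"HA roles {roles}: need one active, one standby"))
        for name, fw in units.items():
            rules = fw["rules"]
            if rules_digest(rules) != want:
                findings.append((name, "rule set differs from approved baseline"))
            last = rules[-1] if rules else {}
            if (last.get("src"), last.get("dst"), last.get("action")) != ("any", "any", "deny"):
                findings.append((name, "no final deny-all rule (3.13.6)"))
            for r in rules:
                if r["action"] == "allow" and r["dst"] == "cui" and r["src"] in ("guest", "any"):
                    findings.append((name, f"allows {r['src']} traffic into CUI zone"))
    return sorted(findings)

def unit(role, rules=BASELINE):
    """Build one firewall record with its own copy of the rule list."""
    return {"role": role, "rules": [dict(r) for r in rules]}

def sample_inventory():
    """Constructed state: FW-2B has drifted, Facility 3 shows two active units."""
    drifted = [{"src": "guest", "dst": "cui", "port": 3389, "action": "allow"}] + BASELINE
    return {
        "New Braunfels, TX": {"FW-1A": unit("active"), "FW-1B": unit("standby")},
        "Lewiston, ME": {"FW-2A": unit("active"), "FW-2B": unit("standby", drifted)},
        "Facility 3": {"FW-3A": unit("active"), "FW-3B": unit("active", BASELINE[:-1])},
    }

if __name__ == "__main__":
    for where, finding in audit(sample_inventory()):
        print(f"{where}: {finding}")
```

Run on a schedule against real exports, the findings list doubles as assessment evidence: an empty result on a dated run shows the boundary policy matched the approved baseline on that day.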
Phase 3: Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR)
Firewall protection secures the network perimeter, but CMMC Level 2 also requires controls at the endpoint level — every workstation, server, and mobile device that accesses CUI must be protected against malware, monitored for anomalous behavior, and capable of producing audit logs that satisfy NIST 800-171 requirements.
ITECS deployed endpoint detection and response (EDR) agents across all endpoints in Senior Flexonics Pathway's environment. The EDR solution provides:
- Real-time threat detection: Behavioral analysis and threat intelligence that catches malware, ransomware, and fileless attacks that signature-based antivirus misses
- Automated response: Immediate isolation of compromised endpoints to prevent lateral movement — critical in environments handling CUI where a breach could trigger DFARS 7012 reporting obligations
- Forensic telemetry: Detailed event logs that satisfy NIST 800-171 audit and accountability controls (Control Family 3.3)
- Centralized management: All endpoints across all three facilities are monitored from the ITECS SOC, providing consistent visibility regardless of site location
The EDR deployment was paired with ITECS's managed detection and response (MDR) service, which adds human-led threat hunting and investigation to the automated detection capabilities. ITECS security analysts review alerts, correlate events across the firewall and endpoint layers, and escalate confirmed threats with full context and remediation guidance — 24 hours a day, 365 days a year.
Phase 4: ITECS as the 24/7 Network Operations Center
With the technical infrastructure in place and the documentation foundation established, the ITECS engagement transitioned from a project-based implementation into an ongoing managed services relationship. ITECS now serves as Senior Flexonics Pathway's 24/7 Network Operations Center (NOC), providing:
| Service | What ITECS Delivers | CMMC Controls Addressed |
|---|---|---|
| Managed Firewall Services | 24/7 monitoring, rule management, firmware updates, and HA failover validation for all six firewalls | 3.13.1, 3.13.2, 3.13.5, 3.13.6 |
| Network Monitoring | Infrastructure health, bandwidth utilization, uptime tracking, and anomaly detection across all three sites | 3.14.6, 3.14.7, 3.3.1 |
| EDR/MDR | Continuous endpoint monitoring, threat hunting, automated containment, and incident investigation | 3.14.1, 3.14.2, 3.14.3, 3.14.5 |
| Incident Response | Defined escalation paths, containment procedures, and DFARS 7012 breach notification support | 3.6.1, 3.6.2, 3.6.3 |
| Compliance Maintenance | Ongoing SSP updates, POA&M tracking, evidence collection, and quarterly executive reporting | 3.12.1, 3.12.2, 3.12.3, 3.12.4 |
This ongoing relationship is what separates a compliance project from a compliance posture. CMMC certification isn't a moment in time — it's a continuous obligation. The controls that satisfy a C3PAO assessor during the initial assessment must remain operational, documented, and evidenced on an ongoing basis. ITECS's role as the 24/7 NOC ensures that Senior Flexonics Pathway's security posture doesn't degrade after the assessment team leaves.
The CMMC Timeline: From Engagement to Certification Readiness
Weeks 1–4: Discovery and Policy Development
ITECS conducted site visits to all three facilities, inventoried systems, mapped CUI data flows, and developed the complete SSP, POA&M, and policy documentation suite.
Weeks 5–8: Firewall Procurement and Staging
Hardware procurement, firmware standardization, HA pair configuration in the ITECS lab, and rule set development based on the CUI boundary definitions in the SSP.
Weeks 9–14: Staged Deployment
Site-by-site firewall installation, VPN tunnel establishment, EDR agent deployment, and parallel monitoring validation. Each site cutover completed with zero production downtime.
Weeks 15–18: Hardening and Evidence Collection
MFA enforcement, access control tightening, logging configuration, and systematic evidence collection for all 110 controls. SSP updated to reflect as-built configurations.
Ongoing: 24/7 NOC and Compliance Maintenance
Transition to managed services model. ITECS operates as the continuous monitoring, managed firewall, and EDR/MDR provider — maintaining the compliance posture between assessments.
Why This Engagement Model Works for Manufacturing
The Senior Flexonics Pathway engagement illustrates a pattern that applies broadly across the defense industrial base: manufacturing companies need a compliance partner that can handle both the policy layer and the technology layer, because in CMMC, they are inseparable.
A consulting firm that writes great policies but doesn't deploy and manage the firewalls leaves a gap between documentation and reality. A technology vendor that racks firewalls but doesn't write the SSP leaves the manufacturer scrambling for documentation when the C3PAO arrives. ITECS closes both gaps by delivering cybersecurity consulting, managed firewall services, and network monitoring under a single managed relationship.
For manufacturers evaluating their CMMC readiness, the key lessons from this engagement are:
- Start with documentation, not technology. The SSP defines the CUI boundaries that determine your firewall architecture, your endpoint scope, and your access control policies. Technology decisions flow from the SSP, not the other way around.
- Plan for high availability. Manufacturing can't tolerate network outages. Dual-firewall HA pairs are not a luxury for defense manufacturers — they are an operational necessity that also satisfies NIST 800-171 system availability requirements.
- Treat compliance as an operating model, not a project. The controls don't stop mattering after the assessment. A 24/7 NOC relationship ensures that firewall rules stay current, endpoints stay protected, and evidence stays fresh for the next assessment cycle.
- Choose a partner with the full stack. Compliance readiness requires policy expertise, infrastructure engineering, endpoint security, and ongoing operations. Splitting these across multiple vendors creates accountability gaps that assessors will find.
What CMMC Phase 2 Means for Manufacturers in 2026
The timing of Senior Flexonics Pathway's engagement is significant. CMMC Phase 2, which begins in November 2026, will require most contractors handling CUI to undergo third-party C3PAO assessments — not just self-assessments [DoD CMMC Program]. Defense primes including Lockheed Martin, Boeing, and Northrop Grumman are already requiring compliance documentation from their supply chains, and assessment fees are projected to range from $75,000 to $150,000 as demand outstrips the supply of certified assessors [Petronella Cybersecurity].
For manufacturers that have not yet started their compliance journey, the window is narrowing. The typical path from gap assessment to certification readiness takes six to twelve months of dedicated effort — and that timeline assumes you have a partner who can execute the policy, technology, and operational components in parallel rather than sequentially.
The Ongoing Partnership: How ITECS Maintains Compliance Posture
Today, the ITECS–Senior Flexonics Pathway relationship is a 24/7 managed security operation. The project phase is complete, but the operational phase — which is arguably more important for sustained compliance — continues daily.
ITECS engineers monitor all six firewalls, all endpoints, and all network infrastructure around the clock. When a firewall rule change is needed — whether triggered by a new application deployment, a vendor access request, or a change in the CUI boundary — ITECS manages the change through a documented change control process that maintains SSP accuracy. When the EDR platform detects a potential threat, ITECS analysts investigate, contain if necessary, and provide Senior Flexonics Pathway leadership with a clear incident summary.
ITECS engineers provide ongoing 24/7 monitoring, managed firewall services, and incident response as Senior Flexonics Pathway's dedicated NOC partner
This is what managed IT services look like when purpose-built for defense manufacturing: not just keeping systems running, but keeping compliance current, evidence fresh, and the organization ready for its next C3PAO assessment at any moment.
Sources
- DoD CMMC Program — CMMC 2.0 Details and Key Resources
- NIST SP 800-171 Revision 2 — Protecting Controlled Unclassified Information
- Petronella Cybersecurity — CMMC 2.0 Complete Guide: Requirements, Levels & Timeline (2026)
- Senior Flexonics — ITAR Compliance
