CMMC Level 2 Compliance for Defense Manufacturing: Senior Flexonics Pathway Case Study
✓ Key Takeaways
- Senior Flexonics Pathway, a defense-sector manufacturer of precision expansion joints and damper systems with three U.S. facilities, engaged ITECS to build the complete technology and policy infrastructure required for CMMC Level 2 certification.
- ITECS delivered end-to-end compliance readiness: System Security Plan development, NIST 800-171 policy documentation, Plan of Action and Milestones, dual high-availability firewall deployment at all three sites, EDR/MDR implementation across all endpoints, and structured evidence collection for all 110 controls.
- The multi-site firewall architecture — six next-generation firewalls deployed in active-passive HA pairs across three geographically dispersed manufacturing facilities — provides zero-single-point-of-failure boundary protection with CUI-specific network segmentation.
- Following the project phase, ITECS transitioned into an ongoing 24/7 Network Operations Center relationship, providing managed firewall services, network monitoring, EDR/MDR, and continuous compliance maintenance — ensuring the security posture remains assessment-ready at all times.
- The engagement demonstrates a repeatable model for defense manufacturers: a single managed security partner that delivers both the policy documentation and the technical infrastructure required by CMMC, eliminating the accountability gaps that arise from multi-vendor compliance approaches.
Executive Summary
The Cybersecurity Maturity Model Certification (CMMC) program represents the most significant cybersecurity compliance mandate to affect the U.S. defense industrial base in a generation. With CMMC Phase 2 requiring third-party assessments for contractors handling Controlled Unclassified Information (CUI) beginning in November 2026, thousands of manufacturers, subcontractors, and suppliers across the defense supply chain must demonstrate compliance with all 110 security controls defined in NIST SP 800-171 — or risk losing eligibility for Department of Defense contracts.
This white paper documents how ITECS planned and executed a comprehensive CMMC Level 2 compliance program for Senior Flexonics Pathway, a defense-sector manufacturer of precision metal expansion joints and damper systems operating across three U.S. facilities. The engagement encompassed every dimension of compliance readiness: policy and documentation development, enterprise network security architecture, endpoint protection, and the transition into an ongoing 24/7 managed security operations relationship.
The case illustrates a model that is directly applicable to other manufacturers in the defense industrial base — particularly those operating across multiple physical facilities, handling ITAR-regulated work, and seeking a single accountable partner to deliver both the policy layer and the technology layer that CMMC demands.
For a narrative account of this engagement, see the companion blog post: How The Dallas ITECS Team Helped a Manufacturing Company Achieve Full CMMC Compliance.
Industry Context: CMMC and the Defense Manufacturing Supply Chain
The defense industrial base (DIB) encompasses approximately 300,000 companies that supply goods and services to the Department of Defense. Of these, the vast majority are small and mid-sized manufacturers, machine shops, and engineering firms that produce components, assemblies, and specialized products for defense prime contractors. These organizations process Controlled Unclassified Information — technical drawings, specifications, test data, and logistics information — as a routine part of their operations.
The CMMC Compliance Mandate
CMMC 2.0 establishes three certification levels. Level 1 requires basic cyber hygiene (17 practices, self-assessment). Level 2 — the focus of this white paper — requires implementation of all 110 security controls from NIST SP 800-171 Revision 2, verified by a certified third-party assessment organization (C3PAO). Level 3 adds additional controls from NIST SP 800-172 for organizations handling the most sensitive programs.
For manufacturers handling CUI — which includes the majority of companies in the defense supply chain that work with technical data — CMMC Level 2 certification will be required as a condition of contract award. Phase 1 (December 2024) began including CMMC requirements in select contracts. Phase 2 (November 2026) will expand this requirement broadly, making C3PAO assessments a prerequisite for the majority of CUI-handling contractors.
The Manufacturing Compliance Challenge
Manufacturing environments present unique CMMC challenges that distinguish them from office-based contractors:
- Operational technology (OT) convergence: Manufacturing facilities operate CNC machines, PLCs, SCADA systems, and industrial control equipment that may reside on the same network as IT systems processing CUI. Segmentation and boundary protection must account for both IT and OT requirements without disrupting production.
- Multi-site complexity: Manufacturers often operate across multiple facilities with different network topologies, equipment profiles, and operational requirements. Each site must independently satisfy boundary protection, access control, and monitoring requirements.
- ITAR overlay: Defense manufacturers handling articles or technical data covered by the International Traffic in Arms Regulations (ITAR) face additional access control requirements that must be integrated with — not layered on top of — their CMMC implementation.
- Uptime requirements: Manufacturing operations cannot tolerate network outages. Security infrastructure must be designed for continuous availability with automated failover, not just security effectiveness.
- Resource constraints: Most defense manufacturers lack dedicated cybersecurity staff. The compliance program must be implementable and maintainable without building an internal security operations team.
Client Profile: Senior Flexonics Pathway
Senior Flexonics Pathway — a subsidiary of Senior plc, headquartered in New Braunfels, Texas
Senior Flexonics Pathway is a division of Senior plc, a FTSE-listed international manufacturing group. The company engineers and manufactures metal expansion joints, fabric expansion joints, and industrial damper products at facilities in New Braunfels, Texas; Lewiston, Maine; and an additional U.S. site. Their products serve power generation, petrochemical, aerospace, and defense applications — including work governed by International Traffic in Arms Regulations (ITAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).
With over 100 years of combined engineering expertise and a workforce that handles Controlled Unclassified Information (CUI) as part of defense supply chain operations, Senior Flexonics Pathway fell squarely into the category of contractors that would need CMMC Level 2 certification to continue bidding on DoD contracts.
| Attribute | Detail |
|---|---|
| Industry | Defense Manufacturing — Precision Expansion Joints & Damper Systems |
| Parent Company | Senior plc (FTSE-listed) |
| Headquarters | New Braunfels, Texas |
| Facilities | Three U.S. manufacturing sites (New Braunfels, TX; Lewiston, ME; additional site) |
| Regulatory Environment | ITAR, DFARS 7012, NIST 800-171, CMMC Level 2 |
| Engagement Model | Project-based CMMC implementation transitioning to 24/7 managed security (NOC) |
The Challenge: CMMC Compliance Across Three Manufacturing Facilities
CMMC Level 2 maps directly to the 110 security controls defined in NIST SP 800-171 Revision 2. For a manufacturing company operating across multiple physical locations, meeting these controls is significantly more complex than for a single-site office environment. Senior Flexonics Pathway faced several compounding challenges:
- Multi-site network architecture: Three geographically dispersed facilities, each with its own network topology, operational technology (OT) systems, and connection requirements. Each site represented a distinct security boundary that needed to satisfy controls independently while maintaining consistent policy enforcement across the organization.
- CUI data flows: Controlled Unclassified Information moving between sites, to defense prime contractors, and through engineering and manufacturing systems that were never designed with CMMC controls in mind. Mapping these data flows was essential to defining the CUI boundary that would drive every subsequent technical decision.
- Legacy infrastructure: Manufacturing environments that included a mix of modern IT systems and legacy equipment typical of industrial operations. The security architecture had to accommodate systems that could not be easily patched or reconfigured without impacting production.
- Policy vacuum: The company needed not just technical controls but the full complement of written policies, procedures, and documentation required to demonstrate compliance to a C3PAO assessor. No existing documentation framework existed.
- Operational continuity: Any security improvements had to be implemented without interrupting active manufacturing operations and contract deliverables. Downtime in a defense manufacturing environment has direct contractual and financial consequences.
The scope of work was clear: Senior Flexonics Pathway needed a partner who could handle the full spectrum — from writing the System Security Plan to deploying enterprise firewalls to providing ongoing monitoring — as a single, accountable relationship.
Engagement Scope at a Glance
[Infographic: engagement metrics (sites secured, controls addressed, firewalls deployed in HA pairs, 24/7 NOC & managed security); the figures themselves are not recoverable from this page]
Senior Flexonics Pathway CMMC Level 2 compliance engagement metrics
The ITECS Approach: Full-Stack CMMC Compliance
The ITECS methodology for CMMC compliance is built on a principle that separates successful engagements from compliance failures: documentation and technology must be developed in lockstep. A consulting firm that writes great policies but doesn't deploy and manage the firewalls leaves a gap between documentation and reality. A technology vendor that racks firewalls but doesn't write the SSP leaves the manufacturer scrambling for documentation when the C3PAO arrives.
ITECS closes both gaps by delivering cybersecurity consulting, managed firewall services, endpoint detection and response, and network monitoring under a single managed relationship. For Senior Flexonics Pathway, this translated into a four-phase engagement that moved from policy architecture through technical deployment to ongoing operations.
Phase 1: CMMC Documentation and Policy Foundation
Before a single firewall was racked or an endpoint agent deployed, ITECS started where every successful CMMC engagement must begin: documentation. A C3PAO assessor doesn't just verify that controls exist — they verify that controls are documented, that policies govern their operation, and that evidence demonstrates ongoing compliance. For Senior Flexonics Pathway, this meant building the entire policy architecture from scratch.
System Security Plan (SSP) Development
The System Security Plan is the cornerstone of CMMC Level 2 compliance. ITECS developed a comprehensive SSP that mapped every one of the 110 NIST 800-171 controls to Senior Flexonics Pathway's specific environment — documenting how each control was implemented, which systems were in scope, and how CUI boundaries were defined across the three-site network.
This was not a template exercise. Each facility had different network configurations, different user populations, and different CUI touchpoints. The SSP had to reflect the actual operational reality of each site while demonstrating consistent control implementation across the organization.
Policy and Procedure Documentation
ITECS created the full suite of security policies required by NIST 800-171, including:
- Access Control Policy: Defining role-based access, least privilege principles, and session management requirements across all three facilities
- Incident Response Plan: Establishing detection, containment, eradication, and recovery procedures with specific escalation paths for CUI-related incidents and DFARS 7012 breach notification requirements
- Configuration Management Policy: Documenting baseline configurations for all in-scope systems, change control procedures, and hardening standards
- Media Protection Policy: Governing how CUI is stored, transported, and sanitized across physical and digital media
- Personnel Security Policy: Including screening requirements, access termination procedures, and ITAR-specific workforce controls
- Risk Assessment Policy: Establishing the cadence and methodology for ongoing vulnerability assessments and risk evaluations
- Audit and Accountability Policy: Defining logging requirements, retention periods, and review procedures for security-relevant events
Each policy was written to satisfy not only CMMC assessor requirements but also the broader DFARS 7012 and ITAR compliance obligations that Senior Flexonics Pathway operates under as a defense manufacturer.
Plan of Action and Milestones (POA&M)
For controls that could not be immediately implemented — a reality in any complex manufacturing environment — ITECS developed a detailed Plan of Action and Milestones documenting each gap, the planned remediation, responsible parties, and target completion dates. This document served as the roadmap for the technical implementation phases that followed.
Why Documentation Matters for C3PAO Assessments:
During a CMMC Level 2 assessment, C3PAO assessors evaluate three dimensions for each control: the policy that governs it, the technical implementation that enforces it, and the evidence that proves it operates continuously. Without thorough documentation, even perfectly implemented technical controls can receive a "Not Met" finding. ITECS builds documentation that satisfies all three assessment dimensions from the start — so that the technology deployment and the compliance documentation are always in alignment.
Phase 2: Enterprise Firewall Deployment — Dual HA Pairs Across Three Sites
With the policy foundation established and CUI boundaries defined in the SSP, ITECS moved into the most technically demanding phase of the engagement: deploying enterprise-grade network security infrastructure across Senior Flexonics Pathway's three manufacturing facilities.
Architecture: Dual Firewalls in High-Availability Mode
NIST 800-171 Control Family 3.13 (System and Communications Protection) requires boundary protection that monitors, controls, and protects organizational communications at external and key internal boundaries. For a multi-site manufacturer handling CUI, this means enterprise-grade firewalls that can enforce segmentation between IT and OT networks, inspect traffic at the application layer, and log every relevant event for audit purposes.
ITECS designed and deployed a managed firewall architecture consisting of dual next-generation firewalls at each of Senior Flexonics Pathway's three facilities — six firewalls total — configured in active-passive high-availability (HA) mode. This architecture ensures:
- Zero single points of failure: If the primary firewall at any site experiences a hardware or software failure, the secondary unit assumes all traffic processing within seconds, with no interruption to manufacturing operations or CUI data flows
- Stateful failover: Active sessions, VPN tunnels, and security policies transfer seamlessly to the standby unit, so users and systems experience no disruption during a failover event
- Consistent policy enforcement: All six firewalls are managed centrally by ITECS, ensuring identical security policies, intrusion prevention signatures, and access rules across every site
- CUI boundary protection: Network segmentation isolates CUI-processing systems from general-purpose IT and guest networks, with firewall rules that enforce NIST 800-171 boundary protection requirements
Senior Flexonics Pathway — Multi-Site Firewall Architecture
| Site | Role | Active Firewall | Standby Firewall |
|---|---|---|---|
| New Braunfels, TX | Primary manufacturing facility | FW-1A | FW-1B |
| Lewiston, ME | Secondary manufacturing facility | FW-2A | FW-2B |
| Facility 3 | Additional U.S. site | FW-3A | FW-3B |
All three HA pairs report to the ITECS 24/7 NOC for centralized management, monitoring and incident response.
Figure 1: All six firewalls managed centrally by ITECS with real-time monitoring and automated failover
Multi-site firewall architecture with dual HA pairs at each Senior Flexonics Pathway facility, centrally managed by the ITECS 24/7 NOC
Procurement, Staging, and Implementation
ITECS handled the full lifecycle: hardware procurement, rack installation, firmware updates, HA pair configuration, VPN tunnel establishment between sites, and rule set development. The firewall rule sets were designed specifically to enforce the CUI boundaries defined in the System Security Plan, with explicit allow/deny policies for every traffic flow that touches systems processing controlled information.
The implementation was staged site-by-site to minimize risk and ensure manufacturing operations continued uninterrupted throughout the transition. Each site cutover included a validation period with parallel monitoring before the legacy perimeter equipment was decommissioned.
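The rule-set principle described above (an explicit, logged allow or deny for every flow that touches CUI systems, with nothing falling through to a platform default) can be checked mechanically before a change is pushed to a firewall. The following is an added example, not ITECS's or Senior Flexonics Pathway's configuration or tooling: the zone names (`cui`, `ot`, `guest`, `vpn-site`, `mgmt`), the `Rule` fields and both sample rule bases are constructed for illustration. It audits a zone-based rule list for blanket allows into the CUI zone, direct OT or guest paths into CUI, unlogged CUI-touching rules, and a missing final explicit deny, then simulates each zone pair to confirm no path into CUI relies on an implicit default.

```python
"""Audit a zone-based firewall rule base against a CUI boundary policy.

Added example (not ITECS's or Senior Flexonics Pathway's configuration).
Zone names, rule fields and the sample rule bases are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    dst_zone: str   # zone name or "any"
    service: str    # e.g. "tcp/445", or "any"
    action: str     # "allow" or "deny"
    log: bool       # whether hits on this rule are logged


CUI_ZONE = "cui"
# Constructed policy: segments that must never reach CUI systems directly.
FORBIDDEN_SOURCES = {"guest", "ot"}
# Constructed policy: the only zones permitted to originate traffic into CUI.
ALLOWED_INTO_CUI = {"cui", "vpn-site", "mgmt"}


def first_match(rules, src, dst, service):
    """Return the first rule matching the flow (first-match semantics), or None."""
    for r in rules:
        if r.src_zone in (src, "any") and r.dst_zone in (dst, "any") \
                and r.service in (service, "any"):
            return r
    return None


def audit_cui_boundary(rules, zones, probe_service="tcp/445"):
    """Return a list of findings; an empty list means the rule base passes."""
    findings = []
    # 1. Rule-by-rule checks on anything that can touch the CUI zone.
    for r in rules:
        touches_cui = CUI_ZONE in (r.src_zone, r.dst_zone) or "any" in (r.src_zone, r.dst_zone)
        if not touches_cui:
            continue
        if r.action == "allow" and r.dst_zone == CUI_ZONE:
            if r.src_zone == "any" or r.service == "any":
                findings.append(f"{r.name}: blanket allow into CUI (src={r.src_zone}, service={r.service})")
            if r.src_zone in FORBIDDEN_SOURCES:
                findings.append(f"{r.name}: {r.src_zone} may not reach CUI directly")
            elif r.src_zone not in ALLOWED_INTO_CUI:
                findings.append(f"{r.name}: {r.src_zone} is not an approved CUI peer zone")
        if not r.log:
            findings.append(f"{r.name}: CUI-touching rule is not logged (no 3.3 audit evidence)")
    # 2. The rule base must end in an explicit, logged any/any deny.
    tail = rules[-1] if rules else None
    if tail is None or tail.action != "deny" or not tail.log \
            or tail.src_zone != "any" or tail.dst_zone != "any":
        findings.append("rule base does not end with an explicit logged any/any deny")
    # 3. Simulate one probe flow from every other zone into CUI.
    for src in zones:
        if src == CUI_ZONE:
            continue
        hit = first_match(rules, src, CUI_ZONE, probe_service)
        if hit is None:
            findings.append(f"{src}->cui falls through to the implicit default (must be explicit)")
        elif hit.action == "allow" and src in FORBIDDEN_SOURCES:
            findings.append(f"{src}->cui is reachable via {hit.name}")
    return findings


ZONES = ["corp", "cui", "ot", "guest", "vpn-site", "mgmt"]

# Constructed sample: a weak rule base (no final deny, unlogged blanket allow,
# a direct OT-to-CUI allow) and a corrected one.
WEAK_RULES = [
    Rule("allow-corp-to-cui", "corp", "cui", "any", "allow", log=False),
    Rule("allow-ot-to-cui", "ot", "cui", "tcp/502", "allow", log=True),
]

HARDENED_RULES = [
    Rule("allow-vpn-cui-fileshare", "vpn-site", "cui", "tcp/445", "allow", log=True),
    Rule("allow-mgmt-cui-ssh", "mgmt", "cui", "tcp/22", "allow", log=True),
    Rule("deny-ot-cui", "ot", "cui", "any", "deny", log=True),
    Rule("deny-guest-cui", "guest", "cui", "any", "deny", log=True),
    Rule("deny-corp-cui", "corp", "cui", "any", "deny", log=True),
    Rule("deny-all", "any", "any", "any", "deny", log=True),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {audit_cui_boundary(rules, ZONES) or 'PASS'}")
```

Run against the weak rule base the audit reports nine findings (the blanket, unlogged, unapproved corp allow; the direct OT allow; the missing final deny; and four zones whose probe flow falls through to the implicit default); the hardened rule base returns no findings. The same check, run from change control on every proposed rule change, is the kind of evidence that shows 3.13 boundary rules are enforced rather than merely described in the SSP.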
Why High Availability Is Non-Negotiable for Manufacturing:
A single-firewall deployment at a manufacturing facility creates an unacceptable risk: if the firewall fails, the site loses all network connectivity — halting CNC machines dependent on network-delivered toolpaths, preventing access to engineering drawings, and stopping all email and communication. For defense manufacturers with contractual delivery obligations, an hour of network downtime can cascade into missed deadlines and contract penalties. Dual HA firewalls eliminate this risk by providing automatic failover in seconds, with no manual intervention required.
Phase 3: Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR)
Firewall protection secures the network perimeter, but CMMC Level 2 also requires controls at the endpoint level — every workstation, server, and mobile device that accesses CUI must be protected against malware, monitored for anomalous behavior, and capable of producing audit logs that satisfy NIST 800-171 requirements.
ITECS deployed endpoint detection and response (EDR) agents across all endpoints in Senior Flexonics Pathway's environment. The EDR solution provides:
- Real-time threat detection: Behavioral analysis and threat intelligence that catches malware, ransomware, and fileless attacks that signature-based antivirus misses
- Automated response: Immediate isolation of compromised endpoints to prevent lateral movement — critical in environments handling CUI where a breach could trigger DFARS 7012 reporting obligations within 72 hours
- Forensic telemetry: Detailed event logs that satisfy NIST 800-171 audit and accountability controls (Control Family 3.3), providing the evidence trail that C3PAO assessors require
- Centralized management: All endpoints across all three facilities are monitored from the ITECS SOC, providing consistent visibility regardless of site location
The EDR deployment was paired with ITECS's managed detection and response (MDR) service, which adds human-led threat hunting and investigation to the automated detection capabilities. ITECS security analysts review alerts, correlate events across the firewall and endpoint layers, and escalate confirmed threats with full context and remediation guidance — 24 hours a day, 365 days a year.
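The cross-layer correlation an MDR analyst performs, and the 72-hour DFARS 7012 clock that a confirmed CUI-system compromise starts, can be illustrated in code. The following is an added example, not ITECS's MDR tooling: both log formats (a key=value firewall line and a JSON EDR event) and the sample events are constructed, and the firewall names FW-1A and FW-2A are taken from the architecture figure above. An EDR detection is escalated only when the same host also produced repeated firewall denies within a surrounding time window, and each escalation carries the reporting deadline measured from the detection time.

```python
"""Correlate firewall denies with EDR detections by host within a time window.

Added example (not ITECS's MDR tooling). Log formats and sample events are
constructed for illustration.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log format: ISO timestamp followed by key=value fields.
FW_LINE = re.compile(
    r"^(?P<ts>\S+) fw=(?P<fw>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def _parse_ts(value):
    """Parse a 'Z'-suffixed ISO 8601 timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_firewall(lines):
    """Yield (timestamp, firewall, action, src, dst, dport) per matching line."""
    for line in lines:
        m = FW_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        yield _parse_ts(m["ts"]), m["fw"], m["action"], m["src"], m["dst"], int(m["dport"])


def parse_edr(lines):
    """Yield (timestamp, host_ip, detection) per JSON EDR event."""
    for line in lines:
        evt = json.loads(line)
        yield _parse_ts(evt["ts"]), evt["host_ip"], evt["detection"]


def correlate(fw_lines, edr_lines, window=timedelta(minutes=10), min_denies=3):
    """Escalate EDR detections backed by >= min_denies firewall denies from the
    same host within +/- window of the detection time."""
    denies = defaultdict(list)
    for ts, fw, action, src, dst, dport in parse_firewall(fw_lines):
        if action == "deny":
            denies[src].append((ts, fw, dst, dport))
    escalations = []
    for ts, host, detection in parse_edr(edr_lines):
        nearby = [d for d in denies.get(host, []) if abs(d[0] - ts) <= window]
        if len(nearby) >= min_denies:
            escalations.append({
                "host": host,
                "detection": detection,
                "detected_at": ts.isoformat(),
                "firewall_denies": len(nearby),
                "firewalls": sorted({d[1] for d in nearby}),
                "blocked_destinations": sorted({f"{d[2]}:{d[3]}" for d in nearby}),
                # DFARS 252.204-7012: report a cyber incident within 72 hours of discovery.
                "dfars_7012_report_by": (ts + timedelta(hours=72)).isoformat(),
            })
    return escalations


# Constructed sample telemetry (not real logs). Host 10.20.5.17 produces three
# blocked outbound connections minutes before its EDR detection; host
# 10.30.7.22 has a single deny hours earlier, which does not corroborate.
FW_LOGS = [
    "2026-03-02T14:01:10Z fw=FW-1A action=deny src=10.20.5.17 dst=203.0.113.9 dport=4444",
    "2026-03-02T14:01:42Z fw=FW-1A action=deny src=10.20.5.17 dst=203.0.113.9 dport=4444",
    "2026-03-02T14:02:05Z fw=FW-1A action=deny src=10.20.5.17 dst=203.0.113.10 dport=8443",
    "2026-03-02T14:03:30Z fw=FW-1A action=allow src=10.20.5.17 dst=10.20.9.4 dport=445",
    "2026-03-02T09:15:00Z fw=FW-2A action=deny src=10.30.7.22 dst=198.51.100.5 dport=22",
]
EDR_LOGS = [
    json.dumps({"ts": "2026-03-02T14:04:00Z", "host_ip": "10.20.5.17",
                "detection": "office document spawned script interpreter"}),
    json.dumps({"ts": "2026-03-02T16:40:00Z", "host_ip": "10.30.7.22",
                "detection": "credential access attempt"}),
]

if __name__ == "__main__":
    for e in correlate(FW_LOGS, EDR_LOGS):
        print(json.dumps(e, indent=2))
```

On the sample data only 10.20.5.17 is escalated: its three denies fall inside the ten-minute window around the detection, and the record names the firewall that saw them, the blocked destinations, and a report-by time of 2026-03-05T14:04:00+00:00. The 10.30.7.22 detection stays an uncorroborated single-source alert for analyst review. The window and threshold are tuning knobs; the point is that the firewall and endpoint layers feed one timeline rather than two consoles.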
ITECS Security Stack — NIST 800-171 Control Family Coverage
| Layer | Technology / Deliverables | NIST 800-171 Control Family | Capabilities | Coverage |
|---|---|---|---|---|
| Network Security | Dual HA Next-Gen Firewalls (6 units) | 3.13 System & Communications Protection | Boundary protection, CUI segmentation, IPS, VPN, application-layer inspection | 3.13.1, 3.13.2, 3.13.5, 3.13.6, 3.13.8 |
| Endpoint Security | EDR/MDR across all endpoints | 3.14 System & Information Integrity | Threat detection, automated containment, forensic telemetry, threat hunting | 3.14.1, 3.14.2, 3.14.3, 3.14.5, 3.14.6, 3.14.7 |
| Monitoring & Audit | ITECS 24/7 NOC + SIEM integration | 3.3 Audit & Accountability | Log aggregation, event correlation, anomaly detection, retention | 3.3.1, 3.3.2, 3.3.5, 3.3.6, 3.3.8 |
| Policy & Compliance | SSP, POA&M, full policy suite | 3.12 Security Assessment + all families | Evidence collection, quarterly reviews, SSP updates, assessment readiness | 3.12.1, 3.12.2, 3.12.3, 3.12.4 |
Figure 2: Layered security architecture covering network, endpoint, monitoring, and policy dimensions of NIST 800-171
Phase 4: ITECS as the 24/7 Network Operations Center
With the technical infrastructure in place and the documentation foundation established, the ITECS engagement transitioned from a project-based implementation into an ongoing managed services relationship. ITECS now serves as Senior Flexonics Pathway's 24/7 Network Operations Center (NOC).
| Service | What ITECS Delivers | NIST 800-171 Controls Addressed |
|---|---|---|
| Managed Firewall Services | 24/7 monitoring, rule management, firmware updates, and HA failover validation for all six firewalls | 3.13.1, 3.13.2, 3.13.5, 3.13.6 |
| Network Monitoring | Infrastructure health, bandwidth utilization, uptime tracking, and anomaly detection across all three sites | 3.14.6, 3.14.7, 3.3.1 |
| EDR/MDR | Continuous endpoint monitoring, threat hunting, automated containment, and incident investigation | 3.14.1, 3.14.2, 3.14.3, 3.14.5 |
| Incident Response | Defined escalation paths, containment procedures, and DFARS 7012 breach notification support within the 72-hour reporting window | 3.6.1, 3.6.2, 3.6.3 |
| Compliance Maintenance | Ongoing SSP updates, POA&M tracking, evidence collection, and quarterly executive reporting | 3.12.1, 3.12.2, 3.12.3, 3.12.4 |
This ongoing relationship is what separates a compliance project from a compliance posture. CMMC certification isn't a moment in time — it's a continuous obligation. The controls that satisfy a C3PAO assessor during the initial assessment must remain operational, documented, and evidenced on an ongoing basis. ITECS's role as the 24/7 NOC ensures that Senior Flexonics Pathway's security posture doesn't degrade after the assessment team leaves.
ITECS engineers provide ongoing 24/7 monitoring, managed firewall services, and incident response as Senior Flexonics Pathway's dedicated NOC partner
Project Timeline: From Engagement to Certification Readiness
Weeks 1–4: Discovery and Policy Development
ITECS conducted site visits to all three facilities, inventoried systems, mapped CUI data flows, and developed the complete SSP, POA&M, and policy documentation suite.
Weeks 5–8: Firewall Procurement and Staging
Hardware procurement, firmware standardization, HA pair configuration in the ITECS lab, and rule set development based on the CUI boundary definitions in the SSP.
Weeks 9–14: Staged Site-by-Site Deployment
Site-by-site firewall installation, VPN tunnel establishment, EDR agent deployment, and parallel monitoring validation. Each site cutover completed with zero production downtime.
Weeks 15–18: Hardening and Evidence Collection
MFA enforcement, access control tightening, logging configuration, and systematic evidence collection for all 110 controls. SSP updated to reflect as-built configurations.
Ongoing: 24/7 NOC and Compliance Maintenance
Transition to managed services model. ITECS operates as the continuous monitoring, managed firewall, and EDR/MDR provider — maintaining the compliance posture between assessments.
What CMMC Phase 2 Means for Manufacturers in 2026
The timing of Senior Flexonics Pathway's engagement is significant. CMMC Phase 2, which begins in November 2026, will require most contractors handling CUI to undergo third-party C3PAO assessments — not just self-assessments. Defense primes including Lockheed Martin, Boeing, and Northrop Grumman are already requiring compliance documentation from their supply chains, and assessment fees are projected to range from $75,000 to $150,000 as demand outstrips the supply of certified assessors.
For manufacturers that have not yet started their compliance journey, the window is narrowing. The typical path from gap assessment to certification readiness takes six to twelve months of dedicated effort — and that timeline assumes you have a partner who can execute the policy, technology, and operational components in parallel rather than sequentially.
CMMC Phase 2 Timeline for Defense Manufacturers:
December 2024 (Phase 1): CMMC requirements begin appearing in select DoD contracts. Self-assessment acceptable for Level 1; select Level 2 contracts require C3PAO assessment.
November 2026 (Phase 2): Broad expansion of CMMC requirements across DoD contracting. Most CUI-handling contractors will require C3PAO-verified Level 2 certification as a condition of contract award.
Ongoing: Annual affirmation required. Controls must remain operational and documented between assessment cycles. A compliance failure discovered post-certification can result in contract termination and False Claims Act exposure.
Decision Framework: Evaluating CMMC Readiness for Manufacturers
The Senior Flexonics Pathway engagement provides a reference framework for other defense manufacturers evaluating their CMMC compliance readiness. The following criteria can help leadership assess their organization's starting position and the scope of work required.
Critical Success Factors
- Start with documentation, not technology. The SSP defines the CUI boundaries that determine your firewall architecture, your endpoint scope, and your access control policies. Technology decisions flow from the SSP, not the other way around. Deploying firewalls without a defined CUI boundary is like installing locks without knowing which rooms need them.
- Plan for high availability. Manufacturing can't tolerate network outages. Dual-firewall HA pairs are not a luxury for defense manufacturers — they are an operational necessity that also satisfies NIST 800-171 system availability requirements.
- Treat compliance as an operating model, not a project. The controls don't stop mattering after the assessment. A 24/7 NOC relationship ensures that firewall rules stay current, endpoints stay protected, and evidence stays fresh for the next assessment cycle.
- Choose a partner with the full stack. Compliance readiness requires policy expertise, infrastructure engineering, endpoint security, and ongoing operations. Splitting these across multiple vendors creates accountability gaps that assessors will find — and that adversaries will exploit.
- Account for ITAR overlay requirements. Defense manufacturers handling ITAR-regulated technical data must integrate export control requirements into their CMMC implementation from the start. Access control policies, personnel screening, and data handling procedures must satisfy both frameworks simultaneously.
Readiness Assessment Questions
- Can you identify every system, application, and network segment that processes, stores, or transmits CUI?
- Do you have a written System Security Plan that maps each of the 110 NIST 800-171 controls to your specific environment?
- Are your network boundaries protected by enterprise-grade firewalls with intrusion prevention, application-layer inspection, and centralized logging?
- Is every endpoint that touches CUI protected by an EDR solution with automated containment and forensic capabilities?
- Do you have 24/7 monitoring coverage, or is your security posture dependent on business-hours staffing?
- Can you produce evidence of continuous control operation for every NIST 800-171 requirement on demand?
If the answer to any of these questions is "no" or "not sure," the gap between current state and CMMC Level 2 readiness requires structured remediation — and with the Phase 2 deadline approaching, the time to begin is now.
Is Your Manufacturing Company Ready for CMMC?
ITECS delivers the same policy-to-operations CMMC compliance model used by Senior Flexonics Pathway — from SSP development and firewall deployment to 24/7 managed security. Start with a free assessment to identify your gaps.
Sources and References
- DoD CMMC Program — CMMC 2.0 Details and Key Resources
- NIST SP 800-171 Revision 2 — Protecting Controlled Unclassified Information in Nonfederal Systems
- Petronella Cybersecurity — CMMC 2.0 Complete Guide: Requirements, Levels & Timeline (2026)
- Senior Flexonics — ITAR Compliance
- ITECS Blog — How The Dallas ITECS Team Helped a Manufacturing Company Achieve Full CMMC Compliance