Defense & Compliance — Kavanagh Industries

NIST 800-171 for Small Manufacturers in Michigan

NIST 800-171 and CMMC 2.0 compliance is mandatory for any Michigan manufacturer in the DoD supply chain — including Tier 2 and Tier 3 suppliers. Most compliance guides assume you have an IT department. This one does not. Here is what you actually need to do.

Who This Applies To

If you have a DoD contract, this applies to you.

NIST SP 800-171 applies to any organization that handles Controlled Unclassified Information (CUI) for the Department of Defense. This includes prime contractors, Tier 2 suppliers, and Tier 3 suppliers who receive or generate CUI as part of a defense contract.

Michigan is home to thousands of manufacturers in the defense supply chain — TACOM suppliers, automotive-defense dual-use shops, precision machining firms, and electronics manufacturers. Many are aware of CMMC but have not yet assessed where they stand against the 110 controls in NIST 800-171.

The deadline is real. CMMC Level 1 self-assessment is already required. CMMC Level 2 third-party assessment is being phased into contracts. If you have a DoD prime contract or are a Tier 2 supplier to one, you need a compliance path now.

The 14 control families in NIST 800-171

  • Access Control (AC) — who can touch what
  • Awareness and Training (AT) — does your team know the rules
  • Audit and Accountability (AU) — logging and traceability
  • Configuration Management (CM) — what runs on your systems
  • Identification and Authentication (IA) — verifying who logs in
  • Incident Response (IR) — what you do when something goes wrong
  • Maintenance (MA) — how systems are serviced
  • Media Protection (MP) — protecting data on drives, USBs, paper
  • Personnel Security (PS) — screening and offboarding
  • Physical Protection (PE) — controlling physical access
  • Risk Assessment (RA) — finding and fixing vulnerabilities
  • Security Assessment (CA) — testing your controls actually work
  • System and Communications Protection (SC) — network architecture
  • System and Information Integrity (SI) — malware, patching, monitoring

The Sovereign Hardware Advantage

Air-gapped Michigan hardware eliminates your hardest controls.

Most NIST 800-171 guides focus on software configuration — cloud settings, firewall rules, user permissions. That approach works, but it requires ongoing maintenance and creates risk every time something changes.

The architecture that Kavanagh Industries builds eliminates several of the hardest requirements at the infrastructure level — meaning they are simply not possible to violate because the system is physically designed to prevent them.

Controls that air-gapped Michigan sovereign hardware addresses (listed by their NIST SP 800-53 control identifiers)

  • SC-7 (Boundary Protection) — Air-gapped NAS has no external network boundary to protect. Data cannot exfiltrate because it has no path out.
  • SC-8 (Transmission Confidentiality) — Data that never leaves the building cannot be intercepted in transit.
  • SC-28 (Protection of Information at Rest) — RigidVault uses RAID-redundant, encrypted-at-rest Michigan hardware under your physical control.
  • MP-6 (Media Sanitization) — Physical control of hardware means you control the disposal chain.
  • PE-3 (Physical Access Control) — Hardware on your premises means you control physical access directly.
  • SA-9 (External System Services) — No foreign cloud dependencies means no third-party services processing your CUI.

This does not mean sovereign hardware alone achieves CMMC Level 2. You still need access control, logging, incident response, and training policies. But it gives you a significantly cleaner starting point than a cloud-first architecture.

Michigan state resources: The Michigan Manufacturing Technology Center (MMTC) and the CyberSmart program offer gap assessments for qualifying small manufacturers. Kavanagh Industries’ infrastructure complements these programs — we provide the sovereign hardware layer that software-focused assessors assume you already have.

What We Offer Defense Manufacturers

Sovereign infrastructure. Michigan jurisdiction. TACOM proximity.

RigidVault — Sovereign Storage

Air-gapped storage on Michigan hardware under Michigan law. No foreign cloud. No third-party data processors. RAID-redundant, encrypted at rest. Addresses SC-7, SC-28, SA-9.

Compliance Readiness Call

Free 30-minute call. We map your current infrastructure against the 110 NIST controls, identify your highest-risk gaps, and outline a remediation path. No obligation.

Capability Brief (PDF)

One-page defense capability brief covering our infrastructure, compliance architecture, TACOM proximity, and NDA terms. Forward to your prime contractor or contracting officer.

Questions

NIST 800-171 for Michigan manufacturers.

If CUI flows through any part of your work — drawings, specs, technical data packages — then yes, CMMC requirements apply to you regardless of tier. The DoD is expanding flow-down requirements to ensure that CUI is protected at every level of the supply chain, not just at the prime. Check your contract terms for DFARS 252.204-7012 — if it is in there, 800-171 applies.

CMMC Level 1 covers 17 basic safeguarding practices (a subset of NIST 800-171) and requires annual self-assessment. Level 2 covers all 110 practices of NIST 800-171 and requires third-party assessment (C3PAO) for most contracts. Level 1 is already required for most DoD contracts with FCI. Level 2 is being phased in for contracts involving CUI.

SAM.gov registration and CAGE code assignment are in progress as of Q2 2026. EIN, Michigan LLC documentation, and a letter of intent are available immediately for procurement conversations that require it. Contact us and we will provide current registration status.

We can support the infrastructure sections of your SSP — specifically the architecture documentation for storage, boundary protection, and data handling. Full SSP development as a compliance consultant is a service we are building toward. For now, the compliance readiness call gives you a gap analysis you can hand to whoever is writing your SSP.

Michigan manufacturer. Defense supply chain. Need a compliance path?

We are 5 miles from TACOM. We respond to defense inquiries within 1 business day. NDA executed at first contact.