Compliance deadline
The Cybersecurity Maturity Model Certification program has been in motion for years. Phase 2 begins November 10 2026. This is when the compliance stakes become contractual consequences.
For defence contractors handling Controlled Unclassified Information, Phase 2 ends the era of self-attestation. Third-party certification by a C3PAO becomes mandatory. Organisations that are not ready will not be eligible for covered contracts, according to Strikegraph's Phase 2 guide. This is not a gentle nudge toward compliance. It is a hard stop for any shop processing CUI without a certified assessment.
Phase 1 (November 10 2025 to November 9 2026) focused on self-assessments and affirmations submitted through SPRS (Supplier Performance Risk System). Phase 2 flips the model: where Phase 1 trusted contractors to assess themselves, Phase 2 sends an independent assessor to verify. The difference is the difference between saying your quoting software is secure and having someone audit whether it actually is.
CUI requirements
Controlled Unclassified Information covers a broad set of technical data that flows through a machine shop every day. For a defence subcontractor, CUI includes engineering drawings, CAD models, material specifications, inspection reports, and manufacturing process details. It covers anything a prime contractor marks as export-controlled or security-sensitive.
Here is where the quoting software question becomes critical. When a shop receives an RFQ that includes a CAD file marked as CUI, that file must be processed, stored, and transmitted within certified systems. If the shop's quoting tool uploads that CAD file to a cloud server for analysis, the CUI has left the shop's controlled environment. The 48 CFR acquisition rule, which cleared regulatory review in August 2024, makes clear that CMMC requirements flow down to every subcontractor handling CUI, not just prime contractors.
The practical impact is stark. A shop that uses a cloud quoting platform like Paperless Parts (FedRAMP Moderate / CMMC-compliant) or Machine Research (AWS GovCloud) can demonstrate compliance through their vendor's certification. But the cost of that certification passes through to the shop in subscription fees, and the shop still relies on the vendor's security posture rather than its own. A shop that uses a local-first quoting tool that never transmits CUI off the estimator's machine eliminates the data transmission risk entirely. There is no cloud server to audit because the CAD file never left the desktop.
Local-first advantage
Local-first quoting software processes CAD files on the estimator's machine without uploading them to any external server. For CMMC compliance, this architecture provides a structural advantage: no CUI data transmission means the quoting tool itself is not a compliance vector.
The Department of War (formerly DoD) CIO page on CMMC makes clear that certification covers the entire flow of CUI: processing, storage, and transmission. A quoting tool that keeps all three on the estimator's machine reduces the CMMC assessment scope to the local workstation and user access controls. Compare that to a cloud quoting tool, where the assessment must cover the vendor's entire infrastructure: their data centre, their encryption, their access logs, their staff vetting, their incident response plan, and every third-party integration they use.
This is not an argument against cloud quoting for all shop workflows. ERP systems, scheduling tools, and CRM platforms are legitimate cloud services that handle non-CUI data. The argument is specifically about the quoting tool that processes CAD files. If that tool handles CUI, the estimator needs to know exactly where the data goes and what certification that path carries.
Founder-style observation: the most common CMMC gap we see is not a missing firewall or unpatched server. It is the estimator who uploaded a CAD drawing to a quoting website without thinking about it because that is what the tool required. Local-first means that decision never has to be made. The drawing stays on the machine.
Defence opportunities
The AUKUS security partnership creates fabrication opportunities that directly intersect with CMMC compliance. The SSN-AUKUS submarine program, the largest defence industrial project in Australia's history operated by ASC, requires thousands of fabricated components from Australian shops. Many of those components will involve US-origin CUI.
For Australian fabricators, the risk profile is different but the requirement is the same. US-origin defence data must be protected under US standards regardless of where the fabrication occurs. If an Australian shop uses a cloud quoting tool with servers outside Australia, the CUI is subject to both US export control laws and Australian privacy law. A local-first quoting tool eliminates this jurisdictional complexity because the data never leaves the shop.
The AUKUS opportunity is not theoretical. ASC is actively seeking Australian fabrication suppliers for submarine components. Shops that can demonstrate CMMC-ready quoting workflows, including local-first CAD processing, will have a competitive advantage over shops that still rely on cloud-based quoting platforms.
Cloud quoting risks
Not all cloud quoting platforms are equal on CMMC compliance. Paperless Parts Wingman 2.0, launched in May 2026, is marketed as FedRAMP Moderate Equivalent and CMMC-compliant. Machine Research runs on AWS GovCloud with ITAR registration. AMFG claims CMMC and ITAR compliance for its instant quoting portal. These platforms have invested in compliance infrastructure.
But there is a structural difference between cloud-compliant and inherently compliant. A cloud quoting platform stores your CAD files on a third-party server. Even if that server is FedRAMP-certified, the data has left your control. The prime contractor who sent you the CUI-marked CAD file must trust not just your shop but also your quoting vendor, their cloud provider, and every sub-processor in between. The RFQ data sovereignty guide explains why local-first architecture eliminates this trust chain.
For shops that handle a mix of defence and commercial work, cloud quoting also creates an operational problem: how do you ensure estimators never accidentally upload a CUI-marked file to the wrong workflow? The estimator processes dozens of RFQs a day. One misclick sends a defence drawing to the commercial quoting pipeline, and the compliance incident is underway. Local-first quoting eliminates that scenario because there is no upload step to make.
Checklist for shops
For defence subcontractors evaluating quoting software ahead of the November deadline, here is the practical checklist:
- Does the quoting tool ever transmit CAD files to an external server for processing? If yes, what is the vendor's CMMC certification level and who audited it?
- Can the estimator process a CUI-marked RFQ entirely on their local machine without any data leaving the workstation?
- Are quote data, pricing assumptions, and customer records stored locally or synced to a cloud database?
- If the quoting tool integrates with an ERP (like JobBOSS or Epicor), does that integration transmit CAD files or only structured data?
- What happens to CUI data when the estimator closes the quoting tool? Is it cached in a cloud sync folder or kept only on the local machine?
ERP quoting module limitations for defence shops are covered in our breakdown of why JobBOSS and Epicor quoting modules create the same CUI transmission risk.
Integration requirements
CMMC compliance does not mean every tool must be air-gapped. The key requirement is that CUI is handled within certified boundaries. A quoting tool that processes CAD files locally but pushes structured estimate data (material costs, cycle times, markup rates) to a cloud ERP is functionally compliant because the CUI (the CAD drawing) never leaves the estimator's machine.
This distinction is important for shops that rely on integrated workflows. The local-first quoting software guide explains how Kwantflow processes CAD files on the desktop and pushes only structured estimate data to JobBOSS, Epicor, or SAP. The estimator keeps CUI on the local machine while the ERP gets the pricing data it needs to generate purchase orders and production schedules.
For tooling cost tracking for defence shops, the same local-first principle applies. Tooling consumption data, which can reveal production volumes and manufacturing capabilities, stays on the estimator's machine rather than being exposed through a cloud quoting pipeline.
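As an added illustration of the boundary this section describes (example code written for this page, not Kwantflow's or any ERP vendor's; the field names, the ERP payload shape and the CUI marking patterns are assumptions), a Python export gate that allowlists structured estimate fields and refuses any payload that would carry CAD geometry or a CUI banner to the ERP:

```python
import re
from dataclasses import dataclass, field
from typing import Any

# Structured estimate fields the ERP legitimately needs (assumed names).
ERP_ALLOWLIST = frozenset({"rfq_id", "part_number", "quantity", "description",
                           "material_cost", "cycle_time_min", "markup_rate"})
# Any reference to CAD geometry by filename, and upper-case CUI banner markings.
CAD_REF = re.compile(r"\.(?:step|stp|iges|igs|sldprt|dwg|dxf|x_t)\b", re.IGNORECASE)
CUI_MARKING = re.compile(r"\bCUI\b|\bCONTROLLED\b")

class CuiLeakError(ValueError):
    """An ERP payload would carry CAD data or CUI-marked text off the workstation."""

@dataclass
class LocalEstimate:
    """Estimate as held by the quoting tool; CAD geometry and its path stay local."""
    rfq_id: str
    part_number: str
    quantity: int
    description: str
    material_cost: float
    cycle_time_min: float
    markup_rate: float
    cad_path: str                  # local path of the CUI-marked drawing (hypothetical)
    cad_bytes: bytes = b""         # geometry loaded for on-device analysis
    notes: dict[str, Any] = field(default_factory=dict)

def _refers_to_cad(value: Any) -> bool:
    """True for raw geometry, a CAD filename, or text carrying a CUI banner."""
    if isinstance(value, (bytes, bytearray)):
        return True
    if isinstance(value, str):
        return bool(CAD_REF.search(value) or CUI_MARKING.search(value))
    return False

def build_erp_payload(est: LocalEstimate) -> tuple[dict[str, Any], list[str]]:
    """Keep only allowlisted structured fields, then refuse any that still
    reference CAD content. Returns (payload, names of fields withheld)."""
    data = {**vars(est), **est.notes}
    payload = {k: v for k, v in data.items() if k in ERP_ALLOWLIST}
    withheld = sorted(k for k in data if k not in ERP_ALLOWLIST)
    for key, value in payload.items():
        if _refers_to_cad(value):
            raise CuiLeakError(f"field {key!r} references CAD data or a CUI marking")
    return payload, withheld
```

The second check matters for free-text fields: an estimator pasting a drawing filename or the CUI banner into a description would otherwise push CUI-marked text through an integration that was only meant to carry pricing data.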
Next steps
The November 10 deadline is fixed. Phase 2 will not be delayed. For defence subcontractors, the choice is not whether to certify but whether to prepare now or scramble later.
Start with the quoting tool. It is the one piece of software in your workflow that processes CAD files every single day. If your current quoting tool uploads CAD files to a cloud server, you have a CMMC compliance gap that needs attention before November.
See how Kwantflow works offline (/platform) to process CAD files locally without any cloud transmission. The estimator keeps control of every CUI-marked drawing, and the ERP gets the structured estimate data it needs.
Key points for estimators:
- CMMC Phase 2 begins November 10 2026, requiring third-party certification for all Level 2 contracts involving Controlled Unclassified Information (CUI).
- Cloud quoting platforms that transmit CAD drawings to external servers introduce CUI exposure risk that complicates CMMC compliance.
- Local-first quoting software processes CAD files entirely on the estimator's machine, creating an inherently CMMC-friendly architecture with no CUI data transmission.
- Defence subcontractors must verify that every tool in their quoting workflow handles CUI within certified boundaries, including email triage, CAD processing, and quote data storage.
- The AUKUS SSN-AUKUS submarine program creates a significant fabrication opportunity for Australian shops, with the same IP security requirements.