Compare Paperless Parts cloud-centric FedRAMP envelope against Kwantflow local-first desktop software for compliance with CMMC audits.
CMMC deadline
November 2026: The Cybersecurity Maturity Model Certification Phase 2 takes full effect on November 10 2026, with Level 2 third-party audits beginning in this phase. CMMC requirements are already showing up in contracts across the Defence Industrial Base. For defence subcontractors handling Controlled Unclassified Information, certification is no longer optional.
The Department of Defense rollout to prime contractors may be staged, but the impact for subcontractors is immediate. Any shop quoting defence work must demonstrate CMMC Level 2 compliance for the systems that process, store, or transmit CUI. Quoting systems that handle CAD files containing CUI are squarely in scope.
The CMMC Phase 2 local-first quoting requirements article covers the full compliance landscape and timeline for defence shops.
Wingman 2.0 offers
Paperless Parts approach: Paperless Parts Wingman is an AI-powered quoting assistant that reads CAD files, extracts technical elements, and assists with quote setup. Wingman 2.0, launched in 2026, identifies 14x more technical elements per drawing than the previous version, including surface finish, bend lines, chamfers, and weld symbols.
Wingman recognises over 10,000 ASTM, AMS, MIL-SPEC, NADCAP, GD and T, and OEM-specific process and material specifications. It highlights them on prints and presents their definitions alongside the drawing. It pulls threads, process keywords, part and revision numbers, CUI, material, and 3D models with PMI from 3D PDFs.
Paperless Parts maintains FedRAMP Moderate security controls as their baseline and hosts the Wingman AI model within FedRAMP Moderate Equivalent/CMMC-Compliant boundaries in Amazon GovCloud, with data touched solely by U.S. Persons.
Cloud compliance question
The distinction: Paperless Parts achieves CMMC compliance through cloud infrastructure controls. The architecture is FedRAMP Moderate plus GovCloud hosting plus U.S. person data handling. For many defence primes, this meets the contractual requirement. The certification is valid.
But cloud compliance depends on the service provider maintaining those controls continuously. It requires network connectivity to process data. It means CUI traverses the internet to reach the GovCloud environment. And it means the defence subcontractor relies on the quoting vendor's security infrastructure rather than their own.
For shops quoting sensitive defence work, the cloud compliance question is not whether Paperless Parts holds a certification. It is whether the shop's security posture benefits from data leaving the local machine at all. When CUI leaves the device, even to a certified GovCloud environment, the attack surface includes the network path, the cloud API, and the shared infrastructure layer.
Local-first compliance
Different architecture: Kwantflow achieves CMMC compliance through local-first architecture. Data never leaves the estimator's desktop. CAD files are processed on-device. Quote data is stored locally. There is no cloud upload, no API call to a remote model, no data transmission that could be intercepted.
The practical implication for defence shops is straightforward: if the data never leaves the machine, the attack surface is limited to that machine. There is no GovCloud configuration to maintain. No network security boundary to verify. No third-party infrastructure audit to rely on. The shop controls the entire security chain.
This distinction matters most for AUKUS defence supply chain work. The RFQ intake software comparison for 2026 covers how different vendors approach data sovereignty across international defence programs. For Australian fabricators quoting AUKUS SSN build work, local-first quoting avoids cross-border data sovereignty issues entirely.
Wingman vs local-first
Comparison context: Paperless Parts Wingman is a capable AI quoting assistant. The print extraction capability is genuinely useful. The CMMC compliance approach is valid and certified. The choice between Wingman and Kwantflow is not about feature completeness. Both handle CAD file ingestion, drawing extraction, and quote setup.
The choice is architectural. Paperless Parts is a cloud platform with CMMC controls applied at the infrastructure layer. Kwantflow is a desktop application where data never leaves the machine, with compliance achieved through local data handling rather than infrastructure certification.
For defence primes who require FedRAMP Moderate certification from their quoting providers, Paperless Parts meets that requirement directly. For shops that prefer to control their own data security without relying on a cloud vendor's compliance infrastructure, local-first architecture provides a different risk profile. The 18.8 billion AI funding backdrop article provides the broader market context for why both approaches exist.
DFARS requirements
Regulatory context: The DFARS clause governing CMMC compliance requires defence contractors to protect CUI at rest and in transit. Cloud quoting solutions meet this through infrastructure controls. Local-first quoting meets it by eliminating transit entirely.
The practical difference shows up in audits. A Paperless Parts customer needs to demonstrate that their GovCloud configuration is correct, that data handling is restricted to U.S. Persons, and that their vendor's FedRAMP Moderate certification applies to their specific use case. A Kwantflow customer demonstrates that quoting data never left their local machine. The audit evidence is simpler.
Both approaches satisfy the regulatory requirement. The operational burden differs significantly. A local-first shop does not rely on a third-party cloud provider maintaining continuous compliance certification. Their compliance posture is their own.
International data flows
AUKUS implications: For Australian and UK defence subcontractors quoting AUKUS SSN build program work, data sovereignty adds another dimension. Cloud quoting solutions that store data in US-based GovCloud environments create a cross-border data flow that may conflict with national security requirements in Australia and the UK.
Local-first quoting avoids this issue entirely. Data processed and stored on a desktop in an Australian fabrication shop stays in Australia. No data crosses a border. No cloud jurisdiction questions arise. For AUKUS supply chain participants, this architectural difference may be the deciding factor.
The CMMC Phase 2 local-first quoting requirements article covers the full compliance landscape for defence shops across AUKUS member nations.
Who should use what
Decision framework: Shops that already use Paperless Parts and need quoting AI with CMMC compliance should evaluate whether Wingman's cloud architecture meets their specific contractual requirements. For many defence prime contractors, the FedRAMP Moderate certification is sufficient.
Shops processing sensitive CUI that prefer not to transmit data to a cloud environment should consider local-first quoting. Shops participating in AUKUS or international defence programs where data must remain within national borders should evaluate whether a cloud quoting solution can meet those residency requirements.
<a href="/download">Get Kwantflow</a> and evaluate local-first CMMC quoting for your defence work.
Ways estimators can keep quote review clear:
- Paperless Parts Wingman operates within FedRAMP Moderate Equivalent/CMMC-Compliant boundaries hosted in Amazon GovCloud, with data handled solely by U.S. Persons.
- Kwantflow achieves CMMC compliance through local-first architecture , data never leaves the estimator desktop, eliminating cloud attack surface entirely.
- CMMC Phase 2 takes full effect on November 10, 2026, with Level 2 third-party audits required for defence subcontractors handling CUI.
- The practical difference for shops is data sovereignty: cloud CMMC relies on infrastructure controls; local-first CMMC relies on device-level controls with no data transmission risk.
- For AUKUS defence supply chain participants, local-first architecture avoids cross-border data sovereignty issues that cloud CMMC solutions face in Australia and the UK.
