
Defense contractors and medical device manufacturers operate under the most demanding IT compliance regimes in American industry. CMMC 2.0 assessments are underway. The FDA’s QMSR is live. ITAR violations carry criminal penalties. And the convergence of operational technology (OT) with enterprise IT has created an attack surface that most manufacturers are not equipped to defend. If you’re responsible for IT at a defense or med-device facility in Arizona, California, or Utah — this is the landscape you’re navigating in 2026.
If you’re a CTO, VP of Operations, CISO, or plant manager in defense manufacturing or medical device production — the compliance clock is running, and the infrastructure decisions you make in the next 12 months will determine whether your organization can win contracts, pass audits, and survive a breach.
The Federal Compliance Landscape Has Changed — Permanently
The era of self-attestation is over. Federal agencies are moving from trust-based compliance to verified, audited, and continuously monitored security postures. For manufacturers in the defense industrial base (DIB) and FDA-regulated medical device space, this means your IT infrastructure is now a gating factor for revenue — not just an operational cost center.
The manufacturing sector reported $5.56 million in average breach costs in 2025, a 13% year-over-year increase. Nation-state actors targeted defense supply chains with a 41% increase in supply chain intrusion attempts. And the DoD has made it clear: if you can’t prove your cybersecurity posture, you don’t get the contract.
CMMC 2.0: The Contract Killer Your Competitors Aren’t Ready For
The Cybersecurity Maturity Model Certification (CMMC) 2.0 final rule took effect in December 2024, and the first wave of contract solicitations requiring CMMC certification began appearing in Q1 2026. This is no longer a future requirement — it is the current standard for any organization handling Controlled Unclassified Information (CUI) on DoD contracts.
What CMMC 2.0 Actually Requires
Level 1 (Foundational) applies to organizations handling Federal Contract Information (FCI) — 17 practices, annual self-assessment. Level 2 (Advanced) applies to CUI — requires implementation of all 110 controls from NIST SP 800-171 Rev 3, with third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) every three years. Level 3 (Expert) adds NIST SP 800-172 enhanced security requirements with government-led assessments. The majority of defense manufacturers in Arizona, California, and Utah will fall under Level 2.
The Real Cost of Non-Compliance
Without CMMC certification at the required level, your organization cannot bid on or win DoD contracts that specify CMMC requirements. For Arizona manufacturers supporting Luke AFB, Boeing Mesa, Honeywell Aerospace, and Raytheon — and Utah contractors near Hill AFB serving Northrop Grumman and L3Harris — this is existential. The NIST assessment procedures leave zero room for partial implementation. Every control must be fully implemented or documented in a Plan of Action and Milestones (POA&M) — and C3PAOs are trained to catch shortcuts.
ITAR Adds Another Layer
For manufacturers working with defense articles, technical data, or defense services, the International Traffic in Arms Regulations (ITAR) impose restrictions on data storage, access, and transmission that go beyond CMMC. ITAR data must reside on US-person-controlled infrastructure — no foreign nationals, no offshore data centers, no cloud providers without FedRAMP authorization. Violations carry penalties up to $1.3 million per violation and criminal prosecution. For Arizona’s defense manufacturing corridor — one of the densest concentrations of ITAR-regulated facilities in the country — getting this wrong is not an option.
Medical Device Manufacturers: The FDA Has Made Cybersecurity a Design Requirement
If you manufacture medical devices, your IT and cybersecurity posture is no longer separate from your product. The FDA has made it a condition of market access.
QMSR Is Live — and It Changes Everything
The Quality Management System Regulation (QMSR) took effect February 2026, harmonizing FDA device requirements with ISO 13485. Cybersecurity risk management is now embedded directly into QMS processes. Premarket submissions require a Security Risk Management Report, a Software Bill of Materials (SBOM), and architecture documentation that demonstrates secure-by-design principles. For Orange County’s medical device corridor — Edwards Lifesciences, Masimo, ICU Medical — and San Diego’s device manufacturers, this means your IT infrastructure decisions directly impact your ability to get products to market.
21 CFR Part 11 Enforcement Is Intensifying
The FDA’s 21 CFR Part 11 governs electronic records and signatures. In H2 2025, the FDA issued 327 warning letters — a 73% increase — with data integrity and quality-system failures as leading citations. For device manufacturers, this means every system that touches production records, design history files, or complaint management must have validated access controls, complete audit trails, and tamper-evident logging.
Post-Market Surveillance Demands Connected Infrastructure
The FDA’s 2026 guidance on cybersecurity in medical devices requires manufacturers to maintain the ability to patch, update, and monitor devices throughout their lifecycle. This requires secure connectivity between manufacturing environments, field-deployed devices, and your enterprise IT systems — a bridge between OT and IT that most device manufacturers are still building.
OT/IT Convergence: The Biggest Security Blind Spot in Manufacturing
Historically, operational technology (OT) — PLCs, SCADA systems, CNC machines, cleanroom controls, test equipment — operated on isolated networks with no connection to enterprise IT. That isolation is gone. Modern manufacturing requires real-time data flow between the factory floor and the business network for production analytics, quality management, supply chain coordination, and regulatory reporting.
This convergence has created an attack surface that is expanding faster than most manufacturers can secure it. Dragos reported an 87% increase in ransomware attacks targeting manufacturing OT environments in 2025, with threat groups like CHERNOVITE and VOLTZITE developing purpose-built ICS malware.
Why Manufacturing OT Is Uniquely Vulnerable
Legacy equipment cannot be patched. Many PLCs and SCADA systems run embedded operating systems that haven’t received security updates in years — and can’t, without risking production stability.
Flat networks create lateral movement paths. Without proper segmentation, a phishing email that compromises a workstation in accounting can reach the production floor in seconds.
Uptime requirements prevent traditional security controls. You can’t reboot a semiconductor fab line for a patch cycle. You can’t run endpoint scans on a CNC controller. Security must be architected around the reality that production cannot stop.
What Secure OT/IT Convergence Looks Like
The NIST SP 800-82 Rev 3 (Guide to OT Security) and the ISA/IEC 62443 standard define the architecture. In practice, it means:
- Network segmentation — Purdue Model zones separating enterprise IT (Levels 4-5), DMZ (Level 3.5), manufacturing operations (Levels 1-3), and physical process controls (Level 0)
- Unidirectional data diodes — allowing production data to flow to business systems without exposing OT to inbound traffic
- OT-specific threat monitoring — passive network monitoring that detects anomalies without injecting traffic into sensitive control systems
- Air-gapped backup and recovery — production system images stored offline with tested recovery procedures and documented RTOs
- Identity and access management — role-based access with MFA at the IT/OT boundary, restricting who and what can cross between zones
Where This Hits Home: Arizona, California, and Utah
ProTelesis serves manufacturers across three of the country’s most critical defense and medical device corridors. The compliance and OT/IT challenges are consistent — but the regional context matters.
Arizona — The Defense Manufacturing Epicenter
Arizona’s defense manufacturing base is one of the largest in the country. Boeing’s AH-64 Apache production in Mesa, Honeywell Aerospace in Phoenix, General Dynamics in Scottsdale, Raytheon Missiles & Defense in Tucson, and the TSMC semiconductor fab in North Phoenix represent billions in DoD contract value. Luke Air Force Base generates a dense ecosystem of Tier 2 and Tier 3 defense subcontractors — all of whom will need CMMC Level 2 certification to maintain their supply chain position. ProTelesis provides managed IT services across the Greater Phoenix metro from our Scottsdale office.
California — Medical Device and Defense Dual Corridor
Orange County’s MedTech corridor — Edwards Lifesciences, Masimo, ICU Medical, Allergan — operates at the intersection of FDA regulation and manufacturing cybersecurity. San Diego adds defense contractors supporting Naval Base San Diego and Marine Corps Air Station Miramar, alongside biotech manufacturers in Sorrento Valley and Carlsbad. Northern California adds defense electronics and semiconductor manufacturing. ProTelesis serves California manufacturers from our Irvine office with on-site capabilities across Southern and Northern California.
Utah — Defense Tech and Aerospace Manufacturing
Hill Air Force Base is the state’s largest single-site employer and anchor of Utah’s defense manufacturing ecosystem. Northrop Grumman’s missile defense operations, L3Harris, Boeing’s Salt Lake operations, and a growing network of defense tech startups along the Wasatch Front all face CMMC compliance deadlines. ProTelesis delivers managed IT services across Utah’s Wasatch Front.
What a Managed IT Partner Must Deliver for Manufacturing
The gap between a standard MSP and a manufacturing-capable IT partner is enormous. Most MSPs are built for office environments — not factory floors with PLCs, cleanrooms, and ITAR-controlled data. Your managed IT partner should demonstrate:
- CMMC and NIST 800-171 implementation expertise — not just awareness, but the ability to architect, implement, and document all 110 controls for C3PAO assessment readiness
- ITAR-compliant infrastructure management — US-person-only access controls, FedRAMP-authorized cloud environments, and documented data handling procedures
- OT network segmentation and monitoring — purpose-built network architectures that protect production systems while enabling the data flows your business requires
- FDA compliance support — 21 CFR Part 11 validated systems, QMSR-aligned cybersecurity documentation, and SBOM generation for premarket submissions
- Structured cabling for manufacturing environments — industrial-grade CAT6A, fiber backbone, and low-voltage design for facilities with EMI, temperature, and vibration considerations
- Physical security integration — access control, video surveillance, and intrusion detection that meet both ITAR facility security and FDA site requirements
- Disaster recovery with manufacturing-grade RTOs — because 24 hours of downtime on a production line costs orders of magnitude more than 24 hours of email downtime
Why Manufacturers Choose ProTelesis
ProTelesis has served as a managed IT partner for over 31 years, supporting 7,149 clients and managing 755,750 endpoints across defense, medical device, aerospace, and advanced manufacturing environments in Arizona, California, and Utah.
- Fully Managed IT and Co-Managed IT — complete infrastructure management or augmentation of your internal team with enterprise-grade support built for manufacturing environments
- Cybersecurity and Compliance — multi-layered security designed for CMMC, ITAR, HIPAA, FDA, and SOC 2 compliance
- Network Architecture — managed network services with OT/IT segmentation, zero trust, and industrial-grade monitoring
- Cloud Services — IaaS, DRaaS, BaaS, and DaaS from US-based Tier 5 Platinum data centers
- Structured Cabling — industrial-grade cabling for manufacturing facilities, cleanrooms, and production environments
- Physical Security — video surveillance and access control meeting ITAR facility security requirements
90% of support calls are answered within one minute. Every engagement begins with a free, non-intrusive network assessment — identifying compliance gaps, OT exposure, and infrastructure risks before a single change is made.
Frequently Asked Questions
What is CMMC 2.0 and when do defense manufacturers need to be certified?
CMMC 2.0 (Cybersecurity Maturity Model Certification) is the DoD’s framework for verifying cybersecurity practices across the defense industrial base. The final rule took effect December 2024, and contract solicitations requiring certification began in Q1 2026. Most manufacturers handling CUI need Level 2 certification, which requires implementing all 110 NIST SP 800-171 controls and passing a third-party C3PAO assessment.
What is OT/IT convergence and why is it a security risk for manufacturers?
OT/IT convergence refers to the integration of operational technology (PLCs, SCADA, CNC machines, cleanroom controls) with enterprise IT networks. While this enables real-time production analytics and quality management, it creates attack paths between business networks and production systems. Ransomware groups increasingly target manufacturing OT, with Dragos reporting an 87% increase in OT-targeted attacks in 2025.
How does ITAR affect IT infrastructure for defense manufacturers?
ITAR requires that defense-related technical data and articles are stored and accessed only by US persons on US-controlled infrastructure. This means no offshore data centers, no foreign national access, and cloud providers must be FedRAMP authorized. Violations carry penalties up to $1.3 million per incident and potential criminal prosecution.
What does the FDA’s QMSR mean for medical device IT?
The Quality Management System Regulation (QMSR), effective February 2026, harmonizes FDA requirements with ISO 13485 and embeds cybersecurity risk management into quality system processes. Premarket device submissions now require a Security Risk Management Report, a Software Bill of Materials (SBOM), and secure-by-design architecture documentation.
How should manufacturers segment OT and IT networks?
Best practice follows the Purdue Model and NIST SP 800-82 Rev 3: enterprise IT in Levels 4-5, a DMZ at Level 3.5, manufacturing operations at Levels 1-3, and physical process controls at Level 0. Data diodes allow production data to flow to business systems without exposing OT to inbound traffic. Passive monitoring detects anomalies without injecting traffic into control systems.
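The zone rules described in the section on secure OT/IT convergence above and in this answer can be checked mechanically against a proposed firewall rule set. The Python policy checker below is an added example, not ProTelesis code or part of the original article; the zone names, the Flow fields, and the sample rule set are constructed for illustration.

```python
from dataclasses import dataclass

# Purdue zones in ascending order: Level 0, Levels 1-3, Level 3.5 DMZ, Levels 4-5.
ORDER = ["process", "operations", "dmz", "enterprise"]

@dataclass(frozen=True)
class Flow:
    src: str                 # zone that initiates the connection
    dst: str                 # zone that receives it
    service: str             # constructed label, e.g. "tcp/443", "modbus/502"
    via_diode: bool = False  # carried over a unidirectional data diode
    mfa: bool = False        # session brokered with MFA at the IT/OT boundary

def evaluate(flow: Flow):
    """Return (allowed, reason) for one proposed cross-zone flow."""
    if flow.src not in ORDER or flow.dst not in ORDER:
        return False, "unknown zone"
    s, d = ORDER.index(flow.src), ORDER.index(flow.dst)
    if s == d:
        return True, "intra-zone"
    if flow.via_diode:
        # A diode only moves data upward (OT -> IT); it has no inbound path.
        if s < d:
            return True, "unidirectional export over data diode"
        return False, "data diode cannot carry traffic into OT"
    if abs(s - d) != 1:
        return False, "non-adjacent zones: traffic must terminate in the DMZ"
    if d < s:  # inbound, toward the physical process
        if flow.dst == "dmz":
            return True, "enterprise reaches DMZ services only"
        if flow.src == "dmz" and flow.mfa:
            return True, "brokered inbound from DMZ with MFA"
        if flow.src == "operations":
            return True, "supervisory control of Level 0"
        return False, "inbound into OT must be brokered from the DMZ with MFA"
    return True, "outbound toward IT via adjacent zone"

def violations(flows):
    # Flows a reviewer must reject, paired with the reason.
    return [(f, why) for f in flows for ok, why in [evaluate(f)] if not ok]

# Constructed sample rule set resembling a flat network that was never segmented.
SAMPLE_RULES = [
    Flow("enterprise", "process", "modbus/502"),                  # office VLAN to PLC
    Flow("enterprise", "dmz", "tcp/443"),                         # business reads historian
    Flow("operations", "enterprise", "tcp/8883", via_diode=True), # diode export
    Flow("dmz", "operations", "rdp/3389"),                        # jump host without MFA
    Flow("dmz", "operations", "rdp/3389", mfa=True),              # brokered with MFA
    Flow("enterprise", "operations", "tcp/22", via_diode=True),   # diode used inbound
]
```

Running `violations(SAMPLE_RULES)` flags three of the six rules: the flat office-to-PLC path, the unbrokered RDP hop, and the inbound use of the diode.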
What managed IT services do Arizona defense manufacturers need?
Arizona defense manufacturers need CMMC-ready managed IT with NIST 800-171 implementation, ITAR-compliant infrastructure, OT/IT network segmentation, 24/7 security monitoring, industrial-grade structured cabling, physical security integration, and disaster recovery with manufacturing-grade RTOs. ProTelesis provides these services from our Scottsdale office to manufacturers across the Greater Phoenix metro.
What is the cost of a cyberattack on a manufacturing facility?
The average manufacturing breach cost $5.56 million in 2025, a 13% increase year-over-year. For defense manufacturers, the consequences extend beyond financial impact — a breach involving CUI can result in loss of DoD contracts, ITAR violations, and debarment from future government work. Production downtime on a manufacturing line typically costs $10,000 to $50,000 per hour depending on the operation.
How can medical device manufacturers meet FDA cybersecurity requirements?
Medical device manufacturers need 21 CFR Part 11 validated systems with complete audit trails, QMSR-aligned cybersecurity risk management, SBOM generation, secure post-market surveillance infrastructure, and incident response plans that account for both IT systems and connected medical devices. A managed IT partner with FDA compliance experience can architect and maintain these capabilities without requiring dedicated internal resources.