
Somewhere on a manufacturing floor, there’s a workstation with permanent local admin rights that hasn’t been touched in a policy review for months. It runs a CAD program, or a CNC control interface, or a legacy quality-assurance tool that expects every user to be an administrator.
The machine works. The operator gets their job done. The line keeps moving.
That’s why the shortcut exists. It also happens to be the single biggest security exposure most manufacturers have, and it’s about to become a CMMC audit failure.
I’ve watched this same pattern repeat across thousands of deployments. Most of the manufacturers I talk to are running their entire IT operation with two or three people for a 300-person shop floor.
They’re not staffing a security operations center. They’re fixing printers, keeping production software updated, and trying not to let the line go down. When an application throws a “you need admin rights to continue” dialog at 7 a.m., the fastest fix is to hand the user admin access and move on. It’s not carelessness. It’s triage.
But the cumulative effect of hundreds of those triage decisions, across hundreds of endpoints, is an environment where an attacker who lands on one machine can move laterally across your entire operation before anyone knows they’re there.
Two Pressures, One Surface Area
Manufacturing IT teams are being squeezed from two directions right now, and both pressures are landing on the same endpoints.
On one side, production needs to keep running. CNC machines, diagnostic tools, MES applications, CAD software. Some of this was written 15 or 20 years ago, back when nobody thought twice about applications demanding local admin rights. Now those applications are stuck in production, running on workstations that can’t be easily replaced, updating multiple times a week.
On the other side, the compliance pressure is intensifying fast. CMMC 2.0 Phase 1 enforcement took effect November 10, 2025. Phase 2, which makes C3PAO third-party assessments mandatory for most Level 2 contracts, starts November 10, 2026.
If you hold or want DoD work, you have less than a year to prove to a certified assessor that your access controls are actually in place. Not documented. In place.
Cyber insurance carriers are asking harder questions, too. Questionnaires that were one page two years ago are 20 pages now, with privileged access controls front and center. And primes like Lockheed Martin, Boeing, and Northrop Grumman are already demanding CMMC readiness documentation from suppliers before they’ll renew contracts.
Both pressures are converging on the same endpoints. The shop-floor workstation with standing admin rights isn’t just a security problem anymore. It’s a contract problem.
Why “Lock It Down” Backfires on a Production Floor
When I talk to manufacturing IT leaders and CMMC comes up, the conversation follows a predictable pattern. A consultant or auditor tells them least privilege is non-negotiable, so the organization attempts to remove administrative rights from every user across the entire environment.
Two weeks later, production is complaining. An engineer can’t update CAD license validation. A shop-floor tech can’t install a firmware update. Quality control can’t run a diagnostic. The help desk queue hits triple digits by lunch.
A few days later, management will contact IT and say “fix it.” Admin rights will be quietly restored for the users who complained the loudest. The policy hasn’t changed. The risk is back. And now the organization has a documented gap between what the security policy says and what’s actually running. This is worse than not having the policy at all.
This is the cycle. The compliance documentation states that standing admin rights are removed completely. In practice, operations require an exception in less than a week. IT has to create those exceptions so production can continue to run, and at that point the compliance document has become a fictional representation of the environment. Then, when an auditor arrives to review what was implemented (as opposed to what's written), we have a completely different conversation.
CMMC assessors are trained to look for this gap. The Access Control domain accounts for 22 of the 110 practices at Level 2, including explicit requirements around least privilege and account management. A C3PAO is not going to accept a policy document as evidence. They want to see the controls running and they want to see the audit trail.
What Actually Works
The middle ground isn’t a compromise. It’s a different approach to the problem. Instead of taking away admin rights and hoping users don’t find workarounds, remove standing admin rights and replace them with application-specific temporary elevation that happens in the background.
This is how you transition into a zero-trust model without disrupting production. The operator clicks to install or upgrade their diagnostic tools. The operating system identifies the tool, applies a pre-authorized rule, and elevates the access for just this one process. Once completed, the access will expire on its own.
There’s no help desk ticket. No production delay. No permanent admin rights sitting on the endpoint waiting to be exploited. Set it and forget it, instead of another tool that creates more work for a team that already has enough.
This is where manufacturing IT teams tend to get skeptical, and fair enough. Most of them have been burned by tools that promised simplicity and delivered complexity, or worse, promised a quick deployment and delivered a six-month consulting engagement. So here’s what a realistic implementation looks like.
Start in observation mode. Before you enforce anything, run the tool in monitoring-only mode for two to three weeks. Watch which applications are actually requesting elevation, who’s requesting it, and how often. In most manufacturing environments, a surprisingly small number of applications drive the majority of elevation requests. Five or ten programs, usually, not hundreds.
Once you have that pattern, write rules for the known-good applications. The CAD application that requires an admin to validate licensing every 30 days. The diagnostic software that updates three times a week. The production monitoring application that requires admin approval to apply its latest patch. Each of these tools can be granted elevation through a scoped rule for a short amount of time, while creating a complete audit trail.
Then turn on enforcement. Because you’ve already mapped the real-world workflow, this process is almost invisible. Users receive their elevation when they need it, without a ticket. IT gets a clean audit log. The production line keeps moving.
The CMMC Connection
CMMC Level 2 requires 110 security practices as stated in NIST SP 800-171. The Access Control domain is the largest, with 22 practices. Several of them, including account management, least privilege, and separation of duties, map directly to what temporary elevation controls actually do. A manufacturer who has deployed application-specific elevation with an audit trail isn’t writing a new policy to satisfy the assessor. They’re showing the assessor a control that’s been running.
That’s the difference between a CMMC assessment that goes well and one that doesn’t. The C3PAO is not grading your documentation. They’re grading whether the practices are implemented correctly, operating as intended, and producing the intended outcome. An audit log that shows who had elevated access, to which applications, for how long, going back months, is exactly that evidence.
And here’s the part most manufacturers are missing: the same controls that satisfy the CMMC assessor also satisfy the cyber insurance underwriter, the prime contractor’s supplier questionnaire, and any SOC 2 or NIST audit that might hit the organization next year.
You’re not implementing four different compliance programs. You’re implementing one control that counts for all of them.
Where to Start
You don’t need a six-figure consulting engagement to fix this. You need a deployment you can run yourself, in hours, not months.
- Inventory standing admin rights. How many workstations on your production floor and engineering network have users running as permanent local administrators? Almost every manufacturer I talk to underestimates this number by a factor of two or three. Find out what it actually is.
- Run a privilege management tool in observation mode for a few weeks. Get the real data on which applications are driving elevation requests. Don’t guess. Measure.
- Roll out rules for your top 10 applications. Those alone will handle the vast majority of day-to-day elevation needs. You can expand from there.
- Build your audit evidence as you go. The assessor who shows up in 2027 is going to want to see historical records, not a policy you wrote last week. Start the clock on that documentation now.
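The observation-mode, rule-writing and audit-evidence steps described under "What Actually Works" and in the checklist above, as an added Python example that is not part of the original article or any vendor's product: it reads constructed monitoring-only log lines, picks the handful of executables that drive most elevation requests, turns them into scoped, time-limited per-process rules, and produces the per-user, per-application summary an assessor asks for. It goes one step beyond the text by refusing to auto-approve anything living in a user-writable path; the log format, field names and rule schema are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed observation-mode log: timestamp|user|executable path|seconds elevated.
# The format and values are invented for this example, not any product's log schema.
OBSERVATION_LOG = """\
2026-01-12T07:02:11|jdoe|C:\\Program Files\\CADTool\\licmgr.exe|45
2026-01-12T07:05:40|mlee|C:\\Program Files\\CADTool\\licmgr.exe|40
2026-01-12T08:10:02|opr07|C:\\Diag\\DiagUpdate.exe|120
2026-01-13T07:01:55|opr03|C:\\Diag\\DiagUpdate.exe|110
2026-01-13T09:30:14|jdoe|C:\\Users\\jdoe\\Downloads\\setup.exe|600
2026-01-14T08:00:30|opr07|C:\\Diag\\DiagUpdate.exe|115
2026-01-14T12:45:00|qa01|C:\\MES\\Monitor\\patch.exe|90
"""
# Locations any user can write to: a path-only rule there can be swapped for anything.
USER_WRITABLE = ("\\Users\\", "\\Temp\\", "\\ProgramData\\")

def parse_events(text):
    """Parse pipe-delimited observation lines; malformed lines are skipped, not guessed."""
    rows = [ln.split("|") for ln in text.splitlines()]
    return [{"time": r[0], "user": r[1], "path": r[2], "seconds": int(r[3])} for r in rows if len(r) == 4]

def top_applications(events, coverage=0.8):
    """Smallest set of executables (most requested first) covering `coverage` of all requests."""
    counts = Counter(e["path"] for e in events)
    chosen, covered = [], 0
    for path, n in counts.most_common():
        chosen.append(path)
        covered += n
        if covered / len(events) >= coverage:
            break
    return chosen

def build_rules(paths, ttl_minutes=15):
    """Scoped per-process rules for vetted paths; user-writable paths go to a review list."""
    rules, needs_review = [], []
    for p in paths:
        if any(marker in p for marker in USER_WRITABLE):
            needs_review.append(p)  # an installer in Downloads is not a known-good application
        else:
            rules.append({"path": p, "scope": "process", "ttl_minutes": ttl_minutes, "audit": True})
    return rules, needs_review

def audit_summary(events):
    """Who had elevation, to which application, how often and for how long: assessor evidence."""
    out = defaultdict(lambda: {"count": 0, "seconds": 0})
    for e in events:
        out[(e["user"], e["path"])]["count"] += 1
        out[(e["user"], e["path"])]["seconds"] += e["seconds"]
    return dict(out)

if __name__ == "__main__":
    evts = parse_events(OBSERVATION_LOG)
    rules, review = build_rules(top_applications(evts))
    print(f"{len(rules)} rules written, {len(review)} path(s) need human review: {review}")
```

A production tool would match on publisher signature or file hash rather than path alone; the review list is where that vetting starts.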
Privileged access management is the control that shows up on every compliance questionnaire and every auditor’s checklist, but it works best when it’s sitting on top of the other two foundations most small IT teams are missing: password management and DNS filtering.
Together, those three layers stop most of what actually lands in front of a technician on a Monday morning. None of it requires a consultant or a six-month rollout. It requires a few weeks of observation, a set of rules that reflect how your environment actually works, and a tool your IT team can run without a dedicated operator.
The shortcut of giving every production workstation permanent admin rights made sense when nobody was checking. Starting November 10, 2026, somebody is going to be checking. Your insurance carrier is already checking. Your prime contractor is already checking. The shortcut had a shelf life. Now that shelf life is showing up on a calendar.
Fix it before the assessor does.