PCB fabs, EMS, and component suppliers — the supply-chain security ask is coming next.
Electronics manufacturing supports critical DoD platforms — and DoD's supply-chain security focus on Section 889, ITAR, and CMMC is now landing on tier-2 and tier-3 suppliers.
The specific reasons your contracts changed.
Section 889 + CMMC overlap
Restrictions on covered telecom equipment intersect with CMMC's supply-chain risk family. Cincra's evidence locker keeps both attestations in one place.
ITAR + CMMC are not the same
ITAR is export control; CMMC is information protection. Being ITAR-registered does not cover you.
Gerbers and BOMs are CUI
Design files, BOMs, and test fixtures for controlled programs carry CUI markings — your CAM stations are in scope.
JIT inventory complicates scope
Multiple programs flowing through the same SMT line means your CUI enclave needs careful definition.
Cincra's scope wizard separates corporate IT from the controlled engineering/manufacturing enclave, so you're not paying to harden front-office laptops that never touch a controlled drawing.