CMMC Certified Manufacturer – Modus Advanced – Share Their Stories

Sit down with Daniel Akridge, CMMC CCP, Summit 7, while he talks with the Modus Advanced Team.

In episode 12 of That CMMC Show Daniel & the Modus team share their stories about their CMMC journey, things to look out for in yours, and what their assessment experience was like.

• Connect with Daniel here:   / danielakridge  
• Learn more about Modus Advanced: https://www.modusadvanced.com/

Transcript

Hello everybody, and welcome back to That CMMC Show. Today I’m joined by the team at Modus Advanced, a long-term partner of Summit 7. We’re excited to celebrate a few things. First, their successful CMMC Level 2 certification, which we’re going to talk about today. Second, the real “why” behind doing CMMC in the first place. Rick and I have talked a lot about this: it’s not just about checking a box, it’s about protecting the American dream and what that really looks like. I’ve started calling it the new, modern “invisible space race” because cyber lives in ones and zeros, but it is absolutely critical to protecting the warfighter both at home and abroad. So thank you all for joining me today. Rick, I’m going to point to you first, my friend. We’ve worked together for about five years now, going back to when I was running the MSP here at Summit 7. Why don’t you introduce yourself and then let your team introduce themselves?

Rick: “Thanks for having us on, we appreciate it. It’s been a wonderful, amazing journey with Summit 7 and our team. I’m Rick McCurdy, CEO at Modus Advanced, and I led the project to get us to CMMC certification with a lot of help from my friends and associates. It was an incredible journey, but we made it, and I’m happy to share some of the lessons learned and the deeper ‘why’ behind why we decided to pursue CMMC. With that, I’ll pass it over to Lance.”

Lance: “I’m Lance Harvey, director of operations for Modus Advanced. I head up the manufacturing side and partnered with Rick and the IT team throughout this effort. CMMC compliance is more than just IT; it touches the operational side as well. I played a big role in helping get it rolled out from inception all the way through the audit, audit completion, and final certification. With that, Will, do you want to introduce yourself?”

Will: “I’m Will Gardner, VP of revenue and innovation for Modus. I oversee most of the pre-production, customer-facing activities and all of the product development for Modus. The CMMC journey has been interesting, and I’ve got a very vested interest, along with all of our customers, in making sure we keep their data safe and ultimately protect the warfighter.”

At this point I paused to point out something that I find really encouraging: in most organizations there’s a lot of tension between revenue and BD on one side and operations and execution on the other. The fact that both sides are not only aligned but on the same call talking about CMMC is already a big win. For everyone listening, it really is possible to have both your BD and sales team and your operations team get along and make CMMC a success. Then I turned it over to Stacy.

Stacy: “Lance and Will are best friends. We don’t have to worry about that here. I’m Stacy Willis. I oversee marketing and HR. I interact with the CMMC journey primarily through our onboarding and offboarding processes for new employees on the HR side, and by running and maintaining all the security trainings we need in order to stay in compliance. From the marketing side, my focus is on how we message our CMMC certification to our customers and how we work it into our materials.”

From there, I wanted to make sure people listening really understood who Modus Advanced is and what they actually do. I asked them to explain how they support the DoD, who they serve outside the DoD, and what kind of innovation they’re driving so that anyone listening who needs those services can connect the dots.

Rick explained that, first and foremost, the company culture is built around deeply caring about protecting the warfighter, the defense community, and the health of the nation. Modus focuses heavily on defense and space-related capabilities but also supports a number of life-saving medical technologies. They are a vertically integrated, fully domestic rapid manufacturing company combining a range of processes under one roof across two facilities with duplicate capabilities. They offer CNC machining, form-in-place gasketing, a variety of converting capabilities, and specialty coatings geared toward the space industry for optical and thermal control on avionics components. In short, they are a rapid manufacturer with a wide range of capabilities.

I added that, from firsthand experience working with Modus for years, I know their bench can handle incredibly innovative and advanced work, like what’s being discussed around things like Golden Dome, all the way down to what some might consider “standard” work. Their portfolio truly spans R&D through mass production, and they’re open to conversations across that full spectrum. We’ll be putting their contact information in the show notes for anyone who needs a trusted, certified subcontractor in the supply chain. Even if you’re not a prime, primes have to use certified companies if that’s what the contract requires, and we need more companies that can step up and deliver the kind of capabilities Modus brings.

Stacy added one important nuance: the desire to serve the Defense Industrial Base and the military is deeply woven into their culture. They have multiple former military members on staff, including Lance, and she herself is married to a service member. There’s a deep personal connection to the mission that goes beyond a standard business relationship.

That led us into a bigger conversation about their “why.” For years, even before CMMC was a “real thing,” Modus has stood out because their primary motivation was never just to avoid losing revenue. A lot of companies think, “I don’t want to lose contracts, so I’ll check the CMMC box.” But from my very first conversations with Rick and his team, their posture was, “We want to do this because it is the right thing to do.” They care deeply about the people using the equipment they help produce. If there is volatility, compromise, or any cyber risk that could harm a warfighter using those tools, they want to do everything in their power to protect them. They see it as doing their part in protecting the American dream and pushing back against adversaries who would exploit vulnerabilities.

So I asked Rick to walk us through the origin of their journey. They knew they needed to do something about security long before a formal CMMC certification existed and have been at this for years, starting with DFARS 252.204-7012 compliance and arriving seven years later with a built-out, compliant environment that is not only secure but also productive and usable for the business.

Rick explained that Modus came out of a Google environment into the Microsoft ecosystem around 2018 or 2019. At that point, they found Summit 7 and made a deliberate decision to go all-in on Azure and Microsoft 365 GCC High as the foundation for the company. They knew they wanted to focus on defense and grow into space work as that domain ramped up, so they prioritized picking the right partner and the right infrastructure from the start. The goal was to avoid yet another platform switch and instead build on a secure, durable foundation. That early decision, combined with the belief that it is an honor and privilege to be part of the Defense Industrial Base, set the tone. Even though Modus plays a “small” role, they see it as part of who they are and part of Rick’s personal why. He was not in the military himself but feels a deep responsibility. Because of that, investing in protecting government data and secrets was a no-brainer. For them, it was simply the right thing to do.

We then talked about ROI and how so many companies only view it as dollars and cents. I pointed out that, yes, there are tangible benefits and business upside as CMMC becomes a formal requirement. As of the recording, the CMMC final rule had dropped, and by November 10th it would start appearing in solicitations as a requirement for contract award. There will absolutely be new opportunities for companies who are prepared. But the intangible ROI that Rick described, around honoring the warfighter and doing their part to protect human lives, is often ignored. That perspective is what makes the conversation with Modus so refreshing. They weigh both sides: the business benefit and the moral responsibility.

From there, we zoomed in on the journey itself and the potholes they’d want other manufacturers to avoid. CMMC is not easy. Modus has been at some form of this work for roughly seven years. I asked Lance what he wished other manufacturers knew before they started.

From the operations side, and as a 12-year Marine Corps veteran, Lance noted that it wasn’t lost on him that their compliance aligned with the Marine Corps birthday. For him, CMMC goes far beyond IT. There’s a common misconception that it’s just an IT problem, but in reality it touches every department: HR, operations, purchasing, facilities, and the shop floor. You have to ingrain it into your culture. That includes building physical security, restricting phones and photos in certain areas, creating policies and procedures, and enforcing those rules so that everyone holds each other accountable.

In terms of pitfalls and advice, Lance highlighted the importance of a robust gap analysis at the start. You need to understand your current IT configuration and how you operate on the manufacturing floor. Are you doing direct file transfers? Are you using USB drives? Are you paperless? How do packets and job travelers move? Once you understand that, you can look at both IT and operational gaps including HR and purchasing and then build a realistic roadmap. That roadmap should account for the impacts of changes, plan around downtime and stoppages, and sequence the work in a logical order.

He also pointed out that CMMC contains a lot of embedded best practices for manufacturing, especially if you are already ISO or AS9100 certified. There are many synergies between CMMC, ISO, and AS9100. Following those best practices means you’re already headed down the right path in terms of workflows and data control. Modus tried to keep as much alignment as possible, especially since they’re audited for all of these frameworks. Where they deviated was primarily around file storage and structure. They adopted clearer labeling, visual management for what is and isn’t CUI, and positive control over job packets and USB drives to maintain a chain of custody. Lance emphasized that much of the audit boils down to “What did you say you were going to do, and can you show that you’re actually doing it?” So clear documentation and simple, enforceable processes are key.

We then pivoted from operations to revenue and HR. I joked that salespeople can be a bit “squirrely” when it comes to things like marketing, CMMC, and CUI. From a revenue standpoint, I asked Will how they turned that ship and ensured the “tip of the spear” handled information correctly, especially since so many people mistakenly view CMMC as only an IT concern.

Stacy jumped in first. On the marketing side, they have strong processes around reviewing public-facing content to ensure that no CUI is used. They start guardrails as early as possible: video or photography is not allowed to happen when CUI materials are present, so there is no risk of it slipping into a campaign. By preventing CUI from entering the content pipeline at all, the later review process becomes straightforward.

On the HR and training side, Stacy highlighted something critical: security training is often dense and confusing, especially for operators who have never thought much about cybersecurity beyond a password for personal email. Modus put a lot of effort into tailoring training to different audiences. IT staff get one level of depth; shop-floor operators get another. For an operator, the most important thing might be recognizing that a job packet printed on a certain color paper means CUI and understanding the related responsibilities. If training is over their heads, they won’t know what’s expected and gaps will appear. So they focused on making concepts approachable, understandable, and relevant while still meeting CMMC requirements.

I shared one of my favorite lines from pastor John Tyson: “Clarity is kindness.” Modus is a great example of using clarity as an act of kindness, especially in how they design and deliver training. It is harder work on the front end to carve out different training experiences and expectations by role, but it pays off in sustained adoption.

Then it was Will’s turn to talk about sales. He tied together Lance and Stacy’s points and brought it back to culture and training. On his side, the training emphasis is less “here’s your cybersecurity course” and more about connecting the work to real customer applications. In quarterly all-hands meetings, the sales team presents customer applications: specific weapon systems, missile systems, satellite communication payloads, and so on. That helps everyone understand what the parts they are producing actually go into. When an operator sees a job packet, they now understand it might be tied to a satellite communication system and that what they’re doing really matters. On top of that foundation, Modus layers the cyber and CUI protocols, explaining why drawings and models must be handled a certain way and how to distinguish between different CUI designations, CTI, and distribution statements that dictate special handling. Will and Lance work closely together to build a file structure and workflow that makes the handoff from sales to operations seamless inside the protected environment.

I pointed out how rare it is to hear a revenue leader use language like “distribution statement” correctly. Having someone on the sales side who understands things like CTI and DoD distribution statements is almost unheard of, even though those are among the most common data types in the defense space. That level of understanding shows how deeply Modus has integrated CUI awareness across the organization.

From there, we moved to the “final boss” of their journey: the actual CMMC assessment with a C3PAO. I asked what that experience was like, how the onsite component worked, and what the auditors actually asked for.

Rick shared that, going in, he wasn’t totally sure what to expect because it’s still relatively early days for CMMC. They took the approach of over-preparing. They assumed they’d need to address all 320 assessment objectives and have clear evidence for each one. They did that work in advance: policies, procedures, technical evidence, and documentation. When the assessment came, it lasted four working days, with hours decreasing as the week went on, and was definitely challenging but manageable because of the preparation.

He emphasized how important it was not to do it alone. Rick is a businessperson by background, not a lifelong technologist. Modus had their internal team, the Summit 7 team, and another partner all working together. When questions went deep into the technical stack, Summit 7’s engineers stepped in to explain how the environment was configured and to “speak the auditor’s language.” That combination of administrative leadership, technical expertise, and prior prep is what helped them succeed. Rick described it as probably the most significant project of his career.

I contrasted their proactive posture with another conversation I’d had recently with a manufacturer whose executives had literally issued a “cease and desist” on CMMC work until the rule was final. That attitude is widespread. Many believe IT is solely responsible, think they can do it alone, or feel they shouldn’t move until everything is finalized. Now that the final rule has dropped, those organizations will scramble to hire internal staff, bring in third parties, get executive buy-in, and shift culture in a very compressed timeline. Meanwhile, Modus spent years laying the groundwork and is now a model of what “doing it the right way” looks like.

To wrap things up, I asked each person for closing remarks. Rick said that, for him, CMMC became part of who they are and how they do business. It is not an “extra” anymore; it is simply how Modus operates. Manufacturers in the US already want to protect data. We should accept that responsibility and weave it into our identity instead of treating it as bolt-on overhead.

Lance reiterated that the devil is in the details. Do a thorough gap analysis, leverage synergies between ISO, AS9100, and CMMC wherever possible, and plan carefully. Use the assessment methodology to honestly audit yourself. Don’t convince yourself you’re passing when something is gray; if it’s gray, fix it. Keep things as simple as possible. Some of the few hits they took during the audit were self-inflicted: they had documented one way of doing something but the actual practice had drifted. Make sure you are truly doing what you say you do.

Will spoke from the revenue side. As with quality management systems like ISO and AS9100, CMMC is becoming another core topic that customer-facing teams must be able to discuss. It’s no longer just an IT issue, and it’s not even just a “problem.” It’s a differentiator and a unique selling position. Customers are going to care about it more and more. That means understanding it, living it, and embedding it into culture at every level, from sales to operations.

Stacy closed us out by coming back to the “why.” When you think “assessment,” it’s easy to drift back to checkboxes. But this entire process is hard, and if you don’t have a meaningful why, it will feel like a burden. Remembering the why makes it easier to do what’s hard and leads to better execution. That’s true in training as well: you can pass an assessment on paper, but if your employees don’t really understand what CUI is, they will mishandle it sooner or later. Bringing it back to the why at every level helps close that gap.

I wrapped the conversation by thanking Rick, Lance, Stacy, and Will for their time and for being such a clear example in this space. As a Summit 7 employee, I couldn’t be more proud to partner with a company like Modus Advanced. For everyone listening, make sure to reach out to them for your manufacturing needs. They are a CMMC Level 2 certified manufacturer and a trusted partner in the defense supply chain. Like and subscribe, and we’ll see you next time.