Defense and Regulated Manufacturing · SyteLine ERP

Defense and Regulated Manufacturers: Your CUI Doesn't Belong on Your Internal File Servers.

Doc-Trak DoD CMMC and Shop-Trak DoD CMMC move your Controlled Unclassified Information off your internal systems and into Amazon S3 GovCloud — the DoD-certified, FedRAMP-authorized environment where it belongs. Your workers don't see credentials. They don't know where the documents live. They scan a smart card and the right document opens. Behind the scenes, the combined product addresses 48 CMMC and NIST 800-171 requirements, with documented technical alignment to 10 specific Level 2 controls. Whether you're an aerospace prime sub, an ITAR-controlled exporter, or a Tier 2/Tier 3 defense supplier facing flow-down requirements, the architecture is the same.

40+ Years on SyteLine | Infor Gold Partner | CUI Stored in Amazon S3 GovCloud (FedRAMP-Authorized) | 48 CMMC/NIST 800-171 Requirements Addressed

The Problem

Compliance gaps in defense manufacturing don’t stay hidden.

Defense and regulated manufacturers typically discover their CUI exposure during an audit, a contract review, or a prime contractor's security questionnaire — at exactly the moment when there's no time to fix it.

Your CUI is on the wrong server

Federal Contract Information, Controlled Unclassified Information, and Controlled Technical Information stored on shop floor file servers, network drives, and shared folders is the most obvious target for cyber-theft. A breach doesn't just cost the active contract — it can disqualify you from future work and cascade into your commercial business.

Benchmark: The fix isn't tighter permissions on the same servers. It's getting the documents off your servers entirely and into a DoD-certified, FedRAMP-authorized environment where your internal IT team is no longer the last line of defense.

MFA on the shop floor doesn't work

CMMC requires multi-factor authentication, but most MFA approaches use mobile phones — and mobile phones on the shop floor are typically prohibited because employees can photograph CUI with no endpoint control. The phone that satisfies the MFA requirement in your IT office creates a compliance violation the moment it enters the manufacturing floor.

Benchmark: Biometric scanners are expensive and difficult to maintain in a manufacturing environment. Most defense manufacturers have no compliant MFA path for shop floor workers — and CMMC assessors know it.

Every file app is a leakage path

Microsoft Office, Adobe Acrobat, and every browser natively allow Save As, print, email, download, format conversion, and copy/paste. None of these actions are permitted under CMMC for CUI — but there's no native control in any of these applications that prevents them.

Benchmark: A single uncontrolled Save As on a CUI document is a CMMC violation. Manufacturers who give shop floor workers direct access to CUI documents through standard applications have no way to prove those actions didn't happen — because they have no log.

Audit evidence takes weeks to assemble

CMMC AU.2.042 requires audit logs of every CUI access — including failed attempts, session takeovers, and privilege changes — that can be produced on demand to support investigation and reporting. Most manufacturers reconstruct this evidence after the fact, under audit pressure, from disparate system logs that were never designed to work together.

Benchmark: Quality Managers at manufacturers without integrated audit logging routinely spend two to four weeks assembling evidence that a properly configured system should produce in minutes. The audit isn't the hard part — the manual process behind it is.

How It Works

Before: CUI on your internal servers, every file application a leakage path, audit evidence assembled by hand.

The architecture is the same for every defense and regulated manufacturer — CUI moves off your systems, access is RFID-controlled at source, and every document event is logged automatically. Nothing your auditor needs has to be reconstructed.

1. CUI moves from your servers to a dedicated S3 GovCloud instance

Documents containing FCI, CUI, or CTI are migrated from internal file servers to a dedicated Amazon S3 GovCloud instance — DoD-certified, FedRAMP-authorized, isolated from every other tenant including Amazon and the U.S. government. SyteLine stays where it is. Only the CUI documents move.

Lake + preferred implementation partner provide: CUI off your servers, S3 GovCloud instance live and isolated

2. Document access working, zero credential exposure confirmed

Doc-Trak handles the linking between SyteLine records and documents in S3 GovCloud. When an authorized user needs a drawing or work instruction, Doc-Trak retrieves it through AWS IAM-issued temporary federated tokens (AWS STS, 15-minute expiration by default). Credentials are never exposed to the user, never stored on the workstation, and never reusable.

What Lake Companies provides: Document access working, zero credential exposure confirmed

3. Shop-Trak RFID controls who enters and locks down what they can do

On the shop floor, every CUI access requires a personal RFID smart card or fob scan — cryptographic authentication that works the way facility badges already work. Shop-Trak Kiosk Mode locks down the workstation simultaneously: no Windows Start Menu, no File Explorer, no hot keys, no external drives, no screen capture. If a card is copied or shared, the system detects it, disables the card immediately, and generates a full audit record of everything accessed since the compromise.

Shop floor workers see: RFID authentication live, Kiosk Mode active, cloned-card detection running

4. The Document Viewer closes every leakage path

Documents open in the Doc-Trak Document Viewer — read-only, no save, no print, no email, no download, no format conversion. Shop-Trak Kiosk Mode adds OS-level enforcement at the workstation: no Windows Start Menu, no File Explorer, no hot keys, no external drives, no screen capture. Every common exfiltration path is closed before a document is ever opened.

Quality Manager sees: All leakage paths verified closed at every DoD-flagged workstation

5. Every event is captured, continuously and automatically

Every access, every badge scan, every denial, and every policy change is captured in the Security Device Activity log with user ID, workstation, document, timestamp, and reason code. The log integrates with the S3 GovCloud audit log for cross-system traceability. Audit evidence exports on demand — individual access events, full compliance reports, or investigation exports. Nothing requires reconstruction before an assessor arrives; the evidence is always current.

Compliance Lead sees: Complete audit record live, first on-demand evidence export reviewed and filed
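
Step 2 above describes document retrieval through AWS STS temporary federated tokens with a 15-minute lifetime. The sketch below is an added example, not Doc-Trak's code: it builds the parameters for an STS GetFederationToken call whose inline session policy allows `s3:GetObject` on exactly one object in the `aws-us-gov` partition. The function name, bucket, key and user ID are hypothetical, and the choice of GetFederationToken rather than another STS call is an assumption.

```python
import json
import re

# Limits from the AWS STS GetFederationToken API reference.
MIN_DURATION = 900       # 15 minutes: the shortest session STS will issue
MAX_DURATION = 129600    # 36 hours
MAX_POLICY_CHARS = 2048  # size limit for an inline session policy
NAME_RE = re.compile(r"[\w+=,.@-]{2,32}", re.ASCII)
BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")


def build_federation_request(user_id, bucket, key, duration=MIN_DURATION):
    """Return keyword arguments for sts.get_federation_token, scoped to one object.

    Hypothetical helper for illustration; all values come from the caller.
    """
    if not NAME_RE.fullmatch(user_id):
        raise ValueError("federated user name must be 2-32 chars of [A-Za-z0-9_+=,.@-]")
    if not BUCKET_RE.fullmatch(bucket):
        raise ValueError("invalid bucket name")
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError("duration outside the range STS accepts")
    # '*' and '?' are wildcards and '${' starts a policy variable in an IAM
    # Resource string; rejecting them keeps the grant to a single object.
    if not key or any(tok in key for tok in ("*", "?", "${")):
        raise ValueError("key must name exactly one object")
    # Session policy: the token's effective permissions are the intersection
    # of this document and the calling IAM user's own policies.
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws-us-gov:s3:::{bucket}/{key}",
        }],
    }
    text = json.dumps(policy, separators=(",", ":"))
    if len(text) > MAX_POLICY_CHARS:
        raise ValueError("session policy exceeds the STS size limit")
    return {"Name": user_id, "Policy": text, "DurationSeconds": duration}


if __name__ == "__main__":
    # Constructed sample values. With boto3 installed and GovCloud credentials:
    #   boto3.client("sts", region_name="us-gov-west-1").get_federation_token(**req)
    req = build_federation_request("op-1042", "cui-docs-example",
                                   "drawings/12345-rev-c.pdf")
    print(json.dumps(req, indent=2))
```

A token issued this way expires on its own after 900 seconds and cannot read any other key in the bucket, so a captured token has a narrow scope and a short useful life.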
Typical Results

What changes when CUI is out of your building and access is controlled at source

Zero Credential Exposure
AWS STS issues temporary federated tokens (15-minute expiration by default). Credentials are never stored on workstations, never visible to users, and never reusable. Every access is a new credential — there is nothing persistent to steal or copy.

48 CMMC and NIST 800-171 Requirements Addressed
Documented across Doc-Trak DoD CMMC + Shop-Trak DoD CMMC. 10 of those are CMMC Level 2 controls with full technical alignment documented in the Solution Mapping — see Zone 5.

No SyteLine Migration Required
SyteLine stays where it is — on-prem, hosted, or Infor GovCloud. Only CUI documents move to S3 GovCloud.

Audit Evidence Assembly: Minutes, not weeks
The Security Device Activity log and S3 GovCloud audit log capture every CUI access event with timestamp. The evidence package an assessor requests exports on demand. What previously required 2–4 weeks of manual reconstruction across disconnected logs is a single report run.

No Non-DoD Operational Friction
When a worker runs commercial (non-DoD) jobs, the DoD CMMC controls are completely invisible. No kiosk lockdown, no smart card prompt, no document restrictions. Controls activate only on DoD-flagged items.

Cloned Card Response Time: Immediate & automatic
If a worker's RFID device is copied or shared, the duplicate is detected and disabled without manual intervention. Every document accessed since the original copy is recorded in the audit log.

Your industry has a specific compliance lens. We know it.

Six regulated verticals, each with its own audit surface, flow-down requirements, and product fit.

CMMC Level 2 Alignment

10 Specific CMMC Level 2 Controls. Documented. Not Claimed.

The combined product addresses 48 CMMC and NIST SP 800-171 requirements. The 10 controls below are documented in detail in our Solution Mapping — specific control language, how the product addresses it, and what evidence is produced. This is the document your C3PAO assessor will want to see.

| Control | What it Requires | How Doc-Trak / Shop-Trak DoD CMMC address it |
|---|---|---|
| AC.2.016 | Account management | Centralized via AWS IAM; temporary federated credentials via AWS STS; role-based access; flexible and auditable configuration |
| AC.2.017 | Access enforcement / session termination | RFID-based session control; lockout and blackout after inactivity; identity validation before resuming; single-session enforcement across workstations; Kiosk Mode enforcement |
| AC.2.018 | Least privilege | IAM role-specific access tied to task; time-bound credentials; real-time RFID authentication; endpoint lockdown via Kiosk Mode; cloned-device mitigation |
| AC.2.019 | Session lock | Inactivity detection and lock screen timeout; badge/fob authentication for re-entry; forced revalidation; cross-workstation session control |
| AC.2.020 | CUI control / access limitation | CUI segregation in S3 GovCloud; Doc-Trak as managed access gateway; Cloud Explorer + Document Viewer = zero data leakage paths; Kiosk Mode; two-step provisioning; audit logging and threat detection |
| IA.2.078 | Identification and authentication / MFA | Cryptographic authentication via smart card/fob; identity verification via IAM and session-specific credentials; no credential exposure to users; real-time threat detection |
| IA.2.079 | MFA for privileged and network access | System-managed federated identity with AWS IAM; temporary federated tokens via AWS STS; smart badge/fob + cryptographic authentication; controlled access to admin-level functions |
| SC.2.179 | System and communications protection | No file system or storage device access; blocked portable document endpoints; Document Viewer strict read-only; hidden document paths; credential-less access to S3 GovCloud; RFID enforcement; full audit logging |
| SC.2.180 | System architecture / information security | Complete elimination of portable storage use; access limited to secure cloud only; explicit disabling of endpoints that could leak to portable storage |
| AU.2.042 | Audit and accountability | Security Device Activity Logging; advanced filtering and analysis; controlled access to audit data; integration with document access and system control events; supports incident review and forensics |

What defense and regulated manufacturers have done with this

48: CMMC and NIST 800-171 requirements addressed by the combined product
10: CMMC Level 2 controls documented in the Solution Mapping — control language, technical alignment, and audit evidence
810: Midwest SyteLine manufacturers in Lake's completed ITAR/FedRAMP risk scoring dataset
5x: Consecutive years Infor named a Gartner Magic Quadrant Leader for Cloud ERP for Product-Centric Enterprises (Gartner MQ, through 2025 · Infor Gold Partner, 40+ years)

Each compliance challenge in your operation has a dedicated product built to close it.

What a Lake Companies compliance engagement looks like. No surprises.

Compliance engagements at Lake Companies follow a phased approach: scored assessment first, configuration and document control second, audit readiness validation third. Most manufacturers complete the full engagement — from initial assessment to audit-ready posture — in 60–120 days, depending on the number of open gaps identified in Phase 1.

1. How an engagement starts

A 30-minute working session — not a sales pitch. We walk through your current SyteLine version, your current Trak-Suite footprint, your CUI handling today, and what your prime or your audit cycle is asking of you. We tell you what Doc-Trak DoD CMMC + Shop-Trak DoD CMMC will and won't do for your situation. If we're a fit, we propose a defined engagement with a fixed scope and named milestones. If we're not, we tell you that too.

2. Setting up your Amazon S3 GovCloud environment

Standing up a dedicated S3 GovCloud instance for your CUI is handled by our preferred implementation partner — a specialist in this space — or your internal IT team, depending on your preference. The partner handles the AWS GovCloud account setup, the IAM policy structure, the encryption configuration, and the integration handoff to Doc-Trak DoD CMMC. Lake provides the requirements specification and integrates the Trak-Suite side.

3. What you need to have ready
  • Your current SyteLine version and deployment posture
  • Your current Trak-Suite footprint
  • An inventory of where CUI lives today (file servers, network drives, repositories)
  • The CMMC level your prime is requiring of you (Level 1, Level 2, Level 3)
  • A list of contracts subject to ITAR or EAR controls
  • Stakeholders for IT, operations, and shop-floor side approvals

4. Training and adoption

The DoD CMMC features are designed to be invisible during non-DoD work and seamless during DoD work — workers scan their card and the right document opens. There's no UI burden. Lake's On-Trak training program covers the configuration and rollout in the context of your existing workflows, with role-specific content for shop floor, supervisors, and admins.
Questions we hear the most

Real questions from defense and regulated manufacturers

Where exactly does our CUI live in this architecture?

Your CUI lives in a dedicated Amazon S3 GovCloud instance — DoD-certified, FedRAMP-authorized — that only your organization can access. It's not on Lake's servers. It's not in a shared repository. The instance is isolated from every other AWS tenant, including Amazon and the U.S. government, until you authorize access. Doc-Trak DoD CMMC manages the linking; the documents themselves never leave S3 GovCloud.

How does this satisfy CMMC's MFA requirements when our workers can't have phones on the shop floor?

RFID smart card / fob authentication with cryptographic verification. Each card is cryptographically tied to the user. A new security code is generated for each session and invalidated after use. The product maps this specifically to CMMC IA.2.078 and IA.2.079 in the Solution Mapping. Mobile-based MFA is explicitly not used: phones on the shop floor would be a CMMC violation — employees can photograph CUI with no endpoint control.

What happens if a worker's smart card is copied or shared?

The system detects the cloned card immediately and disables it. The worker has to have the device reinitialized by a manager — and reinitialization invalidates every existing copy and creates an audit record of every document accessed since the original copy. The product is built around the assumption that physical devices will eventually be misused, and the response is automatic.

Can workers print, email, save, or download CUI documents?

No. The Doc-Trak Document Viewer is read-only — it allows reading, zooming, and page navigation. It blocks Save As, print, email, file open, screen capture, and format conversion. Shop-Trak Kiosk Mode adds OS-level enforcement: no Windows Start Menu, no File Explorer, no hot keys, no external drives, no screen capture. Every common exfiltration path is closed at the workstation.

Does this require us to migrate SyteLine to Infor GovCloud?

No. SyteLine can stay where it is — on-prem, hosted, or in Infor GovCloud — because only the CUI documents move. The product is a cloud-based point solution that keeps SyteLine and all non-DoD documentation on your existing infrastructure. If you're also planning a SyteLine migration to Infor GovCloud, the two efforts are compatible and can be sequenced however makes sense.


We're not in defense — we have ITAR-controlled exports or other regulated compliance requirements. Does this still apply?

Yes, with appropriate framing. The same architecture supports ITAR-controlled work, AS9100 audit-evidence requirements, and other regulated-industry use cases that share the same underlying problem: controlled technical data on internal systems is a risk you can't afford. Your specific regulatory framework shapes which features matter most. Your industry page *(Zone 6)* picks up the vertical-specific story.

What about non-DoD work happening in the same shop?

The DoD CMMC controls are completely invisible during non-DoD work. Workers running commercial jobs see standard Shop-Trak / Doc-Trak — no kiosk lockdown, no smart card requirement, no document restrictions. The CMMC controls activate only when DoD-flagged items are involved. Most defense and regulated shops do mixed work; the product is designed for that reality.

Is Doc-Trak DoD CMMC itself FedRAMP-certified?

Doc-Trak DoD CMMC runs on-premise — within your four walls — so it doesn't need to be FedRAMP-certified itself. The storage layer that holds your CUI (Amazon S3 GovCloud) is FedRAMP-authorized. That's the architecturally important piece. Don't get pitched "FedRAMP-certified Doc-Trak" from anyone, including us — that's not the right characterization. The right characterization is "CUI stored in FedRAMP-authorized S3 GovCloud, accessed through Doc-Trak DoD CMMC running on-prem."

Ready to understand your actual compliance posture?

Book a CMMC Gap Assessment

Ready to Talk
A structured, expert-led review of your SyteLine configuration, your CUI handling today, and what your prime or audit cycle is asking of you. We tell you what the product will and won't do for your situation. If we're a fit, we propose a defined engagement. If we're not, we tell you that too.
The Bigger Picture

Doc-Trak DoD CMMC Is One Part of the Trak-Suite

Each product solves a different pain. They work better together — but you don't have to start with all three.

Shop-Trak
Your compliance trail is only complete if the shop floor is in it too
  • Live job status and labor at every workstation — timestamped, connected to SyteLine job records
  • Scrap and rework captured at source — AS9100 quality traceability without manual data entry
  • Operator-level production record tied to the same job records Doc-Trak tracks for document control
Fact-Trak
Your quality and compliance data is in SyteLine. Nobody can see it.
  • Pre-built Quality dashboard: scrap by work center, shift, and operator — same-shift visibility
  • WBS-level cost rollup and program margin visibility — the numbers defense primes ask for on every contract review
  • Quality and audit outcome metrics tied to the same SyteLine job records as your Doc-Trak DoD CMMC audit trail
Doc-Trak DoD CMMC + Shop-Trak + Fact-Trak