Defense and Regulated Manufacturers: Your CUI Doesn't Belong on Your Internal File Servers.
Doc-Trak DoD CMMC and Shop-Trak DoD CMMC move your Controlled Unclassified Information off your internal systems and into Amazon S3 GovCloud — the DoD-certified, FedRAMP-authorized environment where it belongs. Your workers don't see credentials. They don't know where the documents live. They scan a smart card and the right document opens. Behind the scenes, the combined product addresses 48 CMMC and NIST 800-171 requirements, with documented technical alignment to 10 specific Level 2 controls. Whether you're an aerospace prime sub, an ITAR-controlled exporter, or a Tier 2/Tier 3 defense supplier facing flow-down requirements, the architecture is the same.
40+ Years on SyteLine | Infor Gold Partner | CUI Stored in Amazon S3 GovCloud (FedRAMP-Authorized) | 48 CMMC/NIST 800-171 Requirements Addressed
Compliance gaps in defense manufacturing don’t stay hidden.
Defense and regulated manufacturers typically discover their CUI exposure during an audit, a contract review, or a prime contractor's security questionnaire — at exactly the moment when there's no time to fix it.
Your CUI is on the wrong server
Federal Contract Information, Controlled Unclassified Information, and Controlled Technical Information stored on shop floor file servers, network drives, and shared folders is the most obvious target for cyber-theft. A breach doesn't just cost the active contract — it can disqualify you from future work and cascade into your commercial business.
MFA on the shop floor doesn't work
CMMC requires multi-factor authentication, but most MFA approaches use mobile phones — and mobile phones on the shop floor are typically prohibited because employees can photograph CUI with no endpoint control. The phone that satisfies the MFA requirement in your IT office creates a compliance violation the moment it enters the manufacturing floor.
Every file app is a leakage path
Microsoft Office, Adobe Acrobat, and every browser natively allow Save As, print, email, download, format conversion, and copy/paste. None of these actions are permitted under CMMC for CUI — but there's no native control in any of these applications that prevents them.
Audit evidence takes weeks to assemble
CMMC AU.2.042 requires audit logs of every CUI access — including failed attempts, session takeovers, and privilege changes — that can be produced on demand to support investigation and reporting. Most manufacturers reconstruct this evidence after the fact, under audit pressure, from disparate system logs that were never designed to work together.
Before: CUI on your internal servers, every file application a leakage path, audit evidence assembled by hand.
The architecture is the same for every defense and regulated manufacturer — CUI moves off your systems, access is RFID-controlled at source, and every document event is logged automatically. Nothing your auditor needs has to be reconstructed.
CUI moves from your servers to a dedicated S3 GovCloud instance
Documents containing FCI, CUI, or CTI are migrated from internal file servers to a dedicated Amazon S3 GovCloud instance — DoD-certified, FedRAMP-authorized, isolated from every other tenant including Amazon and the U.S. government. SyteLine stays where it is. Only the CUI documents move.
Document access working, zero credential exposure confirmed
Doc-Trak handles the linking between SyteLine records and documents in S3 GovCloud. When an authorized user needs a drawing or work instruction, Doc-Trak retrieves it through AWS IAM-issued temporary federated tokens (AWS STS, 15-minute expiration by default). Credentials are never exposed to the user, never stored on the workstation, and never reusable.
Shop-Trak RFID controls who enters and locks down what they can do
On the shop floor, every CUI access requires a personal RFID smart card or fob scan — cryptographic authentication that works the way facility badges already work. Shop-Trak Kiosk Mode locks down the workstation simultaneously: no Windows Start Menu, no File Explorer, no hot keys, no external drives, no screen capture. If a card is copied or shared, the system detects it, disables the card immediately, and generates a full audit record of everything accessed since the compromise.
The Document Viewer closes every leakage path
Documents open in the Doc-Trak Document Viewer — read-only, no save, no print, no email, no download, no format conversion. Shop-Trak Kiosk Mode adds OS-level enforcement at the workstation: no Windows Start Menu, no File Explorer, no hot keys, no external drives, no screen capture. Every common exfiltration path is closed before a document is ever opened.
Every event is captured, continuously and automatically
Every access, every badge scan, every denial, and every policy change is captured in the Security Device Activity log with user ID, workstation, document, timestamp, and reason code. The log integrates with the S3 GovCloud audit log for cross-system traceability. Audit evidence exports on demand — individual access events, full compliance reports, or investigation exports. Nothing requires reconstruction before an assessor arrives; the evidence is always current.
What changes when CUI is out of your building and access is controlled at source
Your industry has a specific compliance lens. We know it.
Six regulated verticals, each with its own audit surface, flow-down requirements, and product fit.
10 Specific CMMC Level 2 Controls. Documented. Not Claimed.
The combined product addresses 48 CMMC and NIST SP 800-171 requirements. The 10 controls below are documented in detail in our Solution Mapping — specific control language, how the product addresses it, and what evidence is produced. This is the document your C3PAO assessor will want to see.
| Control | What it Requires | How Doc-Trak / Shop-Trak DoD CMMC address it |
|---|---|---|
| AC.2.016 | Account management | Centralized via AWS IAM; temporary federated credentials via AWS STS; role-based access; flexible and auditable configuration |
| AC.2.017 | Access enforcement / session termination | RFID-based session control; lockout and blackout after inactivity; identity validation before resuming; single-session enforcement across workstations; Kiosk Mode enforcement |
| AC.2.018 | Least privilege | IAM role-specific access tied to task; time-bound credentials; real-time RFID authentication; endpoint lockdown via Kiosk Mode; cloned-device mitigation |
| AC.2.019 | Session lock | Inactivity detection and lock screen timeout; badge/fob authentication for re-entry; forced revalidation; cross-workstation session control |
| AC.2.020 | CUI control / access limitation | CUI segregation in S3 GovCloud; Doc-Trak as managed access gateway; Cloud Explorer + Document Viewer = zero data leakage paths; Kiosk Mode; two-step provisioning; audit logging and threat detection |
| IA.2.078 | Identification and authentication / MFA | Cryptographic authentication via smart card/fob; identity verification via IAM and session-specific credentials; no credential exposure to users; real-time threat detection |
| IA.2.079 | MFA for privileged and network access | System-managed federated identity with AWS IAM; temporary federated tokens via AWS STS; smart badge/fob + cryptographic authentication; controlled access to admin-level functions |
| SC.2.179 | System and communications protection | No file system or storage device access; blocked portable document endpoints; Document Viewer strict read-only; hidden document paths; credential-less access to S3 GovCloud; RFID enforcement; full audit logging |
| SC.2.180 | System architecture / information security | Complete elimination of portable storage use; access limited to secure cloud only; explicit disabling of endpoints that could leak to portable storage |
| AU.2.042 | Audit and accountability | Security Device Activity Logging; advanced filtering and analysis; controlled access to audit data; integration with document access and system control events; supports incident review and forensics |
What defense and regulated manufacturers have done with this
Each compliance challenge in your operation has a dedicated product built to close it.
Moves CUI to S3 GovCloud; manages all links through Cloud Explorer + Document Viewer
RFID authentication; Kiosk Mode; cloned-card detection; Security Device Activity log
Links to documents in existing repository; compatible with Infor GovCloud
Tracks labor by job, work center, operator across both deployment paths
Schedules against real shop-floor constraints in either deployment path
What a Lake Companies compliance engagement looks like. No surprises.
Compliance engagements at Lake Companies follow a phased approach: scored assessment first, configuration and document control second, audit readiness validation third. Most manufacturers complete the full engagement — from initial assessment to audit-ready posture — in 60–120 days, depending on the number of open gaps identified in Phase 1.
A 30-minute working session — not a sales pitch. We walk through your current SyteLine version, your current Trak-Suite footprint, your CUI handling today, and what your prime or your audit cycle is asking of you. We tell you what Doc-Trak DoD CMMC + Shop-Trak DoD CMMC will and won't do for your situation. If we're a fit, we propose a defined engagement with a fixed scope and named milestones. If we're not, we tell you that too.
Standing up a dedicated S3 GovCloud instance for your CUI is handled by our preferred implementation partner — a specialist in this space — or your internal IT team, depending on your preference. The partner handles the AWS GovCloud account setup, the IAM policy structure, the encryption configuration, and the integration handoff to Doc-Trak DoD CMMC. Lake provides the requirements specification and integrates the Trak-Suite side.
- Your current SyteLine version and deployment posture
- Your current Trak-Suite footprint
- An inventory of where CUI lives today (file servers, network drives, repositories)
- The CMMC level your prime is requiring of you (Level 1, Level 2, Level 3)
- A list of contracts subject to ITAR or EAR controls
- Stakeholders for IT, operations, and shop-floor side approvals
Real questions from defense and regulated manufacturers
Your CUI lives in a dedicated Amazon S3 GovCloud instance — DoD-certified, FedRAMP-authorized — that only your organization can access. It's not on Lake's servers. It's not in a shared repository. The instance is isolated from every other AWS tenant, including Amazon and the U.S. government, until you authorize access. Doc-Trak DoD CMMC manages the linking; the documents themselves never leave S3 GovCloud.
RFID smart card / fob authentication with cryptographic verification. Each card is cryptographically tied to the user. A new security code is generated for each session and invalidated after use. The product maps this specifically to CMMC IA.2.078 and IA.2.079 in the Solution Mapping. Mobile-based MFA is explicitly not used: phones on the shop floor would be a CMMC violation — employees can photograph CUI with no endpoint control.
No. SyteLine can stay where it is — on-prem, hosted, or in Infor GovCloud — because only the CUI documents move. The product is a cloud-based point solution that keeps SyteLine and all non-DoD documentation on your existing infrastructure. If you're also planning a SyteLine migration to Infor GovCloud, the two efforts are compatible and can be sequenced however makes sense.
Yes, with appropriate framing. The same architecture supports ITAR-controlled work, AS9100 audit-evidence requirements, and other regulated-industry use cases that share the same underlying problem: controlled technical data on internal systems is a risk you can't afford. Your specific regulatory framework shapes which features matter most. Your industry page picks up the vertical-specific story.
The DoD CMMC controls are completely invisible during non-DoD work. Workers running commercial jobs see standard Shop-Trak / Doc-Trak — no kiosk lockdown, no smart card requirement, no document restrictions. The CMMC controls activate only when DoD-flagged items are involved. Most defense and regulated shops do mixed work; the product is designed for that reality.
Doc-Trak DoD CMMC Is One Part of the Trak-Suite
Each product solves a different pain. They work better together — but you don't have to start with all three.
- Live job status and labor at every workstation — timestamped, connected to SyteLine job records
- Scrap and rework captured at source — AS9100 quality traceability without manual data entry
- Operator-level production record tied to the same job records Doc-Trak tracks for document control
- Pre-built Quality dashboard: scrap by work center, shift, and operator — same-shift visibility
- WBS-level cost rollup and program margin visibility — the numbers defense primes ask for on every contract review
- Quality and audit outcome metrics tied to the same SyteLine job records as your Doc-Trak DoD CMMC audit trail