Manufacturing security compliance: the controls auditors actually check

Manufacturing security compliance comes down to six controls auditors actually check: NDAA 889-clean cameras, role-based access control with audit logs, CMMC-aligned physical-access policies for any DoD work, C-TPAT perimeter and container coverage for cross-border shipping, OSHA 300-log evidence of a real safety program, and ITAR-grade controlled-area segregation if you handle export-controlled tech. The expensive failures are paperwork failures, not hardware failures.

The six controls that show up in every audit

The regimes that touch a plant are intimidating on paper: NDAA 889, CMMC 2.0, C-TPAT, OSHA, ITAR, ISO 27001, state privacy law (BIPA in Illinois, CCPA in California), and customer MSAs that look at all of the above. They overlap heavily on the physical-security side. Six controls satisfy most of what each auditor wants to see, in the order we walk for a free consultation.

1. NDAA Section 889-clean cameras and a documented BOM

FAR 52.204-25 prohibits federal agencies and their contractors from using or procuring covered surveillance equipment from Hikvision, Dahua, Hytera, Huawei, ZTE, and their subsidiaries. The lookback applies to existing installs, not just new procurements, and the required evidence is a vendor self-certification on every component, attached to the bill of materials.

For private manufacturers without federal contracts today, this still bites at the first DoD subcontract bid or DoE grant pursuit. The defensible default is NDAA-compliant from day one: Verkada, Avigilon, Genetec, Axis, Hanwha, Milestone, Eagle Eye Networks for video; Brivo, Avigilon Alta, Kisi, HID for access. Our NDAA 889 explainer has the procurement detail.

2. Role-based access control with retrievable logs

Every facility has badge readers. Most can't pull a 90-day report grouped by person and area inside the audit window the customer gives them. CMMC 2.0 PE-3, C-TPAT 5 Step 6, ISO 27001 A.7.2, and OSHA 1910.119 all assume role-based access plus retrievable logs. The hardware (Brivo, Avigilon Alta, Genetec Synergis, HID) handles it; the gap is usually that role definitions and badge assignments haven't been cleaned up since the last reorg.

Auditors look for a written role list with documented physical-access privileges, badge events queryable by person and area for the contractual retention window, and visitor escort records that match the badge log. Three minutes to pull a report at audit time, not three days.

3. Continuous video coverage of CUI and controlled areas

CMMC 2.0 Level 2 (NIST SP 800-171 PE-6) requires monitoring of physical access including the rooms where Controlled Unclassified Information lives. ITAR (22 CFR 120-130) requires physical, continuous controlled-area segregation. OSHA's PSM rule requires continuous coverage of hazardous-process zones. The model is the same: 1080p or better, 15 fps minimum, retention sized to the longest applicable rule (typically 90 days for CUI, 24 months for visitor records).

Camera-agnostic analytics like Intenseye and Dragonfruit AI add detection for PPE compliance, forklift proximity, slip-and-fall, and unauthorized presence in controlled areas, running on the cameras you already own.

4. C-TPAT perimeter and container coverage for cross-border

CBP's Customs Trade Partnership Against Terrorism is voluntary, but importing manufacturers without it pay in inspection delays and freight insurance. The Minimum Security Criteria require a fenced perimeter, lighting at every dock, camera coverage of loading and unloading, a container inspection workflow, and procedural separation of incoming and outgoing freight, audited via CBP Supply Chain Security Specialist site visits.

What works: license-plate recognition at the gate, perimeter cameras with intrusion detection, dock cameras that capture the seven-point container inspection (front wall, left side, right side, floor, ceiling, inside doors, outside doors), and tamper-evident sealing logged at the same timestamp. The auditor wants the chain reconstructable from camera plus log.

5. OSHA-aligned safety program with security overlap

OSHA inspections under the General Duty Clause hit camera placement when workplace-violence prevention is part of the citation. The 2024 update to the OSHA Healthcare Workplace Violence Prevention guidance treats coverage of intake areas, parking lots, and after-hours entrances as expected. For manufacturers, that means coverage of HR offices, plant-manager offices, and any area where contentious meetings happen.

Camera-driven safety analytics (Intenseye for PPE, ergonomic risk, forklift proximity) double as workplace-violence and OSHA-300-log evidence. One install satisfies two audit goals.

6. Documented incident-response and retention policy

The hardware means nothing without the written policy on how it gets used. The minimum: a facility security plan, an incident-response workflow naming the call tree and central monitoring station, a retention schedule by camera zone, a visitor management procedure, and a documented periodic review (quarterly is defensible). All of it in a binder or shared folder the auditor can read in one sitting.

Tec-Tel has delivered multi-site security work for industrial customers including Bridgestone, ORBIS, TreeHouse Foods, and Menasha. The pattern is consistent: a procurement lead inherits a stack from three integrators and wants one accountable shop for the whole footprint, with documentation that holds up to ISN, C-TPAT, and customer MSA reviews. See manufacturing security for the broader pitch.

Frequent buyer questions

What's the most common compliance failure in manufacturing security audits?

Mismatched logs. The badge system says one person entered the controlled area, the camera shows two, and the visitor log shows none. Auditors don't expect perfection; they expect the three records to tell the same story. The fix is mundane: a single-source audit trail that ties every door event to a person, a timestamp, and a video clip, with retention sized to the strictest regime that touches the site (90 days minimum for PCI cardholder areas, 24 months for DEA Schedule II, two years for CMMC visitor records).

Does NDAA Section 889 apply to a private manufacturer with no federal contracts?

Strictly, no. Section 889 binds federal agencies, prime contractors, and grantees. But the moment you pursue a federal contract, sub-tier supplier work for a defense prime, or any DoE or DOT grant, the rule looks back at your installed base. Hikvision, Dahua, Hytera, Huawei, ZTE, and their subsidiaries become a procurement disqualifier. Most manufacturers pursuing growth into defense or federal supply chains discover this during the bid-prep phase. The cleaner path is to default to NDAA-compliant vendors from the start: Verkada, Avigilon, Genetec, Axis, Hanwha, Eagle Eye Networks. The cost difference at the camera level is small; the cost of rip-and-replace is not.

What does CMMC 2.0 add to the physical-security stack?

CMMC 2.0 Level 2 maps to the 110 controls in NIST SP 800-171. The physical ones (PE-1 through PE-6) require physical access authorization records, monitoring of physical access including ingress/egress logs, visitor records retained for the facility security plan's duration, and protection of media storing CUI. In practice: badge-with-PIN at controlled areas, camera coverage of every entry and the rooms where CUI lives, an escortable visitor workflow, and a written disposal process. The third-party C3PAO assessment is where most defense subcontractors find their existing install isn't documented, even when the hardware is fine.

What does a real manufacturing security install cost?

Public benchmarks for a mid-size plant (50,000 to 250,000 sq ft) land at $75K to $350K turnkey, midpoint near $175K (SDM Magazine 2025 Industry Forecast Study). Per-camera installed cost runs $1800 to $3500. Smaller plants under 50,000 sq ft start around $25K. Large multi-building campuses run $250K to $1.2M. Cabling complexity, production-zone ceiling height, and reusable infrastructure drive most of the variance.

Can we keep our existing cameras and still satisfy auditors?

Often, yes. Auditors care about what the system records and how retrievable it is, not the brand on the box. The exceptions: Hikvision and Dahua fail any federal-touching review under NDAA 889 regardless of what they record, and cameras below 1080p or under 15 fps usually fail readability tests during incident review. If your fleet is NDAA-compliant and the resolution holds, camera-agnostic analytics like Intenseye and Dragonfruit AI run on top without rip-and-replace.

Free quick manufacturing security audit.

Bring your site footprint, your existing vendor list, and any open audit findings or customer MSA requirements. We'll produce a written gap list mapped to NDAA 889, CMMC, C-TPAT, and OSHA.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Request an assessment 855-577-0400