Why CHIPS Act Manufacturers Can't Rely onCMMC Pen Testing Alone
Contributors
Semiconductor manufacturers pursuing CHIPS Act funding face a compliance environment that most cybersecurity frameworks were not designed to handle simultaneously. CMMC 2.0 governs their obligations as defense supply chain participants. CHIPS Act cybersecurity conditions govern their obligations as recipients of federal manufacturing investment. These are not the same requirements, and the overlap between them is not as clean as either framework document suggests.
How the Two Frameworks Create a Dual Obligation
CMMC 2.0 is a supply chain security framework. Its requirements flow from the DoD's need to protect controlled unclassified information across the defense industrial base. For a semiconductor manufacturer supplying components or designs to defense programs, CMMC Level 2 or Level 3 requirements apply to the systems that handle that CUI.
CHIPS Act cybersecurity conditions are tied to funding eligibility and ongoing compliance for facilities receiving grants or loans under the program. They focus on protecting the advanced manufacturing capabilities and intellectual property that the federal investment is funding. The threat model is different: less about protecting DoD information and more about protecting domestic semiconductor technology from foreign adversaries.
What Your Pen Test Must Cover for Each Framework
For CMMC purposes, the pen test scope centers on CUI systems: the networks, workstations, servers and applications that process, store or transmit controlled unclassified information. The methodology and evidence requirements follow the standard C3PAO framework: NIST 800-171 control mapping, SSP alignment and POA&M integration.
For CHIPS Act purposes, the scope expands to include systems that protect advanced manufacturing IP, process design files and fabrication technology. Fab OT systems, which may be largely excluded from a standard CMMC scope because they do not handle CUI directly, become relevant when the question is whether federal investment in those systems is adequately protected from nation-state actors. Supply chain interfaces with equipment vendors and technology partners are also in scope in ways that CMMC does not require.
Where the Evidence Requirements Diverge
CMMC evidence requirements are well-defined. C3PAO assessors know what they are looking for and how it maps to the 110 practices they evaluate. CHIPS Act federal program officers reviewing cybersecurity compliance are evaluating against a different standard, and the documentation they expect reflects a broader set of concerns about technology protection and supply chain security.
Running a single pen test engagement that produces two separate evidence packages, one structured for C3PAO review and one structured for CHIPS Act program officer review, is achievable but requires deliberate planning before the engagement starts. The scope must be broad enough to cover both sets of requirements. The reporting must be structured to address both audiences without requiring the pen test team to run two separate engagements.
Common Gaps in Semiconductor Pen Test Programs
The most common gap in semiconductor manufacturer pen test programs is fab OT exclusion. Engineering teams are understandably protective of cleanroom and process control systems, and standard OT scoping practices lead to those systems being excluded from scope entirely. That exclusion satisfies CMMC requirements, which do not mandate testing of non-CUI OT systems. It does not satisfy CHIPS Act expectations around protecting the manufacturing technology the federal investment is funding.
Supply chain interface testing is the second most common gap. Semiconductor manufacturers have complex vendor ecosystems involving equipment manufacturers, EDA tool providers and research partners. The access those relationships require is a significant attack surface that is rarely tested because it falls outside the boundaries of a standard enterprise pen test scope.
Building a Program That Satisfies Both
The most efficient path to dual compliance is a unified pen test program with a scope built from both frameworks simultaneously, not two separate programs run independently. That requires a security partner who understands both CMMC assessment requirements and the threat model that CHIPS Act cybersecurity conditions are designed to address.
Frequently Asked Questions
Because CMMC and the CHIPS Act impose two different obligations with two different threat models, and a pen test scoped for one does not satisfy the other. CMMC 2.0 governs a manufacturer's duties as a defense supply chain participant handling controlled unclassified information. CHIPS Act cybersecurity conditions govern its duties as a recipient of federal manufacturing investment. A standard CMMC-scoped test leaves the manufacturing technology that CHIPS funding protects largely untested.
CMMC 2.0 is a supply chain security framework whose requirements flow from the Department of Defense's need to protect controlled unclassified information across the defense industrial base. CHIPS Act cybersecurity conditions are tied to funding eligibility and focus on protecting the advanced manufacturing capabilities and intellectual property that the federal investment is funding. The threat models differ: CMMC is about protecting DoD information, while the CHIPS Act is about protecting domestic semiconductor technology from foreign adversaries.
For CMMC purposes, the pen test scope centers on CUI systems: the networks, workstations, servers, and applications that process, store, or transmit controlled unclassified information. The methodology and evidence follow the standard C3PAO framework, including NIST 800-171 control mapping, system security plan alignment, and POA&M integration across the 110 practices that assessors evaluate at Level 2.
For CHIPS Act purposes, the scope expands beyond CUI systems to include the systems that protect advanced manufacturing intellectual property, process design files, and fabrication technology. Fab OT systems become relevant even when they do not handle CUI directly, because the question is whether federal investment in those systems is adequately protected from nation-state actors. Supply chain interfaces with equipment vendors and technology partners are also in scope in ways CMMC does not require.
Fab OT systems get excluded because engineering teams are protective of cleanroom and process control systems, and standard OT scoping practices leave non-CUI systems out of scope. That exclusion satisfies CMMC, which does not mandate testing of non-CUI OT systems. It does not satisfy CHIPS Act expectations, because those systems hold the manufacturing technology the federal investment is funding, making their exclusion the most common gap in semiconductor pen test programs.
Because semiconductor manufacturers have complex vendor ecosystems, and the access those relationships require is a significant, rarely tested attack surface. The ecosystem includes equipment manufacturers, EDA tool providers, and research partners, each with connections into sensitive systems. This interface testing is the second most common gap in semiconductor pen test programs, because it falls outside the boundaries of a standard enterprise pen test scope.
Yes, but only with deliberate planning before the engagement begins. A single engagement can produce two separate evidence packages, one structured for C3PAO review and one structured for CHIPS Act program officer review, without running two independent tests. The scope has to be broad enough to cover both sets of requirements, and the reporting has to be structured to address both audiences from the start rather than being reworked afterward.
Because the two reviewers are evaluating against different standards. C3PAO assessors know exactly what they are looking for and how it maps to the 110 CMMC practices. CHIPS Act federal program officers evaluate against a broader set of concerns about technology protection and supply chain security, so the documentation they expect reflects those priorities. The same test can inform both, but the evidence has to be packaged differently for each audience.
The two most common gaps are fab OT exclusion and untested supply chain interfaces. Fab OT systems are left out because they do not handle CUI, which satisfies CMMC but not the CHIPS Act. Supply chain interfaces with equipment makers, EDA tool providers, and research partners are rarely tested because they sit outside a standard enterprise scope. Both gaps leave the manufacturing technology that federal investment funds exposed.
Build a single unified program with a scope drawn from both frameworks at the same time, rather than running two separate programs. This is the most efficient path to dual compliance, and it depends on a security partner who understands both CMMC assessment requirements and the nation-state threat model the CHIPS Act conditions are designed to address. Planning the combined scope before testing begins is what makes one engagement serve both obligations.
Other Popular Articles
In the digital age, businesses must adopt an ad
GRC is the capability, or integrated collection