Datanomix FAQs

CMMC 2.0 (Cybersecurity Maturity Model Certification)  is a set of cybersecurity standards from the Department of Defense for companies that handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). It’s divided into three levels based on the sensitivity of the data you handle.

Datanomix helps manufacturers align with CMMC 2.0 by providing:

• Secure data collection and transfer — All machine and file data is encrypted in transit and at rest. 
• Access control and traceability — Role-based permissions and audit logs ensure the right people have access, and every action is tracked. 
• Segregated architecture — Our edge devices and cloud infrastructure are built to isolate sensitive data and minimize network risk. 
• Support for NIST SP 800-171 and ITAR — We host in Microsoft Azure (including GovCloud for ITAR needs), with all employees U.S.-based.

Whether you’re preparing for a self-assessment or a third-party audit, or working with customers who require CMMC compliance, Datanomix gives you the tools and visibility to meet your reporting and security obligations.

Datanomix is designed for shops working under industry-critical standards:

• AS-9100: We support traceability and quality management by tracking all changes to digital files like G-code, setup sheets, and tooling documentation — including full version history and user activity logs.

• ITAR: Our G-Code Cloud + DNC runs on GovCloud-native infrastructure using encrypted, isolated storage and U.S.-only personnel for handling data, ensuring ITAR-sensitive G-code is never exposed outside the country or mishandled.

• CMMC: Datanomix aligns with the Cybersecurity Maturity Model Certification framework by implementing controls that match NIST SP 800-171 and FedRAMP Moderate baselines, offering secure cloud infrastructure, role-based access, encryption, and audit trails that help manufacturers working in the DoD supply chain stay compliant.

• NIST SP 800-171 & NIST SP 800-53: We’ve implemented and independently validated controls aligned to these NIST standards — covering access control, encryption, vulnerability management, and incident response. These controls are regularly audited by third-party cybersecurity experts.

• SOC 2: Datanomix has completed a SOC 2 Type I audit, validating the design of our controls for data security, access, and system integrity. This ensures we meet the expectations of manufacturers who require vendor accountability and transparency in data handling practices.

• FedRAMP Moderate-Equivalent: While Datanomix does not hold a formal FedRAMP Authorization to Operate (ATO), we have received third-party attestation that our security program is substantially equivalent to FedRAMP Moderate. This includes controls for encryption, access, monitoring, and incident response required for cloud software handling sensitive or regulated data.

• ISO 9001: Real-time data capture and automated reporting help you maintain quality documentation and process control across your operation, supporting the requirements of ISO 9001 for continuous improvement and traceability.

Datanomix gives you full control over your digital assets and production data:

• Version Control: Every change to G-code, setup sheets, tooling instructions, and 3D models is tracked with timestamps, authorship, and revision history. 
• Traceability: You can trace every file or machine event back through its history — critical for audits, investigations, and compliance. 
• Permissions: Role-based access control ensures that only authorized personnel can view or edit files and settings. 
• Audit Trails: All activity is logged and stored indefinitely, including system settings, user access, and changes — making audit prep fast and stress-free.

Our architecture is built for security and simplicity:

• Edge devices sit between your machines and the cloud — collecting and encrypting data locally before sending it out.

• Firewall protection: Only specific outbound ports are used, and no inbound access is required, minimizing your attack surface.

• VPN and encryption: All communication from the shop floor to the Datanomix Cloud is encrypted, and data is segmented by customer.

• Microsoft Azure hosting: Data is backed up in Azure, with support for ITAR-compliant GovCloud deployments.

We collect operational data like:

• Machine states (running, idle, down)

• Cycle times and part counts

• Utilization and performance metrics
  

We do not collect G-code or IP-sensitive files unless you’re using G-Code Cloud + DNC, and even then, you control what’s stored in the cloud. All data is encrypted in transit and at rest, and access is strictly limited to U.S.-based Datanomix personnel and your authorized users.

If there’s ever a breach, you’ll be notified in 24 hours with details on what happened and what’s being done.

Other protections include:

• Real-time monitoring for unusual access attempts 
• Automatic updates for security patches 
• Regular reviews of best practices and Microsoft Azure security advisories 
• No offshore contractors. All personnel are based in the U.S.

Datanomix maintains a FedRAMP Moderate–equivalent security posture.  FedRAMP Authorization applies only to cloud service providers selling directly to U.S. federal agencies. As a commercial software provider, Datanomix uses this FedRAMP-equivalent, independently validated control framework to support customers with stringent security and compliance requirements, including those operating under CMMC.

Our security controls are aligned with NIST SP 800-53 Rev. 5 and NIST SP 800-171, and this alignment has been independently validated by a third-party security assessor through a formal Letter of Attestation for FedRAMP Security Control Equivalence. This attestation confirms that Datanomix has implemented security controls substantially equivalent to the FedRAMP Moderate baseline.

Datanomix undergoes independent third-party assessments to validate the effectiveness of its security controls. These assessments evaluate areas such as: Access control and identity management, data protection and encryption, monitoring, logging, and incident response, vendor and infrastructure security, business continuity and disaster recovery.