Most IT providers treat a manufacturing plant like any other business. The two are not the same. OT/IT network segmentation, ERP uptime, CMMC compliance, and production availability require an MSP that understands the difference.
Manufacturers run two separate technology environments. Most IT providers only understand one of them.
PLCs, SCADA systems, and CNC machines run on operational technology networks that can't tolerate standard IT patching cycles. One wrong update can halt a production line.
Your ERP connects purchasing, production scheduling, inventory, and shipping. If it goes down, everything stops. Your IT provider needs to understand its dependencies deeply.
If you're a DoD contractor or subcontractor handling CUI, CMMC Level 2 certification is now a contract requirement — not optional. Most general IT firms can't guide you through it.
A mid-size manufacturer losing $50K/hour during downtime needs a different IT strategy than a professional services firm. Redundancy, tested failover, and rapid response are non-negotiable.
Manufacturers are increasingly targeted through supplier portals, EDI connections, and vendor VPN access. Your IT provider needs a supplier access policy — not just a firewall.
Depending on your sector: ITAR (defense), FDA 21 CFR Part 11 (medical devices), NIST 800-171 (CUI), ISO 27001 (enterprise customers). Each has specific IT requirements your MSP needs to know.
The wrong MSP will treat your ERP like any other application. The right one will understand its dependencies before touching anything.
| ERP System | Typical Users | Infrastructure Requirements | Key IT Considerations |
|---|---|---|---|
| SAP S/4HANA | Mid-market to enterprise, 200+ employees | HANA in-memory DB, high-RAM servers or SAP-certified cloud | SAP Basis admin required; patching must align with SAP maintenance windows; RISE or GROW hosted options shift some IT burden to SAP |
| Epicor Kinetic | Discrete, jobshop, make-to-order (50–500 employees) | SQL Server, on-prem or Epicor cloud | Epicor upgrades break customizations; SQL maintenance plans critical; cloud migration path increasingly common |
| Infor CloudSuite Industrial | Industrial manufacturing, mixed-mode | Multi-tenant SaaS or on-prem | Integration with Infor ION middleware; API connections to shop floor; Mongoose framework customizations |
| SYSPRO | Smaller manufacturers, distribution (20–200 employees) | SQL Server, Windows Server | On-prem common; SYSPRO Cloud ERP available; SQL backups and version compatibility require attention |
| JobBOSS² | Job shops, fabricators (10–100 employees) | SQL Server (cloud or on-prem) | Simple infrastructure; key risk is SQL backup failure; often integrated with CAD/CAM and nesting software |
| Microsoft Dynamics 365 | Growing manufacturers needing ERP + CRM | Azure SaaS — minimal on-prem infrastructure | Microsoft 365 integration makes IT management simpler; Power Platform customizations can create shadow IT risk |
| Oracle NetSuite | Multi-location, fast-growing manufacturers | Cloud SaaS — no on-prem servers | IT focus shifts to integrations (EDI, 3PL, WMS), SSO, and user access management rather than infrastructure |
Your shop floor network should be physically or logically separated from your business network. Here's the architecture your MSP should know.
Email, ERP, file servers, Microsoft 365, HR systems. Standard IT patching and security policies apply here.
MES (Manufacturing Execution System), production scheduling, batch management. Bridges IT and shop floor.
SCADA, HMI systems, historian servers. Long change cycles — software may be years old and can't be patched like business systems.
PLCs, DCS controllers, motion controllers. These run the actual machines. Changes require engineering involvement, not just IT approval.
Sensors, actuators, drives, robots, CNC machines. Physical layer — IT has no direct role but network connectivity affects safety.
What to ask your IT provider: "Can you describe how you'd segment our OT and IT networks? What firewall platform would you use between the DMZ and Level 3? How do you handle engineering workstations that need access to both networks?" If they say they treat it like a regular office network, find another provider.
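One way to check the separation described above is to audit firewall allow rules and host inventories against the zone model. This is an added example, not part of the original page. It assumes a policy in which traffic may only cross into an adjacent zone, uses the conventional Purdue level numbers for the layers listed above, and runs on constructed subnets, hosts and rules; the function names are hypothetical.

```python
import ipaddress

# Zones ordered from the business network down to the shop floor. Level numbers
# use conventional Purdue numbering (assumed); subnets are constructed samples.
ZONES = [(name, ipaddress.ip_network(cidr)) for name, cidr in [
    ("business (L4)",    "10.40.0.0/16"),  # email, ERP, file servers
    ("dmz (L3.5)",       "10.35.0.0/24"),  # brokers all IT/OT traffic
    ("operations (L3)",  "10.30.0.0/24"),  # MES, production scheduling
    ("supervisory (L2)", "10.20.0.0/24"),  # SCADA, HMI, historian
    ("control (L1)",     "10.10.0.0/24"),  # PLCs, DCS controllers
    ("field (L0)",       "10.0.0.0/24"),   # sensors, drives, CNC machines
]]

def zone_index(addr):
    """Return the position of the zone containing addr, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    return next((i for i, (_, net) in enumerate(ZONES) if ip in net), None)

def audit_rules(rules):
    """Flag allow rules that cross more than one zone boundary in a single hop."""
    findings = []
    for src, dst, port in rules:
        s, d = zone_index(src), zone_index(dst)
        if s is None or d is None:
            findings.append((src, dst, port, "endpoint outside any defined zone"))
        elif abs(s - d) > 1:
            reason = f"{ZONES[s][0]} -> {ZONES[d][0]} bypasses intermediate zones"
            findings.append((src, dst, port, reason))
    return findings

def dual_homed(interfaces):
    """Return hosts with interfaces on both the IT and OT side of the DMZ."""
    sides = {}
    for host, addr in interfaces:
        i = zone_index(addr)
        if i is not None and i != 1:  # index 1 is the DMZ, which is neither side
            sides.setdefault(host, set()).add("IT" if i == 0 else "OT")
    return sorted(h for h, s in sides.items() if len(s) == 2)

# Constructed sample data: (source, destination, TCP port) allow rules.
RULES = [
    ("10.40.5.20", "10.35.0.10", 443),   # ERP -> DMZ broker: adjacent, ok
    ("10.35.0.10", "10.30.0.15", 8443),  # DMZ broker -> MES: adjacent, ok
    ("10.40.7.99", "10.10.0.4", 502),    # office PC -> PLC (Modbus): flagged
    ("10.30.0.15", "10.20.0.8", 4840),   # MES -> SCADA (OPC UA): adjacent, ok
]
INTERFACES = [("eng-ws", "10.40.9.12"), ("eng-ws", "10.10.0.50"), ("hist", "10.20.0.8")]

if __name__ == "__main__":
    print(audit_rules(RULES), dual_homed(INTERFACES))
```

The dual-homed check surfaces engineering workstations that sit on both networks, which bridge the two sides regardless of what the firewall rules say.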
If your company touches the defense supply chain and handles CUI, your IT provider is part of your compliance posture — whether they know it or not.
| CMMC Level | Who Needs It | Control Requirements | IT Provider Role |
|---|---|---|---|
| Level 1 — Foundational | All DoD contractors handling FCI (Federal Contract Information) | 17 practices from FAR 52.204-21 — basic cyber hygiene | Annual self-assessment; MSP helps implement and document basic controls |
| Level 2 — Advanced | Contractors handling CUI — most primes and subcontractors | 110 practices aligned to NIST SP 800-171 | Third-party C3PAO assessment required every 3 years; MSP must understand System Security Plan (SSP) and Plan of Action & Milestones (POA&M) |
| Level 3 — Expert | Critical programs, highest CUI sensitivity | 110+ practices from NIST SP 800-172 | DIBCAC (government) assessment; very small subset of contractors; MSP needs deep federal compliance experience |
The CUI Scoping Problem
The hardest part of CMMC isn't implementing controls — it's correctly scoping which systems touch CUI. Your MSP needs to help you identify your CUI boundary: which endpoints, servers, cloud services, and communication channels handle controlled data. Everything in scope must meet the control requirements. Everything out of scope must be demonstrably isolated. Most manufacturers underestimate their CUI footprint.
Use these to separate providers who've done this from providers who think they can figure it out on your dime.
On OT/IT Security
On ERP Support
On CMMC / Compliance
Watch for these in any proposal or discovery call with an IT provider.
Tell us about your operation. We'll match you with MSPs who have documented manufacturing experience — not generalists who'll learn on your production line.
"Ransomware hit our ERP on a Thursday night. By Friday morning our production scheduler had no visibility into active orders. Because we had OT/IT network segmentation in place, the attack stayed on the corporate side — our production floor kept running. The IT provider who built that separation probably saved us $2M in missed deliveries."
"Our previous IT company treated our factory floor like an office network. They patched PLCs the same way they patched laptops — which caused two production stoppages in a year. A manufacturing-specialized MSP immediately recognized the difference between OT and IT patching cycles. No production disruptions in 18 months since the switch."
"We were implementing a new ERP across three plants and our previous IT vendor estimated 14 months. A manufacturing IT specialist who knew our ERP platform delivered a fully operational system in 6 months. The difference was understanding the production scheduling integration — our previous vendor was learning it as they went."