CMMC compliance for aerospace suppliers. Done in 60 to 75 days, not six months.
A complete CMMC v2.0 documentation package built for AS9100D-certified shops feeding Lockheed Martin, Boeing, Northrop Grumman, RTX, and L3Harris. Aligned to ITAR, AS9100D, and CMMC at the same time, by a Cyber AB Registered Provider Organization with four CMMC RPs on staff.
Tier 1 / Tier 2 / Tier 3 aerospace suppliers feeding the major primes.
If your shop machines, fabricates, treats, assembles, or engineers components for federally funded aerospace or defense aviation programs, the prime has flow-down language pointing CMMC straight at you.
This page is built for the U.S. aerospace and defense aviation supply chain. It covers Tier 1 suppliers shipping major assemblies to the primes (Lockheed Martin, Boeing Defense, Northrop Grumman, RTX / Raytheon and Pratt & Whitney, L3Harris, GE Aerospace, Spirit AeroSystems), Tier 2 and Tier 3 component shops (CNC machining, sheet metal, composites, surface treatment, heat treatment, NDT, welding, additive manufacturing), and engineering services firms producing CAD, FEA, CFD, materials test data, and certification artifacts.
It also covers the broader aerospace ecosystem: aerostructures suppliers, propulsion-component manufacturers (blades, vanes, casings, fuel system components), avionics integrators, mission systems and sensor primes, MRO providers serving DoD aviation customers, and the rapidly growing space-side supply chain (launch component shops, satellite bus integrators, ground-system providers). If you receive engineering drawings stamped with an export control marking, an ITAR notice, or a NOFORN distribution statement, you are in CMMC scope.
Common buyer signals we see in this space:
- A prime contractor (Lockheed Martin, Boeing, Northrop Grumman, RTX, L3Harris, GE Aerospace) has updated your master subcontract with the new CMMC clause and DFARS 252.204-7012, plus DFARS 252.204-7019 / 7020 / 7021.
- You hold drawings or build packages for F-35, B-21, KC-46, F-15EX, F/A-18, V-22, CH-53K, Sentinel ICBM, GEM-63, RS-25, or any space-launch or satellite program.
- You are AS9100D registered and your customer is now demanding NIST 800-171 self-assessment, an SPRS score, or a CMMC level posted in the supplier database.
- You are an ITAR-registered firm under DDTC, and the customer is asking for proof of cyber posture alongside ITAR controls.
- You ship additive-manufactured parts where the build files, scan paths, and process parameters are themselves the controlled IP.
ITAR plus AS9100D plus CMMC is the same evidence three ways.
Most aerospace suppliers already run a quality system and most run an ITAR program. CMMC adds a cyber spine across both. Build the evidence once, use it three times.
ITAR overlap on aircraft and spacecraft
Most aerospace technical data lands in USML Category VIII (aircraft and related articles), Category IV (launch vehicles, missiles, and related), or Category XV (spacecraft systems). ITAR-controlled technical data and CMMC CUI are usually the same files. We map the overlap so you do not document twice.
AS9100D alignment
AS9100D Sections 7.1.6, 7.5, 8.4, and 8.5 already require document control, configuration management, supplier control, and change control. CMMC adds the cyber layer on the same artifacts. Your existing AS9100D records are your CMMC evidence base.
Prime contractor flow-down
Lockheed Exostar, Boeing PartsBase / 4DOnline, Northrop Grumman OASIS, RTX EBP, L3Harris portals: each prime has its own controlled-data exchange. CMMC has to document how data lands from each portal, where it sits, who touches it, and when it is destroyed.
Engineering drawings as CUI
Drawings, stress reports, materials data, MRP build packages, and special process specifications (NADCAP-controlled processes especially) are routinely Controlled Technical Information when tied to a defense end-use. They live in PLM, CAD, ERP, and engineering shared drives.
Additive manufacturing IP
Build files, scan paths, support strategies, and qualification data for additive parts (DMLS, EBM, LPBF, FDM-titanium) are themselves the controlled technical data. If the prime gave you a process card and a build file, those are CUI, and the printer NIC has to live inside your boundary.
Export control plus cyber
If your shop already has an Empowered Official, a DDTC registration, a Technology Control Plan, and a Foreign Persons Visit log, half of the CMMC personnel-vetting and access controls already exist on paper. We pick up that evidence and write it into your SSP rather than re-creating it.
The CMMC package, scoped for an aerospace shop.
Branded, editable, yours forever. Formatted to DIBCAC and C3PAO expectations. The aerospace-specific items (ITAR crosswalk, AS9100D mapping, prime portal handling, additive build-file controls) are baked into the SSP and CUI boundary documents.
System Security Plan (SSP)
110 NIST 800-171 control narratives with aerospace asset inventory: engineering workstations, CAD/PLM, CNC controllers, CMM machines, NDT laptops, ERP, MRP, and additive printers.
CUI boundary for prime portals
Network diagrams that draw the boundary around prime portals (Exostar, OASIS, EBP, PartsBase / 4DOnline), plus the local repositories where downloaded drawings live.
SPRS score
Calculated SPRS score with a control-by-control breakdown. The number primes look at before they release a follow-on PO or new program award.
POA&M with aerospace gaps
Plan of Action & Milestones with the gaps aerospace shops actually have: shared CNC PLCs, supplier portal logins on multiple machines, FAI inspection laptops, paper drawings on the shop floor.
14 security policies
One policy per NIST 800-171 family (3.1 through 3.14), branded to your firm. Reuse for ITAR audits, NADCAP audits, AS9100D surveillance, and DCSA inspections.
14 operational procedures
Step-by-step procedures: how a draftsman receives a controlled drawing from a prime portal, how a NADCAP-controlled special process records evidence, how additive build files are stored.
ITAR / CMMC crosswalk
A side-by-side mapping between your existing ITAR program (Empowered Official, DDTC registration, Technology Control Plan, Foreign Persons Visit log) and the CMMC family controls.
AS9100D / CMMC mapping
A control-by-control mapping between the AS9100D clauses your registrar already audits (7.5 information, 8.4 supplier control, 8.5 production) and the matching CMMC families.
Assessment readiness checklist
The day-of punch list: which engineering manager attends the interview, which shop floor cell gets toured, which FAI binder gets opened.
Output formats: PDF, editable Word, HTML, CSV, ZIP. Branded with your logo. No platform lock-in.
From scoping to assessor handoff in 60 to 75 days.
A predictable, productized engagement built around a six-step scoping wizard, with deliverables and sign-offs at each gate.
Scoping & CUI boundary
60-minute working session. We map your prime contracts in flight, the flow-downs you have signed, your ITAR and AS9100D programs, and the CUI boundary across engineering, machining, treatment, and inspection.
Asset and data inventory
Engineering workstations, CAD / PLM, CNC controllers, CMM machines, NDT laptops, ERP / MRP, additive printers, and shop-floor terminals. Prime portals, large-file transfer infrastructure, and email.
Gap analysis & SPRS
All 110 controls scored against your shop. SPRS calculated. POA&M drafted with aerospace-specific gaps and a remediation timeline.
Documentation build
SSP, 14 policies, 14 procedures, AS9100D / CMMC crosswalk, ITAR / CMMC crosswalk, prime-portal handling procedure, all branded and reviewed by our four CMMC RPs.
Mock walkthrough
Tabletop assessment with our CMMC RPs, including the questions a C3PAO will ask your engineering manager, your QA director, and your IT lead.
Assessor handoff
Evidence repository organized, interview prep done, assessment readiness checklist signed. We hand the package to your C3PAO.
Pick your level. Get a fixed price, fixed timeline.
Three productized packages. Fixed prices, fixed timelines, third-party assessment fees disclosed up front so the total budget is transparent before you sign.
Foundational (FCI)
- 17 control narratives + SSP
- Policies and procedures package
- SPRS attestation prep
- 21-day delivery
Advanced (CUI)
- SSP + POA&M + SPRS score
- 14 policies + 14 procedures
- 110 control narratives
- AS9100D + ITAR crosswalks
- 60 to 75 day delivery
Expert
- L2 baseline + 24 NIST 800-172 controls
- DIBCAC-led assessment readiness
- Architecture and threat modeling
- Custom timeline
What counts as CUI in an aerospace shop.
Use this as a starting point during the scoping call. We will refine each row against your prime flow-downs, your ITAR DDL, and any DD Form 254 on file.
| Artifact | Likely CUI category | Where it lives |
|---|---|---|
| Engineering drawings (airframe, propulsion, avionics) | Controlled Technical Information (CTI), almost always ITAR Cat VIII | NX / SolidWorks / CATIA / Creo, PLM, Exostar / OASIS portals |
| Stress, fatigue, and damage-tolerance reports | CTI, ITAR | Engineering shared drives, customer drop folders |
| Materials and process specifications (NADCAP) | CTI | Quality shared drives, ERP, on-shop printed work instructions |
| FAI (First Article Inspection) packages | CTI | QA shared drives, supplier portals, paper binders |
| Additive manufacturing build files and scan paths | CTI | Printer controllers, build prep workstations, vendor cloud platforms |
| Avionics firmware and configuration | CTI, sometimes export-controlled | Build servers, version control, customer-loaded media |
| Sub-tier supplier flow-down packages | CTI, Procurement-CUI | Procurement systems, supplier portals |
| Foreign Persons Visit logs and EO records (ITAR) | CUI Privacy, Export Control | HR and security shared drives, paper visit logs |
If your C3PAO finds a doc gap, we fix it free.
Every ComplianceArmor CMMC engagement carries the Petronella Technology Group Audit-Ready Promise. If a C3PAO assessor identifies a gap in any artifact we produced, we fix it at no charge within 30 days. If a CMMC Level 2 assessment fails because of our documentation work, we refund 50% of our fee. The package is yours forever, in editable native formats, with no subscription and no DRM.
Important disclosure. Petronella Technology Group, Inc. is a Cyber AB Registered Provider Organization (RPO). The independent CMMC Level 2 assessment required for certification is performed by a Cyber AB Authorized C3PAO under a separate engagement, priced separately from this package. Only the Cyber AB and the U.S. Department of Defense issue CMMC certificates. Petronella Technology Group does not perform certified assessments and does not promise assessment outcomes.
CMMC questions aerospace suppliers ask first.
How does ITAR overlap with CMMC for aerospace technical data?
Almost completely. Most aerospace technical data lands on the United States Munitions List in USML Category VIII (aircraft and related articles), Category IV (launch vehicles, missiles, and related), or Category XV (spacecraft systems). Your ITAR program (DDTC registration, Empowered Official, Technology Control Plan, Foreign Persons Visit log) already controls who can see the data. CMMC adds a documented cyber spine on top: encryption, access logging, change management, incident response. Our deliverable includes an ITAR / CMMC crosswalk so one set of policies and procedures supports both regimes.
How does AS9100D align with CMMC?
Your existing AS9100D quality management system already requires document control (Section 7.5), control of externally provided processes / products / services (8.4), and production and service provision (8.5). Those clauses produce most of the artifacts CMMC asks for: configuration records, training records, supplier-control records, change-control evidence. We map the AS9100D clauses your registrar already audits onto the matching NIST 800-171 control families so an assessor can pull the same record for both audits. You stop maintaining two parallel record sets.
What does prime contractor flow-down look like in aerospace?
The major primes (Lockheed Martin, Boeing Defense, Northrop Grumman, RTX, L3Harris, GE Aerospace, Spirit) each maintain a controlled-data exchange portal (Lockheed Exostar, Boeing PartsBase / 4DOnline, Northrop Grumman OASIS, RTX EBP, L3Harris portals). Each portal has its own auth, its own retention rules, and its own controlled-data markings. Your CMMC SSP has to document how data lands from each portal, where it sits inside your environment, who touches it, and how it is destroyed. The prime audit team will pull a sample and trace it through your shop. We pre-build that traceability map.
How are engineering drawings and CAD treated as CUI?
Drawings, models, and assemblies tied to a defense end-use are routinely Controlled Technical Information, a CUI category. They live in PLM (Teamcenter, Windchill, Aras), CAD (NX, CATIA, Creo, SolidWorks), and on engineering shared drives. CMMC asks: is the access role-based, is the export logged, is the file encrypted at rest, is the export to a personal device blocked, and can you produce the audit log on demand. Your existing PLM almost always supports those controls; we write the SSP narrative around the way you already operate.
What about additive manufacturing IP?
For metal additive shops feeding the primes (DMLS, EBM, LPBF) and for advanced polymer shops (Stratasys F900, Markforged FX20, large-format SLS), the build file, scan strategy, and process parameter card are the controlled IP. Many primes ship build files via Exostar or a customer-private SFTP. The printer controller has to live inside your CMMC boundary. We document the printer NIC, the build-prep workstation, the scan-path repository, and the disposal of post-build inspection scans, all inside the SSP.
We are AS9100D plus ITAR plus NADCAP. Do we still have to do all 110 CMMC controls?
Yes, but most of the evidence already exists. AS9100D produces document and configuration control. ITAR produces personnel-vetting, foreign-persons access controls, and a Technology Control Plan. NADCAP produces tightly controlled special-process records. CMMC asks for a few categories that your existing programs may not cover head-on: incident response, system audit logging at the technical layer, vulnerability management on shop-floor systems, and continuous monitoring. We identify the gap (it is usually only a small set of controls) and document the rest from your existing records.
What does a prime portal handling procedure look like?
It is a written procedure that walks each step: how a buyer or engineer logs into a prime portal, which device they use, how the file is downloaded, where it lands, how it is logged, how it moves into your engineering or build environment, who is allowed to forward it, and how it is destroyed when the program ends. We build one procedure that handles Exostar, OASIS, EBP, and PartsBase / 4DOnline together so your team has a single workflow no matter which prime sent the data.
How long does this take, and what does it cost?
CMMC Level 1 from $6,997 flat, 21-day delivery, no third-party assessor required.
CMMC Level 2 documentation package from $24,997 flat, 60 to 75 day delivery. The required C3PAO assessment fee runs $30K to $50K and is engaged separately. We disclose that on every pricing card so the total budget is transparent up front.
CMMC Level 3 is custom-scoped after a discovery call. DIBCAC-led assessment is government-administered.
Stop authoring the SSP. Start the CMMC assessment.
Schedule a 30-minute scoping call. We will walk through your prime contracts, your ITAR program, your AS9100D evidence, and quote your engagement on the call.