CMMC compliance for drone manufacturers. Done in 60 to 75 days, not six months.
A complete CMMC v2.0 documentation package scoped for UAS and UAV programs, Blue UAS qualification, NDAA Section 889 sourcing, and ITAR-overlapped drone component data. Built by a Cyber AB Registered Provider Organization with four CMMC RPs on staff.
DoD UAS and UAV manufacturers, primes, and subcontractors.
If your shop ships drone airframes, autopilots, ground control stations, payloads, or component subassemblies into a federal program, CMMC is now flowing down through your contracts. Here is who is on the hook.
This page is built for drone makers in the Defense Industrial Base (DIB). It covers prime contractors who hold direct DoD contracts for unmanned aerial systems, subcontractors at any tier shipping airframes, propulsion, autopilots, ground control software, communications links, ISR payloads, or training systems, and component manufacturers producing motors, ESCs, gimbals, batteries, antennas, or printed circuit assemblies that end up in a federally fielded UAS.
It also covers the new wave of small American drone OEMs that have stood up since the federal restrictions on Chinese-manufactured platforms, including teams pursuing the Defense Innovation Unit (DIU) Blue UAS qualification, AUVSI Green UAS providers, and the growing list of small-business builders pulled into the supply chain through prime flow-down. If you handle controlled drone tech specs, classified flight envelopes, ITAR-controlled motor or autopilot designs, or federal customer flight logs, you are in scope.
Common buyer signals we see in this space:
- A prime contractor (Lockheed Martin Sikorsky, Northrop Grumman, AeroVironment, Anduril, Skydio for Defense, Shield AI) has flow-down language in your purchase order pointing at DFARS 252.204-7012 and the new CMMC rule.
- You are bidding on Blue UAS, Replicator, or DIU contracts and the RFP requires a current SPRS score posted in the supplier database.
- You ship to a federal customer (DoD, DHS, DOI, DOJ) and the contract calls out NDAA Section 889 sourcing or the FAR 52.204-25 telecommunications prohibition.
- You hold engineering data, flight test telemetry, or component drawings that meet the definition of Controlled Unclassified Information (CUI), most commonly under the CUI category Controlled Technical Information (CTI).
- An ITAR-registered customer is asking for proof of cyber posture, alongside your existing DDTC registration.
Drone CUI is everywhere in your shop. Most teams undercount it.
The 110 NIST 800-171 controls in CMMC Level 2 do not pick a vertical. The places drone makers actually keep CUI are the ones that get missed during scoping.
Flight test logs and telemetry
Mission planning files, flight logs, GPS traces, and SDR captures from federal test ranges or government customer evaluations are routinely Controlled Technical Information. They live in your test team laptops, autopilot ground stations, and shared drives. They count.
Engineering drawings and CAD
Airframe CAD, autopilot schematics, RF link designs, gimbal mechanicals, and battery management firmware in SolidWorks, Altium, KiCad, Git, or PLM repositories. Anything tied to a defense end use is CUI/CTI when shared with the customer.
NDAA Section 889 sourcing
You cannot use covered Chinese telecom or video gear, including DJI flight controllers, Autel, Yuneec, Hikvision cameras, or Dahua components, in federally funded systems. Your CMMC SSP has to document the supply chain decisions that prove it.
Blue UAS and supply chain due diligence
The DIU Blue UAS list and the Pentagon Replicator initiative scrutinize component-level provenance: PCBs, motors, batteries, IMUs, GPS chipsets, RF modems. CMMC asks you to keep the documentation proving each of those decisions.
ITAR overlap on flight controls
If your autopilot or guidance code falls under USML Category VIII (aircraft) or Category XII (sensors), DDTC registration plus ITAR controls live alongside CMMC. The same engineering data shows up in both regimes. We map the overlap so you do not document twice.
DCSA facility clearance overlap
Many DoD drone programs, especially classified ISR or counter-UAS, also require a DCSA facility clearance. The NISPOM controls and CMMC L2 controls share most of the perimeter, change-management, media-handling, and personnel-vetting expectations. Build them once.
The CMMC package, scoped for a UAS shop.
Branded, editable, yours forever. Formatted to DIBCAC and C3PAO expectations and reviewed by the four CMMC Registered Practitioners on the Petronella team. The drone-specific items are baked into the SSP and CUI boundary documents, not bolted on.
System Security Plan (SSP)
110 NIST 800-171 control narratives with UAS asset inventory: airframes, GCS laptops, autopilots, ground RF radios, test range gear, and engineering workstations.
CUI Boundary for UAS data
Network diagrams that draw the boundary around flight logs, CAD repositories, telemetry stores, and ground control stations. Off-network test range workflows documented.
SPRS Score
Calculated SPRS score with a control-by-control breakdown. The number primes look at before they release a Blue UAS or Replicator subcontract.
POA&M with UAS-specific gaps
Plan of Action & Milestones with the gaps drone shops actually have: shared MFG laptops, contractor flight test crews, off-the-shelf radios on the build floor.
14 Security Policies
One policy per NIST 800-171 family (3.1 through 3.14), branded to your organization. Reuse for ITAR, AS9100, and DCSA inspections.
14 Operational Procedures
Step-by-step procedures, including how the shop floor logs onto autopilot test rigs, handles flight-test removable media, and ships a build to the customer.
Section 889 attestation
A documented sourcing attestation showing your bill of materials does not contain covered telecom or video equipment from the prohibited entities list.
ITAR / CMMC crosswalk
A side-by-side mapping between your ITAR program (DDTC registration, USML categorization, technical data controls) and the CMMC family controls so one set of evidence supports both.
Assessment Readiness Checklist
The day-of punch list for your C3PAO walkthrough: which staff attend each interview, which hangar or test bay gets toured, which evidence binder gets opened.
Output formats: PDF, editable Word, HTML, CSV, ZIP. Branded with your logo. No platform lock-in.
From scoping to assessor handoff in 60 to 75 days.
A predictable, productized engagement built around a six-step scoping wizard, with deliverables and sign-offs at each gate.
Scoping & CUI boundary
60-minute working session. We map your UAS programs, contracts in flight, ITAR overlap, NDAA 889 exposure, and the CUI boundary across engineering, build, and test.
Asset and data inventory
Aircraft, ground stations, test range hardware, engineering workstations, CAD repositories, autopilot build pipelines, and removable media inventories.
Gap analysis & SPRS
All 110 controls scored against your shop. SPRS calculated. POA&M drafted with UAS-specific gaps and remediation timeline.
Documentation build
SSP, 14 policies, 14 procedures, control narratives, evidence checklist, Section 889 attestation, ITAR crosswalk, all branded and reviewed.
Mock walkthrough
Tabletop assessment with our CMMC RPs, including the questions a C3PAO will ask your test pilot, your build lead, and your IT lead.
Assessor handoff
Evidence repository organized, interview prep done, assessment readiness checklist signed. We hand the package to your C3PAO.
Pick your level. Get a fixed price, fixed timeline.
Three productized packages. Fixed prices, fixed timelines, third-party assessment fees disclosed up front so the total budget is transparent before you sign.
Foundational (FCI)
- 17 control narratives + SSP
- Policies and procedures package
- SPRS attestation prep
- 21-day delivery
Advanced (CUI)
- SSP + POA&M + SPRS score
- 14 policies + 14 procedures
- 110 control narratives
- Section 889 attestation
- 60 to 75 day delivery
Expert
- L2 baseline + 24 NIST 800-172 controls
- DIBCAC-led assessment readiness
- Architecture and threat modeling
- Custom timeline
What counts as CUI in a UAS shop.
Use this as a starting point during the scoping call. We will refine each row against your contracts, your DD Form 254 (if any), and your CDI markings during the engagement.
| Artifact | Likely CUI category | Where it lives |
|---|---|---|
| Mission planning files, flight cards | Controlled Technical Information (CTI), OPSEC | GCS laptops, mission planning workstations, Pix4D / WebTAK / ATAK |
| Autopilot firmware source code | CTI, sometimes export-controlled (EAR / ITAR) | Git, SVN, build servers, developer workstations |
| Engineering drawings (airframe, ESC, GCS) | CTI | SolidWorks, Altium, PLM, shared drives |
| Flight logs and telemetry from federal tests | CTI, Defense (DCNI-O), OPSEC | Ground control station archives, telemetry servers |
| RF link designs, frequency plans | CTI, Defense (FOUO legacy) | RF engineering workstations, vendor test reports |
| ISR payload performance reports | CTI, Defense, sometimes classified | Engineering reports, customer deliverables |
| Section 889 sourcing attestations and BOMs | CUI (Procurement), CTI | ERP, PLM, supply chain shared drive |
| Customer correspondence on classified programs | Defense (DCNI-O), Personally Identifiable Info | Email, ticket systems, contract repositories |
If your C3PAO finds a doc gap, we fix it free.
Every ComplianceArmor CMMC engagement carries the Petronella Technology Group Audit-Ready Promise. If a C3PAO assessor identifies a gap in any artifact we produced, we fix it at no charge within 30 days. If a CMMC Level 2 assessment fails because of our documentation work, we refund 50% of our fee. The package is yours forever, in editable native formats, with no subscription and no DRM.
Important disclosure. Petronella Technology Group, Inc. is a Cyber AB Registered Provider Organization (RPO). The independent CMMC Level 2 assessment required for certification is performed by a Cyber AB Authorized C3PAO under a separate engagement, priced separately from this package. Only the Cyber AB and the U.S. Department of Defense issue CMMC certificates. Petronella Technology Group does not perform certified assessments and does not promise assessment outcomes.
CMMC questions drone makers ask first.
Are drone telemetry logs and flight test data CUI?
If the data was collected during a federal test, captured against a federal customer requirement, or directly tied to a controlled aircraft platform, the answer is almost always yes. Most flight logs from DoD evaluations, federal test ranges, and federally funded ISR demonstrations meet the definition of Controlled Technical Information (CTI), a CUI category. The data has to be handled inside your CMMC Level 2 boundary: encrypted at rest, encrypted in transit, access logged, exfiltration controls in place. We document each flow during the scoping call.
What is the Blue UAS program and how does it relate to CMMC?
Blue UAS is the Defense Innovation Unit's qualified-vendor list of small UAS that meet DoD operational, security, and supply-chain requirements, including NDAA Section 848 and FY 2020 Section 1260H sourcing rules. Blue UAS qualification and CMMC are separate but reinforcing. CMMC governs how you protect the engineering data and customer information. Blue UAS governs whether the platform itself is allowed to fly on federal missions. Most Blue UAS-listed vendors will need CMMC Level 2 to keep their direct DoD subcontracts. We help with the documentation side.
We use DJI for commercial work. Can we still pursue CMMC?
Yes, but the CMMC SSP has to clearly draw the line. Federal contracts that fall under NDAA Section 889 and FAR 52.204-25, plus the American Security Drone Act of 2023, prohibit covered Chinese telecommunications and video gear, including DJI flight controllers and certain Autel and Yuneec models, from federally funded systems. If you do mixed commercial and federal work, your CMMC documentation needs an explicit partition: which aircraft, which pilots, which data flows are inside the federal boundary, and which sit outside. We document that partition during the scoping wizard.
How does ITAR overlap with CMMC for autopilot and guidance code?
If your autopilot, guidance, navigation, or ISR payload technology lands on the United States Munitions List (USML), your firm needs DDTC registration and ITAR-compliant technical data controls in addition to CMMC. The good news: the same evidence usually satisfies both. ITAR's "technical data" controls map cleanly onto NIST 800-171 families 3.1 (Access Control), 3.8 (Media Protection), 3.13 (System and Communications Protection), and 3.14 (System and Information Integrity). Our deliverable includes an ITAR / CMMC crosswalk so one set of policies and procedures supports both regimes.
What about NDAA Section 889 and FAR 52.204-25?
NDAA Section 889 (codified at FAR 52.204-25) prohibits federal agencies and federal contractors from using covered telecommunications equipment or services from a list of named entities, including Huawei, ZTE, Hytera, Hikvision, Dahua, and any subsidiaries or affiliates. For drone makers, the practical impact is on radios, cameras, and video transmission components. Your CMMC SSP needs a documented sourcing process and an attestation that your bill of materials is clean. We include the attestation template and the SSP narrative in the package.
What does a DCSA facility clearance overlap with CMMC look like?
If your shop holds a Facility Clearance (FCL) issued by the Defense Counterintelligence and Security Agency, you already follow the National Industrial Security Program Operating Manual (NISPOM) for classified handling. CMMC Level 2 covers the unclassified-but-controlled side: CUI in the engineering, build, and test environments. The two share most perimeter controls, change management, media handling, and personnel-vetting requirements. We map the shared evidence so you do not document the same control twice for two different inspectors.
What if our autopilot firmware lives on GitHub or a public registry?
Open-source autopilot frameworks (PX4, ArduPilot) are not CUI. Your derivative source, your branded firmware, your customer-specific configuration, and any mission-tuned parameters that are tied to a federal program are CUI. Move that derivative work into a private repo inside your CMMC boundary, gate access with a federated identity provider, log every clone and pull, and document the build pipeline. We include a software supply chain section in the SSP that handles this case directly.
How long does this take, and what does it cost?
CMMC Level 1 from $6,997 flat, 21-day delivery, no third-party assessor required.
CMMC Level 2 documentation package from $24,997 flat, 60 to 75 day delivery. The required C3PAO assessment fee runs $30K to $50K and is engaged separately. We disclose that on every pricing card so the total budget is transparent up front.
CMMC Level 3 is custom-scoped after a discovery call. DIBCAC-led assessment is government-administered.
Stop authoring the SSP. Start the CMMC assessment.
Schedule a 30-minute scoping call. We will walk through your UAS programs, your CUI footprint, your Section 889 sourcing, and quote your engagement on the call.