CMMC Compliance for MCAS Cherry Point and FRCE Suppliers

Marine Corps Air Station Cherry Point sits in Havelock, North Carolina and has been the Marine Corps' largest East Coast air station since 1941. The installation is built around Fleet Readiness Center East (FRCE), a Naval Air Systems Command depot that began operations during World War II as the Overhaul and Repair Department at MCAS Cherry Point and was redesignated under the 2005 Base Realignment and Closure process in October 2006.

FRCE is North Carolina's largest maintenance, repair, and overhaul (MRO) and technical services provider, with more than 3,600 military, civilian, and contract workers. The main depot includes 119 structures covering 2.1 million square feet, of which roughly 1.7 million square feet is production space. FRCE has been the lead site for depot-level maintenance on the F-35B Lightning II since 2013, has inducted 158 F-35 aircraft, and has delivered 145 back into operational service.

For your business, that mix produces a distinctive contractor profile. Cherry Point suppliers skew heavily toward aviation MRO, depot-level maintenance, avionics, ground support equipment, calibration, technical data management, and supply chain support for legacy and fifth-generation airframes. The most consistent pattern we see is a small or mid-size firm that already runs a mature AS9100 Rev D quality system and is now being asked to stack a CMMC Level 2 posture on top of it within an option-year window.

Petronella Technology Group works with Cherry Point area suppliers from a Raleigh headquarters that is roughly two hours by car from the Cherry Point main gate. The firm is a Cyber AB Registered Provider Organization (RPO #1449) and every consultant holds the CMMC Registered Practitioner credential. We do not provide AS9100 certification audits, but we work fluently alongside your AS9100 registrar so the two posture documents reinforce each other rather than collide.

F-35B sustainment, modification, and vertical lift fan test suppliers

FRCE began F-35B depot work in 2013 and the F-35B sustainment workload is the single largest growth pillar at Cherry Point. Tier 2 and Tier 3 subs supplying parts, ground support equipment, testing services, and technical data management for the F-35B carry CMMC Level 2 flowdowns almost universally.

Legacy airframe MRO suppliers

FRCE has historically performed phased depot maintenance, planned maintenance intervals, integrated maintenance concepts, modernizations, conversions, overhaul, and in-service repair on a wide aircraft mix. Legacy airframe subs face an evolving CMMC posture as DoD program offices push the standard down to their supplier tiers.

Avionics, calibration, and instrument repair shops

Avionics test equipment, automatic test stations, and the supplier base for calibration services around Havelock and New Bern carry CMMC flowdowns because the technical data and calibration records often meet the CUI definition.

Engineering services, technical writing, and technical publications

FRCE has approximately 1,000 engineers and a deep technical publications function. Subs providing engineering services, technical writing, technical data package conversion, and illustrated parts breakdown work routinely handle CUI.

Ground support equipment and tooling manufacturers

Specialized aviation ground support equipment for legacy airframes and for the F-35 fleet runs through a regional supplier base. Engineering drawings and supply schedules are routinely controlled.

Base operations support, facilities, and MILCON

NAVFAC Mid-Atlantic drives a continuous MILCON and facility sustainment stream at Cherry Point. Architecture-engineering firms handle as-built drawings, security system diagrams, and base utility maps that meet the CUI definition.

All three CMMC levels phase in under the 32 CFR 170 Final Rule. The cost, evidence burden, and assessment cadence are different at each tier. For an aviation supplier with an existing AS9100 quality system, the practical question is which CMMC level reuses the AS9100 evidence library most efficiently. Read our CMMC 2.0 complete guide for the full level-selection framework.

Cherry Point suppliers have two posture documents that need to coexist. AS9100 Rev D is the aerospace and defense quality management standard layered on top of ISO 9001:2015. CMMC Level 2 is a security framework built on NIST SP 800-171 Rev 2. They do not overlap, but they do interact at predictable points.

Document control

AS9100 already drives a controlled document management process. CMMC adds a CUI marking, handling, storage, and destruction overlay. Most aviation subs we engage can layer the CUI overlay on top of an existing AS9100 document control function with modest disruption.

Risk management

AS9100 risk management focuses on product, process, and supply chain risk. CMMC risk management (the RA control family in NIST 800-171) focuses on information system risk. The two risk registers should be linked but not merged.

Configuration management

AS9100 configuration management governs product configuration. CMMC configuration management (the CM control family) governs system configuration. The disciplines transfer well in either direction.

Internal audit

AS9100 internal audits are mature in nearly every Cherry Point sub we work with. The same audit cadence can absorb CMMC evidence verification without doubling the staffing burden.

Supplier and subcontractor flowdown

AS9100 already requires flowdown of quality requirements to suppliers. CMMC adds the requirement to flow DFARS 252.204-7012 and CMMC posture requirements as well. A combined flowdown clause library is the cleanest answer.

1. Commercial Microsoft 365 holding F-35B or FRCE technical data

Standard commercial cloud tenants do not satisfy DFARS 252.204-7012 data residency. Migration to Microsoft 365 GCC High is the most common high-impact remediation. We have shipped GCC High migrations for Craven County aviation subs in 60 to 90 days.

2. SSP that documents the AS9100 quality boundary but not the CMMC information boundary

Two posture documents need to exist. The AS9100 quality manual and the CMMC System Security Plan are not interchangeable. Read our CMMC Final Rule implementation guide for the phased calendar driving this.

3. SPRS score with no calculation trail

The number landed in SPRS years ago when the prime asked for it. No one can show how it was derived. DoD now expects an evidence trail.

4. No 72-hour DFARS incident reporting plan

DFARS 252.204-7012 requires reporting to DoD Cyber Crime Center (DC3) within 72 hours. We almost never see a documented and tested reporting workflow.

5. Technical data package (TDP) handling that does not reflect CUI marking

Engineering drawings, technical data packages, illustrated parts breakdowns, and depot work orders that clearly meet the CUI definition are stored unmarked. Without a CUI inventory the assessment cannot be scoped properly.

6. Test equipment and calibration data outside the CUI boundary

Automatic test station data, calibration records, and instrument repair documentation often meet the CUI definition but live on a separate quality system network that was never inside the CMMC boundary.

7. Backup and disaster recovery outside the CUI boundary

Backups on a commercial cloud tier extend the CUI boundary to the backup target. We rebuild backup posture inside the CMMC enclave during every Level 2 engagement.

State-sponsored collection against F-35 sustainment

FBI and Cybersecurity and Infrastructure Security Agency joint advisories have repeatedly documented sustained intrusion campaigns against the U.S. fifth-generation aviation supply chain. F-35B sustainment cycles, parts schedules, and technical data are explicit collection requirements.

Ransomware crews targeting aviation MRO firms

Aviation MRO subs face higher ransom demands than commercial firms of equivalent size because depot cycle delays cascade into aircraft availability shortfalls. Encrypted backups outside the CMMC boundary do not help if the backup credentials were exfiltrated.

Insider risk from cleared-workforce churn between FRCE and the local supplier base

The Havelock and New Bern cleared-workforce market is small and tightly connected. Without a tested off-boarding process, departing engineers leave with VPN credentials, persistent OneDrive sync, or personal-device residue.

Phishing themed around F-35 program milestones and FRCE sustainment cycles

Targeted phishing kits exist that mirror F-35 program announcements, FRCE facility openings, and depot induction cycles. A back-office accountant at an 8 person sub clicks one F-35-themed payment update and the firm has a confirmed CUI incident inside 24 hours.

Petronella Technology Group does not publish a fixed CMMC price because scope drives cost. A 10 person back-office calibration shop is fundamentally different from a 60 person F-35B sustainment Tier 2 supplier with three program offices and two physical facilities.

Stage 1 - Free scoping consultation

A 45 minute call. We map your prime contracts, flowdown clauses, current SPRS posture, AS9100 status, and any other quality system overlay. You leave with a written scope summary and a typical engagement length estimate. No charge, no obligation.

Stage 2 - Boundary and CUI inventory workshop

Two to four weeks. We document where CUI lives, including technical data packages and calibration records, who touches it, and which systems are in scope.

Stage 3 - Gap analysis against all 110 NIST 800-171 controls, mapped to AS9100 evidence

Three to six weeks. Each control is scored and where appropriate cross-referenced to existing AS9100 evidence so you do not duplicate effort.

Stage 4 - Remediation, GCC High migration, and SSP build

30 to 90 days for most subs. The System Security Plan, Plan of Action and Milestones, and supporting policies are all built or refreshed.

Stage 5 - Pre-assessment dress rehearsal and C3PAO selection

Mock C3PAO assessment. Findings drive a final remediation sprint. We help you select and contract a C3PAO from the Cyber AB Marketplace.

Stage 6 - Continuous monitoring and SPRS maintenance

Annual self-affirmation requires defensible evidence. We keep your SPRS posture continuously current with managed detection, vulnerability scanning, and a quarterly evidence review aligned with your AS9100 internal audit cycle.

1. North Carolina firm with a Raleigh headquarters and a Cherry Point service radius

Petronella Technology Group is headquartered at 5540 Centerview Drive, Suite 200, Raleigh, NC 27606 and has been in continuous operation since 2002. The firm holds a BBB A+ rating dating to its founding.

2. Entire team CMMC Registered Practitioner

The firm is listed in the Cyber AB Marketplace as Registered Provider Organization (RPO) #1449. Every consultant on staff carries the CMMC-RP credential, including the founder, Craig Petronella, who also holds CCNA, CWNE, Digital Forensic Examiner #604180, and MIT-Certified credentials in Artificial Intelligence and Blockchain. See our team and credentials.

3. Private AI cluster purpose-built for CUI workloads

For Cherry Point Tier 2 suppliers that want to use modern AI tools to analyze technical data packages, calibration records, or maintenance histories without sending CUI to a public model API, Petronella Technology Group operates a private NVIDIA-based AI cluster sourced through the NVIDIA Elite Partner Channel. Local inference inside a CMMC boundary lets engineers and analysts use modern AI productivity tools without breaching the data handling requirements that govern your contracts.

4. 24/7 hybrid AI and human threat analysis aligned to DFARS reporting

Detection alone is not the obligation. The DFARS 252.204-7012 obligation is to report a cyber incident to the DoD Cyber Crime Center inside 72 hours, and the practical question is whether the team answering the 2:00 AM alert knows how to triage, contain, preserve forensic evidence, and submit a DC3 report inside the clock. Petronella Technology Group runs a continuous AI-assisted plus human-analyst SOC built for the DIB reporting cadence, and Craig Petronella holds Digital Forensic Examiner credential number 604180 in support of the forensic preservation work that follows.

5. Aviation MRO fluency, not retrofitted from commercial MSP work

A meaningful share of MSPs in eastern North Carolina extend their commercial managed services book into the DIB market without rebuilding their stack around CUI handling, technical data package controls, or the AS9100 quality posture that Tier 2 aviation suppliers already operate. Petronella Technology Group built the CMMC practice from a DIB-first baseline, and the firm's stack, documentation library, and consultant credential mix reflect that.

Most of our Cherry Point area engagements originate from the following municipalities or surrounding counties. Petronella Technology Group does not operate a satellite office in Havelock or New Bern, and we have found the lower overhead of a Raleigh-based delivery model is consistently better for our clients than a posted-rate local office model.

Craven County: Havelock, New Bern, Bridgeton, James City, Vanceboro. Havelock is the dominant origin city for Cherry Point and FRCE intake calls.

Carteret County: Morehead City, Beaufort, Newport, Cape Carteret, Emerald Isle. Carteret County subs frequently serve both Cherry Point and Camp Lejeune in alternating program years.

Pamlico County: Bayboro, Oriental, Arapahoe, Grantsboro. Small precision-manufacturing and electronics shops in the Pamlico corridor feed both the aviation MRO supply chain and the broader DoD market.

Onslow County: Jacksonville and surrounding cities, where the Camp Lejeune supplier base overlaps with the Cherry Point base on the southern flank.

Pitt County: Greenville, where the East Carolina University engineering pipeline feeds both regional employers and the FRCE workforce.

Onsite visits are typically same-week from Raleigh. Remote remediation, managed detection, and SPRS-evidence maintenance are delivered continuously, with no travel-rate surcharge inside North Carolina.

CMMC 2.0 Complete Guide 2026 covers the three levels, certification cost ranges, and the full implementation timeline.

CMMC Final Rule Implementation walks the 32 CFR 170 effective date and contract flowdown windows.

CMMC 2.0 Final Rule Released covers what defense contractors must do in the first 90, 180, and 365 days after their first CMMC contract flows down.

For program-level structure, see our flagship CMMC compliance program and the solutions by industry hub.