CMMC Compliance for Seymour Johnson Air Force Contractors
Petronella Technology Group helps Goldsboro, Wayne County, and eastern North Carolina defense subcontractors serving Seymour Johnson Air Force Base, the 4th Fighter Wing F-15E Strike Eagle fleet, and the 916th Air Refueling Wing KC-46 mission reach CMMC Level 1, Level 2, and Level 3 readiness without losing option-year revenue to a missed flowdown deadline.
Why Seymour Johnson AFB is a distinct CMMC market
Seymour Johnson Air Force Base sits inside the city limits of Goldsboro, in Wayne County, North Carolina. It is an Air Combat Command installation and one of the most important fighter and aerial-refueling hubs on the East Coast. The host unit is the 4th Fighter Wing, which operates roughly 95 F-15E Strike Eagle aircraft and serves as the United States Air Force's formal F-15E training wing through its 333rd, 334th, 335th, and 336th Fighter Squadrons. The wing accounts for approximately 6,400 military members and 600 civilians.
Co-located at Seymour Johnson is the 916th Air Refueling Wing, an Air Force Reserve Command unit that operates the KC-46 Pegasus tanker. The 916th's tanker mission means the base is not a single-airframe installation - it sustains both a deep-strike fighter fleet and a strategic aerial-refueling fleet from the same flight line, which produces a broader and more layered local supplier base than a fighter-only base would.
The base is the largest single employer in Wayne County. Public economic-impact reporting puts the annual payroll at roughly $282 million and the total annual economic impact on the surrounding region at approximately $460 million. That spend supports a steady, mid-volume defense industrial base of aviation sustainment, base operations support, and information-technology vendors across Goldsboro and the surrounding counties.
For your business, the Air Force mix produces a contractor blend distinct from the Marine installations to the south or the Army footprint to the west. Seymour Johnson subs skew toward aircraft maintenance, repair, and overhaul (MRO), avionics and component repair, munitions handling, ground support equipment, base operations support, and IT and cyber services. It is a precision-aviation market in which AS9100 quality posture and NIST SP 800-171 security controls increasingly have to coexist on the same supplier.
Petronella Technology Group works with Wayne County and eastern North Carolina subs from a Raleigh headquarters that is roughly 70 miles west of the Seymour Johnson main gate, a little over an hour by car. On-site visits, secure-workspace coordination, and unclassified-network remediation can all run from Raleigh. The firm is a Cyber AB Registered Provider Organization (RPO #1449) and every consultant holds the CMMC Registered Practitioner credential.
If your contract supports both the 4th Fighter Wing F-15E fleet and the 916th Air Refueling Wing KC-46 mission, the same CMMC posture will typically satisfy both flowdowns - but the boundary discussion has to account for both program data sets. See our flagship CMMC compliance program for the multi-program scope framework.
Seymour Johnson subcontractor sub-clusters we typically engage
The Seymour Johnson supply chain divides into six recurring contractor profiles, almost all of them shaped by the Air Force aviation mission.
F-15E and KC-46 aircraft maintenance, repair, and overhaul vendors
The 4th Fighter Wing flies one of the busiest F-15E fleets in the Air Force, and the 916th operates a growing KC-46 fleet. Both drive a deep MRO supplier base across eastern North Carolina. Airframe maintenance, depot-level overhaul, structural repair, and scheduled-inspection support all carry CMMC flowdown clauses on most option-year RFPs, and the technical data shared with the wings is routinely Controlled Unclassified Information.
Avionics, component repair, and calibration shops
Avionics testing, line-replaceable-unit repair, electronic warfare component work, and precision calibration intersect NIST SP 800-171 controls with AS9100 quality posture in nearly every Tier 2 supplier we engage. Test data, repair work orders, and engineering drawings frequently meet the CUI definition.
Munitions handling and weapons support contractors
As an F-15E deep-strike wing, Seymour Johnson sustains a munitions and weapons-support mission. Subcontractors providing munitions storage support, handling equipment, and weapons-systems sustainment carry mixed Federal Contract Information and CUI footprints that require careful boundary scoping.
Ground support equipment and aviation logistics firms
Flight-line tempo at a dual-mission base produces a constant logistics and ground-support requirement. Vendors providing ground support equipment, aviation fuels support, parts logistics, and supply-chain sustainment routinely handle program timelines and parts forecasts that are CUI.
Base operations support and facilities firms
Civil engineering, MILCON, sustainment, and base operations support contracts flow continuously through Seymour Johnson. Architecture-engineering and design firms routinely handle as-built drawings, security system diagrams, and base utility maps that meet the CUI definition.
IT, cyber, and information-services vendors
Information technology, network support, software, and cyber-services vendors supporting the base or its prime contractors sit at the center of the CMMC mandate. These firms are frequently pushed toward Level 2 because their own service delivery touches CUI directly rather than incidentally.
Level 1, Level 2, and Level 3 - which one does your Seymour Johnson contract require?
The Department of Defense will phase in all three CMMC levels under the 32 CFR 170 Final Rule, and the contract clauses DFARS 252.204-7012, 7019, 7020, and 7021 govern how the requirement flows down to you. The cost, evidence burden, and assessment cadence are different at each tier. Seymour Johnson aviation subs systematically overshoot into Level 2: we estimate roughly one in three of our intake calls is from a sub being pushed toward Level 2 when a well-scoped Level 1 boundary would have satisfied the prime. Read our CMMC 2.0 complete guide for the full level-selection framework.
Level 1 - Federal Contract Information only
Annual self-assessment. 15 basic safeguarding practices from FAR 52.204-21, mapped through DFARS 252.204-7019. Standard path for back-office subs, custodial, food-service, and base-support vendors with no CUI exposure.
Level 2 - Controlled Unclassified Information
Third-party C3PAO assessment every three years for prioritized contracts, asserted under DFARS 252.204-7020 and 7021. All 110 NIST SP 800-171 Rev 2 controls. Default level for the bulk of F-15E and KC-46 sustainment, avionics, and munitions-support flowdowns.
Level 3 - Advanced persistent threat protection
Government-led DIBCAC assessment. NIST SP 800-171 plus a subset of NIST SP 800-172 enhanced controls. Reserved for the most sensitive weapons-system and electronic-warfare programs. See our CMMC implementation framework.
Never plan as though Level 3 will not appear. Weapons-system sustainment and electronic-warfare component programs over-index on the most sensitive contract tiers, and Seymour Johnson subs that build their Level 2 architecture with a clear uplift path to Level 3 avoid an expensive rebuild later. Petronella Technology Group scopes every Level 2 engagement assuming Level 3 may arrive within 24 months.
The seven compliance gaps we find on nearly every Seymour Johnson subcontractor baseline
The Seymour Johnson intake calls produce a consistent pattern - the same seven issues account for most of the deductions behind a sub-110 SPRS score.
1. Commercial Microsoft 365 or commercial Google Workspace holding CUI
Standard commercial cloud tenants do not satisfy DFARS 252.204-7012 data residency. Migration to Microsoft 365 GCC High is the most common high-impact remediation. We have shipped GCC High migrations for Wayne County subs in 60 to 90 days.
2. No System Security Plan, or a stale SSP that no longer matches the network
Either condition fails a Level 2 assessment. The fix is a refreshed SSP built from the current boundary diagram. Read our CMMC Final Rule implementation guide for the phased calendar driving this requirement.
3. SPRS score with no calculation trail
The number landed in the Supplier Performance Risk System when the prime asked for it years ago, and no one can show how it was derived. Under DFARS 252.204-7019 and 7020 the DoD now expects a defensible evidence trail behind every SPRS posting.
4. No 72-hour DFARS incident reporting plan
DFARS 252.204-7012 requires reporting to the DoD Cyber Crime Center (DC3) within 72 hours. We almost never see a documented and tested reporting workflow on intake.
5. AS9100 quality system disconnected from the security boundary
Aviation MRO and avionics subs frequently have a mature AS9100 quality posture but a CMMC boundary discussion that has never happened. The two posture documents need to be reconciled - the CUI flowing through AS9100 work orders is governed by both.
6. No CUI inventory and no CUI marking discipline
Drawings, work orders, contract attachments, and program briefings that clearly meet the CUI definition are stored unmarked. Without a CUI inventory the assessment cannot be scoped, and without marking the workforce has no way to handle the data correctly.
7. Backup and disaster recovery outside the CUI boundary
Backups on a commercial cloud tier or a network-attached storage device in a closet extend the CUI boundary to the backup target without anyone realizing it. We rebuild backup posture inside the CMMC enclave during every Level 2 engagement.
What is actually targeting Seymour Johnson contractors
The threat picture for a Wayne County Air Force DIB sub is shaped by the aviation missions Seymour Johnson supports - fighter sustainment, aerial refueling, and the precision-component supply chain behind both.
People's Republic of China collection against fighter and tanker sustainment data
FBI and Cybersecurity and Infrastructure Security Agency joint advisories have documented persistent intrusion campaigns against U.S. defense industrial base companies in the military-aviation sustainment market. F-15E maintenance data, KC-46 sustainment timelines, avionics test results, and parts-supply forecasts are explicit collection targets.
Russian and DPRK ransomware against aviation MRO and logistics
Defense subcontractors face higher ransom demands than commercial firms of equivalent size because contract delay carries liquidated damages. Aviation MRO and ground-support logistics subs are an especially attractive target because an idled flight line is a high-leverage extortion point.
Insider risk from cleared-workforce churn
The Goldsboro and broader eastern North Carolina aviation corridor has an active cleared-workforce job market. Without a tested off-boarding process, departing engineers and technicians leave with VPN credentials, persistent OneDrive sync, or personal-device residue.
Phishing themed around base operations and aviation program cycles
Targeted phishing kits exist that mirror base reorganizations, deployment workup events, and contractor payment cycles. A back-office accountant at an 8-person sub clicks one program-themed payment update and the firm has a confirmed CUI incident inside 24 hours.
How a Seymour Johnson CMMC engagement actually runs
Petronella Technology Group does not publish a fixed CMMC price because scope drives cost. A 10-person back-office sub with one CUI workflow is fundamentally different from a 60-person aviation MRO firm with three program offices. Every engagement starts with scope and ends with a SPRS score we can defend. We frame engagement timelines by typical length rather than dollars.
Stage 1 - Free scoping consultation
A 45-minute call. We map your prime contracts, flowdown clauses, current SPRS posture, and existing AS9100 or ISO 27001 footprint. You leave with a written scope summary and a typical engagement length estimate. No charge, no obligation.
Stage 2 - Boundary and CUI inventory workshop
Two to four weeks. We document where CUI lives, who touches it, and which systems are in scope. The deliverable is a defensible boundary diagram and a CUI inventory.
Stage 3 - Gap analysis against all 110 NIST 800-171 controls
Three to six weeks. Each control is scored. Evidence is collected. A prioritized remediation plan with realistic dates is produced.
Stage 4 - Remediation, GCC High migration, and SSP build
30 to 90 days for most subs. The System Security Plan, Plan of Action and Milestones, and supporting policies are all built or refreshed during this stage.
Stage 5 - Pre-assessment dress rehearsal and C3PAO selection
Mock C3PAO assessment using the same methodology a third-party assessor will use. Findings drive a final remediation sprint. We help you select and contract a C3PAO from the Cyber AB Marketplace.
Stage 6 - Continuous monitoring and SPRS maintenance
Annual self-affirmation requires defensible evidence. We keep your SPRS posture continuously current with managed detection, vulnerability scanning, and a quarterly evidence review.
A short, single-CUI-workflow Level 1 path can be a 30-day effort; a focused Level 2 remediation typically runs 60 to 90 days; a full multi-program Level 2 program with GCC High migration and a C3PAO dress rehearsal commonly runs 6 to 9 months.
Why Seymour Johnson area subs hire Petronella Technology Group
1. North Carolina firm with a Raleigh headquarters and a Seymour Johnson service radius
Petronella Technology Group is headquartered at 5540 Centerview Drive, Suite 200, Raleigh, NC 27606 and has been in continuous operation since 2002. The firm holds a BBB A+ rating dating to its founding in 2002. Seymour Johnson engagements typically run from Raleigh - roughly 70 miles away - with periodic on-site visits in Goldsboro.
2. Entire team CMMC Registered Practitioner
The firm is listed in the Cyber AB Marketplace as Registered Provider Organization (RPO) #1449. Every consultant on staff carries the CMMC-RP credential, including the founder, Craig Petronella, who also holds CCNA, CWNE, Digital Forensic Examiner #604180, and MIT-Certified credentials in Artificial Intelligence and Blockchain. See our team and credentials.
3. A 39+ layer security stack built on patented solutions
Petronella Technology Group delivers a 39+ layer security stack built on patented solutions, where each layer leverages patented technologies covering People, Process, and Technology. For Seymour Johnson aviation and weapons-support subs that need defense-in-depth without assembling a dozen point products themselves, this layered architecture maps cleanly onto the NIST SP 800-171 control families a C3PAO will assess.
4. Private AI cluster purpose-built for CUI workloads
For aviation sustainment and weapons-system contractors that want to use modern AI tools without sending CUI to a public model API, Petronella Technology Group operates a private NVIDIA-based AI cluster sourced through the NVIDIA Elite Partner Channel. Local inference inside a CMMC boundary lets engineers and analysts use modern AI productivity tools without breaching the data handling requirements that govern your contracts.
5. 24/7 hybrid AI and human threat analysis aligned to DFARS reporting
Detection alone is not the obligation. The DFARS 252.204-7012 obligation is to report a cyber incident to the DoD Cyber Crime Center inside 72 hours, and the practical question is whether the people who answer the 2:00 AM alert know how to triage it, contain it, preserve forensic evidence, and write a DC3 submission inside the clock. Petronella Technology Group runs a continuous AI-assisted plus human-analyst SOC purpose-built for the DIB reporting cadence, and Craig Petronella holds Digital Forensic Examiner credential number 604180 in support of the forensic preservation work that follows.
6. Built for the DoD subcontractor market, not retrofitted from commercial MSP work
A meaningful share of MSPs in eastern North Carolina extend their commercial managed services book into the DIB market without rebuilding their stack around CUI handling. The result is recurring SPRS deductions and a fragile audit posture. Petronella Technology Group built the CMMC practice from a DIB-first baseline, and the firm's stack, documentation library, and consultant credential mix reflect that.
Cities we serve in the Seymour Johnson catchment
Most of our Seymour Johnson area engagements originate from the following municipalities or surrounding counties. Petronella Technology Group does not operate a satellite office in Goldsboro, and we have found the lower overhead of a Raleigh-based delivery model is consistently better for our clients than a posted-rate local office model.
Wayne County: Goldsboro, Pikeville, Mount Olive, Fremont, Walnut Creek, Seven Springs. Goldsboro is the dominant origin city for Seymour Johnson intake calls and the single largest concentration of Air Force DIB subs in this part of eastern North Carolina.
Johnston County: Smithfield, Selma, Clayton, Princeton. The Johnston corridor sits on the Interstate 95 and US 70 axis between Raleigh and Goldsboro and hosts a growing set of precision-manufacturing shops feeding the aviation supply chain.
Wilson County: Wilson, Elm City. Wilson-based engineering and manufacturing firms regularly support Seymour Johnson programs on a remote-first basis.
Lenoir County: Kinston, La Grange. Kinston shares an aviation-manufacturing identity with the Global TransPark, and several Lenoir County firms serve both commercial and defense aviation customers.
Craven County: New Bern, which serves as a shared origin city for Seymour Johnson and MCAS Cherry Point engagements on alternating program years.
Onsite visits are typically same-week from Raleigh. Remote remediation, managed detection, and SPRS-evidence maintenance are delivered continuously, with no travel-rate surcharge inside North Carolina.
Continue your CMMC research
CMMC 2.0 Complete Guide 2026 covers the three levels, certification scope, and the full implementation timeline.
CMMC Final Rule Implementation walks the 32 CFR 170 effective date and contract flowdown windows.
CMMC 2.0 Final Rule Released covers what defense contractors must do in the first 90, 180, and 365 days after their first CMMC contract flows down.
For program-level structure, see our flagship CMMC compliance program and the solutions by industry hub.
Seymour Johnson CMMC questions we get every week
Do 916th Air Refueling Wing KC-46 sustainment vendors fall under Seymour Johnson CMMC scoping?
Yes. The 916th Air Refueling Wing is co-located at Seymour Johnson, and its KC-46 mission shares the contracting catchment with the 4th Fighter Wing. The CMMC posture you build for one mission will typically satisfy the other - provided the boundary diagram accounts for both program data sets.
Do I need CMMC Level 2 if I only do base operations or facilities work?
It depends on whether the contract conveys Controlled Unclassified Information. Many base operations support and facilities contracts operate at Level 1, but as-built drawings, security system diagrams, and base utility maps frequently change that. We scope first.
How does my AS9100 quality posture interact with CMMC?
AS9100 and CMMC are complementary rather than overlapping. AS9100 governs aviation quality system maturity. CMMC governs information security around CUI. Aviation MRO and avionics subs with a strong AS9100 posture still need a documented NIST SP 800-171 boundary and SSP, and the two should be reconciled.
How long does a Seymour Johnson CMMC Level 2 engagement take?
Six to nine months for a 10- to 25-person firm with one core CUI workflow. Larger aviation MRO firms or avionics shops with multiple CUI environments routinely take 12 months. We compress timelines where the prime has set a hard option-year date.
What does a Seymour Johnson CMMC engagement cost?
We do not publish a fixed price because scope drives cost. Every engagement begins with a free scoping consultation and a written estimate before any work begins. We frame the engagement by typical length - roughly 30 days, 60 to 90 days, or 6 to 9 months depending on level and complexity.
Can you handle the GCC High migration?
Yes. Microsoft 365 GCC High migration is the most common high-impact scope item we run for Seymour Johnson area subs, and we typically deliver it in 60 to 90 days.
Do you perform the C3PAO assessment yourselves?
No, and that is by design. Cyber AB rules prohibit a single firm from both consulting on remediation and conducting the C3PAO assessment. We prepare you, then help you select an independent C3PAO from the Cyber AB Marketplace.
Which DFARS clauses actually drive my CMMC requirement?
DFARS 252.204-7012 governs safeguarding and 72-hour incident reporting. DFARS 252.204-7019 and 7020 govern the NIST SP 800-171 self-assessment and the SPRS posting. DFARS 252.204-7021 is the CMMC certification requirement itself. We map all four to your specific contracts during scoping.
Will you support our prime's audit if we have an incident?
Yes. We maintain the evidence library, DC3 submission templates, and forensic readiness so the 72-hour DFARS reporting clock is not a fire drill. Craig Petronella holds Digital Forensic Examiner credential #604180.
How do I get started?
Call (919) 348-4912 or use the contact form to request a 45-minute scoping consultation. The first call is free and the deliverable is a written scope summary you can take to your prime.
Looking for the Goldsboro city-level service page? See our Goldsboro CMMC service spoke for local engagement details.
Start with a free Seymour Johnson CMMC scoping call
45 minutes. No commitment. You leave with a written scope summary, a defensible level recommendation (L1, L2, or L3), and a typical engagement length estimate. Petronella Technology Group is a Cyber AB Registered Provider Organization (RPO #1449) headquartered in Raleigh, NC.