Industry Guide — Aerospace Subcontractors

CMMC for Aerospace Subcontractors: What Tier 2 and Tier 3 Suppliers Need to Know

If you're making components, assemblies, or systems for Lockheed, Boeing, Raytheon, Northrop, or General Dynamics — or for companies that supply them — this is the guide for your situation. Aerospace has unique CMMC challenges that generic compliance content doesn't address.

Why Aerospace Is Different

Aerospace defense manufacturing sits at the intersection of three overlapping compliance regimes: CMMC, ITAR, and quality standards like AS9100. You're not just dealing with cybersecurity — you're managing controlled technical data that has legal export restrictions, complex supply chain relationships, and multi-tier certification requirements.

The average generic CMMC consultant doesn't know what a Technical Data Package is. They don't understand that your test data is CUI, that your qualification reports reference controlled drawings, or that your material certs can carry controlled information. You need someone who's worked in aerospace — or a guide written for it.

This is that guide.

How CUI Flows Through an Aerospace Operation

Controlled Unclassified Information in aerospace shows up in more places than most industries. Here's how it flows from your prime to your shop floor and back:

CUI Journey — Aerospace Subcontractor

1. Technical Data Package from the Prime [CUI]

Drawings, 3D models, process specifications, material callouts, surface requirements, GD&T. Every document in a TDP is CUI. It arrives via email, FTP, or a secure supplier portal — and the moment it hits your system, your CUI boundary includes that system.

2. ITAR-Controlled Engineering Review [CUI + ITAR]

Your engineers analyze the TDP, generate manufacturing plans, create tooling layouts, and develop work instructions. All of this analysis references controlled data — and most of it is ITAR-controlled on top of being CUI. The workstations where this happens are in scope for both frameworks.

3. Manufacturing Process Control Data [CUI]

NC programs, tooling databases, fixture designs, heat treatment parameters. If these reference the controlled drawings, they're CUI. Your CAM system, your process engineering database, your ERP work orders — all potentially in scope.

4. Test Data and Qualification Records [CUI]

First article inspection reports, non-destructive testing results, material test reports, qualification data packages. If you're producing FAIRs (First Article Inspection Reports) against controlled drawings, those reports are CUI. Your CMM output files referencing controlled dimensions are CUI.

5. Delivery and Certification Documentation [CUI]

Certificates of conformance, material certifications, shipping data packages. These reference the controlled part numbers, drawing revisions, and specs. How you transmit them and how long you retain them are both in scope for CMMC.

Most aerospace subs are surprised by how far the CUI boundary extends. It's not just the drawings on the screen. It's the test data, the process records, the FAIRs, the material certs — anything that references or derives from controlled technical data.

Understand your CUI boundary before spending a dollar.

Our assessment asks about your actual data flows — how you receive TDPs, how your engineering data moves, how you handle test records. You get a real picture of your scope, not a generic checklist.


ITAR + CMMC: The Double Compliance Burden

If your company is registered with the Directorate of Defense Trade Controls (DDTC) and authorized to handle ITAR-controlled technical data, you already have some security controls in place. ITAR requires you to restrict access to controlled data to U.S. persons, maintain records, and implement access controls. That foundation matters.

But here's what most aerospace subs discover: ITAR compliance and CMMC compliance are almost entirely separate checklists. ITAR tells you who can see the data. CMMC tells you how you must protect it technically, how you document your controls, and how you get third-party verification. They overlap heavily in terms of the data they cover, but they don't substitute for each other.

ITAR Requirements:
  • Restricts access to U.S. persons only
  • Controls export of defense articles and services
  • Requires DDTC registration and licenses
  • Voluntary security measures (no specific IT controls required)
  • Self-policed — no third-party assessment required

CMMC Requirements:
  • 110 specific cybersecurity controls (NIST 800-171)
  • Written System Security Plan documenting every control
  • Third-party C3PAO assessment required for Level 2
  • SPRS score submission to DoD systems
  • Ongoing compliance — annual affirmation

The practical implication: your ITAR program gives you a head start on access controls and data classification. It does not give you a head start on multi-factor authentication, audit logging, incident response documentation, configuration management, or any of the other 90+ CMMC controls that ITAR doesn't address.

What Aerospace Primes Are Demanding Now

Lockheed Martin, Boeing, Raytheon, Northrop Grumman, and General Dynamics are not waiting for Phase 2. Their supply chain compliance teams are actively auditing Tier 2 and Tier 3 suppliers right now. Here's what they're asking for:

  • Active SPRS scores: Most major primes already require that you have an SPRS score on file with the DoD. If you haven't done your NIST 800-171 self-assessment and submitted it to the Supplier Performance Risk System, you're already behind on some contracts.
  • CMMC compliance plans: Some primes are requesting a documented compliance roadmap — evidence that you have a plan and are working toward certification. This isn't just checkbox compliance; they want to see dates and milestones.
  • Supply chain flow-down verification: Your prime is responsible for certifying that its supply chain is compliant. They'll ask you for documentation, and in some cases they'll conduct their own supplier audits.
  • Cyber incident notification: DFARS 252.204-7012 already requires you to report cyber incidents within 72 hours. Primes are increasingly asking for your incident response procedures as part of supplier qualification.

The F-35 program in particular has been aggressive about CMMC supply chain enforcement. If you supply into that program, compliance is not optional and the timeline pressure is real.

Scoping for Aerospace Is More Complex

Here's where aerospace differs most significantly from a machine shop or general manufacturing company. Your CUI boundary is typically larger and more complex, for several reasons.

First, ITAR-controlled data is usually spread across more systems. Your engineers are accessing TDPs from workstations that may also be used for ITAR-controlled design work, which means the engineering team's entire environment may need to be in scope.

Second, your test data flows are more complex. If you're doing structural testing, non-destructive evaluation, or qualification testing, that data moves through lab systems, data acquisition equipment, and analysis software — all potentially in scope.

Third, your supplier-facing systems matter. If you receive TDPs via a supplier portal and that portal is on the same network as your general IT infrastructure, scoping questions get complicated fast.

The aerospace shop that builds the best CUI enclave wins. That means understanding exactly where controlled data lives, segmenting those systems from everything else, and documenting it so precisely that your C3PAO assessor can follow the data flow without explanation.

Documentation for aerospace requires aerospace expertise.

Our Assessment-Ready Package is built for manufacturers with complex data flows — TDPs, test data, multi-system environments. Built from your actual environment and verified by practitioners who already know aerospace.


Cost Estimates for Aerospace Subcontractors

A 40–100 person aerospace sub faces different cost dynamics than a small machine shop. The complexity of your data environment and the ITAR overlay typically add scope and cost to CMMC implementation. Here's what the numbers look like:

Company Size        Gap Assessment   Documentation   Remediation   C3PAO Assessment   Total Range
20–40 employees     $8K–$20K         $15K–$40K       $20K–$60K     $30K–$50K          $73K–$170K
40–75 employees     $15K–$30K        $25K–$60K       $35K–$100K    $40K–$65K          $115K–$255K
75–150 employees    $20K–$40K        $40K–$80K       $60K–$150K    $50K–$80K          $170K–$350K

The biggest variable is remediation — what it costs to close your security gaps depends entirely on where you start. A company with a clean, segmented network and basic MFA already in place can cut these estimates dramatically. The documentation line is where MyCMMC makes the biggest difference — see the full cost breakdown for how AI-assisted documentation compares to consultant rates.

Certification as Competitive Advantage

Here's the part nobody talks about enough. After Phase 2, the aerospace defense supply chain is going to split into two groups: certified suppliers and everyone else. Primes will be required to use certified subs for CUI work. That means certified companies get first pick of contracts, and uncertified companies get cut from bidding lists.

If you're a 50-person aerospace shop in Wichita, Dayton, or Tucson, being CMMC Level 2 certified in 2026 is going to be one of the most important business development moves you can make. You'll be competing against shops that haven't started yet — and winning work by default because you have the certification they don't.

The shops that view CMMC as only a cost see it wrong. It's also a credential that differentiates you in the most competitive defense supply chain in the world.

Frequently Asked Questions

Q: We make physical parts, not software. Does CMMC still apply to us?

Yes. If you receive technical data packages — drawings, specifications, material requirements, test data — that data is CUI regardless of whether the end product is a physical part or software. Aerospace manufacturers who fabricate components using controlled technical drawings need CMMC Level 2. The physical-vs-software distinction doesn't matter.

Q: We're already ITAR compliant. Doesn't that cover CMMC?

ITAR and CMMC are separate compliance frameworks. ITAR controls who can see the data and governs export. CMMC controls how you technically protect it and requires third-party assessment. Most ITAR-controlled data is also CUI, so the scope overlaps — but satisfying ITAR doesn't satisfy CMMC, and vice versa. If you've implemented ITAR controls, you have a foundation. CMMC adds 110 specific technical controls on top of that.

Q: What is a Technical Data Package, and is it CUI?

A Technical Data Package is the complete documentation defining a part or assembly — drawings, models, specifications, process requirements, material callouts. In defense aerospace work, TDPs are almost always CUI. They contain the information needed to replicate the part, which is exactly what the DoD wants protected. If your prime sends you a TDP, assume it's CUI until explicitly told otherwise.

Q: What are flow-down requirements?

Flow-down requirements are contractual obligations that prime contractors pass to subcontractors. When a prime has CMMC requirements from the DoD, they pass those requirements to any sub that handles CUI. Your subcontract will have CMMC clauses requiring a valid Level 2 certification and an active SPRS score. Primes are actively auditing their supply chains now — ahead of the formal Phase 2 deadline.

Q: Does our AS9100 certification help with CMMC?

AS9100 is a quality management standard focused on product quality and process control. CMMC is focused on cybersecurity and data protection. They don't overlap directly in specific controls, but AS9100 creates a cultural foundation — documented processes, internal audits, management commitment — that makes CMMC implementation easier. Your documentation discipline transfers. The actual security controls don't.

Q: Can a small aerospace shop afford Level 2 certification?

Yes, with the right approach. Keep your CUI boundary tight to systems that actually handle controlled technical data. A 40-person aerospace shop with a well-defined CUI enclave can complete Level 2 certification for $40K–$80K total, versus $150K–$250K if the entire network is in scope. Build the enclave first, then certify what's inside it.

Get Your C3PAO-Ready Documentation — Built for Aerospace

Our free readiness check maps your aerospace data flows, TDPs, and ITAR overlay to build you a complete compliance package — verified by practitioners who already understand aerospace CUI environments, not a generic IT consultant who'll charge you to learn your business.
