Why MRO Shops Are High-Priority CMMC Targets
An adversary doesn't just want to know how a weapon system is designed. They want to know its weaknesses — where it fails, what conditions cause failures, which components are life-limited, what inspection intervals exist. That information lives in your technical orders and maintenance records.
MRO contractors servicing military aircraft, ground vehicles, ships, and weapons systems are custodians of some of the most operationally sensitive data in the defense supply chain. A foreign intelligence service that gains access to maintenance manuals for an F-35 component or an Abrams system doesn't just get proprietary manufacturing data — they get a roadmap for degrading readiness.
The DoD has known this for years. DFARS 252.204-7012 has been in MRO contracts since 2016. CMMC adds the enforcement mechanism that DFARS alone couldn't provide.
MRO shops hold three types of extremely sensitive CUI simultaneously: technical data (how it's built), maintenance data (how it fails), and readiness data (the current condition of specific equipment). That combination is more valuable to an adversary than any single category alone.
What CUI Looks Like in MRO Operations
If you're a mechanic or maintenance coordinator reading this, you already know what I'm describing. The question is whether you've thought about all of it as CUI that needs formal protection.
Technical Orders (TOs)
TOs are the bible of military MRO work. They cover everything from inspection procedures to assembly torque specs to tool requirements. They're official government documents, they're ITAR-controlled, and they're explicitly CUI. Every TO in your shop needs to be treated as CUI — stored in your compliant environment, access controlled, not emailed from personal accounts.
Maintenance Manuals and Job Guides
Commercial technical manuals provided by OEMs (like those from Boeing, Pratt & Whitney, or FLIR) for defense equipment are often ITAR-controlled even if they don't come with a government CUI marking. If the manual covers a defense system component and was provided in connection with a defense contract, treat it as CUI. When in doubt, ask your prime or the contracting officer.
Work Orders and Maintenance Records
Here's where MRO shops often miss scope. A work order for an aircraft tail number describing what maintenance was performed, what parts were replaced, and what defects were found is a readiness record. Aggregated across a fleet, it tells an adversary exactly which systems are degraded, which are at maintenance limits, and which are combat-ready. That's intelligence data, and it's CUI.
Inspection Criteria and Defect Limits
Go/no-go criteria, defect limits, wear tolerances — documents that tell you when a component passes or fails inspection tell an adversary exactly where the thresholds are. If they know a component fails at X wear level, they know what it takes to push that component to failure. These documents are CUI.
Parts Data and Traceability Records
Parts traceability data for military equipment — serial numbers, lot numbers, part numbers, sources — can be CUI when it connects to controlled systems. A list of approved vendors for a specific military system component is controlled information. Your inventory management system, if it tracks defense parts, is likely in scope.
The work order sitting on your technician's desk describes the current maintenance status of specific military equipment by tail number. That's readiness data. That document needs to be in your CUI environment, not on a shared clipboard in the break room.
Depot vs. Field Level: How It Affects Your CMMC Scope
Military maintenance is organized in three levels, and where you operate affects the sensitivity of your CUI.
Organizational (Field) Level Maintenance
Field-level maintenance is done by the unit that operates the equipment — basic inspections, oil changes, tire rotations, filter replacements. The TOs for field-level work are simpler and cover basic tasks. If your MRO contract covers field-level work, your CUI load is lighter — you still have CUI, but it's less sensitive.
Intermediate Level Maintenance
Intermediate maintenance involves more complex repairs — component removal and replacement, bench testing, limited fabrication. The TOs are more detailed. Work orders describe component histories. You're now handling CUI that describes failure analysis and repair procedures in more depth.
Depot Level Maintenance
Depot maintenance is full overhaul — teardown, inspection to base metal, repair or replacement of every component, rebuild and testing. This is the deepest level of technical data. Your TOs and engineering orders cover structural details, manufacturing specs, and performance limits. This is the most sensitive CUI you can hold as an MRO contractor, and your CMMC environment needs to reflect that.
The Mixed Environment Problem
Most MRO shops do both commercial and military work on the same shop floor. A general aviation repair station that also does military overhaul work has to figure out how to handle the two in a compliant way.
CMMC doesn't require you to build a separate physical facility for defense work. It does require you to separate your CUI environment from your non-CUI environment. That separation can be logical (network segmentation, separate systems, access controls) rather than physical — but it needs to be real and documented.
Building a CUI Enclave for MRO
The enclave approach works like this:
- Identify all systems that touch military CUI — Your TO library, your military work order management system, the email accounts that receive controlled documents from your prime or the government. These are in the enclave.
- Put access controls on the enclave — Only personnel who work on military programs get access to the enclave systems. Your commercial avionics techs don't need access to military TOs.
- Document the boundary clearly — Your System Security Plan (SSP) needs to show exactly where the enclave starts and stops. Assessors will test this boundary.
- Keep commercial systems out of scope — Your commercial maintenance tracking system, your commercial customer billing system, your commercial parts inventory — if they never touch military CUI, they stay out of scope and you don't have to secure them to CMMC Level 2 standards.
Cost Estimates for MRO Operations
MRO shops in the 20–75 person range typically see costs in these ranges:
| Cost Component | Typical Range | Notes |
|---|---|---|
| Gap assessment | $8,000–$18,000 | MRO environments vary widely in complexity |
| Enclave design and network segmentation | $10,000–$25,000 | If you don't already have network separation |
| TO library migration to compliant platform | $5,000–$15,000 | Moving TOs from local drives to FedRAMP-authorized storage |
| Work order system evaluation/migration | $8,000–$20,000 | Aviation maintenance software varies in CMMC readiness |
| Policy documentation and SSP | $8,000–$18,000 | 14 required policies + maintenance-specific procedures |
| Security tools (EDR, MFA, SIEM) | $6,000–$14,000/year | Annual ongoing cost |
| C3PAO assessment | $20,000–$50,000 | Varies with size and complexity |
| Total first-year estimate | $65,000–$160,000 | Enclave approach reduces ongoing costs significantly |
The enclave approach, done right, dramatically reduces your ongoing compliance costs. A 50-person MRO shop with 15 people in the CUI enclave has a much smaller compliance footprint than one where all 50 are in scope.
The Readiness Data Problem
Here's a CMMC issue specific to MRO that most consultants miss: readiness data. Your completed work orders, your open squawk lists, your deferred maintenance items — when these documents describe the current condition of active military equipment by tail number or serial number, they're not just maintenance records. They're intelligence data.
An adversary who knows which aircraft are in depot, which are at their overhaul interval, and which have open maintenance discrepancies knows exactly what the operational capacity of a unit is. Protecting that information isn't just a compliance requirement — it's a genuine national security interest. Your CUI environment needs to treat completed work orders with the same care as TOs.
Frequently Asked Questions
Yes. Technical orders are controlled documents under ITAR and are explicitly listed as CUI under the Technical Data category. Your TOs describe exactly how military equipment is maintained, what its failure modes are, and what components are life-limited. That information is extremely valuable to adversaries. Treat every TO in your possession as CUI, store them in your compliant environment, and don't email them from personal accounts.
This is the classic mixed-environment problem. Your options are: (1) build a CUI enclave — a logically and/or physically separated environment for military work — so that your commercial work stays out of scope; or (2) bring your entire operation into compliance, which is expensive and usually unnecessary. The enclave approach is almost always the right answer. It requires carefully controlling which systems, devices, and people are in the enclave, but it can cut your compliance footprint dramatically.
Depot-level MRO typically involves deeper teardown and overhaul, which means more detailed technical documentation and more sensitive CUI. Field-level maintenance uses simpler TOs and may involve less sensitive data. But both can involve CUI — the distinction affects the sensitivity of the CUI you handle, not whether you have CUI. Assess your specific TO set to understand your CUI scope.
If mechanics use those tablets to access TOs, maintenance manuals, work orders, or inspection criteria that are CUI, then yes — those tablets are in scope. They need to be company-managed (enrolled in MDM), encrypted, and configured to your baseline. Company-issued tablets enrolled in Intune or JAMF and only allowed to access your compliant document system are the typical solution.
Budget 9–15 months from kickoff to certification. The fast track: get a gap assessment done immediately, identify your 5–10 biggest remediation items, tackle them in parallel, and book a C3PAO while you're remediating. The slow path — waiting until contracts start requiring it — means you'll be scrambling for an assessor when every other shop is scrambling too. There are only about 90 authorized C3PAOs for thousands of contractors.