San Antonio: The Air Force's Cyber Capital
San Antonio's defense identity has evolved dramatically over the past decade. Once known primarily as a military medical and training hub — Fort Sam Houston hosts the Army's Medical Center of Excellence, and Lackland handles Basic Military Training for every Air Force recruit — the city has become one of the most important locations for American cybersecurity and digital warfare operations.
The key driver: 16th Air Force (Air Forces Cyber) at Lackland AFB. This command manages the Air Force's cyber and information warfare missions, including offensive cyber operations, electronic warfare, intelligence, surveillance, and reconnaissance. The 24th Air Force (Air Forces Cyber's numbered air force predecessor) consolidated cyber missions here starting in 2009. Today, Lackland is home to more cyber warriors than almost anywhere else in the world — and the contractor community supporting them handles some of the most sensitive cybersecurity operational data in American defense.
NSA Texas, also at Lackland, brings a major signals intelligence mission. Port San Antonio — the redeveloped former Kelly Air Force Base — hosts over 80 defense technology companies on a 1,900-acre campus that has become one of the most significant defense tech clusters in Texas.
"San Antonio's cyber contractors may already have strong technical security postures. But CMMC requires documented compliance — and that's a different skill set than running a good security operations center."
San Antonio's Defense Landscape
16th Air Force (Air Forces Cyber) and 24th Air Force headquarters drive the largest concentration of defense cyber contractors in Texas. These companies handle operational cybersecurity data, cyber threat intelligence, and information warfare program information — all high-sensitivity CUI environments.
The Army's Medical Center of Excellence at Fort Sam Houston and Air Education and Training Command at Randolph support extensive contractor ecosystems. Medical and training program data constitutes CUI, and the contractors here need CMMC just as much as the cyber firms at Lackland.
A 1,900-acre campus hosting over 80 defense companies including aerospace maintenance, cybersecurity firms, logistics operations, and defense tech startups. Almost all of the defense work here involves CUI, making CMMC compliance essentially universal for Port SA defense tenants.
NSA Texas brings a major signals intelligence mission to San Antonio. Contractors supporting NSA programs face some of the most complex CMMC scoping challenges — the line between classified and unclassified work is critical to get right.
Major Defense Employers in San Antonio
- Booz Allen Hamilton: Major presence supporting 16th Air Force and NSA Texas cyber programs. Supply chain includes numerous smaller IT and cyber firms.
- Leidos: Defense IT, health IT (Tricare program management), and cyber operations support throughout JBSA.
- SAIC: Systems integration, IT services, and cybersecurity for Air Force and Army programs at JBSA.
- CGI Federal: IT modernization and program management support. Significant San Antonio presence driven by JBSA's large IT footprint.
- Accenture Federal Services: Digital transformation and cybersecurity programs. Growing San Antonio presence tied to cyber mission growth.
- DXC Technology / ManTech: IT services and cyber support across JBSA installations.
- Boeing Defense (Port SA): Aerospace maintenance and modifications at Port San Antonio. Technical maintenance data is CUI.
Many San Antonio cyber firms have the technical controls but lack the documentation CMMC requires. We'll build you a complete compliance package from your actual environment — so you're not starting from scratch, and nothing gets missed.
Take the Free Readiness Check →Types of Defense Work in San Antonio
- Cyber operations support: Supporting 16th Air Force cyber missions — threat intelligence, defensive cyberspace operations, cyberspace capability development. Dense CUI, sometimes adjacent to classified work.
- IT services and cloud: Network management, cloud migration, and IT modernization for JBSA's large installed base. All CUI — Level 2 required.
- Military medical: Contractor support for the Military Health System and Tricare programs at Fort Sam Houston. Health data is specifically designated CUI under DoD frameworks.
- Aerospace maintenance: Aircraft maintenance, modification, and sustainment at Port San Antonio. Technical manuals and maintenance procedures for military aircraft constitute CUI.
- Training and simulation: Contractor support for pilot training, cyber warrior training, and military occupational specialty training at Randolph and Lackland. Training system data can be CUI depending on content.
Local Resources for San Antonio Defense Contractors
Free procurement assistance for San Antonio defense businesses. CMMC compliance guidance, DFARS clause review, and vetted consultant referrals. The APEX team in San Antonio has familiarity with JBSA contracting requirements across all three installations. Start here before engaging private consultants.
The UTSA NSCC is a research and collaboration hub focused on cybersecurity and national security. The NSCC has programs supporting small defense-focused companies with cybersecurity guidance including CMMC compliance support. Particularly valuable for defense cyber startups that may lack compliance program expertise despite strong technical security postures.
Port SA provides business development support and resources to its tenant defense companies, including connections to defense compliance resources and contracting opportunities. If you're a Port SA tenant, their business development team is a valuable first point of contact for navigating CMMC alongside your other JBSA contracting requirements.
What San Antonio Contractors Should Do Right Now
San Antonio's unique position as a cyber hub creates both advantages and specific challenges for CMMC compliance:
- Don't confuse strong cybersecurity with CMMC readiness. Many SA cyber firms have excellent technical controls but lack the documentation CMMC requires. Your System Security Plan (SSP) and Plan of Action and Milestones (POA&M) need to exist and be accurate before assessment. Documentation is often the gap.
- Scope cyber operations work carefully. Work supporting 16th Air Force and NSA Texas can sit at the boundary between classified and unclassified environments. Get expert help scoping your CMMC boundary before starting an assessment — the cost of getting this wrong is significant.
- Contact the APEX Accelerator or UTSA NSCC first. Both provide free or subsidized CMMC guidance. Get your baseline before committing to private consulting at full rates.
- Submit your SPRS score. Booz Allen, Leidos, SAIC, and CGI Federal are all actively reviewing supplier SPRS scores. A missing score is a red flag in competitive procurement evaluations.
- Position for the market growth. San Antonio's defense tech corridor is growing. Contractors who establish CMMC credentials now are positioning for the wave of new contract opportunities that comes with 16th Air Force's expanding mission.
Frequently Asked Questions
16th Air Force (Air Forces Cyber) at Lackland AFB is the Air Force's cyber and information warfare command. Contractors supporting 16th Air Force programs handle some of the most sensitive cybersecurity operational data in the military. CMMC Level 2 is essentially universal for these companies. Some programs may require Level 3 — your contracting officer should clarify, but assume Level 2 at minimum.
It helps significantly, but it's not the same thing. CMMC Level 2 requires implementing all 110 NIST SP 800-171 controls AND documenting that implementation in a System Security Plan (SSP), Plan of Action and Milestones (POA&M), and other required artifacts. Many San Antonio cybersecurity firms have strong technical controls but lack the documentation discipline CMMC requires. Assessment-ready means documented, not just technically sound.
Port San Antonio is the redeveloped former Kelly Air Force Base, now a 1,900-acre aerospace, cybersecurity, and defense technology campus hosting over 80 companies. Most of the defense work at Port SA involves CUI — from aerospace maintenance technical data to cyber program work — making CMMC compliance essentially universal for Port SA defense tenants.
The UTSA National Security Collaboration Center (NSCC) is a cybersecurity and national security research hub. The NSCC has programs supporting small defense-focused companies with cybersecurity guidance including CMMC compliance support. Particularly valuable for defense cyber startups that may lack compliance program expertise despite strong technical security postures.
Significantly. The Air Force's consolidation of cyber and information operations at Lackland has made San Antonio one of the most important Air Force installations for digital warfare. NSA Texas brings a major intelligence mission. Port San Antonio continues attracting new defense tenants. Contractors who establish strong CMMC credentials now are positioning for substantial contract growth over the next decade.
Get your CMMC documentation — built by practitioners who understand San Antonio's cyber defense ecosystem
Take our free readiness check and get your C3PAO-ready documentation package — built from your actual environment, verified by practitioners who understand 16th Air Force supply chains and know the difference between technical security and documented CMMC compliance.
Take the Free Readiness Check →Takes 5 minutes. No sales call required.
Or see pricing & packages →