The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
Find your CMMC path
No CUI, ITAR data, drawings, or contract attachments
Start →
Phase 1 (Nov. 10, 2025 – Nov. 9, 2026): primarily Level 1 and Level 2 self-assessments; DoD may include Level 2 C3PAO requirements at its discretion. Phase 2 (begins Nov. 10, 2026): adds Level 2 C3PAO certification for applicable contracts. What the phases mean for your contracts →

CMMC Compliance for Aerospace Suppliers: Levels, Scope, ITAR/CUI, and the Right Path in 2026

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance

Published: · Last verified:

Editorial research — not legal, contractual, or compliance advice, and not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before you act.


CMMC compliance for aerospace suppliers starts with the one question almost everyone gets backwards: what does your contract actually require — not what does “aerospace” require. There’s no rule that says “aerospace shop, therefore Level 2.” There’s a clause in a solicitation, a data type flowing into your systems, and a status the government wants to see in a database before you can win the award. Get those three straight and the fog clears fast.

Here’s the bottom line. If a Department of Defense (DoD) contract or subcontract requires a CMMC status, and your systems process, store, or transmit Controlled Unclassified Information (CUI)— and in aerospace, the technical data a prime hands you is often CUI once it’s marked or identified under the contract, frequently export-controlled on top of that — your planning baseline is CMMC Level 2, measured against NIST SP 800-171 Revision 2 and its 110 security requirements. Whether your Level 2 requires a self-assessment or a third-party C3PAO certification is set by the solicitation, not your revenue, employee count, or how long you’ve been making aerospace parts.

The rest of this page is the part that saves you money: the expensive failures in aerospace CMMC are almost never exotic security controls. They’re scoping mistakes — calling everything CUI, calling nothing CUI, treating ITAR compliance as if it covers cybersecurity, or writing off a 1998 CNC controller as “out of scope” without proving it. We read the rules, cross-checked the clauses against the Federal Register and the eCFR, and built the tables below so you don’t have to start from scratch.

Last reviewed June 2026

In short: for aerospace suppliers, the contract clause — not the word “aerospace” — sets your CMMC level. If your systems process, store, or transmit Controlled Unclassified Information, your baseline is CMMC Level 2 against NIST SP 800-171 Revision 2 and its 110 security requirements; the solicitation decides whether that Level 2 is self-assessed or a C3PAO certification.

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find My CMMC Path →
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. This page is informational, not legal or contractual advice.

Which CMMC path applies to your aerospace shop?

Use this to place yourself before you read further. It’s a starting hypothesis, not a determination — your contract and your data flows decide the real answer.

If this is your situationLikely CMMC pathFirst moveProvider category to consider first
You handle only FCI, never CUILevel 1 (Self) if the contract requires CMMCConfirm your data really is FCI-only; do the annual self-assessmentInternal IT / light readiness support
You receive CUI and the solicitation says Level 2 (Self)Level 2 self-assessmentBuild the SSP, score it, file the SPRS affirmationRPO / readiness, MSP, GRC tooling
You receive CUI and the solicitation says Level 2 (C3PAO)Level 2 third-party certificationGet fully ready before you schedule an assessorReadiness first, then a C3PAO
You support a critical/high-sensitivity program flagged for Level 3Level 3 (DIBCAC) after Final Level 2 C3PAOTreat it as a high-assurance program, not “Level 2 plus”Specialized readiness + DCMA DIBCAC prep
You don’t yet know what your contract or data saysDon’t guessMap your clauses and your FCI/CUI flow firstNeutral provider-category matching

Find your CMMC path

Answer a few questions about your contract type, data classification, and environment — no CUI, drawings, or ITAR data— and we’ll point you to the provider categories and source-checked provider options that fit your level, scope, and timeline.

Find My CMMC Path →

Does CMMC compliance actually apply to your aerospace shop?

CMMC applies because of a contract requirement and the data you handle, not because your company makes aerospace parts. If a DoD solicitation or subcontract requires a CMMC status, and the systems you’ll use to perform that work process, store, or transmit FCI or CUI, you need the required CMMC status for those systems. The narrow carve-out is for contracts and orders solelyfor commercially available off-the-shelf (COTS) items — not a blanket exemption just because your company catalog includes standard parts.

The trigger is the clause, not the industry label. Since the acquisition rule took effect on November 10, 2025, the requirement shows up in the solicitation through the DFARS clauses, and through November 9, 2028 a program office or requiring activity decides case-by-case whether to apply CMMC to a given procurement. Here’s how to read what landed in your contract.

Clause you seeWhat it isWhat it checks or requiresYour next move
DFARS 252.204-7012Safeguarding covered defense information + 72-hour cyber-incident reportingNIST SP 800-171 protections; a cloud holding CUI must meet FedRAMP Moderate (or DoD-recognized equivalency)Confirm your 800-171 implementation and your cloud posture
DFARS 252.204-7019Notice of the NIST SP 800-171 DoD assessment requirementA current self-assessment score (within 3 years) posted in SPRSPost or refresh your SPRS score
DFARS 252.204-7020NIST SP 800-171 DoD assessment requirementsDoD access for higher-level assessments; flow-down to subsBe ready to support a DoD assessment
DFARS 252.204-7021Contractor compliance with the required CMMC levelThe CMMC status your contract requires, maintained through performanceAchieve and maintain the required status
DFARS 252.204-7025Notice of CMMC level requirements (the solicitation provision)The required status — L1 Self, L2 Self, L2 C3PAO, or L3 DIBCAC — plus CMMC UID(s) and a current affirmation in SPRS before awardRead which status is required; that’s your target

Most aerospace suppliers don’t go looking for this. It finds them. A prime flows down a clause in a new purchase order. A customer’s supplier portal asks for your Supplier Performance Risk System (SPRS)score — SPRS being the DoD database where your CMMC status and affirmations are recorded for award eligibility. A drawing package arrives marked CUI. Or a single line in a solicitation says “Level 2 (C3PAO)” and the clock starts.


Which CMMC level do aerospace suppliers usually need?

If you handle only FCI, Level 1 may be the required path. If you handle CUI, Level 2is the normal planning baseline — but the solicitation determines whether that Level 2 is a self-assessment or a C3PAO certification. Level 3is reserved for the most sensitive programs and requires Final Level 2 C3PAO status first, followed by a government assessment. None of these is decided by your headcount or revenue; they’re decided by your data and your contract.

“Aerospace means Level 2” is usually directionally right but frequently imprecise. The CMMC Final Rule (32 CFR Part 170) defines four distinct statuses, and DFARS 252.204-7025 will name exactly one in your solicitation.

StatusWhat it protectsRequirementsWho assesses itRenewal & affirmation
Level 1 (Self)FCI15 requirements (FAR 52.204-21); no POA&M allowedYou (self-assessment)Annual self-assessment + annual affirmation in SPRS
Level 2 (Self)CUI110 requirements (NIST SP 800-171 Rev. 2)You (self-assessment)Self-assessment every 3 years + annual affirmation
Level 2 (C3PAO)CUI110 requirements (NIST SP 800-171 Rev. 2)An authorized C3PAO (Certified Third-Party Assessment Organization)Certification every 3 years + annual affirmation
Level 3 (DIBCAC)The most sensitive CUILevel 2 plus 24 selected requirements from NIST SP 800-172The government — DCMA DIBCAC (Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center)After Final Level 2 C3PAO; annual Level 2 and Level 3 affirmations
The 110 Level 2 requirements break into 14 control families and 320 assessment objectives— the granular pass/fail items an assessor actually scores, defined in NIST SP 800-171A. You’re not demonstrating 110 line items; you’re proving against 320 objectives. And don’t assume “self” is the default: DoD’s own analysis anticipates roughly 35% of the Defense Industrial Base will need a Level 2 C3PAO assessment versus only about 2% able to rely on self-assessment. Unless your solicitation says “Self,” don’t plan for it.

How does CMMC flow down — to you, and to your subcontractors?

Aerospace suppliers usually sit in the middle of a chain: you receive CUI from a prime, and you may pass CUI to your own lower-tier shops. The required CMMC status follows the information — not the company. For a prime contract, the DoD solicitation sets the level. For a subcontract, the prime flows down the correct level based on the FCI or CUI your systems will process, store, or transmit (32 CFR §170.23).

In practice that means three things. First, if you’re a subcontractor, your required level can differ from your prime’s — you can be Level 1 if you only receive FCI, even when the prime holds Level 2. Second, the flow-down stops where the data stops: a sub that never receives FCI or CUI isn’t pulled into CMMC at all. Third, the responsibility runs both directions — you’ll need to identify which of your own suppliers receive controlled data, flow the right clause to them, and track their CMMC status just as your prime is tracking yours.


Are your drawings actually CUI — and are they export-controlled?

In aerospace, drawings, models, specifications, and process data from a defense prime are the data types most likely to be CUI in your environment — specifically controlled technical information (CTI)— and they frequently carry an export-controlled marking because the underlying technology is regulated under ITAR(the International Traffic in Arms Regulations, 22 CFR Parts 120–130) or the EAR(Export Administration Regulations). But the controlling question is never “is this aerospace data?” It’s whether the specific artifact is marked, identified, or handled in a way that brings it into CUI scope under your contract.

DFARS 252.204-7012 defines “controlled technical information” and lists examples: engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses, and computer software executable code and source code. If a prime hands you a technical data package containing those items and they’re marked CUI, they’re in scope. But not everydocument in your building is automatically CUI — a generic material cert or an internal quote may not be.

Aerospace artifactLikely CUI/CTI?Could it be export-controlled (ITAR/EAR)?What actually decides itYour first move
Prime’s technical data package (drawings, models, specs)Often, as CTIFrequentlyContract markings + the CUI Registry category + DFARS 7012 treatmentCheck the markings; ask the prime if it’s unmarked
NC programs / toolpaths derived from CUI modelsOften (derivative of CUI)If the source data isWhether they’re generated from CUI and how they’re handledTreat as CUI unless you can show they’re not
First-article / inspection results tied to CUI drawingsSometimesIf tied to export-controlled dataWhether the results reveal CUIMap where those results are stored
Generic material certs / catalog data (no controlled detail)Often notUsually notWhether they contain controlled technical detailDon’t over-scope; document why it’s out
Your internal quotes / commercial RFQs (no government CUI attached)Usually notUsually notWhether a prime’s CUI rides alongKeep CUI attachments out of commercial tools

When something is unmarked or ambiguous: read your contract markings, confirm the category against the National Archives CUI Registry, and ask your prime. And one ITAR concept you can’t skip — the deemed export: releasing ITAR-controlled technical data to a foreign person, even a foreign-person employee in your U.S. facility or a cloud administrator located abroad, can be a regulated export. That single fact drives your biggest infrastructure decision, two sections down.

The one admission we owe you.

There is no shortcut here, and the two most common pieces of advice floating around aerospace are both traps. “All aerospace data is CUI, so just do full Level 2 and buy GCC High” oversells some shops into six figures they don’t need. “We’re ITAR compliant, so CMMC is handled” undersells the work and leaves real gaps. The unglamorous truth is that scoping correctly comes first— and it’s also the single biggest lever on your final bill. If you genuinely handle only FCI, stop here and use our Level 1 path — a vendor pushing you toward full Level 2 and GCC High when your data doesn’t support it is selling, not assessing.

Check your scope before you spend

Not sure whether your data lands in CMMC scope, or whether ITAR changes the picture? Describe your contract stage and environment at a high level — no CUI, drawings, or export-controlled content — and we’ll help you find the provider category that can pin down your scope before you commit a budget.

Check your CMMC scope path →

What’s actually in scope on an aerospace shop floor?

CMMC Level 2 scope is defined by where CUI lives, and 32 CFR §170.19 sorts every asset into one of five categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. For aerospace shops, the genuinely hard part is the shop floor and the engineering bench, because a single CUI drawing spawns derivative data — toolpaths, setup sheets, inspection results — that lands on machines people forget to inventory. Misclassifying those is the most expensive scoping mistake aerospace suppliers make.

This is our editorial application of §170.19 — not a determination. Classification is fact-specific; confirm each call in your System Security Plan (SSP) and with your assessor.

Aerospace asset or data typeWhat it usually is§170.19 asset categoryHow it’s treated in a Level 2 assessmentCommon aerospace mistake
Technical data package from a prime (drawings, models, specs)CUI, often export-controlled CTICUI AssetAssessed against all 110 requirementsReceiving or storing it in commercial email or file shares
PLM/PDM system holding drawings & specsCUI Asset (if CUI lives there)CUI AssetAssessed against all 110 requirementsTrusting a vendor “secure” claim without checking responsibilities
CAM / NC-programming workstation (generates toolpaths from CUI models)Processes CUICUI AssetAssessed against all 110 requirementsTreating the programmer’s PC as out of scope
DNC server / network share distributing NC programsCUI Asset if the programs are CUI; otherwise specializedCUI Asset or Specialized AssetFull assessment, or (if specialized) documented and SSP reviewedAssuming all shop-floor servers are automatically out of scope
CNC machine controllerOperational tech that can’t be fully securedSpecialized Asset (OT)Documented in inventory, SSP & network diagram; SSP reviewed; not assessed against the other requirementsLeaving OT out of the asset inventory entirely
CMM / inspection / first-article stationOT; a CUI Asset if it stores CUI-linked resultsSpecialized Asset (or CUI Asset)If specialized: documented and SSP reviewed, not assessed against other requirementsNot segmenting inspection systems from the CUI environment
ERP/MRP (routings/travelers referencing CUI)Can, but isn’t intended to, hold CUIContractor Risk Managed Asset (or CUI Asset)SSP reviewed; not assessed unless documentation raises questions, then a limited checkDesignating it “risk-managed” with no rationale in the SSP
Firewalls, EDR, SIEM, identity provider, VPN (and your MSP’s tools)Provide security functions to in-scope assetsSecurity Protection AssetAssessed against the requirements relevant to the functions they provideForgetting your MSP’s tooling is in scope as a service provider
Guest Wi-Fi, public marketing site, commercial-only quoting tools (no CUI)No CUI, no security roleOut-of-ScopeNot assessed — but you must justify the separationCalling it “separate” with no physical or logical separation to prove it

Specialized Assets— your legacy CNC controllers, PLCs, IIoT sensors, and test equipment — are documented and managed under your risk-based policy, and the assessor reviews your SSP for them, but at Level 2 they are not assessed against the other security requirements. “It’s old” isn’t the argument; “it’s documented and managed, here’s the SSP and the network diagram” is.

The limited checkbelongs to Contractor Risk Managed Assets — if your documentation raises questions, the assessor can perform a limited check, and §170.19 says that check can’t materially increase your assessment’s cost or duration.


GCC High, AWS GovCloud, or an encrypted enclave?

CMMC does not require any specific cloud. The real drivers are DFARS 252.204-7012, which requires that a cloud service handling CUI meet the FedRAMP Moderate baseline (or DoD-recognized equivalency), and ITAR, which requires that export-controlled technical data not be exposed to foreign persons. For aerospace suppliers handling export-controlled CUI, that practically leaves three paths: a U.S.-sovereign cloud such as Microsoft 365 GCC High or AWS GovCloud; a FIPS-validated end-to-end encryption enclave; or staying on commercial Microsoft 365 / Google Workspace, which only works if you truly handle FCI and no CUI.

PathWhat it isSatisfies DFARS 7012 for CUI?Handles ITAR/EAR data?Best-fit aerospace scenarioScope & cost implication
Commercial M365 / Google WorkspaceStandard commercial cloudNot the CUI path — not FedRAMP-authorized for CUINo — data can sit abroad; foreign-person admins are an export riskOnly FCI-only shops with zero CUILowest cost, highest risk if any CUI appears
U.S.-sovereign cloud (M365 GCC High / AWS GovCloud)Government-community cloud, U.S. data residency, U.S.-person supportYes — when the specific offering is FedRAMP Moderate-or-higher (or equivalent) and you implement your half of the responsibilitiesYes — U.S. data residency + U.S.-person access support ITAR/EARA shop handling export-controlled data that wants the prime-aligned defaultMigration cost + per-seat premium; tends to widen scope across the tenant
FIPS-validated end-to-end encryption enclaveA managed CUI enclave where data is encrypted before it leaves your boundary and keys are never held by foreign personsYes for the cloud side — but only if the specific service offering meets FedRAMP Moderate or equivalencyYes — via the 22 CFR §120.54 carve-out: properly encrypted data isn’t a deemed export even if cloud staff are foreign personsA shop that wants to confine CUI to an enclave and avoid a full sovereign-cloud migrationCan sharply reduce assessment scope and cost; CUI stays inside the enclave

The enclave route and 22 CFR §120.54:

The State Department’s encryption carve-out at 22 CFR §120.54 says that storing or transmitting unclassified ITAR technical data is not an export when: the data is secured with end-to-end encryption using FIPS 140-2 (or later) validated cryptographic modules; it’s encrypted before it leaves the sender’s boundary and stays encrypted until the intended recipient; the means of decryption is not given to any third party and no foreign personholds the keys; and it isn’t intentionally sent to or stored in a proscribed country. But treat encryption as an enabler, not a finish line: it addresses the export-release question, not DFARS 7012 or CMMC by itself.

Before you commit to a cloud or service provider, gather the evidence §170.19 actually expects:

  • The specific offering’s FedRAMP status (Authorized at Moderate or higher) or DoD-recognized equivalency evidence — with the date.
  • The Customer Responsibility Matrix (CRM) — exactly which controls the provider covers and which are yours.
  • The provider’s service description, and how the relationship is documented in your SSP.
  • Whether the provider processes, stores, or transmits CUI or Security Protection Data — that determines how it’s scoped as an External Service Provider (ESP).
  • Key custody and support-personnel access — the ITAR foreign-person question, answered in writing.

Compare provider categories

Building an environment that satisfies DFARS 7012 andITAR without over-buying is implementation work — and the right category depends on your path. Compare them side by side before you sign anything.

Compare CMMC provider categories →

What does CMMC compliance cost an aerospace supplier?

Cost depends far more on your CUI footprint, your starting maturity, your cloud path, and your assessment type than on your employee count. There is no public C3PAO rate card. The most authoritative numbers come from DoD’s own Regulatory Impact Analysis in the CMMC Final Rule (32 CFR Part 170): for a small entity, DoD modeled a Level 2 self-assessment at roughly $34,277 initially and $37,196 over three years, and a Level 2 C3PAO certification at about $101,752 initially and $104,670 over three years — including a modeled $31,234 C3PAO assessment engagement. Other-than-small entities run higher.

The caveat that makes those numbers honest:

DoD’s figures assume you have already implemented NIST SP 800-171 Rev. 2. They cover getting assessed and affirming — not becoming compliant. The money that actually hurts is everything before the assessor walks in.

Cost componentWhat it coversWhere the dollars go
DoD-estimated assessment + affirmationThe C3PAO engagement and SPRS affirmations (or self-assessment effort)~$37,196 (L2 Self, 3-yr) to ~$104,670 (L2 C3PAO, 3-yr) per the 32 CFR Part 170 analysis
Gap remediationImplementing the controls you don’t yet meetUsually the largest line item; scales with how far you are from done
SSP & POA&M documentationWriting and maintaining the security plan and the gap-tracking planA heavy lift if you’re starting from scratch
Cloud moveSovereign-cloud migration vs. an encrypted enclaveA six-figure swing depending on path and tenant size
OT / shop-floor remediationSegmenting and documenting CNC/PLC/CMM systemsAn aerospace-specific cost most generic estimates ignore
Ongoing maintenanceOperating the controls, monitoring, recertifyingRecurring; budget for it from day one

The aerospace-specific drivers that move the number: export-controlled data forcing a sovereign-cloud decision, shop-floor OT pulling more assets into scope, and multiple facilities or CAGE codes (the Commercial and Government Entity codes identifying each of your locations to DoD). The cheapest path to a defensible scope is usually a tight boundary plus an enclave, not a company-wide rebuild.

See scoped quotes, not sticker prices

A useful number starts with scope, not a generic “CMMC package.” Share your level, environment, and timeline — no CUI— and we’ll route you to matched provider categories so you can request scoped quotes you can actually compare.

Request scoped provider-category options →

Level 2 self-assessment vs. Level 2 C3PAO: how do you know which applies?

The security requirements are identical — 110 NIST SP 800-171 Rev. 2 requirements either way. What changes is who verifies them. A Level 2 self-assessment is performed by your organization and submitted to SPRS; a Level 2 C3PAO assessment is performed by an authorized third party, whose results flow through the CMMC instance of eMASS(the government’s assessment system of record) and are then transmitted to SPRS. The solicitation’s DFARS 252.204-7025 entry tells you which one your contract demands.

POA&M and Conditional status — the limited bridge:

A Plan of Action and Milestones (POA&M) can earn you a Conditionalstatus for eligible items — but you must close them out and confirm it through a closeout assessment within 180 days of the Conditional CMMC Status Date, or, per 32 CFR §170.21, the Conditional status expires. Not everything is POA&M-eligible — Level 1 allows none — and the highest-weighted requirements generally can’t be deferred.

What CMMC UID and SPRS evidence should you have before award?

Before award, DFARS 252.204-7025 requires you to have your current CMMC status and a current affirmation in SPRS for each in-scope system — and to provide the CMMC unique identifier (CMMC UID) for each. A CMMC UID is 10 alphanumeric characters assigned to each CMMC assessment and reflected in SPRS for each contractor information system; SPRS issues it once your assessment results are entered. Missing any of those for an in-scope system can make you ineligible for the award.


When does Level 3 actually apply — and which NIST version controls?

Level 3 matters when a contract requires enhanced protection for the most sensitive CUI on critical programs — not simply because a company works in aerospace. Under the current rule, Level 3 requires Final Level 2 (C3PAO) status first, then a government assessment by DCMA DIBCAC against 24 selected requirementsdrawn from NIST SP 800-172. Your Level 3 scope must sit inside your Level 2 scope, and any Level 2 POA&M items must be closed before the Level 3 assessment begins.

A precision point worth stating: The assessing agency is DCMA DIBCAC— the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center — not DCSA. The eCFR itself names DCMA DIBCAC.

NIST SP 800-171 Revision 3 is not the controlling version for CMMC. The CMMC Final Rule still incorporates NIST SP 800-171 Revision 2 for Level 2 and selected NIST SP 800-172 (February 2021)requirements for Level 3, and that remains true unless and until DoD amends the rule. If a vendor is building your program around Rev. 3 today, that’s a red flag.


Does AS9100 or NADCAP cover any of this?

No. AS9100 (the aerospace quality management standard) and NADCAP(the National Aerospace and Defense Contractors Accreditation Program for special processes) govern how you make and inspect parts — not how you protect Controlled Unclassified Information. A disciplined AS9100 program is a genuine head start on the habitsCMMC rewards: configuration control, document management, audit readiness, evidence trails. But AS9100 or NADCAP certification doesn’t satisfy any of the 110 NIST SP 800-171 requirements by itself — any overlap has to be mapped and evidenced requirement by requirement.

Treat CMMC as a distinct cybersecurity obligation that runs alongside your quality system, owned by people who understand your IT and OT — not folded into a quality manual.


Your first 30, 60, and 90 days

The first move is not buying software or scheduling a C3PAO. It’s triage: collect the contract clauses, map where FCI and CUI flow, define a preliminary scope, confirm your SPRS and assessment status, and only then choose the provider category that fits the gap.

Days 0–30 — Contract and data triage

Pull the solicitation, subcontract, purchase order, and statement of work — plus a DD Form 254 and any security classification guidance if a program provides one. Identify the clauses: DFARS 252.204-7012, -7019, -7020, -7021, and -7025. Determine which data categories are actually present — FCI, CUI, controlled technical information, export-controlled CUI, ITAR/EAR. Find where the data enters: email, portal, secure file transfer, PLM/PDM, ERP, file share. Do not upload CUI, ITAR data, or drawings into any intake form, including ours.

Days 31–60 — Scope and SSP baseline

Build a preliminary asset inventory and a CUI data-flow diagram. Classify each asset into the five §170.19 categories. Draft or update your SSP. Identify your current SPRS score and your last assessment date if you have one. List your gaps as a working POA&M so you know the size of the climb.

Days 61–90 — Provider category and evidence plan

Decide what you actually need — readiness/RPO, MSP/MSSP, an enclave or cloud implementation, GRC/evidence tooling, export-control counsel, or a C3PAO. Stand up an evidence repository. Confirm the Customer Responsibility Matrix for any cloud or service provider. Build a flow-down tracking process for the subcontractors you pass CUI to. Schedule a C3PAO assessment only when your scope and evidence are mature.

Take the checklist with you

Want this as a working document? Download our CMMC Readiness Checklist— mapped to the control families and the 30/60/90 sequence above — and use it to run your own gap review before you spend a dollar on tools or assessors.

Download the CMMC Readiness Checklist →

Which provider category should you talk to first?

Most aerospace suppliers should notstart with a C3PAO unless they are genuinely assessment-ready. If your scope, SSP, evidence, cloud responsibilities, OT treatment, subcontractor flow-down, or SPRS status is unclear, start with readiness or managed-compliance help first. There’s a conflict-of-interest line behind this, set by the Cyber AB’s assessment rules: an organization that prepared you generally cannot also be the C3PAO that certifies you where that creates an unresolved conflict — and during a certification assessment, the assessor cannot give you implementation advice or promise an outcome.

Provider categoryUse them whenDon’t use them whenWhat to verifyThe conflict to watch
RPO / readiness / vCISOScope is unclear; you need an SSP, policies, POA&M, and a readiness planYou’re already assessment-readyCMMC track record; that their own tooling is documented as a service provider in your scopeDon’t expect your assessor to also be your fixer
MSP / MSSP / managed complianceYou need ongoing control implementation — identity, endpoints, logging, monitoringYou only need a one-time gap assessmentA Customer Responsibility Matrix and clear admin-access documentationTheir access makes them in-scope; pin down responsibilities early
Sovereign-cloud / enclave providerYou need to confine CUI, fix tenant decisions, or stand up secure collaborationYou handle only FCI and no CUICurrent FedRAMP status (or equivalency) and key custody“The tool” is never the whole CMMC solution
GRC / evidence softwareYou need control mapping, evidence workflows, continuous-compliance operationsYou expect software alone to make you compliantThat it maps to NIST SP 800-171 Rev. 2 specificallySoftware supports compliance; it doesn’t equal it
C3PAO / assessorYour scope and evidence are mature and a contract requires C3PAO statusRemediation isn’t finishedCurrent authorization on the Cyber AB MarketplaceCan’t also be your readiness consultant where it creates an unresolved conflict
Export-control counselITAR/EAR classification, deemed-export and foreign-person-access questionsYour data has no export dimensionRelevant ITAR/EAR experienceKeep export advice distinct from cybersecurity work

A useful authority signal as you shop: the CMMC Assessment Process is explicit that neither the Cyber AB, the CMMC training body, nor DoD personnel provide recommendations or facilitate introductions to C3PAOs — and a C3PAO can’t guarantee or promise a certification result. Understanding the categories yourself matters before you engage anyone.

Get matched with source-checked provider options

When you’re ready, skip the cold-Googling. Tell us your level, scope, and timeline — no CUI required— and we’ll match you with the provider category that fits your current stage, from readiness to managed compliance to assessment.

Get matched with source-checked provider options →

The aerospace-specific mistakes that cause failed readiness

The biggest aerospace CMMC failures aren’t obscure technical controls. They’re scope decisions made on assumptions. Here are the seven we see most, with the fix for each.

  1. “We’re ITAR compliant, so CMMC is covered.” They’re different programs. Separate your export-control obligations from your cybersecurity status and address both.
  2. “All our aerospace data is CUI.” Maybe — but prove it per document, using contract markings, the CUI Registry category, and the DFARS 7012 definition, not a blanket assumption that inflates your scope and your bill.
  3. “Only the original marked drawing matters.” The derivatives matter too: NC programs, setup sheets, printouts, inspection results, and the subcontractor packages you build from CUI.
  4. “Our CNC machines are old, so they’re out of scope.” Document specialized assets and prove segmentation. Age isn’t an exemption; demonstrated management and separation are.
  5. “The C3PAO will tell us what to fix.” A readiness review can validate scope, but the certification assessor is not your remediation consultant and cannot guarantee an outcome.
  6. “Our MSP handles everything.”Require a Customer Responsibility Matrix, service descriptions, and admin-access mapping. Your provider’s access and evidence obligations are part of your assessment.
  7. “Subcontractors are the prime’s problem.” If you flow CUI down, you carry flow-down obligations of your own under the rule. CMMC isn’t only an internal IT project.

Every one of these is a place to lose months. Every one is avoidable with scoping done first.


Which aerospace suppliers have publicly reached Level 2?

Aerospace and space manufacturers across sizes have publicly announced Level 2 — drawn from each company’s own announcement. These outcomes are company-stated and not a promise of your result. Confirm any provider’s current standing on the Cyber AB Marketplace before relying on it.

CompanyAerospace / space categoryAnnounced status (company-stated)C3PAO namedAnnounced
Capella SpaceSpace tech / satellite dataCMMC Level 2KratosMay 2025
Qarbon AerospaceComposite components & assembliesCMMC Level 2RedspinAug 2025
Ascent AeroSystemsSmall unmanned aircraft (UAS)CMMC Level 2 (reported perfect 110/110)Not stated in releaseOct 2025
Machina LabsAdvanced manufacturing / roboticsCMMC Level 2Not stated in releaseJan 2026
Stell EngineeringAerospace & defense softwareCMMC Level 2 (using a managed CUI enclave)Not stated in releaseMar 2026

As of the Cyber AB’s March 2026 town hall, there were 103 authorized C3PAOs and 759 certified assessors, and roughly 1,000 organizationshad reached Level 2 — about 1% of the 80,000-pluscompanies DoD estimates will ultimately need it. The Aerospace Industries Association (cited by Reuters, Feb. 2026) put the aerospace small-business share at around 88%. The real bottleneck isn’t assessor availability — it’s readiness. Counting back from Phase 2 (November 10, 2026), the urgent move isn’t to panic-schedule an assessor — it’s to start getting ready now, because readiness is the long pole.


What we verified for this page

Verified — Last verified :

  • The CMMC Program rule (32 CFR Part 170) became effective December 16, 2024, and the acquisition rule (48 CFR / DFARS) became effective November 10, 2025— confirmed on the Federal Register, the eCFR, and the DoD CIO CMMC site.
  • The four solicitation statuses — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), Level 3 (DIBCAC) — confirmed verbatim in DFARS 252.204-7025.
  • The five Level 2 asset categories and their treatment — including that Specialized Assets are documented and SSP-reviewed but not assessed against the other Level 2 requirements, and that the limited checkapplies to Contractor Risk Managed Assets — confirmed in 32 CFR §170.19.
  • The CSP/ESP rule and the requirement to document the Customer Responsibility Matrix— confirmed in §170.19 (Table 4) and DFARS 252.204-7012.
  • The 180-dayConditional POA&M closeout — confirmed in 32 CFR §170.21.
  • DoD’s small-entity cost estimates (~$34,277 / $37,196 for Level 2 Self; ~$101,752 / $104,670 for Level 2 C3PAO, including a ~$31,234 assessment line) — from the 32 CFR Part 170 Regulatory Impact Analysis. These cover assessment and affirmation only and assume NIST SP 800-171 Rev. 2 is already implemented.
  • Level 2 maps to NIST SP 800-171 Revision 2 and Level 3 adds 24 selected NIST SP 800-172requirements; Rev. 3 is not the controlling CMMC version — confirmed in the eCFR text.
  • The ITAR end-to-end-encryption carve-out conditions at 22 CFR §120.54 — confirmed in the regulation.
  • Marketplace figures (103 authorized C3PAOs, 759 assessors, ~1,000 Level 2 certifications) reflect the Cyber AB’s March 2026 town hall and update monthly.

For how we research and correct our work, see our Methodology, Editorial Standards, and Corrections pages.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This page does not contain named provider rankings, endorsements, or “best provider” awards; provider-matching forms may generate referral or lead-routing compensation, disclosed under our Editorial & Advertising Policy.


Frequently asked questions: CMMC compliance for aerospace suppliers

Do aerospace suppliers need CMMC certification?

It depends on your data and your contract. If you handle CUI and the solicitation requires Level 2 (C3PAO) or Level 3, yes — you need a certification assessment by an authorized C3PAO or by DCMA DIBCAC. If you handle only FCI, or CUI under a Level 2 (Self) requirement, you need a CMMC status achieved by self-assessment, not a third-party certification. Either way, the requirement flows down to subcontractors, and contracts solely for COTS items are excepted.

What CMMC level do aerospace suppliers usually need?

Level 1 if you handle only FCI; Level 2 if you handle CUI. Whether your Level 2 is a self-assessment or a C3PAO certification is set by the solicitation, not by your industry or your size. Level 3 is a narrow, high-sensitivity path assessed by DCMA DIBCAC.

Is CMMC Level 2 always a C3PAO assessment?

No. Level 2 comes in two forms — self-assessment and C3PAO certification — and the contracting officer specifies which in the DFARS 252.204-7025 provision. Both require the same 110 requirements and an annual affirmation in SPRS, but DoD expects far more contractors to need the C3PAO path than the self path.

Is ITAR data the same as CUI?

They can overlap but they are different programs. ITAR-controlled technical data is commonly treated as CUI for cybersecurity purposes, so your CMMC controls apply — but ITAR’s export and foreign-person-release obligations are separate, and ITAR compliance does not make you CMMC ready.

Are engineering drawings CUI?

Often, but not automatically. DFARS 252.204-7012 lists engineering drawings, specifications, process sheets, technical reports, data sets, and source code as examples of controlled technical information; they become CMMC-scope CUI when they’re marked or identified under the contract or handled in performance of it. Confirm against the contract, the markings, the CUI Registry category, and your prime.

Are CAD files and CNC programs in CMMC scope?

If they contain or are derived from CUI, yes. A CAM workstation that generates toolpaths from a CUI model is typically a CUI Asset assessed against all 110 requirements; a CNC controller is often a Specialized Asset that is documented and SSP-reviewed but not assessed against the other requirements. Both must be inventoried and shown on your network diagram.

Does buying GCC High make an aerospace supplier CMMC compliant?

No. A U.S.-sovereign cloud like GCC High or AWS GovCloud can be the correct environment for export-controlled CUI under DFARS 252.204-7012 and ITAR, but it addresses infrastructure only. You still have to implement and prove the 110 requirements.

Do subcontractors need CMMC if we send them CUI?

Yes — flow-down depends on whether they process, store, or transmit FCI or CUI. If you pass CUI to a lower-tier supplier, you carry flow-down obligations under the rule, and the required level depends on the data they receive.

What is SPRS and why is my prime asking for it?

SPRS — the Supplier Performance Risk System — is the DoD database where CMMC status and affirmations are recorded. Primes and contracting officers check it to confirm your status before award, which is why a portal request for your SPRS score is often the first sign CMMC has reached you.

What is a CMMC UID?

A CMMC unique identifier is 10 alphanumeric characters assigned to each CMMC assessment and reflected in SPRS for each contractor information system. DFARS 252.204-7025 requires you to provide your CMMC UID(s) in your proposal for each system that will handle FCI or CUI during performance.

Can a C3PAO help us remediate before the assessment?

Generally no. Under the Cyber AB’s rules, an organization that prepared you can’t also certify you where that creates an unresolved conflict of interest, and during a certification assessment the assessor can’t provide implementation advice or guarantee an outcome. Use a readiness firm or RPO to get ready, then engage a separate C3PAO.

What happens if we get a Conditional Level 2 status?

A Conditional status lets you proceed with a Plan of Action and Milestones for eligible gaps, but you must close them out and confirm it within 180 days of the Conditional CMMC Status Date under 32 CFR §170.21, or the Conditional status expires. The highest-weighted requirements generally can’t be deferred.

How much does CMMC cost for aerospace suppliers?

DoD’s Regulatory Impact Analysis estimates a small entity’s Level 2 self-assessment at about $37,196 over three years and a Level 2 C3PAO certification at about $104,670 over three years — but those figures assume NIST SP 800-171 Rev. 2 is already implemented. Real all-in cost is driven by remediation, your cloud path, and OT scope, and varies widely.

Does NIST SP 800-171 Revision 3 apply to CMMC Level 2 yet?

No. CMMC Level 2 still maps to NIST SP 800-171 Revision 2 under 32 CFR Part 170, and Level 3 uses selected NIST SP 800-172 (February 2021) requirements, unless and until DoD amends the rule. NIST publishing Rev. 3 did not change the controlling CMMC version.

What should we do first if our prime just flowed down CMMC?

Don’t buy tools or call an assessor yet. Pull the contract clauses, map where FCI and CUI flow, define a preliminary scope, and check your SPRS status — then choose the provider category that fits the gap. Scoping first is the biggest lever on both your timeline and your cost.


Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Find My CMMC Path →

No CUI, ITAR data, drawings, or contract attachments — this intake is for buyer-need routing only.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. Independent publication — not affiliated with the Department of Defense, the Cyber AB, DCMA DIBCAC, NIST, or any U.S. government agency. Educational content only — not legal, contractual, or compliance advice. Consult a CMMC Registered Practitioner or qualified attorney before making compliance decisions. Read our editorial review process.

Which provider category fits your situation

Related guides

Primary sources

Editorial disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. Not affiliated with the Department of Defense, the Cyber AB, DCMA DIBCAC, NIST, or any U.S. government agency. Read our editorial review process. Last verified: .

Your situation changes the answer

Find My CMMC Path

The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.

Find My CMMC Path →