CMMC compliance: Industry insights for aerospace and manufacturing
Make sure your aerospace and manufacturing firm is CMMC ready by preparing for accelerated compliance timelines, achieving Level 2 certification, including Operational Technology (OT) in your security plans, understanding shared responsibilities with ESPs/CSPs, and anticipating expanding federal cybersecurity regulations.
The aerospace and manufacturing industry faces unique challenges. With CMMC requirements already being included in DoD solicitations, prime contractors already pushing requirements downstream and federal agencies ramping up enforcement, the pressure is mounting. Here’s what those in the aerospace and manufacturing industries need to know about why readiness is no longer optional.
The reality of accelerated compliance timelines
The official phased rollout of CMMC provides a timeline extending over several years. However, compliance pressure will likely accelerate for aerospace and manufacturing firms.
- Prime contractor dynamics: Prime contractors are already flowing down CMMC requirements to their subcontractors, often well ahead of official deadlines.
- Contracting officer discretion: DoD contracting officers are already including CMMC requirements in contracts. Companies already face compliance requirements, regardless of the phased timeline.
For firms handling a high volume of contracts or pursuing renewals, the chances of encountering CMMC requirements sooner are significantly higher. Once a single contract includes CMMC language, compliance must become an enterprise-wide initiative to avoid inefficiencies.
Key insight: Don’t wait for official deadlines. Prepare for CMMC requirements now to avoid delays and ensure eligibility for future contracts.
Why most aerospace and manufacturing firms will require Level 2 certification
While the DoD initially estimated that only a limited percentage of companies would require CMMC Level 2 certification, real-world pressures are driving more organizations to this level. Industry trends suggest that the majority of aerospace and manufacturing firms will ultimately need Level 2 certification.
- Prime-driven expectations: Primes are pushing for Level 2 certification across their supply chains to streamline compliance and reduce risks.
- Operational necessity: Level 2 certification ensures subcontractors are ready to handle Controlled Unclassified Information (CUI), a critical requirement for many defense contracts.
For subcontractors, achieving Level 2 certification early eliminates the risk of being sidelined due to resource bottlenecks or delayed readiness.
The role of operational technology in compliance
One of the challenges for aerospace and manufacturing firms lies in their reliance on Operational Technology (OT) on factory floors. These systems often fall within the scope of CMMC compliance but are frequently overlooked.
- Main systems:
  - SCADA Systems: Used to monitor and control industrial processes.
  - Numerical Control Machines: Automate manufacturing tasks and often interact with CUI.
  - Intelligent Testing Equipment: This may handle sensitive data in physical or digital formats.
These specialized assets must be inventoried in the System Security Plan (SSP). For example, if a piece of equipment processes physical representations of CUI – such as prototypes or blueprints – it must be inventoried in the SSP under Specialized Assets.
Key insight: Include all OT systems in your security planning, and make sure they are documented, inventoried, and protected according to CMMC standards.
The shared responsibility model: ESPs are not a magic solution
Many aerospace and manufacturing firms rely on External Service Providers (ESPs) and Cloud Service Providers (CSPs) to manage their cybersecurity infrastructure. While these providers play an important role, it’s important to understand that compliance cannot be entirely outsourced.
- What ESPs can do:
  - Manage technical infrastructure, such as Active Directory or enclaves.
  - Provide evidence for certain controls during assessments.
- What ESPs can’t do:
  - Authorize user access to CUI. The responsibility for identifying and approving users rests solely with the organization.
  - Approve changes to the environment.
A shared responsibility matrix is essential for clarifying these roles. To satisfy CMMC requirements, companies must actively document and maintain evidence for tasks like user authorization and physical security.
Key insight: Leverage ESPs/CSPs strategically but understand that compliance still requires active participation from your organization.
Beyond defense: The expanding federal landscape
CMMC is part of a broader trend in federal cybersecurity regulations, with implications extending beyond the DoD.
- FAR rule on CUI: The FAR rule is expected to establish government-wide standards for handling CUI and align closely with CMMC Level 2 requirements.
- Other agencies following suit:
  - The Department of Education has already published rules requiring compliance with NIST 800-171 v2 for student data.
  - The Departments of Homeland Security (DHS) and Energy (DOE) are preparing similar mandates, expanding cybersecurity requirements across civilian agencies.
Key insight: Aerospace and manufacturing firms should prepare for expanding cybersecurity requirements across both defense and civilian sectors.
Action items for aerospace and manufacturing firms
- Inventory specialized assets: Include OT systems and physical CUI in your SSP, treating them as critical components of your cybersecurity infrastructure.
- Engage early: Work with Registered Practitioner Organizations (RPOs) to conduct mock assessments and identify gaps before formal evaluations.
- Secure assessment slots: With only 58 Certified Third-Party Assessment Organizations (C3PAOs) available, early scheduling is essential to avoid delays.
- Collaborate across the supply chain: Align with prime contractors and support subcontractor readiness to help ensure compliance at every tier.
- Treat compliance as a business imperative: View CMMC as an opportunity to strengthen cybersecurity, streamline operations, and build trust with partners.
Conclusion: Positioning for success
The unique dynamics of the aerospace and manufacturing industry – ranging from OT systems to complex supply chains – demand a proactive approach.
By preparing for accelerated timelines, firms can meet regulatory requirements and secure their positioning. But the time to act is now, as readiness is key to success in the defense and federal markets of tomorrow.

Adonye Chamberlain