Four Standards for Defense Contractors

If you are a manufacturer in the aerospace and defense sectors, there are several different standards you can consider pursuing. Understanding the standards and certifications that need to be met and then complying with them can certainly feel overwhelming. Among the standards to consider are CMMC, ISO 27001, ISO 9001, and AS9100. What are all of these standards and certifications and how do they relate to each other?

CMMC

Unlike the other standards mentioned, CMMC is not a traditional standard and has nothing to do with ISO. NIST 800-171 sets controls that must be complied with in regard to Controlled Unclassified Information, or CUI. A C3PAO CMMC assessment confirms whether the company complies with these controls, and then the C3PAO can issue a certificate. If you have contracts as per DFARS 304.252-7012, you should have become compliant with NIST 800-171 effective January 2019. If you have not crossed that off your to-do list, you are not alone. Many contractors have gambled over the last few years and have not become NIST-compliant.

CMMC 2.0 is a compliance control for NIST 800-171. Manufacturers have to prove they are NIST-compliant in order to get the CMMC certification, and the CMMC certification will be required for all companies that handle and/or store CUI.

Now that Phase 1 of the CMMC rollout is in effect, CMMC self-assessments are mandated at a minimum. This mandatory aspect differentiates CMMC from other optional standards. If you do not become CMMC certified, you will lose contracts and opportunities in the aerospace and defense sectors.

ISO 27001

It can be easy to confuse ISO 27001 with CMMC in that ISO 27001 is a cybersecurity standard and deals with information security. However, ISO 27001 does not have anything to do with CUI. Its focus is your information security management system, or ISMS. This standard is not mandated, but as is the case with any certification, it can assist in building your brand’s credibility. Your customers and partners will understand their information is safe with you, and these days that is a valuable asset. ISO 27001 is particularly beneficial for manufacturers with international customers.

AS9100

AS9100 dates back to 1999. Its primary focuses are on the quality, safety, and technological processes used by manufacturers in the aerospace and defense industries.

ISO 9001

ISO 9001 is focused on quality management systems or QMS. ISO 9001 was published back in 1987 and has been periodically updated and revised since then. It is one of the more common ISO standards and extends to any type of company, not just manufacturers in the aerospace and defense sectors. Companies with an ISO 9001 certification are recognized as dedicated to quality processes and technology in order to best serve customers.

ISO 9001 is the Building Block, but CMMC Comes First

With all of these possible standards and certifications to pursue, what should come first for manufacturers serving in the aerospace or defense industries?

If you are not yet compliant with CMMC, the reality is you are already behind your competitors who have achieved compliance. 

Beyond the required standards, what should be pursued next? 

If you are not yet ISO 9001 certified, that is the next best thing for your company to tackle. Not only is this standard prestigious in and of itself, but it also aligns closely with AS9100 and ISO 27001, which means those other two certifications will not be as hard to earn. 

If you have any questions about any of these standards and processes, contact us today. We can talk about your company's specific needs, your current status, and where to go from here. While there are many C3PAOs listed in the Cyber AB marketplace, Smithers is one of the most respected in the industry. With 30 years of auditing experience and 100 years in business, we know how to approach your assessment in an effective and efficient manner.

Common questions for C3PAOs
What is ISO 27001?

ISO 27001 is an information security management system standard. It complements CMMC well. Learn more about ISO 27001.

How difficult is CMMC compliance?

CMMC compliance, which requires meeting all 110 controls of NIST SP 800-171r2, represents a substantial effort for manufacturers. Learn more about CMMC compliance.

About Smithers

Founded in 1925 and headquartered in Akron, Ohio, Smithers is a multinational provider of testing, consulting, information, and compliance services. With laboratories and operations in North America, Europe, and Asia, Smithers supports customers in the transportation, life science, packaging, materials, components, consumer, cannabis, dry commodities, and energy industries. Smithers delivers accurate data, on time, with high touch, by integrating science, technology, and business expertise, so customers can innovate with confidence. Smithers is an authorized C3PAO and can be found on the CyberAB Marketplace.

Have a question regarding NIST/CMMC? Maybe it's in our FAQs.
