Overview
If you manufacture, finish, or repair aircraft parts and assemblies for primes like Lockheed, Northrop, RTX, GE Aerospace, Boeing, or their tier 2 suppliers, your day to day paperwork is Federal Contract Information. POs, build to print drawings, delivery schedules, first article and quality records, and acceptance documents all count, and that triggers FAR 52.204-21 and a Level 1 self-assessment.
Aerospace is where the CUI line gets tested most often, because so much aircraft technical data is export controlled. Export control alone is not the same as CUI under DFARS 252.204-7012, but most primes will mark export controlled technical data as CUI and flow down -7012. When that happens and you actually receive marked data, that contract is Level 2.
The winning pattern for a small aerospace shop is to keep the bulk of the business at Level 1 and, if a single program sends marked CUI, carve a small controlled enclave for that program rather than dragging the whole shop up to Level 2.
Typical contracts you'll see
- Tier 2 and tier 3 subcontracts to aerospace and defense primes
- DLA Aviation spares and consumables buys
- Depot level repair and MRO contracts for the Air Force and Navy
- Build to print machining and finishing for aircraft components
- SBIR and STTR Phase I prototype work for aerospace topics
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Treating every aerospace drawing as CUI. CUI must be explicitly marked. Many build to print drawings are FCI.
- Treating export control markings as automatically out of scope. If a -7012 flow-down is in the subcontract and marked data arrives, that work is Level 2.
- Emailing drawings and POs through personal Gmail or a shared shop inbox, which fails FAR 52.204-21 (b)(1)(i) and (iii).
- Running the shop floor terminal as a shared local admin with no per person login, which fails (b)(1)(i) and (ii).
- Leaving the company website or quote portal on the same system that holds program FCI, which fails (b)(1)(iv) and (b)(1)(v).
- Letting the annual SPRS affirmation lapse, which DoD treats as False Claims Act exposure.
Your Level 1 action plan
- 01 Confirm in writing with each prime whether any -7012 flow-down applies and whether marked CUI or CTI has been or will be sent. Most build to print work has none.
- 02 Inventory every system that touches program FCI: shop laptops, office PCs, the file server, the ERP and quality systems, email, and backups.
- 03 Move program email and file sharing onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced on every account.
- 04 Lock down shop floor and inspection terminals with named logins, screen lock, and antivirus, and separate them from public web browsing.
- 05 If one program sends marked CUI, build a small separate enclave for that program and keep the rest of the shop at Level 1.
- 06 Write a one to two page boundary description of where FCI lives and how it is separated from public facing systems.
- 07 Run the 15 practice self-assessment, capture evidence, then have a senior official post and affirm the score in SPRS and calendar the annual re-affirmation.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 336413 Other Aircraft Parts & Auxiliary Equipment Manufacturing
- 336412 Aircraft Engine & Engine Parts Manufacturing
- 336411 Aircraft Manufacturing
- 332710 Machine Shops
- 332721 Precision Turned Product Manufacturing
- 488190 Other Support Activities for Air Transportation
Frequently asked questions
Q. I machine parts for a fighter program. Does that make me Level 2?
Not by itself. Being on a high profile program does not put you at Level 2. What puts you at Level 2 is receiving CUI explicitly marked under DFARS 252.204-7012, such as drawings stamped Controlled Technical Information or Export Controlled with a CUI banner. If your prime has only sent unmarked POs and build to print drawings, you are a Level 1 shop even on a fighter program.
Q. My drawings are export controlled (ITAR or EAR). Am I still Level 1?
Export control on its own is not the same as CUI under -7012, but most primes treat export controlled technical data as CUI for safeguarding and flow down -7012. If a -7012 clause is in your subcontract and you have received marked technical data, that contract is Level 2. You can still run Level 1 for your non CUI work by carving out a small enclave for the marked program.
Q. Do I need an SSP for my aerospace shop at Level 1?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. You need evidence that each of the 15 practices is met for the systems that handle FCI, plus a short boundary description and a list of authorized users.
Q. The prime is asking for my SPRS score. What do they need to see?
For Level 1 they need to see a current MET result on all 15 FAR 52.204-21 requirements, affirmed in SPRS by your senior official within the last 12 months. There is no numerical score at Level 1 and no third party assessment. A current affirmation is what lets the prime keep you on the program.
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide)
  Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD Contractors
  The single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- How to Do CMMC Level 1 Yourself (Free, Complete Guide) — 2026
  CMMC Level 1 is self-assessed. You don't need a consultant. Here is the entire DIY path, with every template you'll need, written for the small defense contractors actually doing the work.
- CMMC Level 1 Is Binary. There Is No Score. Here's What That Means.
  Level 1 isn't graded on a curve. Every one of the 15 requirements has to be MET — or the whole assessment fails. Here's how the rule actually works, and why that's good news for small contractors.
- What to Tell Your Prime When They Ask for Your SPRS Score (And You're Level 1)
  If your prime is asking for a 0–110 SPRS score and you're a Level 1 contractor, the answer is not zero. It's that you're a different tier of the regulation. Here's how to say that without losing the contract.
- CMMC Level 1 Scoping — How to Draw the Boundary (Free Worksheet) — 2026
  Treating the whole company as in-scope doubles your work for no compliance benefit. Here's the right way to scope CMMC Level 1.