AS9120
If your organization is focused on the procurement of materials, parts, and assemblies within the Aerospace industry, the AS9120 is a valuable certification for you. Chronologically, the best time to pursue this certification is after you have the ISO 9001 and the AS9100 under your belt. Just as the AS9100 builds on ISO 9001, the AS9120 builds on both standards with specifics for material procurement.
When comparing AS9100 with AS9120, you will notice some key deletions and additions in the 9120 standard. The most significant deletions are from AS9100 section 8 and include operational risk, product safety, testing for design verification/validation, special processes, and production process validation. Definitions added to AS9120 include Certificate of Conformity, Distributor, Splitting, Test Report, and Unapproved Part.
AS9110
If your company is involved in product maintenance or repair in the Aerospace industry, the AS9120 is not the correct certification to pursue. In this case you need to be certified to the AS9110 standard. Smithers can assist you with this certification as well, so if the AS9110 certification is on your radar, we can incorporate that into your plan.
Certifications Tied to Cybersecurity
ISO 9000 and AS9100 are quality management certifications that cater specifically to the Aerospace and Defense industry. There is one key facet they do not touch which companies in this industry have to be mindful of, and that is CUI. Although CUI is mostly thought of in parallel with cybersecurity, proper CUI protection also involves proper physical storage, access, and security. There are a few different standards tied to this niche area of focus.
ISO 27001
Just as AS9100 builds directly on ISO 9001, ISO 27001 does the same. Indeed, ISO 9000 and ISO 27001 are the same except for the Annex A controls in ISO 27001. These controls specify standards relating to cybersecurity principles, but they do not cover the topic of Controlled Unclassified Information, or CUI.
Annex A contains fourteen different control families. They cover a wide range of topics including Operations, Communications, and Information Security as well as information accessibility, information management, and more.
If you have international customers, ISO 27001 may be mandated because of the GDPR. Even if your customers are not asking that you are compliant now, it can be a good way to showcase your organization’s commitment to information security.
NIST 800-171/CMMC
If you are a contractor or sub-contractor in the Aerospace and Defense industry and you handle CUI, you have very likely heard of NIST 800-171 Rev. 2 and, more recently, Rev. 3. You also have probably been hearing about the Cybersecurity Maturity Model Certification, or CMMC. This cluster of requirements has gotten much more attention than ISO 27001, in part because they have been the focal points of much debate over the last few years. Currently, DFARS 252.704.2012 mandates NIST 800-171 Rev. 2 compliance. It is likely Rev. 3 and CMMC will be mandated soon (CMMC News: CMMC 2.0 was published as a proposed rule on December 22, 2023).
If you do not handle CUI or if your contract does not specify DFARS 252.704.2012, you do not need to be NIST 800-171 certified at this time. However, if your organization is seeking to grow into the Defense Industrial Base (DIB), now is a good time to begin working toward your NIST 800-171 certification.
If your company is ISO 27001 certified, the path to NIST 800-171 compliance will be a little easier. ISO 27001 covers approximately 80-85% of the NIST 800-171 controls. As a C3PAO (Certified Third Party Assessment Organization) candidate, Smithers will be able to help you navigate these certifications in the near future.
The path to compliance begins with ISO 9001, and Smithers can help your organization navigate from there.
Contact us today to learn more.