In the online world you are likely to run into a #FOMO hashtag. FOMO stands for “Fear of missing out” and this acronym is often used to explain the hours of scrolling social media users engage in every day. You don’t want to miss something important!
These days, if you are a manufacturer in the aerospace and defense sectors, you may feel FOMO when it comes to certifications. In this case, “missing out” can translate to missing customers and losing contracts. Understanding the standards and certifications that need to be met, not to mention actually complying with them to a high degree, can certainly feel overwhelming. Among the standards you are hearing about in 2023 are NIST 800-171/CMMC, ISO 27001, ISO 9001, and AS9100. What are all of these standards and certifications, and how do they relate to each other?
Unlike the other standards mentioned, NIST/CMMC is not a traditional standard and has nothing to do with ISO. NIST 800-171 sets controls that must be complied with in regard to Controlled Unclassified Information, or CUI. If you have contracts as per DFARS 304.252-7012, you should have become compliant with NIST 800-171 effective January 2019. If you have not crossed that off your to-do list, you are not alone. Many contractors have gambled over the last few years and have not become NIST-compliant.
CMMC 2.0, which should be released some time in 2024, is the mechanism by which compliance with NIST 800-171 is verified. Manufacturers will have to prove they are NIST-compliant in order to get the CMMC certification, and the CMMC certification will be required for all companies that handle and/or store CUI.
These two certifications are, in practice, not optional, which differentiates them from the other standards you have been hearing about. If you do not become NIST/CMMC compliant, you will lose contracts and opportunities in the aerospace and defense sectors.
It can be easy to confuse ISO 27001 with NIST/CMMC, because ISO 27001 is also a cybersecurity standard that deals with information security. However, ISO 27001 does not have anything to do with CUI. Its focus is your information security management system, or ISMS. This standard is not mandated, but as is the case with any certification, it can help build your brand’s credibility. Your customers and partners will understand their information is safe with you, and these days that is a valuable asset. ISO 27001 is particularly beneficial for manufacturers with international customers.
AS9100 dates back to 1999. Its primary focuses are on the quality, safety, and technological processes used by manufacturers in the aerospace and defense industries.
ISO 9001 is focused on quality management systems, or QMS. ISO 9001 was published back in 1987 and has been periodically updated and revised since then. It is one of the more common ISO standards and applies to any type of company, not just manufacturers in the aerospace and defense sectors. Companies with an ISO 9001 certification are recognized as dedicated to quality processes and technology in order to best serve customers.
With all of these possible standards and certifications to pursue, what should come first for manufacturers serving in the aerospace or defense industries?
If you are not yet compliant with NIST 800-171, that must come first because it is mandated, and has been for about five years. Although some companies are waiting to do anything until CMMC 2.0 is released, the reality is that doing so will put your company well behind competitors who are already compliant. More to the point, perhaps, your risk of a cyber breach is higher without NIST 800-171 compliance than it would be if you complied fully. In either case, you are risking relationships with current customers as well as valuable future contracts.
Beyond the required standards, what should be pursued next?
If you are not yet ISO 9001 certified, that is the next best thing for your company to tackle. Not only is this standard prestigious in and of itself, but it also aligns closely with AS9100 and ISO 27001, which means those other two certifications will be easier to earn.
If you have any questions about any of these standards and processes, contact us today. We can talk about your company's specific needs, your current status, and where to go from here.