Southern California is home to one of the densest concentrations of aerospace and defense manufacturing in the world. From the Inland Empire to the South Bay, companies producing components for satellites, aircraft, missiles, and unmanned systems are woven into the regional economy at every tier of the supply chain — from large primes down to precision machining shops with fewer than fifty employees. That density creates enormous economic value, and it creates an enormous, concentrated target for adversaries whose mission is to disrupt or penetrate the U.S. defense industrial base.
If your company holds a defense contract — or aspires to — the cybersecurity requirements attached to that work are no longer optional background reading. The Cybersecurity Maturity Model Certification program, DFARS clauses already in force, and the ITAR obligations that govern export-controlled technical data all place specific, enforceable demands on how your IT environment is designed, operated, and documented. This guide is written for decision-makers at aerospace and defense subcontractors and primes who need a clear-eyed, accurate overview of where the compliance landscape stands today and what your company should be doing about it.
Why SoCal Aerospace Companies Are Prime Cybersecurity Targets
The threat to the U.S. defense industrial base is documented, persistent, and specifically focused on smaller contractors. Nation-state actors — particularly those linked to China's People's Liberation Army and intelligence services — have executed sustained campaigns targeting the supply chain precisely because the smaller tiers of the supply chain have historically invested far less in cybersecurity than the primes at the top. Stealing technical data from a Tier 1 prime is hard. Stealing it from a Tier 3 machine shop that feeds the same programs is considerably easier.
Southern California's aerospace corridor amplifies this exposure. Companies here work on some of the most sensitive programs in the U.S. inventory. The technical data they handle — design specifications, test results, manufacturing tolerances, system integration data — has direct intelligence value to foreign governments attempting to close capability gaps with U.S. weapons systems. That data doesn't need to be classified to be strategically valuable. Controlled Unclassified Information about a propulsion component or an avionics interface can accelerate a foreign adversary's own development program by years.
The 2023 DoD report on supply chain cyber threats identified small-to-mid-sized defense subcontractors as the primary vector for intellectual property theft targeting U.S. aerospace programs. Attackers assume smaller companies have weaker defenses — and they are frequently right.
The other dimension of the threat that regional companies underestimate is ransomware. Criminal ransomware groups have learned that defense contractors are high-value targets not only because of extortion potential, but because production disruption can itself constitute leverage — and because the regulatory stakes of a breach involving CUI or ITAR-controlled data give attackers additional coercion tools beyond simple encryption.
What CMMC 2.0 Is and Its Three Levels
The Cybersecurity Maturity Model Certification program is the Department of Defense's mechanism for verifying that contractors actually implement the cybersecurity controls they are contractually required to maintain. The original CMMC 1.0 framework, released in 2020, had five maturity levels and imposed significant third-party assessment requirements across a wide swath of the supply chain. After substantial industry feedback, the DoD released CMMC 2.0 in late 2021, streamlining the model to three levels and aligning it more closely with existing NIST standards that contractors were already working toward.
Understanding which level applies to your company is the first practical question to answer.
The practical reality for most Southern California aerospace subcontractors is that Level 2 is the target. If your contracts involve CUI — and most work touching defense system technical data does — you are expected to meet all 110 NIST SP 800-171 practices. CMMC 2.0 requirements are being phased into new contracts on a rolling basis, with the expectation that the majority of DoD acquisitions will include CMMC requirements within the next few years. The clock is running whether or not a specific contract you hold today includes explicit CMMC language.
DFARS 252.204-7012: The Requirements Already in Force
A critical point that many contractors miss: you do not need to wait for CMMC language to appear in a contract to have binding cybersecurity obligations. DFARS clause 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting" — has been a standard requirement in defense contracts since 2017. If this clause is in your contracts, its requirements apply to you right now, regardless of where CMMC implementation stands.
DFARS 252.204-7012 imposes four primary obligations. First, you must implement the 110 security requirements of NIST SP 800-171 on any information system that processes, stores, or transmits Covered Defense Information — which is the DFARS term for what CMMC calls CUI. Second, you must rapidly report cyber incidents to the DoD Cyber Crime Center (DC3) within 72 hours of discovery. Third, you must preserve and provide relevant images and data from any affected systems for at least 90 days following a reported incident. Fourth, these obligations flow down — you are responsible for ensuring that any subcontractors who handle the same data meet the same requirements.
The 72-hour reporting requirement is particularly consequential. Most small to mid-sized contractors do not have a documented incident response plan, let alone the logging infrastructure needed to quickly determine whether CUI was accessed during a security event. Meeting this timeline under pressure requires preparation that most companies haven't done — which is precisely the gap that a managed IT provider familiar with this environment can help close.
Contractors should also be aware that the DoD has ramped up enforcement through False Claims Act mechanisms. A company that falsely affirms CMMC or DFARS compliance — either knowingly or through willful ignorance — faces substantial legal exposure. The Department of Justice's Civil Cyber-Fraud Initiative has already produced settlements in the tens of millions of dollars in cases where contractors misrepresented their cybersecurity posture on federal contracts.
ITAR Data Handling and Your IT Infrastructure
The International Traffic in Arms Regulations govern the export of defense articles, services, and technical data. For aerospace contractors, ITAR's IT implications are substantial and often underappreciated. Any technical data that is subject to ITAR — design drawings, specifications, performance parameters, source code for defense systems — must be controlled such that it cannot be accessed by foreign nationals, whether physically or electronically.
That electronic access restriction has direct consequences for your IT infrastructure. Cloud services used to store or transmit ITAR-controlled data must be operated exclusively on servers physically located in the United States, with access controls that prevent foreign nationals — including employees of the cloud provider who are non-U.S. persons — from accessing the data. Standard consumer cloud services, including many common file-sharing platforms, do not meet this bar by default. Microsoft's GCC High environment and AWS GovCloud are examples of cloud platforms engineered to support ITAR data handling requirements, but they require specific configuration and licensing that differs from standard commercial offerings.
Email is another frequent ITAR compliance gap. Standard Microsoft 365 or Google Workspace tenants route data through global infrastructure and do not provide the access controls required for ITAR technical data. If engineers are emailing drawings or specifications to each other — or to suppliers — using standard commercial email, that data may be traversing infrastructure accessible to foreign nationals in ways that create ITAR exposure. Our team helps aerospace clients evaluate their cloud and email environments against ITAR requirements and implement configurations that reduce this risk.
ITAR violations are not administrative matters. The State Department's Directorate of Defense Trade Controls can impose civil penalties of up to $1.3 million per violation and criminal penalties including imprisonment. A single misconfigured cloud share that exposes ITAR-controlled drawings to an unauthorized party can result in enforcement action that threatens the company's ability to hold defense contracts at all.
CUI: What It Is and How to Protect It in Your IT Environment
Controlled Unclassified Information is the category of government information that requires safeguarding under law, regulation, or policy — but is not classified. For aerospace contractors, CUI includes categories such as Controlled Technical Information (CTI), which covers technical data with military or space application; Export Controlled information under ITAR and EAR; and various other DoD-designated categories tied to specific program sensitivities.
The first step in protecting CUI is knowing where it is. Many contractors handle CUI without having a clear inventory of which systems process it, where it's stored, and how it flows through their environment. This is not an academic exercise — the NIST SP 800-171 controls that apply to your environment apply specifically to the systems and network segments where CUI lives. Without a clear CUI boundary, you cannot scope your compliance program, you cannot prioritize your security investments, and you cannot accurately complete a System Security Plan.
Practically, CUI protection in an IT environment requires several overlapping controls. Access to CUI must be limited to personnel with a need to know and must require authentication — multi-factor authentication for remote access at minimum. CUI at rest must be encrypted using FIPS 140-2 validated cryptographic modules. CUI in transit must be protected by encryption that meets the same standard — meaning plain HTTP, unencrypted FTP, or standard consumer email are all prohibited for CUI transmission. Physical controls must prevent unauthorized access to systems where CUI is stored, and audit logging must capture access events so that anomalous activity can be detected and investigated.
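The in-transit rule above (no plain HTTP, unencrypted FTP or consumer email for CUI) is easy to state and easy to violate quietly through one forgotten legacy upload job. The following is an added example, not code from the original article or from IT Center: it audits a constructed inventory of transmission channels, flags plaintext protocols and TLS versions below 1.2, and builds an `ssl.SSLContext` that refuses anything older than TLS 1.2. Hostnames, channel names and TLS versions in the inventory are assumptions; FIPS 140-2 module validation is a property of the crypto library, not something this check can prove.

```python
"""Flag CUI transmission channels that use plaintext or outdated TLS.

Added example, not from the original article. The inventory is constructed.
"""
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Carries data in the clear: never acceptable for CUI in transit.
PLAINTEXT_SCHEMES = {"http", "ftp", "telnet", "smb1"}
# TLS-wrapped transports.
TLS_SCHEMES = {"https", "ftps", "smtps", "imaps"}
# SSH-based transports (encrypted, but not TLS).
SSH_SCHEMES = {"sftp", "ssh", "scp"}
MIN_TLS = (1, 2)  # "TLS 1.2 or higher", as the article states


@dataclass
class Channel:
    name: str
    url: str
    tls_version: Optional[Tuple[int, int]] = None  # configured TLS, if known
    starttls: bool = False                          # for SMTP/IMAP channels


def assess_channel(ch: Channel) -> Tuple[str, str]:
    """Return ("ok" | "prohibited" | "review", reason) for one channel."""
    scheme = urlparse(ch.url).scheme.lower()
    if scheme in PLAINTEXT_SCHEMES:
        return "prohibited", f"{scheme} carries CUI unencrypted"
    if scheme in SSH_SCHEMES:
        return "ok", "SSH transport (encrypted, not TLS)"
    if scheme in ("smtp", "imap") and not ch.starttls:
        return "prohibited", f"{scheme} without STARTTLS is plaintext"
    if scheme in TLS_SCHEMES or ch.starttls:
        if ch.tls_version is None:
            return "review", "encrypted transport but TLS version unknown"
        if ch.tls_version < MIN_TLS:
            return "prohibited", f"TLS {ch.tls_version[0]}.{ch.tls_version[1]} is below 1.2"
        return "ok", f"TLS {ch.tls_version[0]}.{ch.tls_version[1]}"
    return "review", f"unrecognised scheme '{scheme}'"


def audit(channels: List[Channel]) -> Dict[str, Tuple[str, str]]:
    """Assess every channel in the inventory, keyed by channel name."""
    return {ch.name: assess_channel(ch) for ch in channels}


def make_cui_tls_context() -> ssl.SSLContext:
    """Client context that will not negotiate below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed inventory (hostnames and versions are assumptions).
CONSTRUCTED_INVENTORY = [
    Channel("engineering file share", "https://share.corp.example/cui", tls_version=(1, 3)),
    Channel("legacy CNC upload", "ftp://cnc-01.corp.example/jobs"),
    Channel("supplier portal", "https://portal.supplier.example", tls_version=(1, 0)),
    Channel("outbound mail relay", "smtp://mail.corp.example:25", starttls=False),
    Channel("test-data drop", "sftp://drop.corp.example"),
]

if __name__ == "__main__":
    for name, (verdict, reason) in audit(CONSTRUCTED_INVENTORY).items():
        print(f"{verdict:10s} {name}: {reason}")
```

Anything reported as "prohibited" is a channel CUI must not use until it is replaced or wrapped; "review" entries need the TLS version confirmed from the server or client configuration before they can be cleared.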
CUI is not classified, but the penalties for mishandling it can be severe. DFARS 252.204-7012 makes protecting CUI a contractual obligation. Losing control of it — through a breach, an unauthorized disclosure, or inadequate access controls — can result in contract termination, suspension, or debarment from future federal contracting.
NIST SP 800-171: The Technical Foundation of CMMC Level 2
NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is the technical standard that CMMC Level 2 is built on. Its 110 security requirements are organized across 14 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
For companies that haven't done a formal gap assessment against NIST SP 800-171, the most common deficiencies our team encounters in aerospace environments tend to cluster in a few specific families. Audit and Accountability — specifically the logging of system events with sufficient detail to support incident investigation — is frequently incomplete. Configuration Management — ensuring that all systems are inventoried, that baseline configurations are documented, and that changes are controlled — is often informal or undocumented. Incident Response — having a documented, tested plan for responding to security incidents that includes the 72-hour DFARS reporting obligation — is almost universally absent.
NIST SP 800-171 also requires companies to produce and maintain a System Security Plan (SSP) — a document that describes how each of the 110 requirements is addressed in their environment — and a Plan of Action and Milestones (POA&M) for any requirements that are not yet fully implemented. The SSP is the primary artifact that a C3PAO assessor will evaluate during a CMMC Level 2 third-party assessment. For companies that have never produced one, building it is a substantial documentation effort that requires both technical knowledge of the environment and familiarity with the NIST control framework.
Our team helps clients work toward NIST SP 800-171 compliance by conducting gap assessments, supporting SSP development, and implementing the technical controls needed to address identified deficiencies. We're familiar with the framework's requirements and work with clients across the cybersecurity and managed IT dimensions of compliance readiness.
Practical Steps Aerospace Contractors Should Take Now
Waiting for a CMMC requirement to appear in a specific contract before beginning compliance work is a strategy with very little margin. The controls required by NIST SP 800-171 take time to implement correctly, and the documentation required to demonstrate compliance — SSP, POA&M, policies, procedures — takes additional time to produce. Companies that begin this work six months before a contract assessment will struggle. Companies that begin now are in a fundamentally better position.
The following are the most impactful technical controls for aerospace contractors to prioritize:
1. Network Segmentation with a Defined CUI Enclave. Isolate the systems and network segments that process, store, or transmit CUI from the rest of your environment. Your CUI enclave should have its own VLAN, its own access controls, and firewall rules that restrict what can communicate with it. Systems outside the enclave — guest Wi-Fi, general business workstations, IoT devices — should have no path to CUI systems. This boundary defines the scope of your compliance program and contains the impact of any breach.
2. Endpoint Detection and Response (EDR) on All CUI Systems. Traditional antivirus is not adequate for a defense contractor threat environment. Deploy an EDR platform — such as CrowdStrike Falcon or Microsoft Defender for Endpoint — that provides behavioral detection, threat hunting capability, and the forensic telemetry needed to investigate incidents. EDR also generates the audit logs required by NIST SP 800-171's Audit and Accountability family.
3. Multi-Factor Authentication Everywhere. NIST SP 800-171 requires MFA for all remote access to CUI systems, and best practice is to extend it to all privileged accounts within the CUI enclave as well. Passwords alone are not sufficient protection for systems holding defense technical data. Implement MFA using authenticator apps or hardware tokens — SMS-based MFA is not recommended for this threat environment.
4. Centralized Logging with 90-Day Retention. DFARS 252.204-7012's incident reporting requirement — and NIST's Audit and Accountability controls — both require that you can reconstruct what happened during a security event. This requires centralized collection of logs from endpoints, servers, firewalls, and authentication systems, with retention sufficient to support a 90-day investigation window. A SIEM or log management platform tailored to your environment makes this achievable without burying your IT staff in raw log files.
5. Encrypted Storage and Transmission of CUI. All CUI at rest must be encrypted using FIPS 140-2 validated encryption — BitLocker on Windows workstations, encrypted volumes on servers, encrypted external media. All CUI in transit must use TLS 1.2 or higher. Audit your file shares, email practices, and collaboration tools to confirm that CUI is not moving through unencrypted channels.
6. Documented Incident Response Plan with DFARS Procedures. Write and test an incident response plan that explicitly includes the 72-hour DFARS cyber incident reporting procedure. The plan should identify who makes the reporting decision, how the DC3 online reporting portal is accessed, what information needs to be gathered, and how to preserve system images. Run a tabletop exercise at least annually so that the plan is not the first time your team has thought through these steps under pressure.
7. Vulnerability Management and Patch Cadence. Unpatched systems are the most common initial access vector for both nation-state actors and ransomware operators. Establish a documented patch management process with defined timelines — critical security patches within 72 hours, high-severity within two weeks, routine patches monthly. Your CUI enclave systems should be among the highest-priority targets for patch compliance.
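A "documented patch cadence" is only auditable if someone computes the deadlines and checks them. The following is an added example, not code from the original article or from IT Center: it applies the timelines from item 7 (critical within 72 hours, high within two weeks, routine monthly, with "monthly" taken as 30 days, which is an assumption) to a constructed list of findings, classifies each as met, missed, open or overdue as of a chosen reference time, and lists breaches with CUI enclave systems first. Asset names and the `CVE-PLACEHOLDER-*` identifiers are constructed, not real advisories.

```python
"""Check vulnerability findings against a documented patch SLA.

Added example, not from the original article. All findings are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Timelines from the article's control #7. "Monthly" is read as 30 days (assumption).
PATCH_SLA = {
    "critical": timedelta(hours=72),
    "high": timedelta(days=14),
    "routine": timedelta(days=30),
}


@dataclass
class Finding:
    asset: str
    advisory: str          # placeholder IDs below, not real CVEs
    severity: str          # "critical" | "high" | "routine"
    detected: datetime     # when the scanner first reported it
    in_cui_enclave: bool
    patched: Optional[datetime] = None


def deadline(f: Finding) -> datetime:
    """Latest acceptable remediation time under the SLA."""
    return f.detected + PATCH_SLA[f.severity]


def status(f: Finding, now: datetime) -> str:
    """met/missed for remediated findings, open/overdue for unremediated ones."""
    due = deadline(f)
    if f.patched is not None:
        return "met" if f.patched <= due else "missed"
    return "overdue" if now > due else "open"


def overdue_report(findings: List[Finding], now: datetime) -> List[Tuple[Finding, str]]:
    """SLA breaches, CUI enclave assets first, then longest past deadline first."""
    breaches = [(f, s) for f in findings for s in [status(f, now)] if s in ("overdue", "missed")]
    breaches.sort(key=lambda fs: (not fs[0].in_cui_enclave, deadline(fs[0])))
    return breaches


# Constructed reference time and findings (assumptions).
NOW = datetime(2024, 6, 15, 12, 0)
CONSTRUCTED_FINDINGS = [
    Finding("cui-fileserver-01", "CVE-PLACEHOLDER-0001", "critical",
            datetime(2024, 6, 10, 9, 0), True),
    Finding("eng-ws-17", "CVE-PLACEHOLDER-0002", "high",
            datetime(2024, 6, 5), True, patched=datetime(2024, 6, 12)),
    Finding("guest-wifi-ap", "CVE-PLACEHOLDER-0003", "routine",
            datetime(2024, 5, 1), False),
    Finding("cui-cad-03", "CVE-PLACEHOLDER-0004", "critical",
            datetime(2024, 6, 14, 15, 0), True),
    Finding("print-server", "CVE-PLACEHOLDER-0005", "high",
            datetime(2024, 5, 20), False, patched=datetime(2024, 6, 10)),
]

if __name__ == "__main__":
    for f, s in overdue_report(CONSTRUCTED_FINDINGS, NOW):
        where = "CUI enclave" if f.in_cui_enclave else "general network"
        print(f"{s:8s} {f.asset:18s} {f.severity:9s} due {deadline(f):%Y-%m-%d %H:%M} ({where})")
```

Run against a real scanner export, the "missed" rows are the evidence an assessor will ask about, and the "overdue" rows are the queue for the next maintenance window; enclave assets sorting to the top matches the article's point that CUI systems get patched first.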
How an AI-Native MSP Can Help with CMMC Documentation and Preparation
The documentation burden of CMMC Level 2 is one of the most frequently cited challenges for mid-market aerospace contractors. The System Security Plan alone — when done properly — is a substantial document that must accurately describe how each of the 110 NIST SP 800-171 practices is implemented in your specific environment. It cannot be a generic template. It must reflect your actual systems, your actual network architecture, and your actual procedures. An SSP that doesn't match reality is a liability in an assessment, not an asset.
This is where working with a managed service provider that is deeply familiar with the CMMC framework adds concrete value. Rather than hiring a compliance consultant to document an environment they've never managed, an MSP that runs your IT infrastructure can produce documentation that accurately reflects what's actually in place. They know which systems are in scope, how the network is segmented, what logging is enabled, and where the gaps are — because they built and operate the environment.
Our team works with aerospace and defense clients to help them work toward the controls and documentation that CMMC Level 2 requires. This includes gap assessments against the 110 NIST SP 800-171 practices, technical implementation of missing controls, SSP and POA&M development support, and the ongoing managed security operations — centralized logging, vulnerability management, endpoint protection, and incident response readiness — that keep a compliant environment compliant over time rather than just at the moment of assessment.
The AI-native dimension of our practice adds a practical advantage in the documentation and monitoring domains. AI-assisted log analysis can identify anomalous patterns in environments where volume makes manual review impractical. Automated configuration compliance checking reduces the labor of verifying that systems remain within their defined baselines. And AI-assisted document drafting, properly reviewed against actual environment data, accelerates the SSP development process without sacrificing accuracy.
We are not a C3PAO — we do not perform the formal third-party assessments required for CMMC Level 2 prioritized acquisitions. What we do is help clients build and operate the IT environment and documentation that supports a successful assessment, and we help them maintain that posture between assessment cycles. If you're working toward a formal C3PAO assessment, we can help you arrive at that assessment ready.
Ready to Get Serious About CMMC and Defense Contract Compliance?
IT Center helps aerospace and defense subcontractors build the IT infrastructure, security controls, and documentation that CMMC 2.0, DFARS 252.204-7012, and ITAR demand. Start with a conversation — we'll help you understand where you stand and what it will take to get where you need to be.