Why your customers are asking for this now
Defence primes are flowing cyber requirements down their supply chains, and the deadlines are real. The UK Ministry of Defence requires suppliers that handle its information to meet defined cyber standards, and the US Department of Defense is phasing in mandatory third-party CMMC assessments through 2026 for any supplier that touches its data, including UK manufacturers inside those supply chains. The pool of accredited assessors is small relative to the number of suppliers who need them, so the businesses that start early are the ones that keep their contracts.
Which standard do you actually need?
“Cyber compliance” is not one thing, and the gap between the possible requirements is the difference between a modest project and a major programme. Three regimes sit behind most requests:
UK MOD route
Built on Cyber Essentials Plus and a risk-tiered control set under DefStan 05-138, with the Defence Cyber Certification scheme providing third-party assurance. Your customer may reference a Cyber Risk Profile level and a Supplier Assurance Questionnaire.
US DoD route
Implementation of the 110 controls in NIST SP 800-171, registration in the US Supplier Performance Risk System (SPRS), and, under CMMC, third-party (C3PAO) certification at Level 2. This applies if you process information that originates from a US defence programme, regardless of where the work is performed.
NIST Cybersecurity Framework
A lighter, maturity-based self-assessment, sometimes meant when a customer says “NIST” loosely.
The first job of any engagement is to confirm which of these your customer actually requires, because committing to the wrong one is expensive.
How we help: a readiness partner, not a certifier
We work in clear phases. Discovery confirms the regime and maps what is in scope. A gap assessment baselines you against the chosen standard and produces a System Security Plan and a Plan of Action and Milestones. Remediation puts the controls in place: multi-factor authentication, endpoint detection, centralised logging, network segmentation, secure handling of customer drawings, the policy set and staff training. Certification readiness then runs a mock assessment before the formal step with the independent assessor or C3PAO. We hold the methodology and the customer relationship; your in-house team keeps ownership of the systems they run.
Built on the discipline you already have
If you hold AS9100, you already run document control, audit discipline and corrective action. Cyber compliance is that same discipline applied to information security. We extend what you already do well rather than imposing something foreign, which is usually the fastest route through.
Start before the deadline forces you
Assessor capacity is the constraint, not the controls. Suppliers who begin readiness early protect both their certification timeline and the contracts that depend on it. Those who wait risk joining a queue at exactly the wrong moment.
Work with Keekco
Book a discovery call, or take the two-minute readiness check.
Frequently asked questions
- Do UK suppliers really need CMMC?
  - If you handle information that originates from a US Department of Defense programme, even through a UK prime, the DFARS clause and CMMC can apply to you regardless of where the work is performed. If your defence work is purely UK MOD, the DefStan 05-138 and Defence Cyber Certification route is more likely. Confirming which applies is the first step.
- What is the difference between Cyber Essentials, NIST 800-171 and DefStan 05-138?
  - Cyber Essentials is the UK baseline of five technical controls and is often the foundation for everything else. NIST 800-171 is a US set of 110 controls for protecting controlled defence information. DefStan 05-138 is the UK MOD’s risk-tiered standard. Many suppliers need Cyber Essentials Plus as a building block toward one of the larger standards.
- When is the CMMC deadline?
  - CMMC is being phased into US defence contracts, with third-party assessment requirements arriving through 2026. Because accredited assessor capacity is limited, readiness work needs to start well before any contractual date.
- Does Keekco certify us?
  - No, and that is deliberate. Certification must come from an independent assessor or, for CMMC, an accredited C3PAO. We prepare you so that you pass, which keeps our advice impartial.
- How long does readiness take?
  - It depends on the standard and your starting point, but a typical programme runs several months from gap assessment to assessment-ready. Discovery gives you a firm timeline before you commit.
- We already have AS9100. Does that cover cyber?
  - Not on its own. AS9100 governs quality, not information security. The good news is that the discipline transfers: the document control and audit habits behind AS9100 are exactly what a cyber programme needs.