
What CMMC means for UK aerospace suppliers

By Ashle Whittle, 16 June 2026, 6 min read
If you supply parts, processes or services into the aerospace and defence sector, you may already have heard the term CMMC, possibly from a customer, possibly in a supplier questionnaire, possibly as a vaguer instruction to "get your cyber security in order." It is easy to assume it is an American requirement that stops at the Atlantic. For a growing number of UK suppliers, that assumption is wrong, and acting on it late is expensive.

This article explains what CMMC actually is, why it can reach a British business, and what getting ready involves. The aim is to replace uncertainty with a clear view of whether this applies to you and what to do about it.

What CMMC is

CMMC stands for Cybersecurity Maturity Model Certification. It is the framework the US Department of Defense uses to verify that the businesses in its supply chain are protecting defence information to a defined standard. The important word is verify. For years, suppliers to the US defence sector were expected to meet a cyber standard but largely attested to it themselves. CMMC changes that by requiring many suppliers to prove it through an independent assessment, rather than simply claiming it.

At its most relevant level for manufacturers, Level 2, CMMC is built on an existing standard called NIST SP 800-171, a set of 110 security controls designed to protect what the US calls Controlled Unclassified Information. So when someone refers to "CMMC Level 2," they are really talking about implementing those 110 controls, documenting them properly, and, for most contracts, passing an assessment carried out by an accredited third party known as a C3PAO.

Why a UK supplier can be caught by it

This is the part that surprises people, so it is worth being precise. The obligation does not follow your location. It follows the data you handle.

The contractual clause that brings CMMC obligations applies based on whether you process information that originates from a US defence programme. If a US-origin programme flows technical information down to you, through a prime contractor such as BAE Systems or Lockheed Martin, or through another supplier above you in the chain, the requirement can reach you regardless of the fact that you operate in the UK and do the work here. Defence supply chains are international, and a UK process house or component manufacturer can easily find itself handling data that carries these obligations without having signed anything directly with the US Department of Defense.

This is why "CMMC is an American thing" is a dangerous simplification. The honest answer to "does it apply to me?" is: it depends entirely on what data you touch, and that is the first thing any serious readiness exercise establishes.

CMMC, NIST and Cyber Essentials: which is which?

Part of the confusion is that several standards get mentioned in the same breath, and they are not the same thing.

NIST 800-171 is the control standard itself, the 110 requirements. CMMC is the certification programme that verifies you have implemented them, including the independent assessment. Cyber Essentials, by contrast, is the UK government-backed baseline of five core technical controls, often the foundation a business builds from, but a long way short of the full NIST control set.

A useful way to picture it: Cyber Essentials gets the basics right, NIST 800-171 defines the full set of controls for protecting defence information, and CMMC is the formal proof that you have done so. A supplier facing US defence requirements may need to travel the whole of that path. A supplier whose defence work is purely UK Ministry of Defence is more likely to be on a different route, built around Cyber Essentials Plus and the UK's own DefStan and Defence Cyber Certification scheme. Confusing the two routes is one of the most expensive mistakes a supplier can make, because committing to the wrong, heavier one wastes money, and assuming the lighter one when the heavier applies risks the contract.

Why starting early matters more than it would for most projects

Most compliance work can be compressed if you throw resource at it. CMMC has a constraint that resists that: the number of accredited assessors is small relative to the number of suppliers who will need them. You cannot buy your way past an assessor's availability.

That creates a sequencing problem. Readiness work takes time. Remediation, putting controls in place, takes longer. And then the assessment itself has to be booked and conducted by a third party whose calendar is finite. Suppliers who begin early move through readiness and remediation while assessor capacity is still reasonably available, and protect both their certification and the contracts that depend on it. Suppliers who wait risk arriving at the queue at the worst possible moment, after a deadline has concentrated everyone's mind at once.

The phased introduction of these requirements into US defence contracts is happening over a defined period, but the practical takeaway does not depend on the exact dates: the constraint is capacity, and capacity rewards the early.

What getting ready actually involves

Readiness is not a single act. It runs in stages, and the order matters.

It starts with scope: working out precisely which of your systems, people and data fall within the requirement. A tight, well-defined scope is the single biggest lever on cost, because it determines how much of your business has to meet the controls; a narrow scope means securing the in-scope part rather than re-engineering everything.

Then a gap assessment: baselining your current state against all 110 controls, producing the System Security Plan that documents how you meet them, and a Plan of Action and Milestones for anything outstanding.

Then remediation, which is where most of the effort and cost sits: multi-factor authentication and access control, endpoint detection, centralised logging, network segmentation or a protected enclave for in-scope systems, secure handling of customer technical drawings, the policy set, incident response, and staff training.

Finally, assessment readiness: a mock assessment to make sure there are no surprises, before the formal step with the accredited C3PAO.

The reassuring part, if you hold AS9100

Most aerospace suppliers already operate a quality management system such as AS9100. If you do, you already run document control, audit discipline, corrective action and evidence-keeping, every day. Cyber compliance is, in large part, that same discipline applied to information security rather than to quality. The controls are different, but the habits of documenting, evidencing and auditing are exactly the ones a cyber programme depends on. Suppliers who recognise this tend to find the path shorter than they feared, because they are extending something they already do well rather than building a culture from scratch.

What to do now

If a customer has raised CMMC with you, or you suspect US-origin defence data flows into your business, the sensible first move is not to start buying security tools. It is to establish two things clearly: whether CMMC actually applies to you and at what level, and what your realistic scope and starting point are. Everything else follows from those answers, and getting them wrong is what makes these programmes expensive.

Keekco prepares UK aerospace and defence suppliers for exactly this, as a readiness partner rather than a certifier, so our only job is getting you through the assessment your customer requires. The background behind that work is genuine: security-cleared experience inside UK aerospace and defence programmes, brought to the suppliers who now have to meet these standards.

If you would like a straight answer on whether CMMC applies to your business and what readiness would involve, book a discovery call, or read more about our aerospace and defence supplier cyber readiness.
