
DFARS and CMMC 2.0: A Cybersecurity Briefing for Aerospace Startups
For aerospace startups entering the Department of Defense (DoD) supply chain, compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) is no longer an "honor system" based on self-attestation. As of late 2025, the formal integration of the Cybersecurity Maturity Model Certification (CMMC) 2.0 into DFARS has transformed cybersecurity from a best practice into a strict precondition for contract award.
The primary objective of these regulations is the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Defense Industrial Base (DIB).
The Three-Tiered Compliance Model
Under the current DFARS framework (specifically clauses 252.204-7012, 7019, and 7020), startups must achieve a specific CMMC level based on the sensitivity of the data they handle:
Level 1: Foundational (FCI)
- Focus: Basic safeguarding of Federal Contract Information (FCI).
- Requirements: 15 security requirements aligned with FAR 52.204-21.
- Assessment: Annual self-assessment and affirmation uploaded to the Supplier Performance Risk System (SPRS).
Level 2: Advanced (CUI)
- Focus: Protection of Controlled Unclassified Information (CUI).
- Requirements: 110 security practices aligned with NIST SP 800-171.
- Assessment: Requires either a self-assessment or a triennial audit by a CMMC Third-Party Assessment Organization (C3PAO), depending on the specific contract’s sensitivity.
Level 3: Expert (High-Priority CUI)
- Focus: Protecting CUI against Advanced Persistent Threats (APTs) for the DoD's most critical programs.
- Requirements: Over 130 practices, including those from NIST SP 800-172.
- Assessment: Conducted directly by the Defense Contract Management Agency (DCMA) DIBCAC team every three years.
2025–2028 Implementation Timeline
The DoD is currently in Phase 1 of a four-phase rollout that began on November 10, 2025. Startups must monitor the following milestones:
- Phase 1 (Nov 2025 – Nov 2026): CMMC requirements are being included in select solicitations. A current self-assessment score in SPRS is now a mandatory condition for award on these contracts.
- Phase 2 (Nov 2026 – Nov 2027): The DoD will begin mandating C3PAO certifications (Level 2) for a broader range of contracts and option years.
- Phase 3 & 4 (2027 – 2028): Full implementation across all DoD solicitations, including Level 3 requirements for high-priority systems.
Critical Compliance Components
1. Mandatory SPRS Scoring
Contractors are required to conduct a self-assessment against the 110 controls of NIST SP 800-171 and upload their score to the Supplier Performance Risk System (SPRS). A perfect score is 110; any gaps must be documented in a Plan of Action and Milestones (POA&M), though some high-weighted controls cannot be deferred.
2. Subcontractor Flow-Downs
If an aerospace startup acts as a Prime contractor, it is legally responsible for ensuring its subcontractors also meet the required CMMC level. Per DFARS 252.204-7020, Primes must verify that their subcontractors have a current assessment in SPRS before awarding a subcontract involving CUI.
3. Incident Reporting (72-Hour Rule)
Under DFARS 252.204-7012, startups must report cyber incidents that affect covered contractor information systems to the DoD via the Defense Industrial Base (DIB) File Sharing Portal within 72 hours of discovery. This requires having a robust Incident Response Plan (IRP) already in place.
A Roadmap to Certification
Aerospace startups can streamline their compliance journey by following a structured technical path:
- Define the Boundary: Identify exactly where CUI resides within your network. Segmenting CUI into a "compliant enclave" can significantly reduce the scope (and cost) of assessment.
- Draft the System Security Plan (SSP): The SSP is the foundational document for any audit. It describes how each of the 110 NIST controls is implemented across your hardware, software, and physical facilities.
- Address the "Big Three" Technical Hurdles:
  - Multifactor Authentication (MFA): Mandatory for all local and network access to systems containing CUI.
  - FIPS-Validated Encryption: Data at rest and in transit must be encrypted using modules validated under FIPS 140-2 or higher.
  - Shared Account Prohibition: Every user must have a unique identity; shared administrative or engineering accounts are a non-starter for certification.
Cybersecurity as a Strategic Prerequisite
The formalization of CMMC 2.0 within the DFARS framework signifies a permanent change in how aerospace startups must view their digital infrastructure. Cybersecurity has shifted from a peripheral IT concern to a foundational business risk that determines eligibility for federal revenue. As the DoD moves through its multi-phase rollout, the "cost of doing business" now includes a verifiable commitment to the protection of CUI and FCI.
For startups, the path forward requires early investment in a System Security Plan (SSP) and the development of technical enclaves necessary to isolate controlled data. By addressing the "Big Three" technical hurdles—MFA, FIPS-validated encryption, and unique identity management—early in the growth cycle, firms can avoid the operational disruption of last-minute audits and position themselves as trusted partners within the Defense Industrial Base. In a market where trust is now quantifiable through SPRS scores and C3PAO certifications, a robust cybersecurity posture is no longer just a regulatory hurdle; it is a critical competitive differentiator that ensures the long-term viability of your defense tech innovations.
Disclaimer: The articles on this blog are for informative purposes only and are no substitute for legal advice or an attorney-client relationship. All images are AI-generated. If you are seeking legal advice, please contact our law firm directly.
