Aerospace & Defense IT Specialists

Your DoD Contracts Require CMMC Compliance.
We Make That Happen.

Southern California's defense industrial base — from the Boeing supply chain in Anaheim to Northrop Grumman in Redondo Beach — depends on airtight IT compliance. IT Center delivers CMMC 2.0, ITAR, and DFARS-ready managed IT so you can protect CUI, pass third-party assessments, and keep winning DoD contracts. Protecting defense contractors since 2012.

CMMC Level 2 Ready · ITAR & DFARS Compliant · $300 / computer user / Month

Compliance Frameworks Managed

CMMC 2.0 — Levels 1, 2 & 3
Cybersecurity Maturity Model Certification. Mandatory for all DoD prime and sub-contractors handling FCI or CUI data.
ITAR — Parts 120–130
International Traffic in Arms Regulations. Controls defense articles, services, and data on the USML. Criminal penalties for violations.
DFARS 252.204-7012
Safeguarding Covered Defense Information. Requires NIST SP 800-171 implementation and rapid cyber incident reporting within 72 hours.
NIST SP 800-171 — 110 Controls
14 control families protecting Controlled Unclassified Information across all non-federal systems and organizations.

Why Compliance is Non-Negotiable

CMMC 2.0 · ITAR · DFARS — The Stakes Are High

Defense contracts are won or lost on compliance posture. One failed assessment or ITAR violation can end your ability to compete for government work entirely.

CMMC Level 1

Foundational — 17 Practices

Required for contractors handling only Federal Contract Information (FCI). Annual self-assessment with senior official affirmation submitted to SPRS.

  • Limit information system access to authorized users and processes
  • Limit physical access to organizational systems and CUI
  • Perform maintenance on organizational systems
  • Provide security awareness training to personnel
  • Identify, report, and correct information security flaws

CMMC Level 2

Advanced — 110 Practices

Required for contractors handling Controlled Unclassified Information (CUI). Triennial third-party assessment by a C3PAO organization is mandatory for critical programs.

  • Full alignment with all 110 NIST SP 800-171 controls
  • 14 control families including Access Control, Incident Response, Risk Assessment
  • System Security Plan (SSP) and Plan of Action & Milestones (POA&M)
  • Multi-factor authentication on all privileged accounts
  • Encrypted data at rest and in transit using FIPS 140-2 validated modules

CMMC Level 3

Expert — 110+ Practices

Required for programs involving highly sensitive CUI associated with critical DoD programs. Government-led assessments are conducted by DCSA.

  • All 110 NIST 800-171 controls plus NIST 800-172 enhanced requirements
  • Advanced persistent threat (APT) defensive posture
  • Proactive threat hunting and continuous monitoring
  • Zero-trust architecture across all connected environments
  • Government-led triennial assessment by DoD assessors

DFARS 252.204-7012

Safeguarding Covered Defense Information

Mandatory contractual clause requiring implementation of NIST 800-171 and rapid reporting of cyber incidents to the DoD within 72 hours of discovery.

  • Implement NIST SP 800-171 across all systems processing CUI
  • Report cyber incidents to DoD within 72 hours via dibnet.dod.mil
  • Preserve and protect images of compromised systems
  • Submit SPRS score before contract award
  • Cloud service providers must meet FedRAMP Moderate equivalency

ITAR Controls

International Traffic in Arms Regulations

22 CFR Parts 120–130 govern export of defense articles and services. IT systems storing or transmitting ITAR-controlled technical data require strict access controls.

  • Restrict access to ITAR-controlled data to U.S. persons only (citizenship verification)
  • Encrypt all ITAR data in transit and at rest
  • Control physical and logical access to engineering CAD/CAM systems
  • Maintain audit logs of all access to controlled technical data
  • Prohibited from storing ITAR data on foreign-hosted cloud services

CUI Categories

Controlled Unclassified Information

CUI is any information the Government creates or possesses that requires safeguarding per law, regulation, or Government-wide policy. Common aerospace categories include:

  • Export Controlled — Technical data subject to EAR or ITAR
  • DoD Critical Infrastructure Security Information
  • Naval Nuclear Propulsion Information (NNPI)
  • Controlled Technical Information (CTI) — specifications and drawings
  • Privacy Act Information relating to DoD personnel

Consequences of Non-Compliance

  • Contract termination and disqualification from future DoD bids
  • Debarment from DoD contracting — permanent or multi-year
  • ITAR criminal penalties: up to $1M per violation and 20 years federal prison
  • False Claims Act liability for certifying an inaccurate SPRS score
  • Reputational damage and loss of prime contractor relationships
  • DCSA facility clearance suspension or revocation

What We Do

Managed IT Services for Aerospace & Defense

Every service we deliver is designed around the unique compliance, security, and operational demands of the defense industrial base. No generic IT — purpose-built for contractors.

Network Segmentation for CUI Environments

Design and enforce network boundaries that physically and logically isolate systems processing Controlled Unclassified Information from general corporate traffic. Firewall policy enforcement, VLAN segmentation, and micro-segmentation aligned to the CMMC scoping guide to minimize your compliance boundary and reduce assessment scope.

CMMC Gap Assessment & Remediation

Complete gap analysis against all 110 NIST SP 800-171 controls. We identify deficiencies, assign risk scores, build your Plan of Action & Milestones (POA&M), and execute remediation to bring you to a passing SPRS score — before the C3PAO auditors arrive.

ITAR-Controlled IT Asset Management

Maintain a complete inventory of all endpoints, servers, and removable media that touch ITAR-controlled technical data. Enforce U.S.-person-only access controls, disable unauthorized ports and peripherals, and maintain audit trails satisfying DDTC requirements for all USML-related systems.

Encrypted Communications (FIPS 140-2)

Deploy and manage FIPS 140-2 validated encryption across all communications channels — email, VoIP, file transfer, and remote access VPN. Ensure that CUI in transit is protected by cryptographic modules approved by NIST's Cryptographic Module Validation Program (CMVP).

System Security Plan (SSP) Documentation

Author, maintain, and version-control your SSP — the foundational document that describes how your organization implements each of the 110 NIST 800-171 controls. Kept current as your environment changes, with full audit history for C3PAO assessors and contracting officers.

Continuous Monitoring & Vulnerability Scanning

24/7 AI-powered SIEM monitoring with automated alerting and response. Regular authenticated vulnerability scans of all in-scope assets. NIST 800-171 control 3.11.2 satisfied through documented, scheduled scanning and remediation tracking integrated with your POA&M workflow.

GFE Policy Management

Establish and enforce Government Furnished Equipment (GFE) policies covering acceptable use, prohibited activities, configuration baselines, and media sanitization procedures. Ensure GFE is never commingled with contractor-owned systems, and baseline configurations are documented and enforced via MDM solutions.

Multi-Factor Authentication (DoD IA Controls)

Deploy phishing-resistant MFA across all remote access, privileged accounts, and systems touching CUI. Implement PIV/CAC-compatible authentication for environments requiring hardware-based credentials. Aligned to DoD Identity and Access Management policies and NIST 800-63B AAL2/AAL3 requirements.

Technical Deep Dive

NIST SP 800-171 — 110 Controls Across 14 Families

CMMC Level 2 is built entirely on NIST SP 800-171. Every control must be implemented and assessable. IT Center manages all 14 families end-to-end.

The 14 NIST SP 800-171 control families cover every aspect of your information environment — from who can log in to how you respond when something goes wrong. IT Center maintains active implementation and evidence documentation for all 14.

3.1 Access Control: 22 controls
3.2 Awareness & Training: 3 controls
3.3 Audit & Accountability: 9 controls
3.4 Configuration Management: 9 controls
3.5 Identification & Authentication: 11 controls
3.6 Incident Response: 3 controls
3.7 Maintenance: 6 controls
3.8 Media Protection: 9 controls
3.9 Personnel Security: 2 controls
3.10 Physical Protection: 6 controls
3.11 Risk Assessment: 3 controls
3.12 Security Assessment: 4 controls
3.13 System & Comms Protection: 16 controls
3.14 System & Info Integrity: 7 controls

  1. CUI Environment Scoping

    Identify every asset — endpoints, servers, cloud services, and network components — that processes, stores, or transmits CUI. Define your assessment boundary to limit scope and reduce compliance cost.

  2. Gap Assessment vs. 110 Controls

    Evaluate current state against every NIST 800-171 requirement. Document implementation status as Met, Not Met, or Partially Met. Assign point values per DoD's scoring methodology to calculate your initial SPRS score.

  3. System Security Plan (SSP) Authorship

    Write or refine your SSP describing the system boundary, operating environment, and how each control is satisfied. The SSP is the primary artifact reviewed by C3PAO assessors and DoD contracting officers at award.

  4. POA&M Execution & Remediation

    Build a prioritized Plan of Action & Milestones for every deficient control. Execute technical and administrative remediation with documented milestones, assigned resources, and completion dates tracked to closure.

  5. SPRS Score Submission

    Calculate your final NIST 800-171 score using DoD's 110-point methodology and submit to the Supplier Performance Risk System (SPRS) via the DoD PIEE portal. Maintain a current score with each remediation milestone completed.

About the SPRS Score

Your SPRS (Supplier Performance Risk System) score ranges from −203 to +110. Every unmet NIST 800-171 control carries a point deduction. A score below 110 requires a POA&M. The score is visible to prime contractors and DoD contracting officers — it directly impacts your ability to win contracts. IT Center actively manages your score and keeps it updated as your environment evolves and remediations are completed.

Southern California Defense Cluster

We Serve the Prime Contractors' Supply Chain

Southern California hosts the densest concentration of aerospace and defense prime contractors in the United States. If you supply to any of these organizations, you need CMMC compliance. We know this ecosystem — and we know the IT requirements these primes demand of their Tier 2 and Tier 3 suppliers.

  • Boeing (Anaheim, CA): Defense, Space & Security — Phantom Works, rotorcraft, weapons systems
  • Northrop Grumman (Redondo Beach, CA): Aeronautics, space systems, B-21 Raider stealth bomber prime contractor
  • Raytheon Technologies (El Segundo, CA): Missiles & Defense, radar systems, electronic warfare solutions
  • L3Harris Technologies (Los Angeles, CA): Communication systems, ISR platforms, space & airborne systems
  • SpaceX (Hawthorne, CA): Launch systems, Starlink, DoD national security space launches
  • The Aerospace Corporation (El Segundo, CA): FFRDC — National security space systems technical guidance and oversight
  • General Atomics (San Diego, CA): UAV systems (Predator/Reaper), nuclear technologies, defense electronics
  • Lockheed Martin (San Diego, CA): F-35 components, naval systems, fleet sustainment and logistics

Tier 2 & Tier 3 Supply Chain Compliance

CMMC compliance flows down the supply chain. When a prime contractor like Northrop Grumman or Boeing wins a DoD contract requiring CMMC Level 2, that requirement cascades to every subcontractor who handles CUI — including your company. There are no size exemptions. IT Center specializes in bringing Tier 2 and Tier 3 suppliers into full compliance before contract award deadlines. Our flat-rate $300/computer user/month model means you know exactly what compliance-ready IT costs — no surprise invoices as your assessment date approaches.

  • 110 NIST SP 800-171 controls actively managed
  • 90 Days to CMMC Level 2 readiness — typical timeline
  • 24/7 AI-powered monitoring of your CUI environment
  • 168+ Hours saved per audit cycle with our SSP

Common Questions

Frequently Asked Questions

Everything you need to know about CMMC, ITAR, and compliance-ready IT for aerospace and defense contractors in Southern California.

CMMC Level 1 covers 17 foundational cybersecurity practices and is required for contractors that handle Federal Contract Information (FCI) — basic contract data that doesn’t qualify as CUI. Level 1 allows annual self-assessment with affirmation by a senior company official. CMMC Level 2 encompasses all 110 practices from NIST SP 800-171 and is required for contractors handling Controlled Unclassified Information (CUI). Level 2 for prioritized acquisitions requires a triennial third-party assessment by a C3PAO (Certified Third-Party Assessment Organization). Level 2 also mandates a System Security Plan, a Plan of Action & Milestones, and submission of your SPRS score to the DoD PIEE portal. If your contracts involve technical drawings, specifications, or other defense-related sensitive information, you almost certainly need Level 2.
Yes — CMMC requirements flow down the supply chain. If a prime contractor’s DoD contract includes a DFARS 252.204-7021 clause requiring CMMC certification, the prime must flow that requirement down to every subcontractor that will process, store, or transmit CUI or FCI on the program. There are no exceptions for company size. A five-person machining shop supplying aerospace components can be just as subject to CMMC requirements as a 500-person electronics manufacturer. The level required depends on the nature of the information handled — not the size of your business. If you’re a Tier 2 or Tier 3 supplier to any Southern California defense prime, contact IT Center immediately. The clock on compliance starts at contract award — not when you feel ready.
The formal C3PAO assessment itself typically takes two to five business days of active review for a medium-sized contractor. However, preparing for that assessment — achieving the compliance posture that will actually pass — is an entirely different timeline. For organizations starting from scratch with no prior NIST 800-171 implementation, IT Center’s typical engagement runs 60 to 120 days depending on the complexity of your environment and how many control deficiencies exist at baseline. We compress this timeline through parallel workstreams and dedicated compliance engineering. Most clients can submit an improved SPRS score within 30 days of engagement start, with full C3PAO readiness achieved within 90 days for straightforward environments.
Controlled Unclassified Information is any information the Government creates or possesses — or that an entity creates or possesses on behalf of the Government — that a law, regulation, or Government-wide policy requires safeguarding or dissemination controls. In aerospace and defense contexts, CUI most commonly appears as controlled technical information (CTI) such as technical drawings, specifications, and engineering data; export-controlled data subject to EAR or ITAR; and information covered by DFARS 252.204-7012. IT Center conducts a CUI discovery exercise as part of every engagement — mapping your data flows, reviewing file shares and cloud repositories, and classifying information against the CUI Registry categories maintained by the National Archives. This scoping work defines your compliance boundary and directly determines the cost and complexity of your CMMC implementation.
ITAR absolutely applies to IT systems. The regulations govern “defense articles” — which include technical data — and “defense services.” Technical data is broadly defined to include information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. This covers CAD files, engineering drawings, specifications, test results, and source code related to a controlled defense article. Your file servers, cloud storage, email systems, and engineering workstations that touch this data must be configured to prevent unauthorized foreign nationals (including employees who are not U.S. persons) from accessing it. ITAR violations are strict liability in many cases — intent doesn’t matter. IT Center implements technical controls — access restrictions, encryption, audit logging, and endpoint controls — that satisfy ITAR’s effective controls standard for your IT environment.
Yes. IT Center guides you through the complete SPRS submission process. We perform the scored assessment of your 110 NIST SP 800-171 controls using DoD’s point-weighted methodology (where each control carries a specific negative point value if not met, and a perfect score is 110). We calculate your total score, help prepare the supporting System Security Plan, and walk your team through submission in the DoD PIEE (Procurement Integrated Enterprise Environment) portal under the Supplier Performance Risk System module. We also help you establish a cadence for updating your score as remediation milestones are completed, so your SPRS record accurately reflects your improving compliance posture. Submitting an inaccurate SPRS score can create False Claims Act exposure — accuracy matters as much as speed.
A failed C3PAO assessment means you have not achieved the required CMMC level and cannot be awarded or continue performance on contracts requiring that certification. The C3PAO will issue a Final Assessment Report identifying deficient practices. You will need to remediate those deficiencies and undergo a follow-up assessment — at additional cost and with delay. For contractors mid-performance on an existing contract, failure can trigger a cure notice from the contracting officer. The best defense is never taking a formal assessment until you are ready. IT Center’s pre-assessment readiness review replicates the C3PAO assessment methodology — we find the gaps before the assessors do, remediate them, and only recommend scheduling the formal assessment when your environment will pass. We have never had a client fail a C3PAO assessment after completing our full readiness program.
Get Started

Start Your CMMC Assessment Today — Before Your Next Contract Requires It

IT Center has guided aerospace and defense contractors through CMMC, ITAR, and DFARS compliance since 2012. Our flat-rate $300/computer user/month model means compliance-ready IT with no surprise invoices and no per-ticket billing. Let’s find out where your SPRS score stands today.

1159 Pomona Rd Suite B, Corona, CA 92882
Response within 2 business hours — Mon–Fri 8am–6pm PST  |  Emergency: 24/7/365

Request Your Free CMMC Gap Assessment