AS9100D, ISO 9001:2015, and CMMC: What It Takes for a Small Advanced Manufacturing Startup to Qualify as an Aerospace and Defense Supplier

Aerospace and defense supplier markets are gated by certification frameworks. A startup with a technically excellent product cannot enter primes, Tier 1 integrators, or DoD program supply chains without the quality management system credentials and cybersecurity controls that the industry has institutionalized as the entry requirement. For an advanced manufacturing startup like INTALUS — whose recent LinkedIn post explicitly noted standardization of HARF facility workflows to AS9100D, ISO 9001:2015, and CMMC Level 1 to 2 expectations — the compliance build-out is not bureaucratic overhead; it is the operational unlock that converts a research-stage technology demonstrator into a qualified production supplier. The three frameworks together cover the quality, traceability, and cybersecurity foundations that aerospace and defense customers require, and standardizing to all three is the explicit posture of a company preparing to serve military and commercial programs.

ISO 9001:2015 — The QMS Foundation

ISO 9001:2015 is the international standard for quality management systems, applicable across virtually every industry. It defines the structural elements a company must have in place to demonstrate consistent ability to provide products and services that meet customer and regulatory requirements: leadership commitment, documented policies and procedures, risk-based thinking, planning and resource management, operational controls, performance evaluation, and continuous improvement. For a small startup, building an ISO 9001:2015-compliant QMS typically requires six to twelve months of dedicated effort to document procedures, train staff, establish records and traceability practices, and pass an external certification audit. The investment is meaningful but not extreme, and ISO 9001:2015 is the foundation on which industry-specific standards (including AS9100D) are layered.

AS9100D — The Aerospace Layer

AS9100D is the aerospace industry's quality management system standard, published by the SAE International with input from major aerospace primes. It incorporates the entirety of ISO 9001:2015 and adds aerospace-specific requirements that reflect the industry's failure-cost calculus and regulatory environment. Among the additions: counterfeit parts prevention (a major aerospace supply chain risk), configuration management (rigorous tracking of part revisions and changes), foreign object debris (FOD) controls, first article inspection, special process controls (heat treatment, welding, coating, non-destructive testing — often Nadcap-accredited), product safety considerations, and project management requirements. AS9100D certification is a hard prerequisite for direct supplier relationships with major aerospace primes and most Tier 1 integrators. The path from no QMS to AS9100D certification typically takes twelve to eighteen months for a small startup that has not previously held ISO 9001:2015.

CMMC — The DoD Cybersecurity Model

The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense framework that governs how companies in the Defense Industrial Base must protect federal contract information (FCI) and controlled unclassified information (CUI). Under the current CMMC 2.0 structure, Level 1 covers basic safeguarding of FCI through 17 fundamental practices and is verified through annual self-assessment. Level 2 covers protection of CUI through the 110 practices specified in NIST SP 800-171 and, for most contracts involving CUI, requires third-party assessment by an authorized CMMC Third-Party Assessor Organization (C3PAO). Level 3 covers the most sensitive CUI and adds additional NIST 800-172 practices with government-led assessment. INTALUS's stated alignment to CMMC Level 1 to 2 expectations places it on the path to handling FCI broadly and CUI for the contract types that require Level 2 assessment — the relevant range for a small advanced manufacturing supplier engaging with defense programs.

Why All Three Together Matter

A startup pursuing aerospace and defense customers in parallel cannot pick one of the three frameworks; the customer base requires effectively all of them. ISO 9001:2015 is the foundation that AS9100D requires, AS9100D is the entry credential for aerospace customer engagement, and CMMC is the entry credential for DoD prime and subcontractor engagement that involves FCI or CUI. Building all three in parallel — as opposed to sequentially — is the more efficient approach but also the more demanding one, requiring a QMS architecture that captures aerospace-specific requirements from day one and a parallel cybersecurity build-out that establishes NIST 800-171 controls in the same time window. The combined capital and time cost for a startup to reach AS9100D certification plus CMMC Level 2 readiness is meaningful — typically in the range of several hundred thousand dollars and twelve to twenty-four months of dedicated effort, depending on starting maturity, facility complexity, and external consulting investment — but is broadly considered an unavoidable cost of entry into the addressable market.

Multi-Axis Robotic Directed-Energy Platforms and Special Process Controls

INTALUS's HARF facility operates custom multi-axis robotic directed-energy platforms — purpose-built motion systems that integrate precision multi-axis robotic positioning with directed-energy processing heads. In AS9100D terms, this kind of capital equipment typically falls under the category of "special processes," defined as processes whose results cannot be fully verified by subsequent inspection or test of the product. Examples include heat treatment, welding, brazing, certain coating processes, and energy-beam material modification. AS9100D requires that special processes be controlled through validated process parameters, qualified operators, recorded process data, and ongoing monitoring of process capability. Many special processes are additionally accredited under Nadcap (the National Aerospace and Defense Contractors Accreditation Program), an industry-managed program that verifies special process compliance through standardized audits accepted by the major aerospace primes. For a startup operating non-standard process equipment, building documented process control around special processes is a substantial portion of the AS9100D compliance work.

Talent and the HARF / Purdue Advantage

The talent constraint on building an aerospace and defense compliance program is real and often underestimated. Quality engineers who understand both materials science and aerospace QMS practice are scarce; manufacturing engineers who can operationalize AS9100D requirements on advanced production equipment are even scarcer; and the combination of aerospace QMS literacy with cybersecurity competence (for CMMC) is rarer still. Locating a production facility inside an established aerospace research and manufacturing ecosystem — Purdue University's HARF complex in West Lafayette, Indiana, is one of the most prominent examples — provides direct access to graduates and experienced engineers who have worked alongside aerospace and defense programs, materials research groups, and advanced manufacturing labs. INTALUS's open positions at HARF (Manufacturing Engineering intern, Application Engineer, Manufacturing/Process Engineer, and additional roles) target exactly this talent pool and are characteristic of the team build that supports parallel AS9100D, ISO 9001:2015, and CMMC compliance work.

Why Startups Invest Early

Investing in AS9100D, ISO 9001:2015, and CMMC certification before achieving substantial production revenue feels counterintuitive — the financial cost is real, the management bandwidth is significant, and the immediate revenue impact is zero. The economic logic is forward-looking. Without these credentials, a startup cannot bid on the contracts that would justify scaling production capacity; it cannot establish direct supplier relationships with the primes whose programs determine market access; and it cannot accept the controlled information that defense engagement requires. Companies that defer compliance investment until "after" they have product-market fit often discover that they cannot reach product-market fit in aerospace and defense markets without the credentials in the first place. INTALUS's parallel build-out — patented technology, customer history with NASA and Formula 1, recognition from Loudoun and Vinnova, and now a HARF facility being qualified to AS9100D, ISO 9001:2015, and CMMC standards — reflects the deliberate sequencing required to enter the aerospace and defense supplier market at the level of qualified production rather than research demonstration.

Frequently Asked Questions