The Question
"We just finished our AS9100 recertification audit with zero minors. Our consultant wants us to buy a completely separate 'CMMC policy pack' for the 14 NIST 800-171 families. How much of our existing quality system actually maps over to these families? Do we really need to start from scratch?"
The Discipline
You do not need to start from scratch, and you should resist buying a parallel policy universe. If you run a mature AS9100 system, you already possess the operating discipline required for the majority of the NIST 800-171 control families.
NIST SP 800-171 Rev. 2 contains 110 security requirements organized across 14 families. Assessment happens requirement-by-requirement, not family-by-family, using the assessment objectives in NIST SP 800-171A. The family-level map below is the starting pattern; your SSP documents implementation requirement-by-requirement.
The clock is running. SPRS has already become the system of record for DoD’s NIST SP 800-171 and CMMC status evidence. For contracts subject to DFARS 252.204-7019 and 252.204-7020, contractors required to implement NIST SP 800-171 must have a current DoD assessment score posted in SPRS. Under the CMMC acquisition rule effective 10 November 2025, applicable solicitations and contracts may also require current CMMC status, CMMC unique identifiers, and annual affirmations of continuous compliance in SPRS. Phase 1 began 10 November 2025 and includes Level 1 Self and Level 2 Self for applicable contracts. Phase 2 begins one year later and adds Level 2 C3PAO requirements for applicable contracts. Phase 3 begins one year after Phase 2 and expands Level 2 C3PAO requirements to all applicable DoD solicitations and contracts, with Level 3 DIBCAC requirements for applicable higher-risk procurements.
When you map a mature quality system against the 14 families, a consistent pattern emerges:
4 Greens: strong QMS operating leverage. These are families where a mature AS9100 QMS already provides substantial operating discipline, though each still needs CUI-specific language and evidence: Awareness & Training, Personnel Security, Physical Protection, and Incident Response (via CAPA extension).
7 Ambers: QMS discipline exists, but cyber implementation must be added. These are families where AS9100 gives you useful management-system muscle, but not enough control implementation by itself: Access Control, Audit & Accountability, Configuration Management, Maintenance, Media Protection, Risk Assessment, and Security Assessment.
3 Reds: genuinely new or mostly technical capabilities. These are families where the shop should expect new technical tools, managed services, or formal IT/security implementation: Identification & Authentication, System & Communications Protection, and System & Information Integrity. This is where you actually need to spend money on technical capabilities — tools or managed services.
Do not let a consultant convince you that information protection is entirely novel. Map what you have. Extend where necessary. Build only what is missing. The map becomes the outline of your System Security Plan — the document a C3PAO works from, structured by the NIST SP 800-171A assessment objectives with cross-references to your quality manual where the discipline is already in place. Building from your existing QMS strengthens the truthfulness of your SPRS affirmation: the requirements you affirm are the requirements you actually implement and evidence.
- NIST SP 800-171 Rev. 2 · Families 3.1 through 3.14; 110 security requirements; System Security Plan requirement at 3.12.4; assessment objectives at NIST SP 800-171A
- NIST CUI SSP Template · Supplemental template for documenting system boundaries, environments of operation, requirement implementation, and system interconnections
- AS9100 Rev D · Clauses 7.1.2 (People), 7.1.3 (Infrastructure), 7.1.5 (Monitoring and Measuring Resources), 7.1.6 (Organizational Knowledge), 7.2 (Competence), 7.5 (Documented Information), 8.4 (Control of Externally Provided Processes), 8.5.6 (Control of Changes), 9.1 (Monitoring, Measurement, Analysis, Evaluation), 9.2 (Internal Audit), 10.2 (Nonconformity and Corrective Action)
- DFARS 252.204-7019 and 252.204-7020 · NIST SP 800-171 DoD Assessment and SPRS score-posting requirements
- DFARS 252.204-7021 and 252.204-7025 · CMMC level requirements, CMMC UID, current CMMC status, and affirmation of continuous compliance
- 32 CFR Part 170 · CMMC Program; Level 2 alignment to NIST SP 800-171 Rev. 2; Level 2 self-assessment and certification assessment requirements; affirmation; scoring methodology