Smithers provides several certification services to manufacturers and suppliers in the Aerospace and Defense industry. Because these industries emphasize quality, accuracy, reliability, and confidentiality, certifications are of high importance. Why work with Smithers as you pursue the certifications your organization needs? The prime benefit for an organization working in Aerospace or Defense is that Smithers can offer continuous assessments. This means as a single certifying body, we can help you build one certification on top of another without needing to start the certification process from scratch every single time. Given the time and investment it can take to find a certifying partner you trust, this is a significant advantage.

Smithers also ensures companies working in these sectors that the relationship is more important than benefits to Smithers itself. Our auditors are focused on relationships, and working with the same company over several processes and over a muti-year process will also provide you with pricing predictability and process stability.
Aerospace and Defense manufacturers have many certifications to consider and sometimes it is difficult to ascertain which ones your organization needs to pursue. With in-depth knowledge of the different standards, Smithers can guide you to what requirements you must comply with. Below is a list of certifications we offer along with information on how some standards overlap with and or/relate to each other.

ISO 9001

Regardless of what industry you work in, the ISO 9001 standard is the logical place to begin your certification journey. Smithers will work with your organization as you begin the ISO 9001:2016 process. Beginning with the ISO 9001 will establish a managerial and organizational framework that will make it easier for your organization to navigate subsequent certifications.


The AS9100 certification is specifically for manufacturers in the Aerospace and Defense industry. If you are just beginning your certification process, it is ideal to begin with ISO 9001 and then build the AS9100 on that framework. A gap analysis between the two standards quickly reveals why. By earning the ISO 9001 certification you are also complying with most facets of the AS9100. Most of the differences are areas where the AS9100 speaks directly to Aerospace and Defense organizations. For example, the requirements section is almost identical, but the AS9100 adds a counterfeit part requirement and a product safety requirement specifically for the Aerospace industry. The leadership section is mostly identical but the AS9100 adds a statement about a management representative being required for critical QM issues. Because Smithers has expertise in both standards, we will be able to navigate your organization toward AS9100 compliance while we build the foundational ISO 9001 process with you. Working with the same company will negate the need to search for a new certifying body as you pursue the AS9100, which also will save time and money.

Need Help?


If your organization is focused on the procurement of materials, parts, and assemblies within the Aerospace industry, the AS9120 is a valuable certification for you. Chronologically, the best time to pursue this certification is after you have the ISO 9001 and the AS9100 under your belt. Just as the AS9100 builds on ISO 9001, the AS9120 builds on both standards with specificities for material procurement. When comparing AS9100 with AS9120, you will notice some key deletions and additions in the 9120 standard. The most significant deletions are from AS9100 section 8 and include operational risk, product safety, testing for design verification/validation, special processes, and production process validation. Definitions added to AS9120 include Certificate of Conformity, Distributor, Splitting, Test Report, and Unapproved Part.


If your company is involved in product maintenance or repair in the Aerospace industry, the AS9120 is not the correct certification to pursue. In this case you need to be certified to the AS9110 standard. Smithers can assist you with this certification as well, so if the AS9110 certification is on your radar, we can incorporate that into your plan.

Ready to Start Your Certification Journey?

Book a Meeting

Certifications Tied to Cybersecurity

ISO 9000 and AS9100 are quality management certifications that cater specifically to the Aerospace and Defense industry. There is one key facet they do not touch which companies in this industry have to be mindful of, and that is CUI. Although CUI is mostly thought of in parallel with cybersecurity, proper CUI protection also involves proper physical storage, access, and security. There are a few different standards tied to this niche area of focus.

ISO 27001

Just as AS9100 builds directly on ISO 9001, ISO 27001does the same. Indeed, ISO 9000 and ISO 27001 are the same except for the Annex A controls in ISO 27001. These controls specify standards relating to cybersecurity principles, but they do not cover the topic of Controlled Unclassified Information, or CUI. Annex A contains fourteen different control families. They cover a wide range of topics including Operations, Communications, and Information Security as well as information accessibility, information management, and more. If you have international customers, ISO 27001 may be mandated because of the GDPR. Even if your customers are not asking that you are compliant now, it can be a good way to showcase your organization’s commitment to information security.

NIST 800-171/CMMC

If you are a contractor or sub-contractor in the Aerospace and Defense industry and you handle CUI, you have very likely heard of NIST 800-171 Rev. 2 and, more recently, Rev. 3. You also have probably been hearing about the Cybersecurity Maturity Model Certification or CMMC. This cluster of requirements has gotten much more attention than ISO 27001, in part because they have been the focal points of much debate over the last few years. Currently, DFARS 252.704.2012 mandates NIST 800-171 Rev. 2 compliance. It is likely Rev 3 and CMMC will be mandated soon (CMMC News: CMMC 2.0 was published as a proposed rule on December 22, 2023).

If you do not handle CUI or if your contract does not specify DFARS 252.704.2012, you do not need to be NIST 800-171 certified at this time. However, if your organization is seeking to grow into the Defense Industrial Base (DIB), now is a good time to begin working toward your NIST 800-171 certification. If your company is ISO 27001 certified, the path to NIST 800-171 compliance will be a little easier. ISO 27001 covers approximately 80-85% of the NIST 800-171 controls. As a C3PAO (Certified Third Party Assessment Organization) candidate, Smithers will be able to help you navigate these certifications in the near future. The path to compliance begins with ISO 9001, and Smithers can help your organization navigate from there. Contact us today to learn more.

Latest Resources

See all resources