
Comparing CMMC with ISO 9000, AS9100, and ISO 27001

In a prior post, we met a business development manager seeking to work with a Department of Defense (DoD) prime contractor. He hoped his company’s AS9100 certification could make up for not having a CMMC Level 2 certification. Clearly, AS9100 alone was insufficient, and his company didn’t get the contract. But what about those other standards—ISO 9000, AS9100, and for that matter, ISO 27001? How do they compare with CMMC?


An Overview of Quality Management and Its Standards

ISO 9001/14001, AS9100, and ISO 27001 are all management system standards, and the first three are quality (or environmental) management standards. Quality management isn't a new idea; it has existed for as long as people have been producing goods and services. Formal quality management systems (QMS) became widely used starting in the 1980s. They help ensure the quality of your products or services by implementing processes and procedures that promote consistency and reduce errors. They also provide assurance of quality to those who might want to work with you, a.k.a. your customers. They might be a prerequisite just to get a meeting with a customer, or to become a supplier or partner. They might even be written into contracts as a requirement.

Quality standards frequently encountered include:

  • ISO 9001 (quality management) and ISO 14001 (environmental management) are well-known and longstanding international standards developed by the International Organization for Standardization (ISO). They define accepted quality and environmental principles, requirements for achieving them, and guidelines on how to meet those requirements. They are not industry-specific and are adaptable to any industry and any realm of business.

  • AS9100 (AS9100D) specifies QMS requirements for aviation, space, and defense organizations. It was developed by SAE International (formerly the Society of Automotive Engineers) and incorporates ISO 9001:2015 in full, adding requirements specific to those industries. This standard concerns the quality and safety of equipment used for aviation, space, and defense.
  • ISO 27001 (ISO/IEC 27001:2022) specifies requirements for an information security management system (ISMS) covering information security, cybersecurity, and privacy protection. It was developed jointly by ISO and the International Electrotechnical Commission (IEC). Like AS9100, it follows the common structure shared by ISO management system standards, but rather than being industry-specific, it is geared toward managing information security, including cybersecurity and the protection of data. It is an area of expertise for CyberNINES, and our services cover ISO 27001 as well as NIST SP 800-171 (the basis for CMMC).

Different but Similar Approaches

ISO- and AS-certified companies, as well as those that have pursued other stringent quality certifications such as IATF 16949 (formerly ISO/TS 16949) Automotive Quality Management or ISO/ASTM 52920:2023 Additive Manufacturing, may have an easier time on their CMMC compliance journey. While CMMC focuses specifically on DoD contractors handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) for the U.S. government, the approach is similar. Each has requirements and guidelines for becoming compliant as well as certified. Each can make your company stronger and provide a competitive advantage over those that lack the certification. Each stresses continuous process improvement. Each requires a rigorous certification process to demonstrate compliance, and certification must be renewed periodically. Any or all of them might be required by contract for one or more of your clients.

On the other hand, ISO 9000, AS9100, and ISO 27001 are internationally agreed-upon standards maintained by standards bodies. Unlike CMMC, which is imposed on DoD contractors by federal regulation, they are not mandated by a government and don't have the force of law; nevertheless, they may be required contractually. Their requirements are more generalized. They all seek to implement processes and improve quality, but if your organization is seeking certification for these standards, you have some flexibility in how the requirements are implemented.

CMMC doesn't replace these international standards; it coexists with them.

There is some synergy between CMMC and these other standards. Their requirements overlap, even if that overlap isn't complete: for example, the documented policies, asset inventories, access controls, and risk management practices built for an ISO 27001 ISMS map closely onto many NIST SP 800-171 practices assessed under CMMC. The effort and expense you put in to achieve one certification will go a long way in helping you achieve another, especially if you plan well. Working with an expert partner such as CyberNINES can help you optimize your efforts.

CyberNINES is the Partner You’re Looking For

Still have questions? CyberNINES has answers, and so much more! Contact us to find out how we can help your company become CMMC certified. You can learn more about our services here.

Next up—some key things to consider as you wait for CMMC rollout
