Machine Shop Certifications: Which Ones to Get and in What Order

ISO 9001: Start Here

ISO 9001 is the baseline quality management system certification recognized worldwide. It proves your shop has documented processes for production, inspection, purchasing, corrective action, and management review. Nearly every other aerospace and defense certification builds on ISO 9001 as a foundation. If you do not have ISO 9001, get it first. Nothing else makes sense without it.

AS9100: The Aerospace Standard

AS9100 is ISO 9001 plus aerospace-specific requirements: configuration management, risk management, counterfeit parts prevention, special process controls, and first article inspection per AS9102. AS9100 certification is what aerospace primes and tier-1 suppliers look for when qualifying new vendors. It is listed in the OASIS database, which is the first place most aerospace buyers search when sourcing. If you want aerospace work, you need AS9100. The jump from ISO 9001 to AS9100 is significant but manageable because you already have the quality system foundation.

ITAR Registration: Required for Defense

ITAR (International Traffic in Arms Regulations) registration is not a quality certification. It is a legal registration with the Directorate of Defense Trade Controls (DDTC) that allows your shop to manufacture or handle defense articles and technical data. If you machine anything on the US Munitions List, or if your customer requires ITAR compliance, you must be registered. The registration itself is straightforward, but the compliance requirements are serious: physical security, access controls, visitor logs, cybersecurity controls for CUI, and training for all employees with access to ITAR-controlled data. Many shops register early because it is relatively cheap and signals to defense primes that you are serious.

DFARS and NIST 800-171: Protecting Defense Data

DFARS 252.204-7012 requires any contractor handling Controlled Unclassified Information (CUI) to implement the security controls in NIST SP 800-171. This means your IT systems, email, file storage, and network must meet 110 specific security requirements covering access control, encryption, audit logging, incident response, and more. This is not optional for defense contracts that flow down DFARS clauses. Many small shops underestimate the IT investment required. You will likely need to upgrade your email to a CMMC-compliant enclave, implement multi-factor authentication, encrypt all CUI at rest and in transit, and maintain a System Security Plan (SSP) with a Plan of Action and Milestones (POA&M).

CMMC Level 2: The New Compliance Standard

The Cybersecurity Maturity Model Certification (CMMC) Level 2 replaces self-attestation of NIST 800-171 compliance with third-party assessment. If your contracts require CMMC Level 2, a certified third-party assessor (C3PAO) must verify that you have implemented all 110 NIST 800-171 controls. The CMMC rule is being phased into contracts starting in 2025. Shops that have already implemented NIST 800-171 controls are well-positioned. Shops that have not started should begin immediately because the assessment backlog is growing and assessors are limited.

Nadcap: Special Process Accreditation

Nadcap (National Aerospace and Defense Contractors Accreditation Program) accredits specific manufacturing processes: heat treating, welding, non-destructive testing, chemical processing, coatings, and others. Unlike AS9100, which covers your overall quality system, Nadcap audits a single process in depth. If your shop performs heat treatment, NDT, welding on flight hardware, or chemical processing like anodizing or chem film, your aerospace customers will likely require Nadcap accreditation for that process. Nadcap audits are notoriously detailed and the failure rate on first attempts is high. Budget time for a pre-audit gap assessment.

The Recommended Order

For a machine shop starting from zero certifications and targeting aerospace/defense work, here is the practical sequence:

• ISO 9001 first. It is the foundation for everything else and opens doors to commercial work immediately.
• ITAR registration next. It is cheap, fast, and signals defense capability to primes who are looking.
• AS9100 after your ISO 9001 system is mature (at least one full certification cycle). This is what gets you into the OASIS database and qualified with aerospace primes.
• NIST 800-171 / CMMC Level 2 when you are bidding defense contracts with CUI requirements. Start the IT buildout early because it takes longer than people expect.
• Nadcap only if you perform a special process that your customers require accreditation for. Not every shop needs it.

Common Mistakes

The most common mistake is trying to get AS9100 before ISO 9001 is working well. If your quality system is shaky, the AS9100 audit will expose every weakness. The second most common mistake is ignoring CMMC until a contract requires it. By then you are 12-18 months away from compliance and the contract has already gone to a shop that was ready. Third: underestimating Nadcap. Shops that walk into a Nadcap audit without a pre-assessment almost always fail the first time.

What Certifications Actually Do for Your Business

Certifications are a filter. Aerospace primes use them to narrow the supplier pool before evaluating price, lead time, or capability. If you do not have AS9100, your quote does not get read. If you are not ITAR registered, you are excluded from defense RFQs. The certifications themselves do not make you a better shop. They make you a visible shop. The quality system improvements that come from implementing them properly do make you a better shop, but only if you treat the system as a real operating tool and not just an audit prop.