Preparation & Partnership
The Qarbon Aerospace Journey to CMMC Level 2 Certification with Redspin
Qarbon Aerospace, a leading aerospace manufacturer supporting critical defense programs, was the 531st organization out of over 200,000 defense contractors to achieve CMMC Level 2 certification. The company chose Redspin as its CMMC 3rd Party Assessment Organization (C3PAO) for their assessment journey. By proactively completing a mock assessment ahead of their actual certification, Qarbon Aerospace identified areas needing improvement, resolved gaps, and approached their formal assessment with confidence.
Given the high number of organizations seeking CMMC certification (OSCs) and the limited number of assessors, missteps and delays can turn into months of setbacks. Qarbon Aerospace’s proactive decision to simulate the assessment process before undergoing their real assessment paid off. Their journey emphasizes the value of preparation, the importance of partnering with experienced assessors, and the high stakes of skipping readiness in the race for certification.

Who is Qarbon Aerospace?
Our company is a premier manufacturer of cutting-edge composite components and assemblies at all levels of complexity. Our products are installed on the industry’s most advanced commercial and military aircraft. A US-owned company with a global footprint of almost two million square feet of state-of-the-art facilities, Qarbon Aerospace competitively solves the market’s toughest challenges, on time, with “quality assured in every fiber.”
Eric Holloway
In this conversation, Eric Holloway, Chief Information Officer at Qarbon Aerospace, shares his insights and experiences with Redspin and the CMMC assessment process.
Qarbon Aerospace and the Level 2 Certification Decision
Before pursuing CMMC Level 2 certification, how would you describe Qarbon Aerospace’s cybersecurity infrastructure and practices?
Previously, our practices were informal and lacked consistent structure. While our technology capabilities were rapidly evolving and maturing, and in great shape from an implementation standpoint, they often outpaced our ability to apply governance and process discipline. We needed greater focus and rigor to ensure that our policies and documentation reflected the strength of our technical environment. The CMMC process helped us and our leadership team align those two sides—confirming that we not only did the right things but could clearly demonstrate them.
What factors influenced your decision to pursue CMMC Level 2 certification?
There were multiple issues in play. First and foremost, DoD contractor requirements and the DFARS 252.204-7012/7019/7020 helped us determine Level 2 was right for us. We understood that meeting the rigorous Level 2 requirements would provide us with competitive advantage, as well as help us meet supply chain requirements, better manage risk, and significantly improve our cybersecurity posture. Through our strategic forecasting and anticipation of future DoD requirements, we knew pursuing Level 2 was what we needed to do.
Starting on the Assessment Path
Did you have any primary challenges or gaps when beginning your CMMC Journey?
Yes, we had several. We lacked adequate documentation of our cyber processes and procedures. There was also a bit of cultural apathy, as CMMC compliance was often perceived as purely an IT issue, which it is not – it’s an organization-wide initiative. We also had challenges in finding appropriate partners who know DoD Contracting and the requirements for CMMC Level 2.
What led you to choose Redspin as your C3PAO?
Initially, we were referred to Redspin, and immediately after our first meeting, we knew that they were the right fit for us. Redspin’s strong reputation and fair approach were what we were looking for in an assessor. Having been around the “CMMC block” many times, their consistent views into OSCs’ challenges and what is needed to achieve certification conveyed the understanding and expertise we wanted in such an important partnership.
Preparation: The Mock Assessment
Qarbon completed a mock assessment with Redspin prior to the official certification. What was the internal rationale for doing a mock first?
Going through assessment is a major milestone. If you fail, it can take months before you get another opportunity, so we knew it was critical to be as prepared as possible. By completing a mock assessment with Redspin, we were able to identify exactly where our readiness fell short of Level 2 requirements and create a focused plan to close those gaps. This proactive step significantly reduced our risk of failure during the formal assessment.
The process also helped address cultural challenges by deepening our team’s understanding of what was required and why it mattered. The mock assessment validated our interpretations of CMMC Level 2 expectations, confirmed that our documentation and evidence met the standard, and ultimately strengthened our confidence going into the real assessment.
Did your mock assessment provide any key insights or surprises that influenced your preparation?
Yes. We learned that our policies were at times out of synch with configurations or practice. Also, CMMC requires a lot of process documentation, and sharpening ours was quite a heavy lift; the time to produce the evidence of compliance is significant. Fortunately, the mock assessment gave us a concrete understanding of what was needed and a workable approach to get it done. Through that discovery, our team felt an improved ownership of our cyber responsibilities and a greater sense of discipline around our cyber posture.
Given what we learned, had we skipped the mock assessment and gone straight to certification, it’s quite possible we would not have been ready and faced delays in getting over the finish line. But thanks to good preparation and our work with Redspin, we were ready and had the confidence to get through it.
Certification Results & Impact
Has Level 2 certification influenced Qarbon’s approach to continuous cybersecurity improvement?
Yes! The program absolutely influences the maturity of our cyber programs. It enabled our IT team to improve our security and build awareness across the business functions about why this is important and everyone’s role in observing proper cyber practices.
Any words of wisdom for other aerospace and manufacturing companies just beginning their CMMC process?
Continuing to delay your CMMC journey or not being properly prepared for an assessment will likely have an unfavorable impact on existing or new contract awards being delayed or falling out of compliance.
The limited availability of assessors, combined with high demand and frequent assessment failures, has created a significant industry bottleneck. Preparation is critical to success; passing on the first attempt avoids costly delays and rework. Our engagement with Redspin exemplified effective collaboration and a results-driven partnership, focused on shared goals and continuous improvement.
For us, we had a positive and productive experience with Redspin, marked by strong collaboration and a results-oriented approach. The engagement reflected a strong partnering dynamic focused on shared goals and continuous improvement.
Note: Mock vs. Formal Assessment – No Conflict of Interest
Redspin conducted a mock assessment and a formal C3PAO Level 2 certification assessment for Qarbon Aerospace without any conflict of interest.
A mock assessment is a practice run of the certification process—it does not include guidance, remediation support, or consulting. It’s designed solely to simulate the assessment experience and help the organization identify gaps on its own.
By contrast, a gap assessment includes advisory feedback, recommendations, and hands-on consulting, which would create a conflict of interest for a C3PAO Level 2 formal assessment.
Because Redspin’s mock assessment remained an independent, non-advisory simulation, the company maintained full compliance with CMMC conflict-of-interest standards and was able to later serve as Qarbon’s authorized C3PAO for the official assessment.
