Keystone Aerospace LLC — CMMC Case Study

Overview

Company profile, mission, contracts summary and key facts

Company: Keystone Aerospace LLC (CAGE: 6KZ12). Keystone designs, manufactures, and integrates avionics, flight controls, and sustainment services for fixed-wing military platforms. Founded 1998. Headquarters: Wichita, KS; Secondary sites: Huntsville, AL; San Diego, CA.

Employees: 14,563 | Annual Revenue: $240M | Active Contracts: 23.

Primary Products & Services

Flight-control actuators & servo systems
Avionics integration & mission computing
Airframe structural components & sustainment
Systems engineering and field support

Export Controls & CUI Categories

ITAR: Defense articles related to flight controls and avionics; EAR: dual-use electronics (ECCN 3A991). Licensing required for international transfer; DSP-5/TAA likely for some suppliers.

Mapped categories from active contracts: Technical Data — c_001,c_004,c_007,c_010,c_014,c_019; Export Controlled Tech Data — c_002,c_005,c_008,c_014,c_018; Maintenance Records — c_003,c_009,c_015,c_020; Operational Data & PII — c_012; Proprietary Manufacturing Data — c_013; SBOM & Builds — c_019; Research Data — c_021.

Contracts (sample)

Contract #	Prime	Description	CUI	Export
W56-FA-2001	USAF	Flight Control Computer Integration & Test	CUI: Technical Data	ITAR
N00019-21-C-3001	USN	Avionics Mission Computer Subsystems	CUI: Export Controlled Tech Data	ITAR / ECCN 3A991
FA8650-24-C-0050	AFLCMC	Sustainment & Field Service Support for legacy control surfaces	CUI: Maintenance Records	EAR
W91CRB-25-C-1100	US Army	Flight control actuator prototype supply	CUI: Technical Data	ITAR
HQ0147-22-D-2001	DARPA	Avionics experimental mission computer integration	CUI: Export Controlled Tech Data	ITAR / ECCN 3A991
FA8620-23-C-4002	AFLCMC	Mission computer sustainment and patch management	CUI: Maintenance Records / Technical	EAR
N68335-22-C-9004	USN	Integration of sensor-fusion modules	CUI: Technical Data / Proprietary	ITAR / ECCN 3A991
FA8219-25-D-0001	SOCOM	Special mission avionics retrofit kits	CUI: Export Controlled Tech Data	ITAR

Position: upper-left

IT Environment

Asset inventory, systems, cloud/on-prem split

Asset Inventory

Asset ID	Name	Type	Owner	Location	Sensitivity
AS-0001	Prod ADSP Build Server	Server (On-prem)	Engineering IT	Wichita, Data Center	CUI: Technical
AS-0102	Design Workstations	Endpoint	Aero Eng	Huntsville Lab	CUI: Technical
AS-0203	ERP / Finance	SaaS (Cloud)	Finance	Cloud (US)	PII / Sensitive

Systems & Services

On-prem VMware cluster hosting build/test environments (Wichita)
Azure Gov tenancy for subcontractor collaboration
Enterprise SSO (SAML) with AD
SIEM: Elastic Stack (90-day retention)

Network & Infrastructure Details

Internal VLANs: 12 (Prod, R&D, Finance, Labs, DMZ, DevOps/CI, Test, Guest, Mgmt, Voice, IoT, Backup)
VPN Networks: 3 — site-to-site IPSec (Wichita & Huntsville & San Diego), secure client VPN for remote engineers (MFA), and a partner/prime VPN with strict ACLs.
Backup Systems: Veeam-based on-prem backups with encrypted tape vault; nightly replication to Azure Gov snapshots; immutable backup retention for CUI snapshots (1 year).
Wireless: Corporate 802.1X SSID for staff (enterprise certs), separate Guest SSID on Guest VLAN with captive portal; enterprise APs (Aruba/Cisco) centrally managed.
Switches & Access: Cisco Catalyst core (9500) and Catalyst 9300 access switches; distribution switches with PoE for APs and edge aggregation; dedicated management VLAN.
Routers: Router at each site (Cisco ISR series) terminating site VPNs, providing routing (OSPF/BGP as needed) and QoS for critical links.
Firewalls: Palo Alto PA-5220 pair (HA) at primary sites; Palo Alto PA-3220 at smaller locations; NGFW rules with IDS/IPS and SSL inspection.
SOC: Internal SOC (Security Ops) monitoring via Elastic Stack, 24x5 alerting with an on-call rotation and playbooks for DFARS/NIST reporting and incident escalation.
Servers: ~60 virtual servers across sites (build/test ~20, app/web ~10, DB cluster ~6, AD/auth ~4, file/storage/backup ~8, SIEM collectors ~4, management/dev ~8).
Email Systems: Microsoft 365 (Exchange Online) with DLP, conditional access and M365 Defender; on-prem mail gateways used for partner transfer controls and archival.

Position: upper-right

Network Architecture

Keystone operates a segmented network with VLANs for Production, R&D, Finance and an isolated DMZ. Site-to-site IPSec VPNs connect Wichita, Huntsville and San Diego. NGFWs enforce segmentation and a jump host model supports partner access. Backups replicate to encrypted off-site vaults and Azure Gov snapshots.

Design notes

VLANs: 10 Prod, 20 R&D, 30 Finance, 40 Labs
DMZ for partner portal with strict ACLs and transfer jump hosts
Subnets: /22 site clusters, /24 per VLAN
Firewalls: Palo Alto NGFWs with HA

CUI Data Flows

CUI is received via secure prime portals (SFTP), partner web uploads, and controlled email channels with DLP. CUI is staged in the DMZ portal, transferred to on-prem build servers, processed by engineers, and archived to Azure Gov storage. Exports require licensing.

Marking & Resting Points

DMZ partner portal (staging)
ADSP Build Server (processing)
Azure Gov archive (resting)

CUI Data Flow

Security Gaps

Findings (prioritized):

Practice ID	Finding	Severity	Affected System
AC-3 / 3.1.5	Missing RBAC on engineering build server; shared generic accounts	High	ADSP Build Server
AU-2 / 3.3.1	Logging not forwarding critical CUI events to SIEM	High	SIEM / Build Servers
CM-2 / 3.4.2	Baseline configs not enforced on R&D workstations	Medium	Huntsville Workstations
MA-2 / 3.7.1	Maintenance tracking lacks time-bound vendor access	Medium	Vendor Remote Access
IA-5 / 3.5.3	Privileged remote logins not enforced with MFA	High	VPN & Jump Hosts
MP-4 / 3.8.3	Removable media controls are procedural only	Low	Workstations / Labs

Vendor & Third-Party Risk

Supplier	Services	Access Type	SCRM Status
AeroParts LLC	Structural subassemblies	Physical shipments, portal uploads	Level 2 (partial)
NavSys Inc	Avionics sensors	SFTP drops	Onboarding (PCL pending)
CloudGov Solutions	Azure Gov tenancy	Cloud IAM roles	Assessment completed

CMMC Domain Assessment

Ratings: Compliant / Partial / Non-Compliant

Domain	Rating	Notes
Access Control	Partial	RBAC gaps on build servers; MFA partial
Asset Management	Compliant	Inventory maintained
Audit & Accountability	Partial	Logging gaps for CUI
Configuration Management	Partial	Baseline enforcement limited to prod
Identification & Authentication	Partial	Privileged MFA not enforced
Incident Response	Partial	Plan exists; tabletop not executed
Maintenance	Partial	Vendor access controls procedural
Media Protection	Partial	Removable media controls weak
Security Assessment	Partial	Assessment cadence; artifacts missing
System & Comm Protection	Partial	Segmentation present; enforcement gaps

POA&M

Finding	Action	Owner	Target Date	Status
AC-3: RBAC missing on build server	Implement RBAC, remove shared accounts, enforce least privilege	Dir. Engineering IT	2026-07-31	Open
AU-2: Logging gaps	Configure audit forwarding for CUI events to SIEM, increase retention	Security Ops	2026-06-15	Open
IA-5: MFA not enforced for privileged remote logins	Extend MFA to privileged accounts and VPN jump hosts	IT Ops	2026-05-30	Open
CM-2: Baseline configs not enforced	Deploy config mgmt tool, enforce golden images for R&D	Config Mgmt Lead	2026-08-15	Open
MA-2: Maintenance tracking & vendor access	Introduce time-bound vendor accounts and session recording	Ops Manager	2026-07-01	Open
MP-4: Removable media controls lacking technical enforcement	Implement USB control software and enforce encryption	Endpoint Security Lead	2026-06-30	Open

SSP Summary

System Boundary: CUI resides on ADSP Build Server, Azure Gov storage, and select engineer workstations. Boundary includes NGFWs, SSO identity provider, SIEM, and transfer jump hosts.

SSP Evidence Checklist

Artifacts: system boundary diagram, network topology, asset inventory, RBAC matrix, SIEM config, backup details, baselines, vulnerability scans, vendor logs, policies, training records, IR plan, POA&M.

Audit Evidence Log

Finding	Evidence
AC-3	Account lists, RBAC policy, AD exports, interview with Dir Eng IT
AU-2	SIEM config, forwarder settings, sample logs showing CUI access
CM-2	Baseline configs, image manifests, software inventory reports
MA-2	Maintenance tickets, vendor session logs, temporary account rosters
MP-4	Removable media policy, DLP logs, USB allowlist

Scenario Injects

USN Prime submits encrypted dataset; unmarked files observed on R&D workstation — trace flow and update POA&M.
Vendor requests emergency remote maintenance without SCRM attestation — decide controls and evidence.
SIEM detects exfil pattern from engineer workstation to unknown IP — triage and notify prime per DFARS.
Auditor finds unlabeled Azure Gov storage container — reconcile and remediate.