Defense AM procurement is a different animal. You’re not just buying parts—you’re managing ITAR, CMMC, Nadcap, AS9100, CUI handling, and a compliance stack that disqualifies most shops before the first part ever hits a printer.
The compliance stack is heavier than commercial aerospace. You’re not just managing AS9100 and FAR/DFARS—you’re adding ITAR restrictions, CMMC mandates, Nadcap qualification, CUI handling procedures, and often special security agreements. AM isn’t yet mature across the defense industrial base. There are qualified shops, but not many. Pick the wrong one and you’ve got a serious problem plus a schedule slip.
Design for AM is still evolving in defense programs. Your prime contractor may ask you to qualify designs that were never built additively before. Supply chain visibility is critical—material traceability, powder management, build records, and post-processing all have to be documented. You can’t just call a shop and say “can you make this?” You need to know their entire compliance posture before you place an order.
ITAR restricts the export of defense-related technical data—designs, specifications, manufacturing processes, even conversations about how to make the part. Your AM supplier’s facility must be U.S.-owned and controlled under ITAR’s specific definitions. Access to technical data must be controlled, and data storage and communication must be secure. No floating around in unsecured cloud accounts.
Are they registered with the State Department? Who has access to technical data—can they list by name the employees who will touch your files? How do they store and transmit controlled data? Do they have a formal ITAR compliance officer? Have they ever been audited by the State Department or DCSA? If they get vague or push back on these questions, don’t share your data with them.
If your AM supplier outsources any work—heat treat, machining, inspection—that facility also needs to be ITAR-compliant. You can’t assume the subcontractor is handled. Ask for a list of all subcontractors and their ITAR status. If they’re evasive, that’s a problem.
CMMC is now mandatory for most defense contractors and cascading down to suppliers. Level 1 covers basic cyber hygiene—password policies, firewalls, antivirus. Level 2 adds encrypted storage, network segmentation, incident response, and formal procedures. Level 3 is significantly more rigorous with continuous monitoring and supply chain risk management. Most AM suppliers handling CUI need at least Level 2.
When you share technical data with a supplier, you’re asking them to handle it securely. If they’re CMMC-certified, a third party has verified their systems actually meet standards. If they’re not certified, you’re assuming the risk. For anything with CUI or sensitive design data, that’s not acceptable. Ask for their certification level, their timeline if they’re pursuing it, and who manages cybersecurity internally.
AS9100 is the aerospace and defense quality management standard—configuration management, traceability, foreign object detection. Nadcap goes deeper. It’s a third-party accreditation where technical experts audit your supplier’s specific competency in additive manufacturing. Nadcap auditors review build files, inspect equipment, analyze material handling, and observe actual builds. Many large primes now require both.
Ideally, you want both: AS9100 for quality system discipline and Nadcap for technical competency in AM. Getting Nadcap-accredited takes 6–12 months minimum. If your supplier is pursuing it, ask when they expect to achieve accreditation. If they say “next month” and haven’t started, they’re not serious.
ITAR-registered. AS9100-certified. Nadcap-accredited for metal AM or actively pursuing with a clear timeline. Full material traceability and documentation capability. Verifiable experience with defense programs and references available. If they can’t check these boxes, they’re not ready for your program.
CMMC Level 2 or higher. CUI security plan in place. In-house post-processing capability or vetted subcontractor relationships. Formal FAI and design review procedures. Willingness to undergo security agreement and facility audit. Find a vendor that hits the non-negotiables plus most of these, and you’ve found a good partner.
“We can get certified” is not the same as “we are certified.” Don’t hold up your program waiting for someone to probably get Nadcap. Verify subcontractors meet requirements—that’s on you, not just your supplier. Don’t treat AM like traditional manufacturing; it has different failure modes and documentation requirements. And don’t accept overly aggressive lead times. A supplier who promises unrealistic timelines is setting you up for failure.
You’ve done the compliance homework. We work with certified AM facilities that already understand defense procurement—ITAR, Nadcap, AS9100, the whole stack. One partner. One PO. That’s how defense AM should work.
Request a Quote