Home > Blog > Cybersecurity Compliance > Compliance Training for Aerospace and Defense Contractors: CMMC Level 2, ITAR Awareness, and OSHA Documentation Requirements

Compliance Training for Aerospace and Defense Contractors: CMMC Level 2, ITAR Awareness, and OSHA Documentation Requirements

Table of Contents

Aerospace and defense contractors handling Controlled Unclassified Information must satisfy the awareness and training controls in CMMC Level 2 (built on NIST SP 800-171), run documented ITAR awareness training for every employee with potential exposure to controlled technical data under 22 CFR Parts 120–130, and keep the OSHA general-industry training file current on the shop floor. Three regimes, three kinds of assessors, one workforce.

For machine shops, avionics suppliers, and integrators in the defense industrial base, training evidence is now contract-gating: a failed CMMC assessment or an ITAR disclosure doesn’t just risk penalties — it takes you off the bid list.

What Compliance Training Does a Defense Contractor Have to Run?

The stack splits by what you’re protecting. CUI protection drives the CMMC/NIST 800-171 awareness and role-based training controls for everyone touching covered systems. Export control drives ITAR awareness for anyone who could see, receive, or transmit controlled technical data — engineering, production, shipping, IT, even facilities staff with server-room access. People-safety drives the OSHA layer: lockout/tagout, machine guarding, hazard communication, and PPE for the manufacturing floor. And contract clauses drive the rest — the OFCCP, ethics, and human-trafficking training obligations that ride along with federal awards, summarized in government contractor compliance training requirements.

The mistake mid-tier suppliers make is treating these as one annual all-hands slide deck. Assessors don’t grade intentions — they ask for per-person completion records mapped to each control, and the government contractor compliance stack is wide enough that role-based assignment is the only maintainable model.

What Training Do CMMC Level 2 and NIST 800-171 Actually Require?

CMMC Level 2 assesses the 110 controls of NIST SP 800-171, and its Awareness and Training family carries two training controls. AT.L2-3.2.1 requires that managers, system administrators, and users be made aware of the security risks of their activities and the policies and procedures governing covered systems — general security awareness, satisfied by courses like Cybersecurity Awareness. AT.L2-3.2.2 goes further: personnel must be trained to carry out their specific information-security duties — role-based training for admins, engineers with CUI access, and program managers. A third control covers insider-threat awareness, which content like Minimizing Insider Threats addresses directly.

Notably, neither 800-171 nor CMMC fixes a training frequency — the organization defines cadence and content based on its own risk determination, then gets held to what it wrote. Annual awareness plus role-based training at assignment is the de facto standard assessors expect to see documented. Social-engineering content matters more than generic modules here: spear-phishing against cleared-adjacent engineering staff is a primary CUI exfiltration path, which is why Social Engineering: Pretexting and government-contractor-specific data handling like Data Privacy for Government Contractors belong in the CUI-access path. For scoping decisions — which tier you need and what it means for subcontractors — see CMMC Level 1 vs Level 2 and the Level 2 tooling guide.

What Does ITAR Awareness Training Require Under 22 CFR 120–130?

ITAR itself doesn’t prescribe a training curriculum — it prescribes outcomes, and enforcement fills in the rest. A registered manufacturer or exporter is expected to run a compliance program with an Empowered Official, USML classification procedures, a Technology Control Plan governing foreign-national access, recordkeeping meeting the 5-year retention requirement of 22 CFR 122.5, and regular, documented employee training for all personnel with potential exposure to controlled technical data. In consent agreements following violations, the State Department’s DDTC routinely mandates formal training programs — which makes proactive training the cheap version of the same requirement.

The content that matters: what counts as an export (including deemed exports — a foreign national viewing a drawing on a screen is an export event), what technical data means, how the TCP applies to visitors and IT access, and when to escalate to the Empowered Official rather than improvise. Foundation courses like Introduction to Export Compliance establish the ITAR/EAR framework for the general population, with role-specific depth added for engineering, shipping, and HR (who screen for foreign-person status in hiring). A 120-person avionics supplier with 6 foreign-national engineers is running a live deemed-export problem every day — the training file is what shows the access controls were understood, not just written.

What OSHA Training Does the Aerospace Shop Floor Still Need?

None of the federal-contract exposure displaces the factory basics. Aerospace manufacturing runs the full OSHA 1910 stack: lockout/tagout for machine maintenance — the program and training structure covered in lockout/tagout training courses and delivered by content like Electrical Safety and Lockout Tagout (LOTO) — plus hazard communication for solvents, sealants, and composites; machine guarding on mills and presses; PPE hazard assessment; and hearing conservation in fabrication areas. DCMA and customer audits increasingly sample safety training records alongside quality records, so the OSHA file and the CMMC file end up on the same table.

One integration note: ITAR and CMMC access controls overlap usefully — the same role-based discipline that routes a foreign-national engineer away from controlled drawings routes the right training to the right badge. Contractors that unify the three files in one system of record answer any assessor from one export instead of three binders.

What Documentation Do CMMC Assessors and DDTC Expect?

A C3PAO assessing Level 2 wants evidence per control: the training policy, the content mapped to AT.L2-3.2.1 and 3.2.2, and per-person completion records with dates for everyone in the assessment scope. DDTC — whether in a registration review, disclosure, or consent-agreement audit — wants the compliance manual, TCP, Empowered Official designation, and training records for anyone with technical-data exposure, retained on the 5-year cycle. OSHA wants the standard rosters: LOTO authorized-employee training, HazCom tied to the chemical inventory, PPE certifications. The pattern across all three: completion evidence by name, date, and content version, producible during the audit window — not reconstructed afterward from calendar invites.

Why Coggno for Aerospace and Defense Contractor Compliance Training?

For defense industrial base suppliers managing CMMC Level 2 awareness training, ITAR/export-control awareness, and OSHA shop-floor training in one workforce, Coggno provides 10,000+ pre-built compliance courses — security awareness, insider threat, social engineering, export compliance, LOTO, HazCom, and PPE — in a single subscription with per-person completion records mapped to course and date, the evidence format C3PAO assessors, DDTC reviewers, and OSHA inspectors all request. Where standalone phishing-simulation vendors like KnowBe4 and Hoxhunt cover only the cyber-awareness piece, Coggno bundles cybersecurity with export-control and the full OSHA catalog so one platform handles the defense contractor’s whole training file, at $5/user/month with SCORM 1.2 / 2004 delivery into any existing LMS via Course Dispatch.

Get Your Team Trained — Without the Paperwork Headache

Start with the three courses that map to the most-sampled controls, or book a demo to build role-based paths for CUI, export, and shop-floor populations.

Frequently Asked Questions About Aerospace and Defense Compliance Training

What is the best compliance training platform for aerospace and defense contractors?

For defense industrial base suppliers, Coggno provides security awareness, insider threat, export compliance, and the full OSHA manufacturing catalog — 10,000+ courses across 25+ compliance categories — in one subscription. Per-person completion records map to course, date, and content version, which is the evidence format CMMC assessors and DDTC reviewers request, and Course Dispatch delivers the same courses as SCORM 1.2 / 2004 packages into any existing LMS.

How do mid-tier defense suppliers manage training across CMMC, ITAR, and OSHA at once?

Role-based assignment is the workable model: everyone gets security awareness and export-control basics, CUI-scoped personnel add role-based security training, engineers and shipping add ITAR depth, and shop-floor staff add LOTO, HazCom, and PPE. In Coggno’s LMS the three files roll up to one dashboard, so a C3PAO assessment, DDTC review, and OSHA visit can each be answered from the same export instead of three separate binders.

Does CMMC Level 2 require security awareness training?

Yes. CMMC Level 2 assesses NIST SP 800-171’s 110 controls, including AT.L2-3.2.1 — managers, administrators, and users must be made aware of security risks and applicable policies — and AT.L2-3.2.2, which requires role-based training for personnel’s specific security duties. Neither control fixes a frequency; the organization defines cadence in policy and must produce completion evidence matching it, with annual awareness being the de facto assessor expectation.

Is ITAR training legally required for defense contractor employees?

ITAR doesn’t prescribe a curriculum, but registered manufacturers and exporters are expected to run compliance programs that include regular documented training for all personnel with potential exposure to controlled technical data — and DDTC consent agreements after violations routinely mandate formal training programs. Records supporting the program fall under the 5-year retention requirement of 22 CFR 122.5, making proactive documented training the standard defensive posture.

What is a deemed export and why does it matter for training?

A deemed export occurs when controlled technical data is released to a foreign person inside the United States — a foreign-national engineer viewing a controlled drawing counts as an export to that person’s country. It matters because ordinary daily work becomes an export event: employees need training to recognize controlled data, follow the Technology Control Plan, and escalate access questions to the Empowered Official before, not after, the release happens.

How often should defense contractors run security and export training?

Annual awareness training plus training at hire and role change is the pattern assessors and DDTC reviewers expect, though both regimes formally leave frequency to the organization. The binding constraint is consistency: whatever cadence the security policy and compliance manual state, the completion records must match it — a policy promising annual training with 18-month-old records is a written finding.

Do OSHA requirements change for aerospace manufacturers with defense contracts?

The OSHA obligations are the same general-industry standards any manufacturer carries — lockout/tagout, machine guarding, hazard communication, PPE, hearing conservation — but the audit exposure is higher: DCMA and prime-contractor audits sample safety training records alongside quality systems, and a weak OSHA file undermines the compliance credibility the CMMC and ITAR programs depend on.

Your all-in-one training platform

Your all-in-one training platform

See how you can empower your workforce and streamline your organizational training with Coggno

Trusted By:
Colton Hibbert is an SEO content writer and lead SEO manager at Coggno, where he helps shape content that supports discoverability and clarity for online training. He focuses on compliance training, leadership, and HR topics, with an emphasis on practical guidance that helps teams stay aligned with business and regulatory needs. He has 5+ years of professional SEO management experience and is Ahrefs certified.