As you may already know, the next version of AS9100 is being rebranded as “IA9100” and will add a new clause on “information security,” i.e., cybersecurity. This is problematic for a whole lot of reasons, so I will just pick the top three.

Not Gonna Work

The move comes as cybersecurity threats increase, yes, but the panic over them is decidedly not commensurate with the threat. It’s being driven largely by cybersecurity consulting firms who want to use FUD to sell their wares, and the notoriously misanthropic, smug, poorly-bathed, and frankly irritating crowd of Chief Information Security Officers (CISOs) who see the terror of “cyber attacks” as a way to force their way into the hearts and minds of the CEOs they so pathetically envy. (Pro tip: this desperate, sweaty tactic makes the CEOs hate you more.)

The ridiculous irony is that all the cyber protections, hardening, and “controls” demanded by schemes like the NIST frameworks, ISO 27001, CMMC, SOC 2, etc., are defeated nearly instantly every time a dumb employee clicks a link in an email. Phishing via simple email scams remains the most prevalent (and most successful) way attackers get in, but you can’t sell millions of dollars in books and seminars and subscription-based “off premises” solutions if you focus on this obvious fact.

So the very first problem with the inclusion of cybersecurity in IA9100 is that it comes from a very poor motivation: “cybersecurity is hot right now.” That’s the same reason ISO 9001 added risk in 2015 and climate change in 2024: not because ISO did a study on the need to shoehorn these off-topic concepts into a quality management system standard, but because someone told them they could sell more standards if they hitched their star to these hot-button ideas. Now, AS9100 will do the same with cyber, because CISOs and cyber consultants temporarily have its authors’ ear. I call this the “Oh, look! A squirrel!” school of standards development.

CB Auditors Are Not Qualified

The next problem is the most obvious, yet it is being ignored entirely. Aerospace QMS auditors have no credentials or qualifications to audit cybersecurity in the first place. But 24 hours after IA9100 is released, they will be expected to be cyber experts capable of performing objective and impartial audits of each aerospace company’s information security management system. Worse, they will be writing nonconformities against whatever their pea-brains might view as a potential weakness, and then dangling companies’ IA9100 certifications over them if they don’t respond properly.

Now, because Probitas is an SAE and IAQG partner, yes, they will probably force every IA9100 auditor to undergo special (and expensive) “re-authentication training” that includes 15 minutes on how to audit information security management systems. But that’s just a scam; the training isn’t good, it’s only there to shove money into the pockets of Probitas, SAE and IAQG higher-ups. Don’t believe it? See the recent mandatory AS9101 training forced onto auditors, even as IAQG ignores enforcement of that standard as a matter of unspoken, but universal, policy.

Abandon Ship, Y’all

Finally, there’s the fact that adding a complex, expensive, and largely performative requirement like cybersecurity to an aerospace quality standard will have the opposite of the intended effect. More companies will drop their AS9100 entirely rather than upgrade to IA9100. That means a reduction in quality and no improvement at all related to cyber.

The same is true of all the other performative additions planned: ethics, “quality of work life,” worker safety, climate change, etc. All of these are important issues covered by other standards and, better yet, actual laws. By dumping them all into ISO 9001 and IA9100, they are reduced to name-dropped soundbites, ensuring they don’t get the actual attention they need.

It’s already an industry joke that quality managers also have to manage health, safety, and environmental management under the ridiculous Swiss Army knife title of “QHSE Manager” (why hire four people when you can find one guy to do it all for less than a single full salary?). Now those same guys are going to have to be experts in cybersecurity, ethics, and human resources management, too.

The bigs, like Boeing and RTX / Raytheon, think they can continue to bully their supply chain into adopting IA9100, but the reality is that the number of waivers issued by those same companies is increasing. Suppliers simply push back and tell them they can’t implement these increasingly onerous and expensive certification requirements without raising prices. If you want to see an aerospace prime pull a requirement out of their contract quick, tell them you have to jack up your per-piece price to compensate.

And, by the way, you should. I mean, what is the Department of Defense gonna do, buy from China?

But there are no big thinkers on any of these committees, so you can fully expect them to continue on this ridiculous, self-defeating path. If there is one truism in the QMS certification world, it is that the quality of standards decreases exponentially with the number of consultants who write them.
