There is no formal, public commitment today that a future AS9100 revision will explicitly add “digital technologies and cybersecurity” as named clauses. However, the direction of travel makes it increasingly likely that future revisions will more directly acknowledge digitalization and cyber risk, at least at the level of expectations for information, configuration, and risk control.
What AS9100 already covers today
Even without explicit “cybersecurity” language, current AS9100 requirements already touch key areas affected by digital systems:
- Documented information control: Digital work instructions, NC programs, routings, and inspection plans must be controlled, versioned, and protected against loss or unintended change.
- Configuration management: Software-driven configurations (CNC programs, PLC/robot recipes, test sequences) fall under configuration control, including change approval and traceability.
- Risk-based thinking: Risks related to system outages, data corruption, unauthorized changes, and loss of traceability can and should be treated as quality and delivery risks.
- Operational planning and control: Use of MES, ERP, PLM, QMS and other digital systems to control operations must be planned, validated where appropriate, and monitored for effectiveness.
In practice, many AS9100 audits already probe how digital systems are controlled, even if the word “cybersecurity” is not prominent in the text.
Why explicit cybersecurity language is likely to increase
Several drivers make more explicit treatment of digital and cybersecurity topics likely in future AS9100 revisions, even if the details are not yet defined:
- Rising dependency on digital systems: Paper-only processes are rare in aerospace. Loss, corruption, or manipulation of digital travelers, work instructions, or quality records is now a primary quality and delivery risk.
- Interface with defense and regulatory requirements: Many AS9100-certified organizations must also meet requirements such as NIST 800-171, DFARS 252.204-7012, and CMMC. While AS9100 will not duplicate these frameworks, it is increasingly expected to align with them at a high level.
- Data integrity and traceability expectations: As more evidence for conformity lives in digital systems, IAQG has a strong incentive to clarify expectations for data integrity, access control, and change traceability in those systems.
That said, any changes must go through the IAQG consensus process and will be evolutionary rather than a wholesale transformation of AS9100 into a cybersecurity standard.
What AS9100 is unlikely to do
Even if digital and cybersecurity topics appear more explicitly in future revisions, there are clear limits to what AS9100 is likely to cover:
- It will not replace dedicated cybersecurity frameworks: Detailed technical controls (e.g., encryption standards, firewall rules, endpoint configurations) are more appropriately governed by frameworks like NIST 800-53 or NIST 800-171, and sector-specific rules such as DFARS or CMMC.
- It will not guarantee compliance outcomes: AS9100 can require that cybersecurity risks relevant to product quality and delivery are identified and controlled, but it cannot guarantee regulatory compliance or immunity from cyber incidents.
- It will not mandate specific vendors or architectures: Plants will continue to operate mixed OT/IT environments with legacy MES, ERP, PLM and point solutions. AS9100 is unlikely to prescribe a particular toolset or reference architecture.
Practical implications for digital and brownfield environments
Regardless of when or how AS9100 evolves, most aerospace manufacturers and MROs already need to treat digital and cybersecurity topics as quality and operational risks:
- Brownfield coexistence: Plants typically run a mix of legacy machines, on-prem systems, cloud services, and custom integrations. Rather than assuming a clean-slate replacement, you should define how each system contributes to your QMS, traceability, and evidence trail, and how you control access and changes.
- Change control and validation: When MES, ERP, PLM, QMS or data integration layers change, you may need impact analysis, testing, and documented approvals. In regulated, long-lifecycle environments, this is often the limiting factor that makes full replacement strategies slow, expensive, or high-risk.
- Data integrity and auditability: You should be able to show auditors which systems store records of conformance, how those records are protected, who can change them, and how changes are logged and reviewed.
- Alignment with cybersecurity programs: If your organization is implementing NIST 800-171, CMMC, or similar, you can map controls that affect production data, digital travelers, and quality records into your AS9100 processes (e.g., risk management, document control, training, internal audits).
How to prepare without waiting for a revision
Instead of trying to predict the exact wording of a future revision, most organizations can take pragmatic steps now:
- Explicitly identify which digital systems are part of your QMS and traceability chain, and ensure they are covered by document control, configuration management, and risk management processes.
- Ensure there is ownership for cybersecurity and data integrity at the interface between IT, OT, and quality, not within IT alone.
- Include cyber-related disruptions (loss of MES, corrupted NC files, unauthorized changes to work instructions) in business continuity and risk assessments.
- Run internal audits that challenge how digital processes and records would stand up in an AS9100 audit, including access control, change history, and evidence retrieval.
This approach remains valid regardless of the exact timing or content of any future AS9100 revision and respects the reality of long asset lifecycles, mixed vendors, and integration constraints.