Security for Aerospace and Defence Contractors | CloseProtectionHire

Security for aerospace and defence contractor executives, engineers, and facilities: state-sponsored IP theft, classified information handling, export control criminal risk, facility security standards, and personal protection.

6 May 2026

Written by James Whitfield

The aerospace and defence contracting sector operates at the intersection of high-value IP, government classified information, and persistent state-sponsored threat actors. Security for this sector extends across personnel security, facility security, information security, and personal protection for executives and cleared staff.

This guide addresses the security considerations for prime and sub-tier aerospace and defence contractors, their executives, cleared personnel, and facility security officers.

The State-Sponsored Threat Landscape

Defence contractor IP represents some of the highest-value intellectual property in the global economy. Advanced fighter jet designs, missile guidance systems, naval vessel architecture, satellite technology, and dual-use aerospace systems are priorities for foreign intelligence services who recognise that acquiring this technology through espionage is faster, cheaper, and more reliable than indigenous development.

PRC targeting. The US Department of Justice has published federal indictments against PRC-linked threat actors for intrusions into the networks of Boeing, Lockheed Martin, Raytheon, and Northrop Grumman, among others. The Hainan State Security Department-linked APT40 group has been publicly attributed by the US, UK, EU, Australia, and NATO to sustained campaigns against defence and aerospace targets. In the UK, the NCSC has attributed comparable campaigns to PRC-aligned actors targeting UK defence contractors.

Beyond digital intrusion, PRC collection operations targeting defence contractors include: targeted recruitment of cleared personnel (documented in multiple FBI and NCSC cases), placement of individuals in contractor roles at sub-tier suppliers, elicitation of cleared personnel at academic conferences and international events, and acquisition of defence-relevant companies or equity stakes to access technology legally.

Russian GRU and SVR. Russian military intelligence (GRU) and the foreign intelligence service (SVR) have conducted sustained campaigns against Western aerospace and defence contractors. The GRU cyberattack programme (publicly attributed in joint advisories by the US, UK, and NATO) has targeted defence contractors across the alliance. The Salisbury attack (GRU Unit 29155) demonstrates that Russian intelligence services will conduct lethal operations outside Russia against Western targets – a threat context relevant to senior executives at major contractors.

Iran and North Korea. Iranian threat actors (Charming Kitten/APT35) have targeted defence and aerospace contractors as part of broader economic and military espionage operations. North Korea’s Lazarus Group has targeted defence contractors for both financial theft (cryptocurrency) and technology acquisition.

ITAR and Export Control Criminal Risk

The International Traffic in Arms Regulations (ITAR, 22 CFR Parts 120-130) and the Export Administration Regulations (EAR, 15 CFR Parts 730-774) together regulate the export of US-origin defence articles, dual-use technology, and technical data. For individuals:

Personal criminal liability. ITAR violations by individuals who wilfully export or transfer controlled technical data without authorisation carry penalties of up to USD 1 million per violation and 20 years imprisonment under 22 U.S.C. 2778(c). The EAR similarly provides for individual criminal penalties. The “deemed export” rule under ITAR and EAR means that sharing controlled technical data with a foreign national inside the US (or within the company) is treated as an export to that individual’s country of nationality – a common compliance failure at companies with international workforces.

Pre-travel review. Before any international conference, technical briefing, or overseas business trip, executives and engineers with access to ITAR/EAR-controlled technology should confirm: whether any planned presentations or discussions involve controlled technical data, whether the destination country is subject to US arms embargo or sanctions (ITAR-prohibited countries include Cuba, Iran, North Korea, Russia, Syria, and others under Part 126.1), and whether any planned transfer of hardware, software, or technical data requires export licence authorisation.

Conference discipline. International defence exhibitions and conferences – Paris Air Show, DSEI (London), Euronaval (Paris), IDEX (Abu Dhabi), MSPO (Poland) – involve technical discussions in public or semi-public environments. The disclosure of controlled technical data in exhibition hall conversations is an ITAR risk. Pre-conference briefings for all attending staff on what can and cannot be discussed without prior authorisation are standard practice at ITAR-compliant contractors.

Personnel Security and Cleared Staff

The NISPOM (32 CFR Part 117) requires defence contractors holding government classified contracts to maintain an insider threat programme and to conduct personnel security vetting for all cleared staff. The insider threat profile for defence contractors combines the general insider threat typology with the specific risk of state-sponsored recruitment:

Foreign travel reporting. Cleared US personnel are typically required to report foreign travel and contacts with foreign nationals under the NISPOM and facility security officer (FSO) requirements. The reporting obligation exists because foreign travel creates contact opportunities with foreign intelligence services. The failure to report a foreign contact that subsequently proves to be an intelligence officer is both a security failure and a potential criminal matter under 18 U.S.C. 1001 (false statements to government investigators).

Counter-elicitation training. The standard approach by foreign intelligence services at conferences and social events is elicitation – drawing out controlled information through conversation rather than direct request. Cleared personnel should receive counter-elicitation training before attending international events. The signs of an elicitation approach include: excessive curiosity about specific technical programmes, repetitive questions on controlled topics framed as casual interest, flattery and appeals to professional pride, and gradual escalation of information requests across multiple meetings.

Honey-pot patterns. FBI and NCSC advisories document romantic and social honey-pot approaches targeting cleared defence personnel at conferences and online. LinkedIn approaches from individuals representing foreign academic or research institutions are a commonly documented pattern.

Facility Security Standards

NISPOM requirements. US defence contractors holding classified government contracts must comply with 32 CFR Part 117 (NISPOM). Physical security requirements include: SCIFs (Sensitive Compartmented Information Facilities) for classified programme work, meeting ICD 705 physical and technical standards; access control to classified areas with biometric or smart card systems; visitor control procedures; CCTV coverage of classified areas; and an insider threat programme with defined monitoring and reporting obligations.

UK standards. UK defence contractors operating with HMG classified information must comply with the HMG Security Policy Framework (SPF) and the relevant baseline technical and physical standards. Facility security officers (DSOs) in the UK apply the Government Functional Standard GovS 007: Security. The UK equivalent of a SCIF is a Protected Location, with standards set by CPNI.

Supply chain requirements. DFARS (Defense Federal Acquisition Regulation Supplement) in the US and the UK’s Cyber Essentials Plus requirement for classified contracts extend cybersecurity standards to the supply chain. Tier-2 and tier-3 suppliers are required to meet specified security standards as a contract condition.

Executive Personal Protection

Senior executives at major defence contractors have a personal threat profile that combines:

  • General high-net-worth executive risk (KFR, robbery, targeted crime)
  • Sector-specific risk from state-sponsored actors (surveillance, honey-pot, in extreme cases physical approach)
  • Conference and international travel risk (ITAR, counter-intelligence targeting)

The close protection methodology for defence executives applies the standard executive protection framework with specific additions: counter-surveillance to detect state-sponsored surveillance teams (which are typically more professional than commercial criminal surveillance), TSCM sweeps of accommodation and meeting rooms during sensitive travel, and device security that reflects the ITAR and classified information environment.

For the technical surveillance countermeasures applicable to hotel rooms and meeting venues during sensitive defence negotiations and executive travel, see our TSCM guide. For the executive digital security framework including the clean device protocol for international travel to high-surveillance markets, see our executive digital security guide. For semiconductor and cleanroom manufacturing facilities – where EUV lithography IP carries the same state-level collection value as defence contractor IP, BIS export controls create personal criminal liability for technical staff, and insider recruitment through academic and industry channels mirrors the defence contractor threat model – see our security for semiconductor and cleanroom manufacturing guide.

Summary

Key takeaways

1. ITAR creates personal criminal liability for executives: compliance failures are not purely a corporate matter

ITAR violations can result in 20 years imprisonment for individuals who wilfully transfer controlled technical data to unauthorised persons. The most common personal exposure is discussing controlled technology with foreign national colleagues or at international conferences without checking export licence requirements. A pre-travel ITAR briefing for any executive travelling to international events with technical presentations is the minimum standard.

2. PRC state-sponsored actors have been indicted for targeting major aerospace and defence contractors: this is a documented and persistent threat

Federal indictments of PRC-linked threat actors (APT10, APT41) for intrusions into Boeing, Lockheed Martin, Raytheon, and other contractors are public record. The threat is not hypothetical. The clean device protocol, secure communications for sensitive discussions, and counter-elicitation briefing before international events are proportionate responses to a documented and ongoing threat.

3. Honey-pot approaches at defence conferences are a documented counter-intelligence concern

The FBI and NCSC regularly brief cleared personnel on the pattern of foreign intelligence service approaches at defence and aerospace conferences (Paris Air Show, DSEI, Euronaval, IDEX). The pattern involves individuals presenting as buyers, academics, or business partners who establish personal relationships and progressively seek access to technical information. Counter-elicitation awareness training for technical staff attending international events is standard good practice.

4. Cleared personnel in close protection environments require advance planning on access controls

If a CPO will be in proximity to classified discussions, the principal's organisation must decide in advance how to manage that access – either by clearing the CPO at the appropriate level or by managing their presence to exclude them from classified environments. Attempting to resolve this at the point of a classified meeting is not the right approach.

5. The supply chain is the weakest link in defence contractor security

Major prime contractors have extensive, multi-tier supply chains that include SMEs with lower security maturity. State-sponsored actors target tier-2 and tier-3 suppliers to access classified programme data they cannot reach directly at the prime. Supply chain security assurance – requiring NISPOM-equivalent standards or Cyber Essentials Plus from all controlled-technology suppliers – is increasingly a DDTC and UK DSP requirement, not just a voluntary measure.

Frequently Asked Questions

Aerospace and defence IP is among the highest-priority targets for state-sponsored economic and military espionage. The NSA/CISA/FBI advisory framework identifies PRC, Russian, Iranian, and North Korean state-sponsored actors as the primary threats to defence contractors. PRC threat actors (APT10, APT41, and related groups) have been indicted in US federal court for infiltrating the networks of defence contractors including Lockheed Martin, Boeing, and Raytheon. The UK NCSC has similarly attributed sustained campaigns against UK aerospace contractors to PRC-aligned actors. Beyond digital intrusion, physical security risks include targeted recruitment of cleared personnel, honey-pot approaches at conferences, and in some cases deliberate placement of intelligence-collection assets within contractor supply chains. The FBI’s 2022 annual threat assessment notes that nearly 97% of counter-intelligence matters involve nation-states, with China identified as the most pervasive threat.

ITAR (International Traffic in Arms Regulations, administered by the US State Department under 22 CFR Parts 120-130) controls the export, transfer, and retransfer of defence articles, technical data, and defence services listed on the US Munitions List (USML). For executives and programme managers, the key personal criminal risk is: ITAR violations are federal criminal offences with personal liability – not just corporate liability. 22 U.S.C. 2778(c) provides penalties of up to USD 1 million per violation and up to 20 years imprisonment for individuals who wilfully violate ITAR. The most common executive-level ITAR risk involves: transferring technical data to foreign nationals without required authorisation (including within the company where foreign nationals are employed), discussing controlled technology at international conferences or with foreign partners without export licence, and making representations about ITAR compliance that turn out to be inaccurate. In 2024, the State Department’s Directorate of Defense Trade Controls (DDTC) continued a pattern of consent agreements with major contractors for ITAR violations, several of which included provisions relating to inadequate access controls for foreign national employees.

Aerospace and defence contractor executives visiting P1 cities face a combined threat profile: general P1 city security risks (KFR, robbery, organised crime) plus the specific risk of being identified as a high-value intelligence target by foreign services. The pre-travel protocol should include: clean device (travel-specific device with no access to controlled technical data or classified systems – NCSC/FBI guidance applies), briefing on approaches by individuals seeking classified or controlled information (honey-pot, elicitation at events), notification to the company security officer of the itinerary, travel to exhibition or conference venues with standard P1 city precautions (vetted transport, accommodation security review), and review of the specific country’s status under US export control and OFAC sanction regimes. Some P1 cities – specifically those in countries under comprehensive US sanctions or arms embargo – create additional ITAR/EAR compliance complexity for contractor travel.

Close protection officers assigned to defence contractor executives or cleared government personnel face specific considerations. Where the close protection officer will have access to classified information environments (secure facilities, classified discussions, classified documents), some clients require that the CPO holds a baseline security clearance. In the UK, the Baseline Personnel Security Standard (BPSS) is the minimum for access to official sensitive information, with SC (Security Check) and DV (Developed Vetting) for higher classifications. In the US, the equivalent minimum for access to Confidential/Secret information is the National Agency Check (NAC) or Secret clearance. A close protection officer operating in support of classified-environment principals should discuss clearance requirements with the security officer of the employing organisation before deployment. The reality in most commercial close protection operations is that CPOs do not hold clearances and their access is managed by restricting their presence during classified discussions.

Defence contractor facilities handling classified information or controlled hardware must comply with the physical security standards required by their government customers. In the US, the NISPOM (National Industrial Security Program Operating Manual, 32 CFR Part 117, effective February 2021) sets the standards for contractor facilities holding classified government contracts. Specific requirements cover: Sensitive Compartmented Information Facilities (SCIFs) for classified systems work, access control standards, visitor management, personnel security vetting, and insider threat programme requirements. In the UK, the HMG Security Policy Framework (SPF) and the Cyber Essentials Plus requirements apply to classified government contract holders. Physical security standards typically require: alarmed perimeter with CCTV, access control with biometric or smart card entry to classified areas, a two-person rule for access to certain classified areas, and a cleared facility security officer (FSO in the US, DSO in the UK).