
Five frameworks. All active. All requiring evidence you cannot produce manually at audit speed.
DO-178C. ITAR. CMMC. EASA SC-VTOL-01. NASA-STD-8739.8. X-DLM™ produces evidence for all of them from one governed workflow.
Commercial aerospace software companies answer to more regulatory frameworks simultaneously than any other software sector. DO-178C governs flight software certification. ITAR governs export-controlled components. CMMC governs DoD supply chain. EASA SC-VTOL-01 governs eVTOL software. NASA-STD-8739.8 governs commercial space software assurance. Each requires evidence. None of them share a common evidence format.
X-DLM™ connects Black Duck and Siemens Polarion so evidence for all five builds from the same engineering workflow — continuously, not before each audit.
DO-178C. ITAR. CMMC. EASA. NASA. All active. All requiring simultaneous evidence.
Software Considerations in Airborne Systems and Equipment Certification. Governs flight software at DAL A through E based on failure condition severity. Every requirement, code decision, and test must be documented, traceable, and independently verified at higher assurance levels. Source: DO-178C / ED-12C.
International Traffic in Arms Regulations and Export Administration Regulations. Open-source components with cryptographic, guidance, propulsion, or space technology applicability require documented review before inclusion in export-controlled deliverables. Civil penalties reach $1.35M per violation. Source: 22 CFR §120–130, 15 CFR §730–774.
Cybersecurity Maturity Model Certification. Level 2 required for DoD contracts involving Controlled Unclassified Information. 110 practices across 14 domains. SBOM delivery required for supply chain risk management. Non-conformity produces contract disqualification. Source: 32 CFR Part 170.
Black Duck BDSA advisories surface critical vulnerabilities on average 100 days ahead of NVD — covering aerospace RTOS, cryptographic library, and embedded middleware CVEs. X-DLM™ routes each advisory into Polarion with DO-178C practice mapping before certification schedule impact. Source: Black Duck BDSA product documentation.
Sources: DO-178C / ED-12C. ITAR 22 CFR §120–130. CMMC 2.0 Final Rule 32 CFR Part 170. EASA SC-VTOL-01. NASA-STD-8739.8.
What each framework requires. What X-DLM™ produces for each.
- 01 DO-178C — Software lifecycle data from PSAC to SAS
Plan for Software Aspects of Certification, Software Development Plan, Software Verification Plan, Source Code, Test Cases, Test Results, Software Accomplishment Summary — 12 software lifecycle data items for DAL A, each requiring traceability, configuration control, and independence where required. X-DLM™ connects Black Duck supply chain findings to Siemens Polarion lifecycle records so every DO-178C data item builds continuously during development. Designated Engineering Representatives and certification authority reviewers see complete Polarion evidence trails — not manually assembled pre-SAS packages.
- 02 ITAR/EAR — Export control component review and documentation
ITAR §120.10 defines defense articles including software with cryptographic, guidance, propulsion, and space technology applicability. Black Duck identifies every open-source component with ITAR-relevant characteristics. X-DLM™ routes each flagged component into a Polarion approval workflow with owner assignment, review date, disposition, and approval chain — before any controlled build. The documented review trail that DoS Bureau of Political-Military Affairs and DoC Bureau of Industry and Security enforcement reviews require exists in Polarion before any audit.
- 03 CMMC 2.0 Level 2 — Supply chain risk management and SBOM
CMMC Level 2 includes 110 practices across domains including Incident Response (IR), Risk Assessment (RA), System and Communications Protection (SC), and Supply Chain Risk Management (SR). SBOM delivery in machine-readable format is a supply chain risk management requirement. Black Duck generates SPDX and CycloneDX SBOMs. X-DLM™ links every SBOM component to Polarion release records and routes vulnerability advisories into governed response workflows with CMMC practice mapping.
- 04 EASA SC-VTOL-01 & NASA-STD-8739.8 — eVTOL and commercial space assurance
EASA SC-VTOL-01 governs eVTOL and advanced air mobility software at assurance levels analogous to DO-178C DAL, requiring equivalent software lifecycle evidence for airworthiness. NASA-STD-8739.8 governs software assurance for commercial space programs — independent verification and validation, configuration management, and anomaly resolution evidence. Both require software lifecycle governance that Siemens Polarion provides natively, with X-DLM™ connecting Black Duck supply chain findings into the same evidence trail.
See how Siemens Polarion and Black Duck become one governed software risk workflow.
X-DLM™ turns Black Duck software supply chain intelligence into Siemens Polarion work items, requirements links, approvals, escalation paths, and continuously maintained evidence.
Brand authority buyers recognize
Backed by Siemens lifecycle governance and Black Duck AppSec intelligence.

Siemens Polarion ALM
Polarion provides the lifecycle system of record for requirements, tests, approvals, traceability, workflow automation, audit evidence, and regulated software delivery.

Black Duck Software Composition Analysis
Black Duck identifies open source and third-party components across source, binaries, containers, firmware, snippets, AI-generated code, and C/C++ environments without package managers.
Aerospace and defense companies answer to more than one framework.
CMMC 2.0 is the floor, not the ceiling. DO-178C, NIST SSDF, ITAR/EAR, and IEC 62443 run simultaneously — each with its own evidence requirements, its own audit path, and its own consequence for non-conformity.
View CMMC, DO-178C & All Regulations →
Turn software security proof into a sales advantage.
Download the brochure or book a discovery call to see how X-DLM™ connects Siemens Polarion and Black Duck for audit-ready software supply chain governance.