Aerospace industrial Wi-Fi network design
Ekahau predictive modeling and onsite AP-on-a-stick validation for hangar, MRO, and commercial integrator facilities supporting aerospace supply chains — Cisco Catalyst IW9167E Heavy Duty placement on sheet-metal structures, DFS-safe 5 GHz channel plans around Edwards AFB, Plant 42, and Vandenberg radar emitters, 802.11w PMF plus 802.11r/k/v roaming, and FIPS 140-2 / 140-3 validated firmware stacks delivered as a fixed-fee SOW.
Reviewed by the WiFi Hotshots engineering team — Ekahau ECSE certified, multi-CCIE bench, 25 years of enterprise networking leadership, minority-owned.
Ekahau ECSE
Multi-CCIE bench
Fixed-fee SOW
25-year California specialty
Aerospace industrial Wi-Fi from WiFi Hotshots is scoped for commercial integrators, MRO shops, component manufacturers, and supply-chain tenants operating in the Palmdale, Lancaster, Mojave, El Segundo, Long Beach, and Vandenberg aerospace corridors. We are RF engineers delivering enterprise wireless services inside hangar, clean-room, high-bay fabrication, and integrator office environments — the wireless infrastructure the tenant owns and operates on their own corporate network. We do not operate on classified prime-contractor networks, ITAR-controlled flight-test enclaves, or SCIFs; that work is scoped to the prime’s cleared integrators under a separate authority.
What we do handle is the commercial-network side every aerospace-adjacent tenant still needs: a defensible wireless site survey and design, AP placement drawings that survive a 45-foot high-bay catwalk install, a DFS-safe 5 GHz channel plan that respects the FCC’s TDWR exclusion math, 802.11w PMF with 802.11r/k/v roaming, and a FIPS 140-2 or 140-3 validated firmware posture that aligns to NIST SP 800-171 r3 and CMMC 2.0 Level 2 boundary controls. See the full services catalog or engineering credentials for context, then send the facility floor plans and high-bay elevation drawings to scope the work.
Aerospace-adjacent scope — commercial integrator, not prime contractor
WiFi Hotshots is a commercial wireless services firm. We design aerospace industrial Wi-Fi for tenant facilities inside the Southern California aerospace corridor — the commercial integrators, tier-2 and tier-3 suppliers, precision machining shops, composite fabricators, harness assemblers, avionics bench-test labs, and MRO hangars that feed parts and subassemblies upstream to the primes.
The networks we build sit on the tenant’s own corporate boundary, not on any prime’s classified enclave, and they carry the tenant’s own engineering, ERP, MES, CAD, PLM, and back-office traffic. That scope distinction matters: it sets the authority framework we work under and the controls the design has to satisfy.
For aerospace-adjacent commercial tenants, the governing framework is NIST SP 800-171 r3 layered with CMMC 2.0 Level 2, DFARS 252.204-7012, and — wherever Controlled Unclassified Information (CUI) or ITAR-controlled technical data traverses the wireless — the end-to-end FIPS encryption carve-out in 22 CFR § 120.54.
The wireless design has to be auditable against that framework even when the tenant is not itself a prime. A single non-FIPS cipher suite negotiated on one AP is enough to break the 800-171 03.13.08 transmission confidentiality control and, if technical data crossed that link, to turn a routine business meeting into an unlicensed export.
Geography sharpens the problem. Facilities operating near Plant 42 in Palmdale, Edwards AFB, Vandenberg SFB, Point Mugu NAS, and the Long Beach / El Segundo aerospace manufacturing belt sit inside the 35 km Terminal Doppler Weather Radar exclusion zones and share 5 GHz airspace with military and FAA primary radars.
The commercial wireless channel plan a generic integrator would hand you on a Meraki template is not the plan that survives a DFS hit at 4:17 PM on a Tuesday when a CNC cell was halfway through a titanium spar. Aerospace industrial Wi-Fi in this corridor is channel-plan work first, AP placement work second.
Heavy-duty AP selection — IW9167E, IW9167IH, directional high-bay
Hangar, high-bay, and fabrication environments punish consumer-grade and standard-enterprise APs. Ambient temperature swings from a cold December Mojave morning to a summer afternoon under a sun-baked sheet-metal roof, hydrocarbon and solvent vapor near paint and bonding cells, wash-down cycles on MRO floors, vibration from overhead cranes, and EMI from high-power machining make the Cisco Catalyst IW9167E Heavy Duty Series the default outdoor and semi-outdoor AP specification. The IW9167E is rated for IP67 ingress, a temperature range engineered for industrial install, and a hazardous-location variant available for operators who need Class I Div 2 adjacency without redesigning the entire wireless.
Inside the building envelope we specify the Catalyst IW9167IH indoor industrial AP for high-bay manufacturing, clean-room fabrication, and integrator shop floors. The IH variant carries the same industrial hardening, tri-radio 802.11ax Wi-Fi 6E, and Cisco IOS XE feature parity with the rest of the Catalyst family — which matters because the aerospace tenant’s contractor offices and engineering wings run standard Catalyst 9166 or 9136 APs, and mixing lines inside one Cisco Catalyst 9800 wireless controller is straightforward only when everything speaks the same AP software image and RRM policy.
High-bay ceiling heights — typical aerospace hangar bays run 40 to 60 feet clear at the column lines and can exceed 90 feet at the door peaks — force a choice between down-tilted omnidirectional ceiling-mount APs, side-mounted column APs, and directional external-antenna APs. We use Ekahau predictive modeling against the actual bay geometry, not a rectangular floor plate, to decide per bay.
Wherever the ceiling exceeds 35 feet we shift to directional external antennas (65° azimuth / 30° elevation patterns on Cisco Catalyst AIR-ANT2566D4M-R or equivalent) and down-tilt to hold -65 dBm at the hangar floor while clipping side-lobe leak into the adjacent bay’s channel plan. High-bay wireless is antenna pattern work, not just AP count.
For contractor office space, engineering pods, and front-of-house conference the baseline is the Catalyst 9166 (8×8 5 GHz, 4×4 6 GHz Wi-Fi 6E) in open office and 9136 in higher-density conference. Commercial integrator offices adjacent to manufacturing floors benefit from a consistent Catalyst stack end-to-end — every AP runs the same IOS XE image, the same Cisco Catalyst Center policy, the same RRM policy, and the same Umbrella DNS security posture so the boundary between office and industrial airspace is a VLAN and SSID boundary, not a vendor boundary.
Hangar density math — empty bay vs. occupied bay
Aerospace industrial Wi-Fi density is the single most commonly under-scoped line item in a hangar RFP. The empty-bay back-of-envelope is one AP per 3,500 to 4,000 square feet of open floor plate — that figure covers an empty hangar with no aircraft, no tooling, no work platforms, no stress pods, and no people.
The moment an aircraft rolls in, a maintenance stand goes up around an engine, a paint cell curtain drops, or a composite autoclave positions into a bay, the RF environment changes by 10 to 20 dB in large zones and the empty-bay density target is no longer sufficient.
We design to the AP-per-bay dense target for active operations: an AP pair above each maintenance position, directional coverage down the fuselage centerline, cross-bay APs staged to hold -65 dBm RSSI and 25 dB SNR at every work location, and a minimum-RSSI enforcement profile on the Cisco Catalyst 9800 wireless controller that forces a handheld scanner or torque tool off an AP before the signal degrades past the point a re-association recovers cleanly.
For hangar operators running AeroTrac, CORRIDOR, or TRAX maintenance software on Zebra TC52ax or Honeywell CT45 handhelds, the density target is driven by the handheld’s roaming threshold, not by the AP’s coverage footprint.
Engine test cells, composite layup areas, and integrator clean rooms are their own density class. Test cells are often acoustically and RF isolated with reinforced concrete walls or copper mesh on the test-cell ceilings; the Wi-Fi design for those spaces frequently requires dedicated APs inside the cell with hardened cabling penetration through the wall, not coverage leak from an adjacent bay. Composite layup rooms with carbon fiber inventory racks absorb 5 GHz and reflect 6 GHz unpredictably — we survey those as their own zones and run an AP-on-a-stick validation pass before finalizing the placement drawing.
Send the hangar drawings. We will quote the survey.
Send the facility floor plans, high-bay column grid, door elevation drawings, and current AP inventory — most aerospace industrial Wi-Fi engagements are quoted within three business days on a fixed-fee SOW, not an hourly estimate. We engage under a signed NDA before any drawings cross our network.
DFS radar adjacency — the 5600–5650 MHz prohibition and the TDWR 35 km rule
The Southern California aerospace corridor sits inside one of the highest-density radar emitter maps in the United States. Plant 42 in Palmdale, Edwards AFB test range, Vandenberg SFB, Point Mugu NAS, and the FAA’s Terminal Doppler Weather Radar sites at LAX, Ontario, and the San Bernardino terminal all radiate on 5 GHz bands that overlap the UNII-2 and UNII-2-Extended channels a commercial Wi-Fi designer would otherwise default to.
The FCC Part 15 DFS rules and the specific TDWR protection framework together constrain what channels aerospace industrial Wi-Fi can use, and the constraints bind hardest inside 35 kilometers of a TDWR site.
Two non-negotiable rules apply. First: the FCC prohibits unlicensed 5 GHz U-NII device operation in the entire 5600 to 5650 MHz band for outdoor equipment and in-hangar equipment radiating outdoors — no matter the DFS behavior, no matter how clean the CSA implementation, no matter the vendor.
That band is allocated to TDWR primary use and is closed to U-NII regardless of proximity. Second: within a 35 km radius of a TDWR site, FCC KDB 443999 requires a 30 MHz center-frequency separation between the Wi-Fi channel center and the TDWR operating frequency; this is on top of the 5600-5650 MHz prohibition and typically eliminates several otherwise-usable UNII-2-Extended channels inside that ring.
The practical consequence for a Palmdale, Lancaster, or Mojave tenant is a channel plan that looks materially narrower than the generic commercial plan a national VAR would ship.
Aerospace industrial Wi-Fi in this corridor defaults to UNII-1 (channels 36 to 48), carefully selected UNII-2A / UNII-2C channels that clear the 30 MHz TDWR separation, UNII-3 (149 to 165) where foreign-radar coexistence permits, and increasingly UNII-5 / UNII-7 Wi-Fi 6E on 6 GHz for interior-only coverage where AFC rules and indoor-LPI classifications apply. The channel plan deliverable is the DFS-safe plan with a specific exclusion list for TDWR-adjacent channels documented per site, not a default auto-RRM configuration.
We also specify Cisco Catalyst 9800 DFS CAC (Channel Availability Check) and in-service monitoring behavior so that when a radar strike does happen on a valid DFS channel the AP honors the 30-minute non-occupancy period cleanly and roams clients off before the CSA fires. The hand-off behavior is tuned in the 802.11h CSA configuration and verified during AP-on-a-stick validation with a spectrum capture on an Ekahau Sidekick 2, not by reading the vendor default documentation.
802.11k/v/r roaming and 802.11w PMF — mandatory, not optional
Handheld scanners, torque tools, tablet-based work instructions, Vocera-class badge radios, and voice handsets on the hangar or integrator floor all cross AP-to-AP coverage boundaries under load. The difference between a network that drops a packet in flight and one that holds a session across a roam is whether the wireless fabric supports the 802.11k neighbor report, 802.11v BSS transition management, and 802.11r Fast BSS Transition exchange end-to-end — and whether the client fleet actually uses them.
For aerospace industrial Wi-Fi we specify 802.11k/v/r on the Cisco Catalyst 9800 controller, validate client support on the specific tool models in the fleet before roll-out, and tune the controller’s minimum-RSSI and load-balancing thresholds against measured roaming behavior.
802.11w Protected Management Frames is mandatory, not a nice-to-have. WPA3-Enterprise requires PMF; WPA2-Enterprise in an aerospace-adjacent environment requires PMF to defend against deauthentication and disassociation forgery that would otherwise let an adjacent-parking-lot attacker knock a torque-tool session off the AP long enough to replay or inject. The 800-171 r3 control family 03.13.08 expects transmission confidentiality end-to-end; PMF closes the management-frame gap WPA2 left open. We configure PMF as required (not optional) on every SSID carrying employee, MES, or engineering traffic, and allow PMF-optional only on a separate guest SSID isolated at the VLAN and firewall boundary.
Minimum-RSSI enforcement is the single most-skipped tuning step on aerospace industrial Wi-Fi deployments. Without it, a Zebra TC52ax handheld will cling to a -78 dBm AP three bays over rather than roam to a healthy -55 dBm AP two meters above the work position — because sticky-client behavior is the scanner firmware default and it is optimized for battery, not roam quality.
The fix is a controller-side minimum-RSSI policy (typically -70 dBm for voice-grade, -72 to -75 dBm for data) combined with 802.11v BSS Transition Management hints. We validate the tuned behavior with a live walk using the actual handheld models and a packet capture on a laptop running Ekahau Capture.
FIPS 140-2 and 140-3 validated firmware on controller and APs
FIPS 140-2 / FIPS 140-3 cryptographic module validation is the hinge control for aerospace-adjacent wireless. The NIST SP 800-171 r3 control 03.13.11 (Cryptographic Protection) requires that cryptography used to protect CUI is implemented using mechanisms that comply with applicable federal standards — in practice, that means the module must be on the NIST Cryptographic Module Validation Program (CMVP) active certificate list under either FIPS 140-2 or FIPS 140-3. A deployment that ships with a non-validated or historical-status module does not satisfy 03.13.11, and downstream 800-171 controls that depend on it cascade into findings.
For a Cisco Catalyst deployment this means staging the 9800 wireless controller and the Catalyst 9166 / 9136 / IW9167 APs on a FIPS-enabled IOS XE image, enabling FIPS mode on the controller, and verifying the active FIPS 140-2 or 140-3 certificate number against the CMVP list at procurement time — module validation status moves (Active to Historical to Revoked), and the CMVP certificate number on a given IOS XE release tracks a specific crypto module build.
Our aerospace industrial Wi-Fi SOW includes the certificate number lookup per platform and an appendix in the design document that records the FIPS module build the operator is expected to stay on until the next planned validation refresh.
The controller-side enablement is only half the work. The wireless firmware has to refuse to negotiate non-FIPS cipher suites on every SSID that carries CUI or ITAR technical data — otherwise a client that offers a weaker suite can still downgrade the link.
We configure the Catalyst 9800 to require WPA3-Enterprise with PMF on the restricted SSIDs, explicitly disable legacy TKIP and WEP, and set the AAA / RADIUS transport to TLS 1.2 or TLS 1.3 with FIPS-approved cipher suites. The deliverable is a controller configuration backup plus a verification log showing the negotiated suites on each SSID during the validation walk.
NIST SP 800-171 r3 — wireless access and transmission confidentiality
NIST SP 800-171 r3 is the governing control set for non-federal systems that process, store, or transmit Controlled Unclassified Information. Four controls drive the wireless design. 03.01.16 Wireless Access requires that wireless access is authorized before connection and that wireless access to the system is protected using authentication and encryption. 03.01.17 Access Control for Mobile Devices extends the same logic to mobile endpoints. 03.13.01 Boundary Protection requires monitoring and controlling communications at external and key internal boundaries. 03.13.08 Transmission and Storage Confidentiality requires protection of the confidentiality of CUI during transmission and at rest.
For aerospace industrial Wi-Fi, the control-to-configuration translation is direct. 03.01.16 maps to WPA3-Enterprise 802.1X with certificate-based client auth (EAP-TLS) against a RADIUS server tied to the operator’s identity provider — not PSK, not EAP-PEAP with passwords, not an open SSID bolted behind a captive portal. 03.13.01 maps to a dedicated wireless VLAN with an explicit firewall policy between wireless and the rest of the corporate network, not a flat wireless subnet that lands on the same switch fabric as wired engineering. 03.13.08 maps to the FIPS-validated cipher suite negotiation described above. 03.05.03 (Multi-Factor Authentication) maps to MFA on any administrative access to the wireless controller, including over out-of-band management.
The audit deliverable the tenant’s assessor will ask for is not a configuration screenshot; it is a system security plan (SSP) narrative and a body of evidence that maps each control to the implemented behavior.
We produce a wireless-scope SSP contribution as part of the design document: control-by-control language, the specific configuration that implements each control, and the validation evidence (controller config, RADIUS log, walk capture) the assessor can pull. The goal is that when the CMMC Level 2 assessor lands on the wireless section of the SSP the narrative matches what the operator’s own wireless team shows them in the controller GUI.
ITAR end-to-end FIPS encryption — 22 CFR § 120.54 carve-out
ITAR is the sharpest of the aerospace-adjacent compliance edges. Under 22 CFR Part 120, technical data related to defense articles on the U.S. Munitions List is export-controlled; an “export” happens the moment that data is released to a foreign person, is transmitted outside the United States without authorization, or is stored on infrastructure accessible to a foreign person.
Wireless fits inside that definition because an unencrypted or under-encrypted wireless link is, for export-control purposes, a transmission. The 2020 revision to 22 CFR Part 120 added § 120.54, which carved out a specific safe harbor: data protected by end-to-end encryption using FIPS 140-2 or FIPS 140-3 compliant cryptographic modules, with the keys held by the sender and authorized recipient only, is not an “export” when transiting unauthorized jurisdictions.
What this means for aerospace industrial Wi-Fi at a commercial integrator: if any wireless segment of the network carries ITAR-controlled technical data — an engineering drawing on a CAD workstation, an MES instruction with dimensioned part geometry, an email with an attached export-controlled spec — every crypto module in the chain has to be FIPS-validated.
The Wi-Fi link, the wired transit across the campus, the VPN tunnel to the home office, the email gateway, and the cloud storage endpoint all have to be on validated modules. A single link that negotiates a non-FIPS cipher suite breaks the § 120.54 carve-out for that data, and the transmission is no longer covered.
The wireless design’s contribution is narrow but load-bearing: specify and document the FIPS 140-2 or 140-3 cipher suite negotiated on every SSID that can carry CUI or ITAR technical data, block downgrade paths, produce the validation log the operator’s ITAR compliance office can attach to its § 120.54 posture, and hand that evidence to the operator’s export compliance officer for their Technology Control Plan. We are not ITAR compliance counsel — the operator’s licensed export compliance function owns the interpretation — but we deliver the wireless evidence they need to support that interpretation.
CMMC 2.0 Level 2 — 110 controls and the wireless evidence set
CMMC 2.0 Level 2 (Advanced) requires the operator to demonstrate conformance with the 110 security requirements of NIST SP 800-171 and, at most certification scopes, to pass a triennial third-party C3PAO assessment. The program rule was codified in 32 CFR Part 170, published in the Federal Register in 2024 and ramping into DoD contract flow-down through the DFARS 252.204-7021 clause. For aerospace-adjacent commercial integrators, CMMC Level 2 is the threshold that determines whether a prime can award work — a supplier that cannot present a passing Level 2 conformance package is not in the running for the next RFP.
Of those 110 requirements, a specific subset is load-bearing on the wireless side: 03.01.16 (Wireless Access), 03.01.17 (Access Control for Mobile Devices), 03.05.03 (Multi-Factor Authentication), 03.13.01 (Boundary Protection), 03.13.08 (Transmission and Storage Confidentiality), and 03.13.11 (Cryptographic Protection).
Our aerospace industrial Wi-Fi deliverable maps each of those directly: the WPA3-Enterprise 802.1X configuration with EAP-TLS certificate auth, the dedicated management VLAN with MFA on admin access, the wireless-to-wired firewall boundary policy, the FIPS-validated cipher suite matrix, and the CMVP certificate number appendix. The wireless section of the operator’s SSP inherits those artifacts and the C3PAO assessor can trace each control to implemented configuration.
Adjacent verticals face parallel versions of this framework. See how we handle authentication and segmentation in the higher education campus Wi-Fi build for NIST 800-171 research environments with CUI, the government and finance wireless design stack for CJIS v6.0 and NY DFS § 500.12 scope, or the retail multi-site rollout pattern in our retail multi-site Wi-Fi work for PCI DSS 4.0.1 segmentation math. The control-family work is different per framework, but the engineering discipline — RF design first, cipher and segmentation second, evidence capture third — is the same.
We scope the SOW under NDA. You keep the design.
Every aerospace industrial Wi-Fi engagement runs on a fixed-fee SOW — no time-and-materials drift and no vendor lock-in on the design artifacts. The floor plans, the Ekahau project file, the AutoCAD placement drawing, and the FIPS module appendix are yours to keep.
Where we deliver aerospace industrial Wi-Fi
Our aerospace industrial Wi-Fi practice covers the Southern California aerospace corridor end-to-end. Commercial integrator and MRO facilities in Palmdale (Plant 42 adjacency), Lancaster, Mojave, and the high-desert Antelope Valley; El Segundo, Hawthorne, and the South Bay aerospace manufacturing belt; Long Beach and the Port adjacency; Santa Clarita industrial corridors; Ventura County and the Oxnard / Camarillo integrator cluster; Vandenberg SFB commercial tenant facilities; and Inland Empire distribution and component-manufacturing corridors feeding the primes.
For adjacent commercial verticals on the same engineering framework, see the hospitality guest Wi-Fi build for Passpoint / Hotspot 2.0 design work, or the cross-vertical engineering pattern on our main wireless services hub. Out-of-state commercial integrator work is handled case-by-case — the Southern California corridor is our primary specialty market and where the TDWR exclusion math gets sharpest.
We engage commercial tenants directly, through their facilities general contractor, and through the tenant’s structured cabling or low-voltage integrator on larger new-construction and tenant-improvement projects. The design is vendor-agnostic on the network layer — Cisco Catalyst is our default in aerospace-industrial because of the FIPS posture and Catalyst 9800 controller maturity, but Juniper Mist AI, Aruba HPE, and Ruckus are supported where the tenant’s existing investment points that way.
Credentials and engagement posture
WiFi Hotshots is engineer-led, vendor-agnostic, and minority-owned. Our leadership bench carries 25 years of enterprise networking experience across wireless, routing and switching, security, and voice. Every wireless engagement is staffed by an Ekahau ECSE (Ekahau Certified Survey Engineer) on the site-survey and validation side, and backed by a multi-CCIE bench on the controller, routing, and security integration side. The scope matching an inbound inquiry to a specific engineer is driven by project complexity — not by always fielding the highest-credentialed body regardless of fit.
We work on fixed-fee SOWs, not time-and-materials billing. The SOW names the deliverables (Ekahau predictive model, AP-on-a-stick validation pass, AutoCAD placement drawing, channel and power plan, controller configuration guide, FIPS module certificate appendix, SSP wireless-scope contribution), the acceptance criteria (measured -65 dBm at named locations, 25 dB SNR, roaming between specified AP pairs under load), and the fee. The tenant’s finance team gets a known number, the tenant’s assessor gets an auditable artifact set, and the tenant’s engineering team gets a design they can operate and extend without a vendor dependency on us.
NDA is standard on every aerospace-adjacent engagement. Drawings, parts data, tenant identity, and configuration artifacts stay inside the engagement — we do not publish client names or site-specific case studies. The only public references we give are by vertical and scale (“commercial integrator supporting a tier-1 prime supply chain”, “MRO facility operating under NIST SP 800-171 r3 and CMMC Level 2 scope”) — never by tenant identity. That is a deliberate posture and it is non-negotiable.
Frequently asked questions — aerospace industrial Wi-Fi
Does WiFi Hotshots work on classified prime-contractor networks or inside SCIFs?
No. Our scope is commercial integrator, MRO, and supply-chain tenant facilities operating on the tenant’s own corporate boundary. We do not hold the facility clearances, personnel clearances, or DD-254 authority to work on classified prime-contractor networks, ITAR-controlled flight-test enclaves, or SCIFs. That work is scoped to the prime’s cleared integrators under a separate authority framework.
What we do deliver is the commercial network infrastructure the tenant owns: the contractor offices, the engineering wing, the hangar, MRO shop, clean-room, and fabrication floor wireless, and the boundary controls that satisfy NIST SP 800-171 r3 and CMMC 2.0 Level 2 for Controlled Unclassified Information on that commercial network. If your scope requires classified-system wireless work, we will refer you to a cleared integrator and step out cleanly.
How do you handle the FCC TDWR 35 km exclusion math near Edwards AFB, Plant 42, and Vandenberg?
Two separate constraints apply. First, the entire 5600 to 5650 MHz band is closed to unlicensed U-NII device operation anywhere in the country for outdoor and radiating-outdoor equipment — that is a flat FCC rule with no distance dependency. Second, within a 35 kilometer radius of a Terminal Doppler Weather Radar site, FCC KDB 443999 requires a 30 MHz center-frequency separation between the Wi-Fi operating channel and the TDWR center frequency. We build the channel plan against both rules in parallel.
The practical output is a per-site channel exclusion list that documents which UNII-2 / UNII-2-Extended channels are eliminated by TDWR proximity, a default primary channel plan drawn from UNII-1, the remaining DFS-safe UNII-2 slots, and UNII-3, and a 6 GHz Wi-Fi 6E overlay for interior-only high-density coverage. The exclusion list is part of the design document appendix and is re-verified if a new TDWR site comes online within range.
Why is FIPS 140-2 or FIPS 140-3 validated firmware load-bearing on the wireless side?
NIST SP 800-171 r3 control 03.13.11 (Cryptographic Protection) requires that cryptography used to protect Controlled Unclassified Information is implemented using mechanisms that comply with applicable federal standards — in practice, modules on the NIST CMVP active certificate list under FIPS 140-2 or FIPS 140-3. A deployment on non-validated firmware fails 03.13.11, and a failure there cascades into 03.13.08 (Transmission Confidentiality) and a material CMMC Level 2 finding.
For ITAR-controlled technical data the stakes are higher. The 22 CFR § 120.54 end-to-end FIPS encryption carve-out only applies when every crypto module in the chain is FIPS-validated. A single non-validated cipher suite negotiated on one AP breaks the carve-out, and transmission of technical data over that link is no longer covered. Our deliverable includes the CMVP certificate number per platform and a negotiated-cipher verification log per SSID.
What is the realistic AP density target for an aerospace hangar?
The empty-bay back-of-envelope is one AP per 3,500 to 4,000 square feet of open floor plate. That target covers an empty hangar with no aircraft, no tooling, and no people — it is the baseline for a coverage-only deployment and almost never matches the operational load. Once an aircraft is present, work stands are in position, paint curtains drop, and handheld and IIoT device populations light up, the RF environment shifts by 10 to 20 dB across large zones and the empty-bay density target is no longer sufficient.
We design to the occupied-bay target: AP pairs above each maintenance position, directional coverage down the fuselage centerline, cross-bay APs staged to hold -65 dBm RSSI and 25 dB SNR at every work location, and minimum-RSSI enforcement tuned against the actual handheld and scanner models in the fleet. The Ekahau predictive model captures the empty-bay baseline; the AP-on-a-stick validation pass captures the occupied-bay behavior before the placement drawing is final.
Do you install the APs, pull the cabling, and do the electrical, or do you hand the design to a contractor?
Our primary deliverable is engineering — predictive modeling, channel and power plan, AP placement drawing in AutoCAD, controller configuration guide, validation pass, and the FIPS / 800-171 evidence package. We coordinate with the tenant’s approved structured-cabling and electrical contractors on the install rather than running the install ourselves, and we are on-site during the install cut-over to catch placement and mount deviations against the drawing.
Hazardous-location installations (Class I Div 2 paint cells, composite autoclaves, specific MRO areas) are always coordinated with the operator’s approved hazardous-location electrical contractor — we are RF engineers, not hazardous-location installers. For straight commercial mounts on high-bay steel, catwalk, or column-line structure the tenant’s cabling vendor runs the pathway, we mark and verify, and the AP-on-a-stick validation pass closes the drawing.
Is Wi-Fi 6E or Wi-Fi 7 appropriate for a hangar and MRO environment?
Wi-Fi 6E (6 GHz indoor LPI) is useful for interior-only high-density zones — integrator office floors, engineering pods, conference rooms, and a specific subset of clean-room fabrication where the operational device fleet supports 6 GHz client radios. Outdoor and radiating-outdoor hangar coverage stays on 5 GHz because AFC (Automated Frequency Coordination) standard-power 6 GHz operation in industrial outdoor adjacency is constrained and the operational device fleet is rarely 6 GHz-capable end-to-end.
Wi-Fi 7 is a new-construction and major-refresh conversation, not a forklift-upgrade driver for a working hangar. Where the tenant is building new space or refreshing an aging controller and AP fleet, we scope Wi-Fi 7 with Cisco Catalyst 9176 (or platform equivalents) on the baseline and carry the same FIPS, 802.11w PMF, and 802.11r/k/v roaming posture forward. For a live hangar on Cisco 9166 / IW9167E with a stable channel plan, a Wi-Fi 7 swap is rarely the right first move.
How do you handle engine test cells and composite autoclave bays that need dedicated RF?
Engine test cells are typically built with reinforced concrete and, in some configurations, copper mesh in the ceiling or walls for acoustic and RF isolation. We treat them as their own coverage zones with dedicated APs inside the cell, hardened cabling penetration through an engineered wall port, and a channel and power plan that keeps the cell RF inside the cell. Leak-from-adjacent-bay coverage is not a reliable design for a test cell and we do not scope it that way.
Composite layup rooms and autoclave bays absorb 5 GHz against the carbon fiber inventory and reflect 6 GHz unpredictably against tooling. Those spaces get AP-on-a-stick validation before the placement drawing is final, and the final drawing is tuned to the measured behavior rather than the predictive model alone. Hazardous-location zones adjacent to bonding cells or resin handling use the Cisco Catalyst IW9167E hazardous-location variant where required and are installed by the operator’s approved Class I Div 2 electrical contractor.
Will you sign an NDA and keep the engagement off your marketing?
Yes. NDA is standard on every aerospace-adjacent engagement and we sign before any floor plans, drawings, or tenant-specific information cross our network. Our public references are anonymized by vertical and scale (“commercial integrator supporting a tier-1 prime supply chain”, “MRO facility under NIST 800-171 and CMMC Level 2 scope”). We do not publish tenant identities, site-specific case studies, photographs of tenant facilities, or named-customer logos.
That posture is deliberate. Aerospace-adjacent tenants live downstream of prime-contractor relationships that do not tolerate supplier marketing of the engagement, and we have built the practice to respect that constraint. The deliverables, the design artifacts, and the evidence package are yours; the marketing value of the engagement stays yours too.