Your U.S. prime contract depends on a certification most of Mexico’s supply base isn’t ready for.
I help aerospace and defense manufacturers across Querétaro, Baja California, Chihuahua, Nuevo León, and Sonora prepare for CMMC Level 2 — before a flow-down clause takes the contract off the table.
Every subcontractor in the chain carries the requirement. A prime’s CMMC obligation flows down to every supplier touching Controlled Unclassified Information — including manufacturers based outside the United States.
Phase 2 of the CMMC rollout begins November 10, 2026.
From that date, new DoD solicitations start requiring CMMC Level 2 certification as a condition of award — and that requirement passes down through every tier of the supply chain.
The exposure
A purchase order can’t outrun a compliance clause.
Mexican aerospace manufacturers have spent years earning their place in the DoD supply chain on quality and cost. CMMC changes the qualifying question from “can you build the part” to “can you protect the data that comes with it.”
Flow-down clauses are already in new contracts
Primes are inserting CMMC requirements into subcontracts ahead of the mandate, using them to pre-qualify who stays in the bidding pool.
NIST SP 800-171 wasn’t built with a shop floor in mind
110 controls written for IT environments have to be translated into a manufacturing plant’s network, machines, and file-sharing practices.
Readiness work takes months, not weeks
Gap closure, policy development, and evidence collection are sequential. Starting after a prime asks for proof of compliance is starting too late.
Who this is built for
Manufacturers already inside the U.S. defense supply chain — not new entrants to it.
This engagement is designed for Tier 2 and Tier 3 suppliers to U.S. DoD prime contractors, concentrated in Mexico’s aerospace manufacturing corridor.
What readiness looks like
A structured path from current-state to audit-ready.
Every engagement is scoped against your actual CUI footprint — not a generic checklist.
CMMC Level 2 gap assessment
A control-by-control evaluation against the 110 NIST SP 800-171 practices, scoped to where Controlled Unclassified Information actually moves through your operation.
System Security Plan and POA&M
The core documentation an assessor expects to see — built to reflect how your plant, network, and vendors actually operate.
Policy development and evidence collection
Written policies mapped to each control, plus a practical system for capturing the evidence an assessment will ask for.
Remediation roadmap, prioritized by contract risk
A sequenced plan for closing gaps — ordered by what puts your current contracts at risk first, not by control number.
How this engagement fits into your certification path
I work with your organization as a CMMC readiness and advisory consultant. That work is backed by CISSP certification and eight-plus years leading enterprise information security programs — including banking-grade and telecom audit readiness under ISO 27001. My role is to prepare your systems, documentation, and evidence ahead of a formal assessment: closing gaps, building your SSP and POA&M, and getting your team ready to walk into an audit with confidence.
Formal CMMC Level 2 certification is issued only by an accredited C3PAO through an official assessment, conducted by a Lead Assessor under U.S. citizenship requirements. I do not perform that assessment or certify your organization — I get you ready for the firm that does, and can help coordinate that engagement when the time comes.
Find out where your gaps are before a prime does.
A 30-minute call is enough to map your current CUI exposure against the CMMC Level 2 requirement and tell you honestly how much runway you have before November 2026.