A bundled aerospace-compliance consulting practice covering CMMC, AS9100, and ITAR — serving the 200- to 500-establishment Bluegrass-corridor small-manufacturer bench around Parker-Meggitt's Danville plant.

The bundle is three credentials inside one practice. Cybersecurity Maturity Model Certification (CMMC) operates under DoD 32 CFR Part 170 — the final rule landed October 2024, effective December 2024 — with Level 1 self-attestation, Level 2 third-party assessor, and Level 3 government-led tiers. The founder delivers readiness consulting as a Registered Practitioner Organization (RPO) or Certified CMMC Professional (CCP), not third-party assessment (the C3PAO function carries a $500,000-plus capital floor). AS9100 is the aerospace QMS published by SAE International on a three-year recertification cycle with annual surveillance audits. The International Traffic in Arms Regulations (ITAR) under 22 CFR 120-130, administered by the State Department Directorate of Defense Trade Controls (DDTC), cover U.S. Munitions List Category VIII military-aircraft technical data — Parker-Meggitt's defense-aviation scope. Any Tier-2 manufacturer pursuing Department of Defense aerospace supply needs all three credentials. That is why the practice moves as one bundled lane rather than three.

CMMC enforcement phases in across FY26 to FY28 against the DoD 32 CFR Part 170 implementation calendar. Every Bluegrass-region small manufacturer holding or seeking Department of Defense sub-contract work — direct to Parker-Meggitt, to a Tier-1 in the Parker-Meggitt vendor chain, to Lockheed Martin Missiles and Fire Control in Lexington, or to any prime flowing DFARS clauses — faces a CMMC gate in that window. AS9100 demand recurs across the three-year recertification cycle with annual surveillance audits between initial-implementation engagements. ITAR registration is annual at a $2,250 base fee to DDTC; technology-control plans and jurisdiction-and-classification systems require periodic refresh as customer scope changes. For Tier-2 suppliers handling Category VIII aircraft technical data, ITAR readiness is a precondition for any defense supply.

Other Bluegrass-region anchors in the same labor shed include Lockheed Martin Missiles and Fire Control in Lexington (radar and missile defense, distinct NAICS from aircraft components), Belcan LLC engineering services with a regional footprint, Honeywell regional sites, and GE Aerospace through the Cincinnati cross-border supplier flow. The credentialed-worker base across the Bluegrass corridor runs roughly 4,000 to 8,000. The small-manufacturer establishment count is the addressable consulting customer set at 200 to 500.

Bluegrass Community and Technical College's Danville Campus at 59 Corporate Drive sits next door to Parker-Meggitt at 120 Corporate Drive and operates as a feeder for aerospace workforce training. The Aerospace Tech program is a referral channel rather than a direct customer.

Per-engagement scope sizing runs in industry-typical ranges. CMMC readiness — assessment, gap analysis, System Security Plan documentation, and Plan of Action and Milestones — is $5,000 to $30,000 initial engagement plus $1,500 to $6,000 per month retainer through Level 2 readiness. AS9100 implementation runs $10,000 to $40,000 initial plus $4,000 to $12,000 annual surveillance across the three-year cycle. ITAR registration support — DDTC filing assistance, technology-control-plan documentation, and Commodity Jurisdiction determinations — runs $5,000 to $20,000 initial plus $4,000 to $15,000 annual retainer. A Tier-2 customer carrying all three credentials runs roughly $25,000 to $60,000 per year blended.

Bundle discipline matters. Single-credential positioning — CMMC only, AS9100 only, ITAR only — flags as thin demand. National consolidators — Booz Allen, Coalfire, Schellman, Optiv, KPMG, Deloitte — carry all three but serve primes and large Tier-1s; the small-manufacturer retainer rate at $1,500 to $6,000 per month sits below their cost-to-serve floor. Single-credential local consultants compete on price for individual engagements but cannot capture the within-customer cross-sell that makes the bundle work. The bundled practice plus Bluegrass-corridor residency are the two moats.

Per-engagement revenue mix. CMMC readiness assessment plus gap analysis plus SSP documentation plus POA&M at $5K-$30K initial engagement plus $1.5K-$6K per month retainer through Level 2 readiness. AS9100 implementation at $10K-$40K initial engagement plus $4K-$12K annual-surveillance support across the 3-year cycle. ITAR registration support at $5K-$20K initial engagement plus $4K-$15K per year retainer for ongoing control-plan maintenance and CJ-determination support. Bundled retainer on a typical Tier-2 customer carrying all three credentials runs roughly $25K-$60K per year blended.

Year 1 (founder-only; 3-5 active client engagements plus 1-2 readiness retainers): revenue base $180K-$320K; take-home $80K-$140K. Year 1 priority is closing the initial 3-5 engagements while completing the credentialing arc (CCP + AS9100 internal-auditor + ECoP) in 6-9 months for a credentialed founder or 12-18 months for a career-changer.

Year 3 (founder plus potential 1-staff addition; 6-10 active engagements with a maturing surveillance plus recertification base): revenue $350K-$550K; take-home $150K-$220K. The Year 3 step-up comes from AS9100 surveillance plus CMMC retainer base building out across Years 2-3 and ITAR retainer maintenance compounding on the customer roster.

Mature (owner-operator at scale; 1 part-time admin or 1 junior consultant on retainer): revenue $400K-$700K; take-home $200K-$280K. The ceiling is the founder's billable-hour capacity blended with retainer revenue.

Capital stack $80K-$150K start-up. Laptop plus encrypted secondary device plus secure cloud workspace (GCC High M365 or equivalent for CUI / ITAR-controlled documentation) $4K-$10K. CMMC training and credentialing (Cyber-AB CCP / CCA pathway plus NIST SP 800-171 self-study plus RPO registration) $8K-$20K. AS9100 internal-auditor or lead-auditor training (Exemplar Global or IRCA pathway through a registrar-affiliated training provider) $4K-$12K. ITAR / ECoP training (SIA ECoP pathway plus DDTC materials) $3K-$8K. Workers compensation plus professional E&O (CUI / ITAR-controlled scope runs higher than generalist E&O) plus general liability $8K-$18K per year. Vehicle for client travel across the Bluegrass corridor (30-50 percent travel realistic) $20K-$45K used or leased. Working capital reserve for 9-12-month founder runway during initial credentialing arc $40K-$70K.

Founder-only Year 1 viability holds because the credentialing arc overlaps with first-client onboarding (typical Tier-2 manufacturer takes 6-12 months from first conversation to retained engagement), and revenue from Year 1 readiness retainers covers operating cost before AS9100 surveillance plus CMMC retainer base builds out in Years 2-3. No C3PAO accreditation, no NADCAP process accreditation, no AS9100 registrar buildout — the practice stays at the readiness-consulting tier, not the third-party-assessment tier.

• Parker-Meggitt Aircraft Braking Systems Kentucky Corporation

  Aircraft wheels and brakes manufacturer — regulatory-pressure source and referral surface

  Active in market

  120 Corporate Drive, Danville. Parker Hannifin Aerospace Systems segment after the September 2022 acquisition of Meggitt PLC for roughly $8.8 billion. The two recipient registrations combine to $138.4 million across 1,308 federal awards on a three-year window. The plant is the regulatory-pressure source for the small-manufacturer bench, not the founder's direct customer.
• Bluegrass-corridor small-manufacturer bench

  Addressable consulting customer set across nine counties

  Out-of-county

  Roughly 200 to 500 establishments across Boyle, Lincoln, Garrard, Mercer, Casey, Washington, Marion, Anderson, and the Fayette industrial corridor. Holds or seeks Department of Defense or aerospace-defense sub-contract work.
• Lockheed Martin Missiles and Fire Control, Belcan, Honeywell, and GE Aerospace

  Regional aerospace-defense primes and Tier-1 employer base

  Out-of-county

  Lockheed sits in Lexington. GE Aerospace reaches through the Cincinnati cross-border supplier flow. Tier-2 supplier-development at each is procedural-introduction-gated.
• Cyber Accreditation Body (Cyber-AB) and the DoD 32 CFR Part 170 framework

  CMMC accreditation and credentialing pathway

  Out-of-county

  Cyber-AB administers Certified CMMC Professional (CCP), Certified CMMC Assessor (CCA), and Registered Practitioner Organization (RPO) credentials. The DoD 32 CFR Part 170 final rule landed October 2024 and is effective December 2024.
• SAE International and the AS9100 registrar pool

  Aerospace QMS standard-setter and accredited registrars

  Out-of-county

  Registrars include Lloyd's Register Quality Assurance, DEKRA, BSI, DNV, NQA, SAI Global, TÜV SÜD, and TÜV Rheinland. ANAB and UKAS accredit the registrars. The founder stays registrar-neutral; cross-registrar pre-audit familiarity is the moat.
• State Department Directorate of Defense Trade Controls (DDTC) and the Society for International Affairs (SIA)

  ITAR registration and export-compliance credentialing

  Out-of-county

  DDTC administers ITAR registration ($2,250 per year base fee), Commodity Jurisdiction determinations, and export licensing under 22 CFR 120-130. SIA awards the Export Compliance Professional credential.
• Advantage Kentucky Alliance (AKA-MEP) and the Kentucky Association of Manufacturers (KAM)

  Regional manufacturer-support institutions

  Institution

  AKA-MEP is the NIST Manufacturing Extension Partnership affiliate hosted at the University of Kentucky, operating on federal cost-share and offering CMMC, AS9100, and lean-manufacturing programming. KAM operates regional programming and a member roster.
• BCTC Danville Campus Aerospace Tech program and the Kentucky APEX Accelerator network

  Workforce pipeline and federal-procurement counseling

  Institution

  59 Corporate Drive, Danville, next door to Parker-Meggitt. APEX Accelerators (formerly PTACs) provide federal-procurement counseling and bid-match services to the small-manufacturer customer base.

Two viable founder profiles. (1) Mid-career IT security professional with DoD-supplier exposure — former DCMA quality, former aerospace-prime supplier-quality engineer, former military cyber — shortcuts the 12-18-month credentialing arc to 6-9 months and enters Year 1 with 1-2 named relationships inside the Bluegrass-corridor Tier-2 bench. (2) Returning-home aerospace-quality engineer or compliance manager with 5+ years prior Parker Hannifin, Lockheed, Belcan, Honeywell, or GE Aerospace tenure plus AS9100 internal-auditor or lead-auditor history; the founder retains a junior CMMC consultant or ITAR compliance contractor at launch and operates the customer-facing layer plus the AS9100 line directly. A first-time founder without prior aerospace-defense compliance or DoD-supplier tenure cannot enter this lane cold — the credentialing arc plus the customer-relationship acquisition cycle plus the working-capital float require operator fluency that only prior tenure establishes.

Relationship-portfolio target at launch: documented working relationships with the AKA-MEP (Advantage Kentucky Alliance) regional team at the University of Kentucky (the most-probable subsidized-pricing competitor plus potential subcontractor channel); Kentucky Association of Manufacturers (KAM) leadership; BCTC Danville Campus Aerospace Tech program coordinator; the Eastern KY APEX Accelerator at Morehead State plus the KY APEX Accelerator network; Parker Hannifin Aerospace Systems supplier-development office plus Lockheed Martin Missiles and Fire Control Lexington supplier-development office (procedural-introduction channels — both primes operate Tier-2 supplier-onboarding processes that flow DFARS / AS9100 / ITAR clauses down). Eight to twelve named contacts plus the Cyber-AB Marketplace listing plus the IAQG OASIS visibility by end of Year 1.

Credentialing posture. Cyber-AB CCP or CCA credential plus Registered Practitioner Organization registration for the CMMC line. AS9100 internal-auditor or lead-auditor certification through Exemplar Global or IRCA via a registrar-affiliated training provider for the AS9100 line. Society for International Affairs ECoP credential plus DDTC ITAR registration familiarity for the ITAR line. Founder must budget 60-100 hours per year on credential maintenance plus $4K-$10K per year in CPE and recertification fees across the three credentials. Cyber-insurance baseline plus E&O at the elevated CUI / ITAR-scope tier plus workers compensation in place at policy inception.

Year 1 books 3-5 active engagements plus 1-2 readiness retainers across the Tier-2/3 small-manufacturer bench. Year 2-3 builds the AS9100 surveillance plus CMMC retainer base plus the ITAR-controlled-technology customer roster. Mature run-rate stabilizes around 6-10 active engagements with a rolling surveillance plus recertification base; the lane is structurally founder-of-record on the buyer relationships and does not translate to a platform-rollup acquirer template at this scope.

• — The exact CMMC phase-in schedule under DoD 32 CFR Part 170 for Level 2 contract-clause incorporation across FY26 to FY28.
• — Parker-Meggitt's current employment level (working range 70 to 185).
• — Whether Parker Hannifin corporate handles all Tier-2 compliance flowdown centrally or whether Danville-plant-level regional sub-supplier pressure exists. Critical for demand-shape verification.
• — The Parker-Meggitt regional Tier-2 sub-supplier roster — likely confidential.
• — BCTC Danville Campus Aerospace Tech program enrollment and placement.
• — Whether a Bluegrass-corridor industry council comparable to the Northern Kentucky Aerospace Industry Council exists.
• — Kentucky-resident counts for CMMC RPOs, C3PAOs, AS9100 lead auditors, and Society for International Affairs Export Compliance Professionals.
• — AKA-MEP's regional CMMC, AS9100, and ITAR programming roster and pricing posture.
• — Kentucky Association of Manufacturers regional programming and member roster.
• — Bluegrass-region small-manufacturer establishment count and AS9100-certified count.
• — Supplier-development office contacts at Lockheed Martin, Belcan, Honeywell, GE Aerospace, and Parker Hannifin Aerospace Systems.
• — The total Bluegrass-corridor aerospace credentialed-worker bench (working assumption 4,000 to 8,000).
• — APEX Accelerator coverage for Bluegrass-corridor small-manufacturer federal-procurement counseling capacity.
• — Operator P&Ls. The math above is industry-benchmarked, not measured.

Tonight, this week, this month — in that order. Each step produces a yes/no or a number, not a deeper understanding.