I hear it all the time from owners and ops leads: “We’re too small for CMMC.” It sounds reasonable, like saying a corner shop doesn’t need a lock because it’s not a big-box store. But CMMC compliance isn’t based on headcount, it’s based on whether Federal data touches your business.
For small DoD contractors and subs, that belief can quietly turn into lost bids, slow onboarding, and expensive last-minute fixes. CMMC 2.0 is already in a phased rollout that started Nov 2025, and the timeline that matters most is what shows up in your solicitations, awards, and option years.
Two quick definitions in plain language: FCI (Federal Contract Information) is contract-related info the government gives you that isn’t meant for the public. CUI (Controlled Unclassified Information) is sensitive data that still isn’t classified, but has rules for how it must be handled.
CMMC compliance follows the data, not your company size

CMMC 2.0 is the DoD’s way of confirming contractors protect FCI and CUI with consistent security controls. If my business touches the data, my business inherits the responsibility, even if it’s a five-person shop.
At a high level, there are three levels:
- Level 1 is for FCI and basic cyber hygiene.
- Level 2 is for CUI and maps to NIST SP 800-171 requirements.
- Level 3 is for the highest-risk work and adds advanced protections.
Assessments depend on the level and risk. Some work allows a self-assessment, some requires a third-party assessment by a C3PAO, and the most sensitive work can involve a DoD-led assessment. For contracts that require it, results and affirmations get recorded in SPRS, which is the government system used to track supplier cyber reporting (see the SPRS Cyber Reports page at https://www.sprs.csd.disa.mil/nistsp.htm).
If you want the official DoD overview, I point people to the DoD CIO’s CMMC program “About” page (https://dodcio.defense.gov/cmmc/About/) and the Model Overview document (https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverviewv2.pdf). They’re dense, but they settle arguments fast.
CMMC 2.0 Levels 1 to 3, mapped to FCI and CUI
Level 1 (FCI) aligns to 17 basic practices commonly tied to FAR 52.204-21. Think “quotes, schedules, delivery dates, and routine contract emails.” If that’s the only type of Federal info I handle, Level 1 may be my lane.
Level 2 (CUI) aligns to the 110 requirements in NIST SP 800-171. This is where “drawings, specs, test results, and controlled program docs” show up. Most small subs run into CUI without realizing it, because it arrives through the prime’s portal, email threads, or shared files.
Level 3 is reserved for select high-risk programs. It builds on Level 2 and brings in added concepts aligned to NIST SP 800-172, with assessment handled by the government.
How the rollout works in 2026 and why contract language matters
CMMC 2.0 rollout began Nov 10, 2025 and runs in phases through 2028. In Phase 1 (Nov 2025 to Nov 2026), the DoD can include Level 1 or Level 2 self-assessment and SPRS affirmation requirements in selected contracts. Starting in later phases, more Level 2 third-party certification requirements show up.
The practical truth is simple: the requirement becomes real when it appears in your solicitation, award, mod, or option year. Primes can also treat it like a gate for suppliers, because they want low-risk subs. Your exact requirements vary by contract language and program needs.
Why “we’re too small” becomes expensive fast: the misconceptions that block revenue
When I talk with small firms about IT strategy for SMBs, I try to keep it grounded in dollars and time. Waiting on CMMC often feels cheaper, until it isn’t. Three misconceptions show up again and again.
Misconception: “I’m just a subcontractor, the prime handles security”
Flow-down is normal. If I touch FCI or CUI in my environment, I don’t get a pass because a prime is in the middle. Many primes now ask for proof before they share anything meaningful, sometimes before they even add me to a team.
Scenario: a two-person machining shop gets invited onto a bid team. The prime asks, “Where will you store CUI drawings?” The shop answers, “We’ll figure it out later.” The prime chooses a different vendor who can show a plan today.
Misconception: “We don’t have CUI, we only use email and cloud tools”
That’s exactly how CUI sneaks in.
I see CUI land in inboxes, Teams chats, SharePoint folders, file shares, laptop downloads, backups, and vendor portals. An Office 365 Migration can either tighten control (good identity, better logging, clearer sharing rules) or spread data everywhere if it’s done without scoping.
This is where Cloud Infrastructure, Cloud Management, and Secure Cloud Architecture matter. If I don’t control where CUI lives, I can’t control who accesses it, or prove it later.
Misconception: “We’ll deal with it when a contract requires it”
Waiting creates a time trap. Even a “simple” readiness push takes months because evidence takes time to generate.
Scenario: a small engineering shop goes after a subcontract. The buyer asks for an SSP and a credible POA&M, plus an SPRS posture. The shop has decent security, but no documentation, no asset list, and no consistent patch reporting. The award slips, then disappears.
Here’s how I explain the cost difference:
| Category | Cost of compliance | Cost of noncompliance |
|---|---|---|
| Bidding and awards | Budgeted project work, planned timing | Lost bids, delayed awards, blocked option years |
| Prime onboarding | Faster onboarding with fewer questions | Stalled onboarding, removal from a team |
| Security events | Reduced impact with tested controls | Breach response costs, downtime, customer notice work |
| Brand and trust | Stronger reputation with primes | Reputational harm that sticks for years |
Primes want subs who don’t create surprises. Even when they like my pricing, they won’t risk their program for it.
A right-sized CMMC readiness roadmap for small businesses (without overbuilding IT)
I’m a big believer in right-sizing. I support companies with Managed IT for Small Business, and I also support restaurants with Restaurant POS Support and Kitchen Technology Solutions. Different worlds, same lesson: build what you need, prove what you built, and keep the footprint small.
Start with scope: where FCI and CUI touch my people, devices, and cloud
If I do one thing first, it’s scoping:
- Map FCI and CUI flows (who sends it, who receives it, where it’s stored).
- Define the system boundary (what’s in scope, what’s out).
- Identify who needs access and remove everyone else.
- List apps and storage locations that can hold files.
- List endpoints that access the data (laptops, VDI, mobiles).
- Identify vendors in the path (email security, backup, MSP tools).
When cost is a concern, I look at a smaller “CUI enclave” so only a limited set of users, devices, and cloud resources fall under Level 2 controls. That reduces audit effort and evidence burden.
Build the core evidence set: SSP, POA&M, policies, and proof of controls
An SSP (System Security Plan) describes my environment and how controls are met. A POA&M (Plan of Action and Milestones) lists what’s not done yet, who owns it, and when it will be fixed.
Evidence is where many small teams stumble. I keep it practical:
- MFA enabled and enforced for admin and user accounts
- Asset inventory that matches reality
- Patch reports and update compliance
- Endpoint Security status and alerts
- Device Hardening baselines for laptops and servers
- Backups tested (this is where Data Center Technology and backup design matter)
- Logs retained and review process defined
- Training records, access reviews, and an incident response plan
- Notes from Infrastructure Optimization work (segmentation, monitoring, least privilege)
This is the backbone of strong Cybersecurity Services that survive an assessment.
30/60/90-day plan that fits a small team
I use a simple timeline so owners can keep running the business:
- 30 days: Confirm whether I handle FCI, CUI, or both. Pick the target level. Set scope. Quick wins: MFA, reduce admin accounts, backups verified, baseline device settings.
- 60 days: Run a gap review against Level 1 or NIST SP 800-171 for Level 2. Draft SSP. Start POA&M. Improve endpoint controls, basic logging, and access control.
- 90 days: Close the highest-risk gaps. Run a tabletop incident drill. Collect evidence. Prepare for SPRS submission or third-party readiness based on contract needs.
Quick CTA: If I’m unsure where the data is, I start with a one-page scope map and a list of systems. That alone clears up weeks of confusion.
Conclusion
Being small doesn’t remove CMMC compliance obligations when my business handles FCI or CUI. In practice, readiness reduces deal-breakers with primes, speeds up onboarding, and prevents the “we need this next week” fire drill when a bid drops.
My next step is straightforward: confirm whether I touch FCI or CUI, reduce scope to the smallest workable boundary, then commit to a 30/60/90-day readiness plan. Requirements vary by contract and solicitation language, so I always validate expectations with the prime and the specific contract documents. The businesses that act early get more shots on goal, and fewer unpleasant surprises.