CMMC Compliance for SBIR Companies: What Level You Need, What It Costs, and What to Do First
If a CMMC clause just appeared in your SBIR solicitation — or a contracting officer asked for your SPRS score and you froze — start here.
CMMC compliance for SBIR companies applies whenever a DoD solicitation, contract, subcontract, or prime flow-down requires you to process, store, or transmit FCI or CUI on your own information systems — which covers nearly every DoD SBIR or STTR award, because almost all of them involve at least Federal Contract Information (FCI). If your work only touches FCI, the likely path is CMMC Level 1: a 15-requirement annual self-assessment. If it touches Controlled Unclassified Information (CUI), the likely path is Level 2: a full 110-requirement NIST SP 800-171 Rev. 2 program.
The SBIR CMMC decision map (start here, before you spend a dollar)
| If your SBIR situation is… | Likely data trigger | Likely CMMC path (estimate — your contract governs) | Evidence to gather before buying help | Provider category to consider first | What NOT to buy yet |
|---|---|---|---|---|---|
| Proposal only, no award yet | Public info or unknown | Possibly none required yet — verify the solicitation | Solicitation clauses, topic instructions, agency cyber notes | DIY checklist / neutral readiness triage | A C3PAO assessment (no scope exists) |
| Phase I, DoD, FCI only | Contract info not for public release | Level 1 (Self) likely | FAR 52.204-21 safeguards, FCI system boundary, SPRS/affirmation plan | Small-business MSP or readiness consultant (RPO) | Level 2 tooling, unless CUI is actually present |
| Phase I/II with DFARS 252.204-7012 in the contract | Covered defense info / CUI / CTI | Level 2 likely; self vs C3PAO per contract | SSP, CAGE code, NIST 800-171 score, CUI data-flow map | RPO / readiness consultant / vCISO; then an MSP | A C3PAO until your SSP and scope are credible |
| A prime or CO asks for your SPRS score | NIST SP 800-171 applies | A current assessment score may be required now | Current assessment, score, system architecture, CAGE | Readiness consultant / GRC evidence support | A guessed or inflated score |
| Prime flow-down says 'Level 2 by [date]' | Subcontract includes CUI | At least Level 2 (Self); Level 2 (C3PAO) if the prime's obligation requires it | The exact flow-down clause, CUI package, required assessment type | Readiness + architecture first; C3PAO only when ready | A vendor's vague 'CMMC-ready' claim with no assessment type |
| Only a few people touch CUI | Narrow CUI footprint | Level 2, but scope may shrink with an enclave | Asset inventory, CUI users, data flow, cloud/ESP list | CUI enclave / secure collaboration / GCC High | A company-wide migration before scoping |
| Assessment-ready and contract requires it | Solicitation requires Level 2 (C3PAO) | Level 2 (C3PAO), every 3 years + annual affirmation | Final scope, complete SSP, evidence, C3PAO conflict check | An authorized C3PAO (separate from your implementer) | A C3PAO that also did your remediation (conflict rules) |
| Rare, highly sensitive program | Higher-level CUI / APT concern | Level 3 after a Final Level 2 (C3PAO) | Program requirement, Final L2 status, L3 scope | Specialized readiness + DIBCAC path planning | Marketing Level 3 as a normal SBIR default |
Does CMMC compliance apply to SBIR companies?
Yes. CMMC applies to SBIR and STTR companies whenever a DoD contract or subcontract requires you to process, store, or transmit FCI or CUI on your own information systems. “SBIR” is not an exemption — CMMC follows the information and the contract requirement, not the funding label. Under 32 CFR §170.3, CMMC Program requirements generally don’t apply to acquisitions solely for commercial off-the-shelf (COTS) items, and applicability is shaped by the phase-in schedule and the specific clauses in each solicitation.
This trips people up because SBIR feels like a grant. Contractually, a DoD SBIR/STTR award makes you a defense contractor, with the same cybersecurity obligations as any other supplier handling the same data. Almost every DoD awardee handles FCI and needs at least Level 1, and firms handling CUI need Level 2.
What makes SBIR different (and riskier)
The SBIR contract trigger checklist
| Where to look | What you’re looking for | What it signals | What to capture |
|---|---|---|---|
| Solicitation (DFARS 252.204-7025) | The stated CMMC level + assessment type | Your required level before award | Screenshot the provision and the stated level |
| Awarded contract (DFARS 252.204-7021) | The CMMC-status obligation + flow-down | You must maintain status during performance | Screenshot the clause |
| Contract (DFARS 252.204-7012) | 'Covered defense information' / safeguarding language | CUI is likely in scope → Level 2 territory | Screenshot the clause |
| Data you receive or produce | CUI markings; Distribution Statements B–F | Controlled technical information (CUI) | Photo or scan of the marking |
| SPRS | A NIST SP 800-171 score requirement (DFARS 252.204-7019) | A current score may be required now | Screenshot your SPRS status |
What CMMC level do SBIR companies usually need?
FCI-only SBIR work generally points to CMMC Level 1; CUI generally points to Level 2; Level 3 is rare and reserved for the most sensitive programs facing advanced persistent threats. Level 2 currently maps to the 110 security requirements in NIST SP 800-171 Revision 2 — organized into 14 control families — not Revision 3, unless DoD changes the rule. Your specific level is stated in the solicitation; you don’t choose it.
Level 1 — for FCI only
Level 2 — for CUI, covered defense information, and controlled technical information
Level 3 — uncommon for SBIR
| Information you handle | Likely level | Assessment type | What it means in practice |
|---|---|---|---|
| Public information only | Possibly none yet | Verify the solicitation | Prepare, but don't overbuy |
| FCI only | Level 1 | Annual self-assessment | 15 safeguards + annual affirmation; no POA&M |
| CUI / CDI / CTI | Level 2 | Self or C3PAO (per contract) | Full 110-requirement NIST 800-171 Rev. 2 program |
| Prime requires Level 2 (C3PAO) | Level 2 (C3PAO) | Third-party | Assessment-ready evidence required |
| Highly sensitive CUI / APT | Level 3 | DIBCAC (government) | Rare; program-specific |
Want the control-by-control breakdown? See our deeper references on CMMC Level 1 requirements and CMMC Level 2 requirements.
How do SBIR companies know if their work creates or receives CUI?
You determine CUI from the contract, the markings, the distribution statements, the technical data package, and the language of DFARS 252.204-7012. That clause defines controlled technical information (CTI) as technical information with military or space application subject to controls on access, use, release, or dissemination. When in doubt, the distribution statement on the data is your strongest signal.
Don’t confuse SBIR data rights with CUI safeguarding
| | SBIR/STTR data rights | CUI safeguarding (CMMC / NIST 800-171) |
|---|---|---|
| What it controls | Who may use or disclose your technical data | How the data must be protected on your systems |
| Who it benefits | Your company (commercial protection) | The government (information security) |
| Where it shows up | SBIR data-rights clauses and markings | DFARS 252.204-7012; 32 CFR Part 170 |
| Why it matters for CMMC | Owning rights does not remove safeguarding duties | If it's CUI, you must protect it — regardless of who owns the rights |
Common signals that SBIR work involves CUI/CTI
Questions to put in writing to your TPOC or contracting officer:
Want the plain-English version of what counts as CUI, with examples? See What is CUI?
When does CMMC actually become a condition of your SBIR award?
CMMC requirements began appearing in DoD solicitations on November 10, 2025 — the effective date of the DFARS acquisition rule. Through Phase 1, the focus is Level 1 and Level 2 self-assessments as conditions of award, though DoD may require a Level 2 (C3PAO) certification in selected procurements. Phase 2 begins November 10, 2026 and adds Level 2 (C3PAO) requirements for applicable solicitations and contracts. That Phase 2 date is the one to circle.
| Phase | Starts | What it adds |
|---|---|---|
| Phase 1 | Nov 10, 2025 | Level 1 (Self) or Level 2 (Self) as a condition of award; DoD may require Level 2 (C3PAO) at its discretion |
| Phase 2 | Nov 10, 2026 | Level 2 (C3PAO) for applicable solicitations/contracts; DoD may delay that requirement to an option period rather than a condition of initial award |
| Phase 3 | Nov 10, 2027 | Level 2 (C3PAO) for all applicable solicitations/contracts (award and option periods); Level 3 (DIBCAC) added for applicable solicitations/contracts |
| Phase 4 | Nov 10, 2028 | Full implementation across applicable contracts |
As of mid-2026, the Cyber AB reported roughly 103 authorized C3PAOs and about 1,074 cumulative Level 2 certifications at its March 2026 Town Hall, while the DoD’s own final-rule analysis estimated that around 8,350 medium and large entities will ultimately need a Level 2 (C3PAO) assessment. Thousands of companies, about a hundred assessors, a hard date. Assessment slots are a scarce resource.
What to do by phase:
What evidence should an SBIR company build before chasing certification?
Build the evidence package before you chase a certificate: a contract-clause inventory, an FCI/CUI data map, a defined CMMC scope, a System Security Plan (SSP), an asset inventory and network diagram, a current NIST SP 800-171 score in SPRS where applicable, a POA&M where permitted, a list of your cloud and external service providers, and a named Affirming Official.
The minimum evidence checklist:
Open the SBIR CMMC readiness checklist. We maintain a free, control-mapped CMMC Readiness Checklist built around the 14 NIST 800-171 Rev. 2 families. If you’re not ready to talk to anyone yet, that’s the self-serve next step — no conversation required.
Why your SPRS score has to match a real system
Case study — why “just submit a score” is dangerous
On September 30, 2025, the U.S. Department of Justice announced that Georgia Tech Research Corporation agreed to pay $875,000 to resolve False Claims Act allegations tied to cybersecurity requirements on certain Air Force and DARPA contracts. The case began as a whistleblower suit in 2022. Among the allegations: that a relevant lab operated without a required System Security Plan for years, that required antivirus tools weren’t in place, and that a false campus-wide, “virtual” summary-level cybersecurity score was submitted to the DoD rather than a score reflecting the actual covered system. DOJ noted these were allegations only, with no determination of liability. (Source: U.S. Department of Justice, Sept. 30, 2025.)
The lesson for an SBIR founder: a senior official will personally affirm your score in SPRS. DOJ’s Civil Cyber-Fraud Initiative has repeatedly shown that no data breach is required for a false-score allegation to create real liability. The cheapest insurance is a score that honestly reflects a real system.
Do SBIR companies need an SPRS score before award?
If DFARS 252.204-7019 applies to your contract, a current NIST SP 800-171 DoD Assessment score is required in SPRS for your covered contractor information systems. And if your solicitation includes DFARS 252.204-7025, you also need the required current CMMC status and affirmation in SPRS for each in-scope system to be eligible for that award. These two requirements are related but separate, and SBIR solicitations increasingly invoke both.
The NIST score (under -7019) has been a baseline expectation since 2020, and the CMMC status (under -7025/-7021) is the newer layer phasing in now. If a solicitation requires a CMMC status and you lack a current status and affirmation in SPRS for the relevant system, you are not eligible for that award.
See our SPRS score guide for how to conduct the assessment, calculate the score, and post it.
Do SBIR companies need a C3PAO, or can they self-assess?
It depends on your contract. CMMC Level 1 is always an annual self-assessment. Level 2 can be either a self-assessment or a C3PAO certification assessment (conducted every three years), as specified in the solicitation, contract, or prime flow-down. Level 3 is assessed by the government’s DIBCAC. Through Phase 1, many Level 2 SBIR awards permit self-assessment; from Phase 2 onward, the rule adds Level 2 (C3PAO) requirements for applicable CUI contracts.
When a self-assessment may be enough
When a C3PAO becomes necessary
The single most expensive mistake: buying the assessor first
Most SBIR companies should not make a C3PAO their first purchase. If your scope, CUI boundary, SSP, evidence, and SPRS status aren’t right, a formal assessment becomes an expensive way to learn you weren’t ready, and you’ll pay again to come back. Readiness comes first, unless you’re already prepared.
The independence rule that makes “one vendor does it all” impossible
Can SBIR or TABA funds help pay for CMMC compliance?
Yes, and this is the angle most SBIR founders miss. Technical and Business Assistance (TABA) lets SBIR/STTR awardees request supplemental funds (up to $6,500 per Phase I project and $50,000 per Phase II project, across all years), and as of the April 13, 2026 reauthorization (Pub. L. 119-83), “cybersecurity assistance” is an explicitly eligible TABA use. TABA can fund the highest-leverage readiness work: scoping, a gap assessment, your SSP, remediation planning. What it generally won’t fund is the audit itself: NIH’s implementing notice expressly excludes audit services.
What changed in April 2026, and what it means for you
| What the law (Pub. L. 119-83) states | What it means for an SBIR firm doing CMMC |
|---|---|
| TABA codified at $6,500/Phase I and $50,000/Phase II per project | A budget line you can request, often on top of your award (agency discretion) |
| Eligible uses now explicitly include 'cybersecurity assistance' | Gap assessments, scoping, SSP/POA&M support, and remediation planning are fundable |
| Recipients may choose their own vendor or hire/train staff directly | You're no longer locked to an agency vendor list |
| Agencies must weigh cybersecurity practices in pre-award due diligence | A weak posture can now hurt your award odds, not just post-award compliance |
| Programs reauthorized through Sept. 30, 2031 | The DoD SBIR pipeline — and its CMMC strings — are here to stay |
TABA by agency (verified)
| Source | Phase I cap | Phase II cap | Cybersecurity eligible? | Key limits |
|---|---|---|---|---|
| Statute (Pub. L. 119-83) | $6,500/project | $50,000/project | Yes — added by 2026 reauthorization | May choose own vendor or hire/train staff |
| NIH (NOT-OD-26-075) | $6,500/project | $50,000/project | Yes | Excludes audit services, bookkeeping, fee contributions, patent costs; provider can't be your company, an affiliate/investor, or a required subcontractor |
| Army / DoD SBIR | $6,500/project | $50,000/project | Yes — CMMC services cited in the Army BAA | FedTech is Army's preferred Phase II vendor; firm-selected vendors allowed with conflict-of-interest statement |
The funding-sequence move that actually works
Request Phase I TABA ($6,500) for eligible early work — scoping, a gap assessment, and NIST SP 800-171 assessment support. Then request Phase II TABA ($50,000) for eligible remediation planning and SSP/POA&M documentation support. Companies that fold CMMC into the award from Phase I arrive at Phase III conversations with their posture already in place.
How much does CMMC compliance cost for SBIR companies?
The honest answer: SBIR CMMC cost depends more on scope than on company size. The drivers are how many people touch CUI, how many systems are in scope, your cloud architecture, your documentation maturity, your remediation gaps, and whether a Level 2 (C3PAO) assessment is required.
DoD’s published estimates (the regulatory anchor) and the sources behind the market ranges
| Source | What it estimates | Published figure | Note |
|---|---|---|---|
| DoD Regulatory Impact Analysis (32 CFR Part 170) | Assessment + affirmations only | L1 ~$4,000–$6,000/yr; L2 self ~$37,000–$49,000 (3-yr); L2 C3PAO $104,670 small / ~$118,000 other (3-yr) | Excludes implementation; assumes NIST 800-171 already met |
| PreVeil (2026) | Total CMMC cost incl. implementation | Gap assessment $3,500–$20,000+; remediation $10,000–$250,000+ | Company-stated |
| Secureframe (2026) | Small-business Level 2 prep | Consulting/prep $20,000–$100,000; complex $200,000–$300,000+ | Company-stated |
| Huntress (2026) | Level 2 (C3PAO) totals | C3PAO direct fees ~$40,000–$80,000+; total ~$40,000–$150,000+ | Company-stated |
| Paramify (2026) | Level 2 remediation | $20,000–$150,000 | Company-stated |
Market reality
| Path | Market-published range | What drives it |
|---|---|---|
| Level 1 self / FCI-only | ~$5,000–$20,000 | Your existing IT and documentation |
| Level 2 self-assessment readiness | ~$30,000–$150,000+ | Scope and remediation |
| Level 2 (C3PAO) assessment fee alone | ~$30,000–$80,000+ commonly cited | Not your full readiness cost |
| Level 2 total first cycle | ~$75,000–$300,000+ in many estimates | Starting maturity, scope, CUI footprint |
| Level 3 | $300,000+ to $500,000+ | Rare for SBIR; program-specific |
Now subtract the TABA offset
Stack the TABA offset against the cost above: up to $6,500 in Phase I and $50,000 in Phase II of award-funded readiness assistance, applied to scoping, gap assessment, SSP, and remediation planning. For a firm starting from a reasonable baseline, that can cover the entire “figure out what we actually need and document it” stage. (The audit fee generally isn’t TABA-eligible — but the work that gets you ready for it is.)
Why SBIR teams overpay (and how to not)
See GCC High vs. a CUI enclave for how the categories differ — it’s often a dramatically cheaper answer.
What type of CMMC provider should an SBIR company talk to first?
Most SBIR companies should talk to readiness and scoping help before formal assessment — unless they’re already assessment-ready. The right category depends on your actual problem: level confusion, CUI scoping, implementation, ongoing managed security, evidence workflow, enclave architecture, or formal C3PAO assessment. The conflict-of-interest rule means the firm that prepares you can’t be the one that assesses you.
| Your real problem | First provider category | Why |
|---|---|---|
| 'Do we need Level 1 or Level 2?' | RPO / readiness consultant / vCISO | Clarifies level, clauses, and scope |
| 'We have CUI but a tiny team' | CUI enclave / GCC High / secure collaboration | May shrink scope and operational burden |
| 'We need controls implemented and run' | CMMC-focused MSP / MSSP | Implements and operates the controls |
| 'We need SSP / POA&M / evidence organized' | GRC / evidence-workflow software (a supporting layer) | Keeps artifacts assessment-ready — but software alone doesn't satisfy CMMC |
| 'We're ready for formal Level 2' | Authorized C3PAO | Independent assessment, separate from your implementer |
| 'A prime gave us a hard deadline' | Readiness + contract review + provider match | You need the flow-down interpreted, then the right category |
What mistakes make SBIR CMMC more expensive or riskier than it needs to be?
The biggest SBIR CMMC mistakes are buying in the wrong order, misclassifying CUI, submitting weak or inflated evidence, assuming TABA covers everything, and confusing readiness help with formal assessment.
- Buying a C3PAO assessment first. Readiness comes before assessment unless you're already prepared. Otherwise the audit just tells you — expensively — that you weren't ready.
- Treating SBIR data rights as CUI guidance. They overlap operationally but answer different questions. Ownership/disclosure ≠ protection obligation.
- Submitting an SPRS score that doesn't match a real system. See the Georgia Tech settlement above. A score must reflect the actual covered environment.
- Assuming TABA covers everything. It funds eligible readiness assistance, not the audit, and not R&D the award already pays for.
- Assuming every system needs GCC High. Sometimes a clean CUI enclave is cheaper and simpler. Scope first; migrate second.
- Ignoring subcontractors. Primes must flow down appropriate CMMC requirements, and subcontractors that process, store, or transmit FCI/CUI are covered under 32 CFR §170.23.
- Relying on a POA&M for things that can't be deferred. See the precise rule below.
The POA&M rule, precisely: Level 1 permits no POA&M at all. For Level 2, 32 CFR 170.21 allows a conditional status with open items only when all of the following hold: the assessment score is at least 0.8 × 110, that is, 88; no open requirement carries more than 1 point under the CMMC scoring methodology, with one exception, SC.L2-3.13.11 (CUI encryption), which may sit on the POA&M when it is partially implemented (a point value of 1 or 3 rather than 5); none of the five excluded 1-point requirements is open (AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5); and every POA&M item is closed and verified by a closeout assessment within 180 days, or the conditional status lapses.
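As an added illustration (not this guide's tooling and not DoD software), the Python below encodes the two pieces of arithmetic this page leans on: the NIST SP 800-171 DoD Assessment score that goes into SPRS (start at 110, subtract 5, 3 or 1 per unmet requirement, partial credit only for MFA and FIPS crypto, no score at all without an SSP) and the 32 CFR 170.21 Level 2 POA&M gate. The weight table is a constructed subset of the real 110-row methodology table, the two scenarios are constructed for a hypothetical small SBIR firm, and any requirement not listed in a scenario is assumed fully implemented.

```python
"""Score a NIST SP 800-171 DoD Assessment and test the CMMC Level 2 POA&M gate.

Added illustration, not the page's tooling and not DoD software. Rules encoded:
  * Start at 110 and subtract each unmet requirement's weight (5, 3 or 1).
  * 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) lose only 3 points when
    partially met (MFA for remote/privileged users only; non-FIPS encryption).
  * Without a System Security Plan the assessment cannot be completed at all.
  * Conditional Level 2 status via POA&M needs score >= 0.8 * 110 = 88, no open
    item worth more than 1 point (except 3.13.11 when partial), and none of
    3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5 open.
"""

MAX_SCORE = 110                         # one point per requirement before deductions
POAM_MIN_SCORE = int(0.8 * MAX_SCORE)   # 88

# Constructed subset of the methodology's weight table (assumption: the real
# table has all 110 rows; only the rows this example needs are shown).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.9": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.4.1": 5, "3.4.2": 5, "3.5.1": 5, "3.5.2": 5, "3.5.3": 5,
    "3.10.3": 1, "3.10.4": 1, "3.10.5": 1, "3.12.1": 5, "3.12.3": 5,
    "3.13.1": 5, "3.13.11": 5, "3.14.2": 5, "3.14.4": 5,
}
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # deduction when partially met
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
STATUSES = ("met", "partial", "not_met")


class AssessmentError(Exception):
    """Raised when the assessment cannot be completed (e.g. no SSP exists)."""


def deduction(req: str, status: str) -> int:
    """Points lost for one requirement; requirements not in a scenario count as met."""
    if req not in WEIGHTS:
        raise ValueError(f"{req}: not in the weight table")
    if status not in STATUSES:
        raise ValueError(f"{req}: unknown status {status!r}")
    if status == "met":
        return 0
    if status == "partial":
        if req not in PARTIAL_CREDIT:
            raise ValueError(f"{req}: the methodology gives no partial credit here")
        return PARTIAL_CREDIT[req]
    return WEIGHTS[req]


def sprs_score(findings: dict, has_ssp: bool) -> int:
    """DoD Assessment score for one covered system (never a campus-wide average)."""
    if not has_ssp:
        raise AssessmentError("no System Security Plan: assessment cannot be completed")
    return MAX_SCORE - sum(deduction(r, s) for r, s in findings.items())


def poam_gate(findings: dict, has_ssp: bool) -> tuple:
    """Return (eligible, reasons) for conditional Level 2 status under 32 CFR 170.21."""
    score = sprs_score(findings, has_ssp)
    reasons = []
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below {POAM_MIN_SCORE}")
    for req, status in findings.items():
        lost = deduction(req, status)
        if lost == 0:
            continue
        if req == "3.13.11" and lost <= 3:
            continue            # the one multi-point item the rule lets you defer
        if lost > 1:
            reasons.append(f"{req} carries {lost} points and must be closed first")
        elif req in NEVER_ON_POAM:
            reasons.append(f"{req} is a 1-point item the rule excludes from POA&Ms")
    return (not reasons, reasons)


# Constructed scenarios for a hypothetical small SBIR firm.
BEFORE_REMEDIATION = {
    "3.5.3": "partial",     # MFA only on the VPN and admin accounts
    "3.13.11": "partial",   # TLS everywhere, but the modules are not FIPS-validated
    "3.3.1": "not_met",     # no central audit logging
    "3.14.2": "not_met",    # endpoint protection missing on lab machines
    "3.10.4": "not_met",    # no physical access log
}
AFTER_REMEDIATION = {
    "3.13.11": "partial",   # still waiting on FIPS-validated modules
    "3.1.9": "not_met",     # logon banner still missing
}

if __name__ == "__main__":
    for name, findings in (("before", BEFORE_REMEDIATION), ("after", AFTER_REMEDIATION)):
        score = sprs_score(findings, has_ssp=True)
        eligible, why = poam_gate(findings, has_ssp=True)
        print(f"{name}: score={score} poam_eligible={eligible}")
        for line in why:
            print("   -", line)
    try:
        sprs_score(BEFORE_REMEDIATION, has_ssp=False)
    except AssessmentError as exc:
        print("no SSP:", exc)
```

The "before" scenario scores 93, which clears the 88 threshold, yet it is still not POA&M-eligible: the MFA gap, the missing audit logging and the missing endpoint protection are multi-point items, and the physical access log is one of the five 1-point items the rule will not let you defer. Only the non-FIPS encryption finding can ride on a POA&M. The "after" scenario (score 106, two deferrable items) is eligible. The `has_ssp` check mirrors the Georgia Tech lesson above: with no SSP there is no assessment to score, and a score reported anyway does not describe a real system.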
What’s the safest 30/60/90-day CMMC plan for an SBIR company?
The safest sequence is scope first, evidence second, remediation third, assessment last.
First 30 days — confirm scope
Days 31–60 — build the evidence baseline
Days 61–90 — remediate and choose your path
If you’d rather start with a structured worksheet, our CMMC Readiness Checklist maps these steps to the 14 NIST 800-171 families. Work it at your own pace; come find us when you want a provider match.
A free resource most SBIR founders don’t know exists
The DoD’s Blue Cyber Initiative is free and open to the public. The DAF/DON Blue Cyber education series has published small-business cybersecurity office hours, weekly “Ask Me Anything” sessions, boot camps, and walkthroughs of the 15 FAR 52.204-21 / CMMC Level 1 safeguards. Register for sessions at sbir.gov/events.
CMMC for SBIR companies: frequently asked questions
Does every SBIR company need CMMC?
Does SBIR Phase I require CMMC Level 2?
Does SBIR Phase II usually involve CUI?
What's the difference between FCI and CUI for SBIR?
What is SPRS, and do I need a score now?
Can I pass CMMC with a POA&M?
Should I buy GCC High immediately?
Can the same company prepare me and assess me for CMMC?
Can TABA pay for CMMC compliance?
What should a two-person SBIR company do first about CMMC?
CMMC compliance for SBIR companies: the bottom line
CMMC compliance for SBIR companies is confusing, but it follows a sane sequence: confirm whether you handle FCI or CUI, read the level your contract states, build your evidence and SPRS score, fund the eligible readiness work with TABA, and choose the right provider category — in that order, assessment last. The deadline pressure is real (Phase 2’s Level 2 (C3PAO) requirement for applicable CUI work begins November 10, 2026, against a limited pool of assessors), the cost is more about scope than size, and a meaningful slice of the readiness work is now fundable with award dollars. You don’t have to overbuy to be safe. You have to scope honestly and move in the right order.
Related guides
- What Is CMMC 2.0: Levels, Requirements, and How It Works
- CMMC Level 1 Requirements: The 15 Safeguards Explained
- CMMC Level 2 Requirements: Full NIST 800-171 Control Breakdown
- What Is CUI? Plain-English Guide for Defense Contractors
- CMMC Level 2 Self-Assessment vs. C3PAO: Which Path Is Yours?
- SPRS Score Guide: What It Is and How to Post It
- CMMC Provider Categories: Who to Hire First
- Authorized C3PAO Directory: CMMC Level 2 Assessors
- CMMC Readiness Checklist
- CMMC Flow Down Requirements for Prime Contractor Supply Chains