The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

CMMC Compliance for Small Defense Contractors

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance.
Last verified: . Not affiliated with the Department of Defense, the Cyber AB, DCMA DIBCAC, NIST, or any U.S. government agency. Educational content only — not legal, contractual, or compliance advice.

CMMC compliance for small defense contractors almost always comes down to one question: do you handle only Federal Contract Information (FCI), or does Controlled Unclassified Information (CUI) touch your systems? FCI-only work points to Level 1: 15 basic safeguards, self-assessed once a year. CUI work points to Level 2: all 110 requirements in NIST SP 800-171 Revision 2, and your contract decides whether that is a self-assessment or a third-party assessment by a C3PAO.

Here’s the part that saves you money: the order of operations. We read the rules so you can skip the panic and go straight to the decision. Primary sources: 32 CFR Part 170, DoD CMMC level summary, and DFARS 252.204-7021.

Find your row before you read another word

If this is you | Your likely path | Assessment route | Your first move
FCI only, no CUI | Level 1 | Annual self-assessment + affirmation | Confirm you really have no CUI; map the 15 FAR safeguards
CUI exists; clause says Level 2 (Self) | Level 2 (Self) | Triennial self-assessment + annual affirmation | Build the SSP, score yourself, post to SPRS
CUI exists; clause says Level 2 (C3PAO) | Level 2 (C3PAO) | Third-party assessment every 3 years | Lock scope, get evidence real, then book the assessor
A prime says "CMMC is coming" but no clause yet | Unknown until clarified | Depends on the flow-down | Ask the prime what level, which systems, what CUI
Your prime contract is Level 3 and you handle CUI | Level 2 (C3PAO) is your minimum, not Level 3 | Third-party assessment | Confirm with the prime; Level 3 applies to you only if specifically required

Not sure which row is yours?

Answer a handful of non-sensitive questions about your data, your clause, and your timeline and get your likely level, assessment path, realistic cost band, and the provider category to compare first.

Small-Contractor CMMC Path Finder →

Please don’t enter CUI, contract numbers, system diagrams, or any sensitive security details into the tool.


What we actually verified for this guide

For this page we read the rule text at 32 CFR Part 170 on the eCFR, the DFARS final rule in the Federal Register, the contract clause at DFARS 252.204-7021 on Acquisition.gov, the Department of Defense CMMC level summary, NIST SP 800-171 Revision 2, and SPRS documentation. The cost numbers are pulled directly from the CMMC Program Rule’s regulatory analysis (89 FR 83092).

What we checked | Primary source | Why it matters
The CMMC program structure and levels | 32 CFR Part 170; DoD CIO CMMC page | Stops Level 1/2/3 confusion
When CMMC enters contracts | DFARS final rule (effective Nov 10, 2025) | Explains the pressure you're feeling now
The 110-control basis for Level 2 | NIST SP 800-171 Revision 2 | Prevents the Rev. 2 / Rev. 3 mix-up
Per-entity cost estimates | 89 FR 83092 regulatory analysis | Separates the DoD's "floor" from your real budget
Scoring, self vs C3PAO, POA&M limits | 32 CFR §§170.15–170.24 | Prevents the most expensive sequencing mistake
Subcontractor flow-down levels | 32 CFR §170.23 | Stops small subs from over-buying their level
Readiness vs assessment independence | Cyber AB ecosystem rules | Keeps you out of a conflict that can disqualify an assessor
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Does CMMC apply to small defense contractors?

Yes — CMMC applies to a small contractor or subcontractor when the solicitation, contract, or flow-down requires a CMMC status for systems that process, store, or transmit FCI or CUI, on contracts above the micro-purchase threshold. There is no blanket small-business exemption in the level structure. Contracts solely for commercially available off-the-shelf (COTS) items are excepted, and your actual contract language controls the outcome.

Small does not mean exempt, and CMMC does not scale down by company size.

A five-person machine shop that touches CUI faces the same 110 NIST SP 800-171 Revision 2 requirements as a 5,000-person prime (32 CFR Part 170). The Cybersecurity Maturity Model Certification was written around the information being protected, not the size of the entity holding it.

Now the hopeful part, and it's real: what scales is your scope. The contractors who spend the least aren't the ones who found a loophole. They're the ones who shrank where CUI lives before they spent a dollar on tools or assessors. That single decision, a tight, documented boundary around CUI instead of treating the whole company as in-scope, is where the money is made or lost.

A few things that genuinely change the analysis: COTS-only work (excepted under DFARS 252.204-7021), the micro-purchase threshold (very small buys may fall outside), and FCI vs CUI distinction (CUI presence is what pushes you toward Level 2).


Which CMMC level does a small defense contractor need?

A small contractor’s CMMC level is set by the information handled and the contract requirement — not by size or preference. Level 1 covers FCI only (15 safeguards, annual self-assessment). Level 2 covers CUI and maps to 110 NIST SP 800-171 Revision 2 requirements. Level 3 applies to a small set of CUI programs requiring enhanced protection against advanced persistent threats, and requires you to reach Final Level 2 first. The DoD’s official summary lays out exactly this structure.

Level | Data trigger | Requirement set | Assessment type | The small-contractor reality
Level 1 | FCI only | 15 safeguards from FAR 52.204-21 | Annual self-assessment + annual affirmation | Often manageable in-house if your IT hygiene is genuinely solid
Level 2 (Self) | CUI, lower-risk contract path | 110 NIST SP 800-171 Rev. 2 requirements | Triennial self-assessment + annual affirmation | Serious work; this is not "Level 2 lite"
Level 2 (C3PAO) | CUI, third-party path | The same 110 requirements | Authorized C3PAO every 3 years + annual affirmation | Readiness and assessment must be sequenced, not stacked
Level 3 | CUI needing protection against APTs | Final Level 2 plus 24 selected NIST SP 800-172 requirements | DCMA DIBCAC | Rare for small firms; expensive; never a DIY project

About that “15 vs 17” confusion you’ve probably seen

If you’ve read three CMMC articles, you’ve seen Level 1 described as 15 controls and as 17 controls. Neither is wrong. They’re describing the same thing at two layers:

  • 15 is the count of security requirements in FAR 52.204-21(b)(1)(i)–(xv) — the foundation of Level 1.
  • 17 is what those 15 become when mapped to NIST SP 800-171 Revision 2. NIST splits one of the FAR requirements into three parts; the other 14 line up one-to-one. That mapping is published in Table 1 to 32 CFR §170.15(c)(1)(ii).
  • 59 is the number of NIST SP 800-171A assessment objectives those requirements break into when you actually score yourself.

Practical takeaway: Level 1 has no POA&Ms; you must meet all of it.

The mistake that costs small contractors the most

The expensive error isn't choosing Level 2. It's assuming Level 1 because the work "doesn't feel sensitive." If CUI is moving through your email, file shares, CAD files, or a supplier portal, you're likely a Level 2 organization whether it feels like it or not.

NIST SP 800-171 Revision 3 does not currently change what CMMC Level 2 requires. Revision 3 exists, but 32 CFR Part 170 incorporates Revision 2, and Level 2 maps to Rev. 2 unless and until the DoD amends the rule (32 CFR §170.2). Don’t let a well-meaning consultant prepare you to the wrong revision.

Pin down your level before you spend a dime.

The Path Finder reads your data type, your role, and your clause language and tells you the level you’re most likely on — and the path that follows.

Find my CMMC path →

Can a small contractor self-assess, or do you need a C3PAO?

Some small contractors can self-assess, but only when the contract path allows it. Level 1 is always self-assessed annually. Level 2 is either self-assessed or assessed by a C3PAO, and the contract decides which. A Level 2 self-assessment does not satisfy a Level 2 (C3PAO) requirement. You don't get to pick the cheaper path; the solicitation picks it for you.

Your contract says | What you do | Where results go | Who performs it
Level 1 (Self) | Level 1 self-assessment | SPRS | You
Level 2 (Self) | Level 2 self-assessment | SPRS | You
Level 2 (C3PAO) | C3PAO certification assessment | CMMC eMASS → SPRS | An authorized C3PAO
Level 3 (DIBCAC) | Level 3 assessment, after Final Level 2 | CMMC workflow → SPRS | DCMA DIBCAC

Phase 2 begins November 10, 2026, when DoD intends to add Level 2 (C3PAO) requirements to applicable solicitations and contracts. Level 2 (Self) remains available where the solicitation specifies that path (32 CFR §170.3(e)).

Conditional vs. Final — and the 180-day clock

For Level 2 you score against all 110 requirements using the DoD's methodology. Your SPRS score starts at 110 and loses 1, 3, or 5 points for each requirement that is Not Met, so it can run as low as −203. A requirement counts as Met only when every one of its assessment objectives is met; a single unmet objective makes the whole requirement Not Met and costs its full point value, and the methodology allows only narrow, specifically defined partial credit (32 CFR §170.24). If the requirements still open at assessment time fit within the POA&M limits in 32 CFR §170.21, you can be granted Conditional Level 2 status; you then have 180 days to close the POA&M and reach Final status.

The honest risk on the self-assessment path

Self-assessment is real work, and the affirmation you post to SPRS is signed by a senior official vouching for it. Misrepresenting your posture in SPRS carries real False Claims Act exposure. In September 2025, Georgia Tech Research Corporation agreed to an $875,000 settlement to resolve U.S. Department of Justice allegations that it submitted an inflated NIST SP 800-171 assessment score to DoD under DFARS 252.204-7019/-7020, part of DOJ's Civil Cyber-Fraud Initiative (DOJ, September 30, 2025). The matter settled with no finding of liability, but the message to the DIB was unmistakable: an inflated score is the kind of shortcut that looks free and isn't.

If you’d rather not carry that judgment alone, that’s a legitimate reason to bring in help.

Compare readiness provider categories →

How much does CMMC actually cost a small defense contractor?

CMMC cost depends on your level, your scope, your starting maturity, and whether your contract requires self-assessment or a C3PAO. The DoD's published small-entity estimates are a useful assessment-and-affirmation floor, but they explicitly assume you've already implemented the controls, so they are not the price to get ready from scratch.

Here are the DoD’s own per-entity estimates for a small entity, pulled from the CMMC Program Rule’s regulatory analysis (89 FR 83092, October 15, 2024):

CMMC path | DoD small-entity estimate | What the estimate covers | What it does not cover
Level 1 (Self) | ~$5,977 / year | The self-assessment and affirmation | Any real security cleanup, tooling, or documentation maturity
Level 2 (Self) | ~$34,277 initial; ~$37,196 over three years | The self-assessment and affirmation | Implementing all 110 controls if you're not already there
Level 2 (C3PAO) | ~$101,752 initial; ~$104,670 over three years | The certification assessment and affirmation (incl. modeled C3PAO fee) | Readiness, remediation, architecture, software, managed services, evidence operations
Level 3 (DIBCAC) | Materially higher; reserved for a small number of programs | Enhanced NIST SP 800-172 requirements + government assessment | The prerequisite Level 2 (C3PAO) path and the full operational lift

Clarification that makes those numbers honest

The DoD’s figures cover the assessment, not the journey. The Program Rule’s cost model states plainly that the Level 2 estimates assume the contractor has already implemented NIST SP 800-171 Revision 2 (89 FR 83092). Once you add gap remediation (MFA, encryption, logging, endpoint protection, documentation, and often a CUI enclave), industry estimates commonly put first-cycle Level 2 readiness somewhere in the $50,000 to $200,000+ range, depending heavily on scope and starting maturity.

What moves the number: scope (by far the biggest lever; fewer systems in the boundary means less to implement and prove), starting maturity (if MFA, encryption, and logging are already real and documented, you're paying to demonstrate, not to build), and tool sprawl (small teams that consolidate from eight scattered point solutions to two or three integrated ones spend less and prove faster).


How can a small contractor reduce CMMC scope without cutting corners?

You can usually cut CMMC cost by reducing where CUI is processed, stored, or transmitted — not by pretending CUI isn’t there. The real question is whether CUI can be isolated into a smaller, controlled environment with documented asset categories, an accurate System Security Plan, real access controls, and evidence. The CMMC scoping rules assess the assets that handle or protect CUI and FCI, so shrinking that footprint directly shrinks the work (32 CFR §170.19).

A pattern we see constantly: a company with 100 employees where only five people ever touch CUI. Treating the whole company as in-scope is a six-figure mistake. Carving those five users and their workflow into a defined enclave can turn an enterprise-wide project into a contained one.
Your CUI pattern | The smart move | The trap to avoid
CUI flows through one workflow | Consider an enclave or secure collaboration boundary | Leakage back into normal email and file shares
CUI is everywhere | Enterprise remediation may actually be cleaner | Underestimating the timeline and cost
CUI arrives via a supplier portal | Verify whether users download and store local copies | "We don't store it" (when they quietly do)
CUI lives on CAD/CAM shop-floor systems | Segment engineering and production systems | Dragging operational technology into scope
Your MSP touches your security data | Document the external service provider's responsibilities | The MSP itself becoming in-scope by surprise

A word of caution: an enclave only helps if it's honest. If your people keep emailing drawings outside the enclave or saving CUI to unmanaged laptops, you haven't reduced scope; you've created a paper boundary that an assessor will walk right through. Scope reduction is an architecture decision, not a wish.

Map the boundary before you buy the platform. Compare the scoping and enclave provider categories built for small DIB environments.

Compare enclave and scoping options →

What goes into SPRS, your SSP, POA&Ms, and the annual affirmation?

For a small contractor, these four artifacts are the evidence backbone of CMMC, not paperwork to bolt on at the end. Get these wrong and you can be technically "compliant" and still ineligible.

SPRS (Supplier Performance Risk System)

The DoD system where your assessment information lives. Its NIST SP 800-171 module stores your assessment date, score, scope, POA&M completion date, CAGE codes, and the name, version, and date of your SSP, along with a confidence level. SPRS stores results — it does not perform the assessment. Contracting officers check it before award, which is why an out-of-date or missing score quietly kills bids.

The SSP (System Security Plan)

The anchor document. It explains, system by system, how you implement the applicable requirements — what’s in place, what’s planned, who owns it, and where the evidence is. A generic template that doesn’t match your real environment is worse than nothing; it’s the first thing an assessor compares against reality.

POA&Ms (Plans of Action and Milestones)

Your documented plan to close specific not-met requirements. Restricted: limited to the lowest-weighted requirements, barred for a defined critical set, off the table entirely at Level 1, and bound by the 180-day closeout clock for Conditional status (32 CFR §170.21).
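Added example, not code from this publication, DoD, SPRS, or the Cyber AB: a small Python scorer that applies the scoring rule from "Conditional vs. Final" above and the POA&M limits just described to a list of Not Met findings, and reports whether those findings could be carried on a POA&M under Conditional Level 2 status. The per-requirement weights are sample inputs you would replace with the values in the DoD Assessment Methodology; the partial-credit cases (3.5.3 multifactor authentication, 3.13.11 FIPS-validated encryption), the 88-point (80%) floor, the barred set (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5) and the 180-day clock are this example's reading of 32 CFR §§170.21 and 170.24 and should be verified against the current rule text before you rely on them.

```python
"""Constructed example: score a Level 2 assessment as SPRS does and test whether
its Not Met items could sit on a POA&M. Verify every rule against 32 CFR 170.21/170.24."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    NOT_APPLICABLE = "n/a"   # scored like Met, but needs a written justification


@dataclass(frozen=True)
class Finding:
    req_id: str              # NIST SP 800-171 Rev. 2 number, e.g. "3.5.3"
    weight: int              # 1, 3 or 5, from the DoD Assessment Methodology
    status: Status
    partial: bool = False    # the narrow partial-credit case (see PARTIAL_CREDIT)


MAX_SCORE = 110              # everything Met
MIN_SCORE = -203             # everything Not Met
CONDITIONAL_MIN_SCORE = 88   # score / 110 must be >= 0.8 (assumption: verify)
CONDITIONAL_CLOSEOUT_DAYS = 180
# Only two requirements earn partial credit: MFA for remote/privileged but not
# general users (3.5.3), and encryption in use but not FIPS-validated (3.13.11).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # cost 3 instead of 5
# Level 2 POA&M limits: 1-point requirements only, except 3.13.11 when it
# scores 3; these five may never be on a POA&M at any weight (assumption: verify).
POAM_MAX_POINTS = 1
POAM_POINT_EXCEPTIONS = {"3.13.11": 3}
POAM_BARRED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def points_lost(f: Finding) -> int:
    """0 unless Not Met; the partial value if it qualifies; else the full weight."""
    if f.status is not Status.NOT_MET:
        return 0
    if f.partial and f.req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[f.req_id]
    return f.weight


def sprs_score(findings) -> int:
    """SPRS score for the listed findings; any requirement not listed is taken
    as Met. Rejects duplicate IDs and weights outside {1, 3, 5}."""
    seen = set()
    score = MAX_SCORE
    for f in findings:
        if f.req_id in seen or f.weight not in (1, 3, 5):
            raise ValueError(f"bad or duplicate finding: {f.req_id}")
        seen.add(f.req_id)
        score -= points_lost(f)
    if score < MIN_SCORE:
        raise ValueError("deductions exceed what 110 requirements can lose")
    return score


def conditional_eligible(level: int, findings):
    """Return (eligible, reasons). Every Not Met finding is treated as a
    proposed POA&M item, which is what Conditional status means."""
    reasons = []
    not_met = [f for f in findings if f.status is Status.NOT_MET]
    if level == 1:                       # Level 1: no POA&M at all
        if not_met:
            reasons.append("Level 1 allows no POA&M; every requirement must be Met")
        return (not reasons, reasons)
    score = sprs_score(findings)
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {score} is below the {CONDITIONAL_MIN_SCORE} floor")
    for f in not_met:
        if f.req_id in POAM_BARRED:
            reasons.append(f"{f.req_id} may never be placed on a POA&M")
            continue
        cap = POAM_POINT_EXCEPTIONS.get(f.req_id, POAM_MAX_POINTS)
        if points_lost(f) > cap:
            reasons.append(f"{f.req_id} costs {points_lost(f)} points; POA&M cap is {cap}")
    return (not reasons, reasons)


def final_deadline(conditional_iso_date: str) -> str:
    """Last day (ISO date) to close the POA&M and reach Final status."""
    start = date.fromisoformat(conditional_iso_date)
    return (start + timedelta(days=CONDITIONAL_CLOSEOUT_DAYS)).isoformat()


# Constructed sample findings (everything else Met). Weights are sample inputs;
# take the real ones from the DoD Assessment Methodology.
READY = [
    Finding("3.13.11", 5, Status.NOT_MET, partial=True),  # TLS on, not FIPS-validated: -3
    Finding("3.3.3", 1, Status.NOT_MET),                  # audit log review not yet routine
    Finding("3.4.9", 1, Status.NOT_MET),                  # user-installed software uncontrolled
]
NOT_READY = [
    Finding("3.5.3", 5, Status.NOT_MET),      # no MFA at all: -5, never POA&M-able
    Finding("3.1.20", 1, Status.NOT_MET),     # barred from any POA&M
    Finding("3.13.11", 5, Status.NOT_MET),    # no encryption at all: -5
]

if __name__ == "__main__":
    for name, fs in (("READY", READY), ("NOT_READY", NOT_READY)):
        print(name, sprs_score(fs), conditional_eligible(2, fs))
    print("Conditional 2026-01-15 must be Final by", final_deadline("2026-01-15"))
```

The two sample sets exist to show the edge case that trips people up: 3.13.11 can ride on a POA&M only in its 3-point form (encryption in place but not FIPS-validated). With no encryption at all it is a 5-point finding and blocks Conditional status even though the overall score, 99, is still comfortably above the 88 floor.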

The annual affirmation

A senior official affirms continuing compliance — annually, on the record. Before anyone signs, they should understand what the signature actually asserts and what evidence stands behind it. (See the Georgia Tech settlement above for why that signature carries weight.)

If your SSP, score, and POA&M aren’t real yet, you’re not ready for an assessor — and booking one early just burns money and a calendar slot.

See what a Level 2 readiness program actually involves →

Which provider category should you use first — and which to avoid for now?

Most small contractors should not start with a C3PAO. The usual order is scope and readiness first, technical implementation second, evidence operations third, and formal assessment last — and only if your contract requires it. Hiring in the wrong order is how small firms burn budget before they even have a boundary.

Your situation | Use this category first | Why | Don't start here
FCI only, Level 1 | Internal owner (light RPO if needed) | It's a 15-safeguard self-assessment | A C3PAO
CUI, but no SSP yet | RPO / readiness consultant | You need scope, an SSP, and a gap map | A C3PAO
CUI spread across systems | CMMC-capable MSP / MSSP + readiness | You need technical controls and evidence ownership | A pure policy writer
Only a few users touch CUI | Enclave / scoping specialist + readiness | Shrink the boundary before you build | A full enterprise migration
Drowning in evidence | GRC / compliance software (as a layer) | Organize artifacts and ownership | A C3PAO before evidence exists
Genuinely assessment-ready, Level 2 (C3PAO) | An authorized C3PAO | Time for the formal assessment | The same firm that did your remediation
Level 3 signals | Advanced readiness + counsel | High-consequence, DIBCAC path | A generic Level 2-only vendor

Categories defined: an RPO (Registered Provider Organization) provides readiness/implementation consulting; RPOs do not perform certified assessments. An MSP/MSSP manages your IT/security. A C3PAO performs the formal Level 2 certification assessment. A GRC platform organizes evidence and workflow; it supports compliance but does not, by itself, make you compliant.

The independence rule that can sink your assessment plan

The firm that helps you implement generally cannot also be your independent assessor for that same engagement. The Cyber AB's ecosystem rules separate consulting and implementation from assessment: individuals who help an organization implement its controls may not serve on the assessment team for that same organization where independence rules apply. A provider promising to "get you ready and certify you" in one breath is describing a conflict, not a convenience.

What to verify before you hire anyone

If you’re not sure which category fits, don’t take vendor calls yet. Tell us your level, scope, and timeline and we’ll point you at the category to compare — with the questions to ask in hand.

Get matched with source-checked provider options →

What if your prime flows down CMMC before your contract does?

A prime contractor’s flow-down can put real pressure on you before you fully understand the regulatory path — that’s normal, because the supply chain moves faster than the rulebook. Your first step is to get specifics: which CMMC status the prime requires, which systems and CAGE codes are in scope, what CUI is actually being shared, and whether it’s Level 2 (Self) or Level 2 (C3PAO). The prime must confirm your status before awarding your subcontract (32 CFR §170.23).

“The prime covers us” is usually false. You comply at your own assigned level, and you flow requirements further down to your own vendors.

What you (the sub) handle | Prime contract's level | Your minimum CMMC status
FCI only (no CUI) | Any level | Level 1 (Self)
CUI | Level 2 (Self) | Level 2 (Self)
CUI | Level 2 (C3PAO) | Level 2 (C3PAO)
CUI | Level 3 (DIBCAC) | Level 2 (C3PAO), not Level 3

That last row matters: if your prime's contract is Level 3 and you handle CUI, your minimum is Level 2 (C3PAO), not Level 3, unless DoD provides specific guidance otherwise (32 CFR §170.23). Plenty of small subs have nearly talked themselves into a DIBCAC assessment they don't need. Confirm the requirement with your prime before you plan around the most expensive path.

When a flow-down lands, ask the prime:

There’s no automated way for a prime to look up your CMMC status — the DFARS final rule notes that subcontractors generally share their own SPRS status or affirmation information (a printout or screenshot), or provide a copy of their Level 2 (C3PAO) or Level 3 (DIBCAC) certificate, as they determine appropriate (DFARS Case 2019-D041). Share what’s required, through a controlled channel.

Facing a flow-down and not sure what it triggers? Start with a non-sensitive scope-and-clause check so you know whether you need readiness, an enclave, an MSP/MSSP, or a C3PAO — before the clock runs.

Run the scope-and-clause check →

Non-sensitive questions only.


Do you actually need GCC High, AWS GovCloud, or an enclave?

Not automatically. CMMC doesn’t order every small contractor into Microsoft GCC High or AWS GovCloud — but any cloud or external service provider that touches your CUI has to support the applicable CMMC and DFARS requirements. Buying a government-cloud tenant is not the same as being compliant.

Figure out where CUI actually lives before you migrate the entire company.

Compare enclave, GCC High, GovCloud, and managed-compliance paths →

CMMC compliance for small defense contractors: what’s required, and when

CMMC rolls out in four annual phases:

  • Phase 1 (underway), November 10, 2025: Level 1 and Level 2 self-assessment requirements appear in applicable contracts.
  • Phase 2, November 10, 2026: DoD intends to add Level 2 (C3PAO) requirements to applicable contracts.
  • Phase 3, November 10, 2027: broader Level 2 (C3PAO), plus Level 3 (DIBCAC).
  • Phase 4, November 10, 2028: all applicable contracts.

A correction worth making

Some guides still say enforcement "hits October 2026." That reflects an older, superseded target. The operative dates are the November 10 phase dates above. Getting this wrong by a month is the kind of error that tells you a page didn't read the final rule.

The real constraint is runway, not a deadline

Level 2 readiness commonly takes 6–18 months. C3PAO calendars book out. The Program Rule projected 135 C3PAO certification assessments in year one, climbing to 673, 2,252, and 4,452 by year four (89 FR 83092), against an estimated 80,000-plus entities expected to need Level 2. Primes aren't waiting for the government's phase clock, either: many are already demanding Level 2 status or a credible readiness plan from subs.


What should you do in your first 30 days?

Your first 30 days should produce clarity, not a stack of vendor contracts. Confirm the clause, map FCI versus CUI, define the likely assessment boundary, inventory your systems, baseline your SSP and SPRS status, and only then decide which category of help you actually need.

Window | Deliverable | Why it matters
Days 1–3 | Collect the contract clause and any prime flow-down emails | Determines your level and assessment path
Days 4–7 | Classify what's FCI versus CUI, and where it flows | Determines your scope
Week 2 | Inventory systems, users, vendors, cloud services, and endpoints | Defines the assessment boundary
Week 3 | Draft or update the SSP | Your required evidence anchor
Week 4 | Baseline your score, gaps, and POA&M eligibility; pick a provider category | Prevents premature C3PAO or software spend

Notice what’s not on this list: buying tools, calling assessors, or migrating clouds. Those come after you know your boundary. Do this order, and every later dollar is spent against a known scope instead of a guess.

Our CMMC readiness checklist, mapped to the 14 NIST SP 800-171 control families, turns this 30-day sequence into a working document — a self-serve next step, no call required.

Use the CMMC Readiness Checklist →

The biggest CMMC mistakes small contractors make

The costliest CMMC mistakes for small contractors happen early and quietly. Most are expensive precisely because they happen before the company has a clear boundary and a sequenced plan.

  1. Assuming small means exempt. It isn’t (32 CFR Part 170).
  2. Defaulting to Level 1 because the work “doesn’t seem sensitive.” If CUI is present, plan for Level 2.
  3. Buying software before scoping CUI. Tools don’t make you compliant; a defined boundary plus implemented controls do.
  4. Hiring a C3PAO too early. Readiness and evidence come first.
  5. Letting CUI sprawl through normal email and file shares, then trying to secure all of it.
  6. Treating SPRS as optional. Contracting officers check it before award.
  7. Signing the annual affirmation without understanding the evidence behind it — see the Georgia Tech settlement above.
  8. Using generic SSP and policy templates that don’t match your real environment.
  9. Ignoring MSP/external-service-provider responsibilities. Your provider may quietly become in-scope.
  10. Waiting for the solicitation to drop. By then, the 6–18 month clock is already against you.

Avoid the expensive first move — wrong level, wrong scope, or wrong provider order. Start in the right place.

Run the Path Finder →

What if CMMC isn’t worth the contract?

Some small contractors should pause before spending heavily — and we’d rather tell you that than route you into a six-figure project that doesn’t pay off. If a contract is low-margin, your CUI footprint is broad, and your future DoD revenue is uncertain, the deliberate move may be to renegotiate scope with the prime, pursue FCI-only or COTS work, isolate CUI in an enclave, or walk away from specific CUI-heavy opportunities. This isn’t a reason to ignore CMMC. It’s a reason to decide on purpose.

If that might be you, the smart questions are:

If the economics are unclear, get the boundary and the path straight, then decide. Start with a scope-first provider match — not an assessment quote.

Request a scope-first provider match →

Free and low-cost help built for small contractors

Before you pay anyone, know that several government-backed programs exist specifically to help small businesses — and used early, they can reduce the paid discovery and training you need before you hire private help.

Resource | What it is | Who backs it | Use it for
Project Spectrum | Free CMMC/NIST learning platform, tools, and training for the DIB | DoD Office of Small Business Programs | Self-education and readiness basics
APEX Accelerators (formerly PTACs) | Local, often free government-contracting advisors | DoD | One-on-one help and clause interpretation
NIST MEP (Manufacturing Extension Partnership) | Regional centers with cyber help for small manufacturers | NIST | Hands-on readiness, especially for shops
SBA SBDCs | Small Business Development Centers; some run CMMC sessions | SBA | Local workshops and planning
NIST’s Manufacturing Extension Partnership has published small-manufacturer CMMC results — including Nelson Engineering, which worked with the Arizona MEP on a fixed-price engagement (a CMMC/NIST SP 800-171 gap assessment, an organized SSP, and a draft POA&M). NIST reports the effort helped the company retain $2 million in sales and six jobs (NIST MEP). Results vary with scope and starting point.

Frequently asked questions

Is CMMC required for all small defense contractors?

Not every small contractor faces the same requirement, but contractors and subcontractors can be required to hold the CMMC status named in their solicitation, contract, or flow-down for systems that handle FCI or CUI. The path depends on contract language and the type of information involved (32 CFR Part 170).

Is a small business exempt from CMMC?

There’s no blanket small-business exemption in the level structure. The DFARS final rule’s regulatory impact analysis expected the program to affect well over 300,000 entities at full implementation, most of them small businesses. COTS-only contracts are excepted.

What’s the difference between FCI and CUI?

FCI is non-public information provided by or generated for the government under a contract, excluding public and simple transactional information. CUI is information that law, regulation, or government-wide policy requires you to safeguard — and its presence is what generally pushes you toward Level 2.

Does handling CUI automatically mean Level 2?

For planning, CUI usually points small contractors toward Level 2, but the contract sets the required status and assessment type. Level 2 maps to the 110 requirements in NIST SP 800-171 Revision 2.

Can a small contractor do CMMC without a consultant?

Some Level 1 contractors can self-manage with competent internal ownership. Level 2 contractors often need at least targeted readiness, technical, evidence, or scoping help — especially when CUI touches email, endpoints, cloud storage, CAD, ERP, or suppliers.

Should I hire a C3PAO first?

Usually no — unless you’re genuinely assessment-ready and your contract requires Level 2 (C3PAO). For most small contractors, scope, readiness, and evidence come before formal assessment.

Can the same company prepare us and assess us?

Don’t assume so. The Cyber AB separates consulting and implementation from assessment, and individuals who helped implement your controls may not serve on the assessment team for that same engagement where independence rules apply.

Do I need GCC High for CMMC?

Not automatically. You need an environment that supports the applicable CMMC and DFARS requirements for your CUI, contract, and scope. GCC High suits some contractors but is never a universal substitute for implementing and proving the controls.

What is SPRS?

SPRS (the Supplier Performance Risk System) is the DoD system that holds supplier risk and NIST SP 800-171 assessment information, including your score and affirmation. It stores results; it does not perform the assessment.

Are POA&Ms allowed?

Not at Level 1. For Level 2, POA&Ms are limited — generally to the lowest-weighted requirements, never for a defined barred set — and Conditional status must be closed out within 180 days (32 CFR §170.21).

If my prime contract is Level 3, do I need Level 3?

Not necessarily. Under 32 CFR §170.23, a subcontractor that handles CUI under a Level 3 prime contract has a minimum requirement of Level 2 (C3PAO), unless DoD provides specific guidance otherwise. Confirm with your prime before planning a DIBCAC assessment.

How long does CMMC take for a small contractor?

It depends on scope, starting maturity, and assessment path. A narrow, well-controlled CUI boundary moves faster; CUI spread across email, unmanaged endpoints, and an unprepared MSP can require a much longer readiness period — commonly 6–18 months for Level 2.

Can an enclave really reduce CMMC cost?

Yes — if it truthfully limits where CUI is processed, stored, and transmitted, and the surrounding systems are properly categorized and documented. It does nothing if users keep moving CUI into normal email, file shares, or unmanaged devices.


Your next move

If you’re a small defense contractor, the next step isn’t buying a tool or calling an assessor — it’s getting your path straight. Confirm FCI versus CUI, read the clause or flow-down, map where CUI actually lives, baseline your SSP and SPRS status, and then bring in the category of help that fits your level, scope, and timeline. That order is the difference between a contained project and a runaway one.

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Get matched with source-checked CMMC provider options →

Please don’t submit CUI, export-controlled data, contract numbers, system diagrams, vulnerabilities, or any sensitive security details through the form.



The Defense Compliance Report is not affiliated with the Department of Defense, The Cyber AB, CAICO, DCMA DIBCAC, NIST, FedRAMP, or any U.S. government agency. Read our editorial review process.

This article is educational and is not legal, contractual, or compliance advice. CMMC requirements derive from your contract and the controlling regulations; verify current requirements against your contract clauses and the primary sources above. Last verified: .