
CMMC 2.0 for SBIR AI offerors: Levels 1, 2, and 3 — what each level costs, when it applies, and how to plan it into your proposal

A practical walkthrough of CMMC 2.0 for small businesses submitting SBIR proposals that will touch CUI, covered defense information, or FCI — the levels, the assessors, the costs, and the language evaluators expect to see in your technical volume.

CMMC is no longer an abstraction for small businesses

For the last several years, most SBIR offerors have treated CMMC as something that happens to other companies — the primes, the mid-tier integrators, the shops with CUI already flowing through their networks. That posture is no longer workable. With the CMMC final rule codified at 32 CFR Part 170, and the DFARS 252.204-7021 clause implementing contractual CMMC requirements into DoD awards, every small business writing an SBIR proposal that might touch controlled information now has to answer the same question a Fortune 500 prime has to answer: what level are you, how do you prove it, and when will you be ready? This article walks through the real mechanics — not the marketing — and lands on how to represent your CMMC posture in a Phase I technical volume without overcommitting your company to a control regime you cannot actually execute.

SCOPE OF THIS ARTICLE

This is written for small businesses (under 50 employees, typically) writing DoD SBIR or STTR proposals in the 2026 cycles. It is not legal advice, and it is not a substitute for a C3PAO readiness engagement. It is the field guide we wish we had had when Precision Federal first walked this path.

CMMC at the small-business level is not a checklist. It is a cost, a timeline, and a set of governance commitments that shape what you can credibly propose in Phase I and deliver in Phase II.

What actually changed from CMMC 1.0 to CMMC 2.0

CMMC 1.0 was the original framework announced in 2020: five levels, mandatory third-party assessment across the board, and a heavy emphasis on "maturity" practices on top of the baseline NIST SP 800-171 security requirements. It was, in practice, unworkable for the long tail of DoD suppliers — too expensive, too slow, and dependent on an assessor ecosystem that did not yet exist at scale.

CMMC 2.0, published in proposed form in 2021 and finalized in the 32 CFR Part 170 rule that took effect in late 2024, stripped the framework down:

  • Five levels collapsed into three. Level 1 (Foundational), Level 2 (Advanced), Level 3 (Expert). The old Levels 2 and 4 "transition" tiers were removed.
  • Self-attestation reintroduced for Level 1 across the board, and for a defined subset of Level 2 contracts where the CUI is non-critical.
  • Third-party assessment refocused on Level 2 with critical CUI and on Level 3 (the latter always government-led, performed by the Defense Industrial Base Cybersecurity Assessment Center — DIBCAC).
  • POA&M pathway added for a limited set of controls at Level 2, allowing conditional certification if the remaining items are closed within 180 days.
  • Annual affirmation required from a senior official (usually the CEO or equivalent) attesting to continued compliance, posted in SPRS.
  • Maturity practices removed. The "process maturity" layer that added work on top of the 800-171 practice list in CMMC 1.0 is gone. Level 2 is now equivalent to full implementation of NIST SP 800-171 practices.

These are not cosmetic changes. The elimination of maturity practices alone cuts the CMMC 1.0 Level 3 control count roughly in half and makes the framework defensible for companies that had rejected the original version as impractical.

The flow-down mechanism: how CMMC gets into your contract

CMMC requirements arrive in a DoD contract through the DFARS clause stack. The clauses that matter for SBIR offerors:

  • DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting. The long-standing clause that requires contractors handling Covered Defense Information (CDI) to implement NIST SP 800-171 and to report cyber incidents within 72 hours. Present in essentially every DoD contract involving CDI since 2017.
  • DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements. Requires offerors to have a current (within three years) NIST SP 800-171 assessment score posted in the Supplier Performance Risk System (SPRS) before contract award.
  • DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements. The companion clause that obligates the contractor to provide access for DoD to conduct a higher-tier assessment if required, and to flow the clause down to subcontractors handling covered information.
  • DFARS 252.204-7021 — Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement. The CMMC clause itself. As the rollout progresses through its phased schedule, this clause appears in more and more DoD solicitations and triggers the Level requirement specified in the solicitation.
  • FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems. The floor. Applies whenever Federal Contract Information (FCI) is present. Maps directly to the 15 practices (counted as 17 in the CMMC construction) that define Level 1.

If your SBIR topic description includes controlled technical information, export-controlled research, or any reference to "CUI" or "CDI" — which is the overwhelming majority of DoD topics involving software, AI, autonomy, sensors, or weapons systems — expect the DFARS 7012/7019/7020 stack at minimum, and 7021 increasingly often as the phased CMMC rollout advances.

Level 1 — Foundational

Level 1 applies when the only controlled information is FCI — Federal Contract Information. FCI is the lowest tier of controlled federal information: data created for the government or provided by the government that is not public and not marked CUI. Almost every federal contract involves FCI. Almost no SBIR contract involves only FCI, because the technical content of a DoD SBIR is typically CUI.

Level 1 requires implementation of the 15 basic safeguarding requirements from FAR 52.204-21 (counted as 17 practices in the CMMC scoring). These are truly minimal: limit access to authorized users, identify information system users, authenticate them, control external connections, sanitize media, limit physical access, monitor communications, implement boundary protection, update malicious code protection, and a handful of similar baseline items.

Assessment at Level 1 is annual self-assessment, performed by the offeror's own staff, with an annual affirmation posted in SPRS by a senior company official. No third-party assessor is involved.

The cost of reaching and maintaining Level 1 for a small business that is already running reasonable IT hygiene is modest — typically under $5,000 per year in direct cost, most of which is an MSP retainer or tooling subscription, plus internal staff time to perform the self-assessment and complete the affirmation.

Level 2 — Advanced

Level 2 is the level that matters for the majority of DoD SBIR offerors. It applies whenever CUI is present on the contractor's information systems. If your SBIR topic calls for access to CUI training data, government-furnished code, controlled technical drawings, or if your Phase I deliverables will themselves be CUI, you are in Level 2 territory.

Level 2 requires full implementation of the 110 security requirements in NIST SP 800-171 Rev 2. Every control family — access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, system and information integrity — must be implemented, documented in a System Security Plan (SSP), and evidenced with artifacts.

Two assessment paths exist at Level 2:

  • Self-assessment — permitted for contracts where the CUI is deemed non-critical. The contractor performs the assessment, scores itself against the 110 practices using the DoD Assessment Methodology (maximum score 110, with a point deduction for each unimplemented or partially-implemented control), posts the score in SPRS, and provides an annual affirmation.
  • Third-party assessment — required for contracts involving critical CUI. Performed by an authorized CMMC Third-Party Assessment Organization (C3PAO), operating under the CMMC Accreditation Body (Cyber AB) ecosystem. Certification is valid for three years, with annual affirmations in between.

Which path applies is specified in the solicitation. Read the section L and section M language carefully, and read the DFARS 7021 clause insertion; the required CMMC Level and assessment type flow from there.

A POA&M pathway exists at Level 2: a contractor that has implemented the overwhelming majority of controls but has a small number of specific unimplemented items (not including certain designated "not-POA&M-able" controls) may receive a conditional certification, with 180 days to close the POA&M. Use this only as intended — it is a bridge, not a strategy.

Level 2 cost reality for small businesses

Costs we have seen across the Precision Federal peer network and publicly reported small-business figures vary widely by starting posture. Ranges, not quotes:

  • Level 2 self-assessment readiness: $15,000–$50,000 for the initial remediation and documentation, depending on starting posture. Add $5,000–$15,000 per year for ongoing continuous monitoring (ConMon) tooling and annual self-assessment time.
  • Level 2 C3PAO assessment: $40,000–$150,000 for the assessment engagement itself, plus the readiness work above. The wide range reflects scope — a company with a tightly-scoped CUI enclave and 5 employees runs at the low end; a company with a sprawling environment and 50 employees runs at the high end.
  • Ongoing annual cost: $20,000–$80,000 per year for tooling, staff time, and periodic re-assessment work. Across a three-year certification cycle, expect the fully-loaded cost to land between $100K and $300K for a typical small SBIR awardee.

These figures assume the contractor is using a commercial cloud (typically GCC High or AWS GovCloud with a properly scoped CUI enclave) rather than attempting to harden a general-purpose on-prem environment. Trying to carry a full-scope CMMC Level 2 posture across an entire general-purpose corporate network is almost always more expensive than narrowing scope through enclaving.

Level 3 — Expert

Level 3 applies to the narrowest band of DoD work — programs where the CUI is considered critical to national security and where Advanced Persistent Threat resistance is the explicit design goal. Level 3 requires all 110 practices from NIST SP 800-171 Rev 2 plus a defined subset of the enhanced requirements from NIST SP 800-172 (published count commonly referenced at 24 additional practices, though the exact selected subset is specified in the CMMC rule and should be read directly).

Assessment at Level 3 is government-led — specifically, by DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center), not by a commercial C3PAO.

Level 3 is almost never in scope for a Phase I SBIR proposal. It arrives, if at all, at the Phase II or Phase III transition, on a specific follow-on program. Small businesses should not pre-emptively pursue Level 3 on speculation; the cost runs into hundreds of thousands to low millions of dollars, and the assessment scheduling through DIBCAC is its own separate queue. Plan for it when a specific program mandates it, not before.

Levels at a glance

Level 1 — Foundational
  • Applies when: FCI only, no CUI
  • Practices: 15 FAR 52.204-21 requirements (17 practices in CMMC scoring)
  • Assessment: Annual self-assessment + annual senior-official affirmation in SPRS
  • Indicative small-business cost: Under $5K/yr typical

Level 2 — Advanced (self)
  • Applies when: CUI, non-critical
  • Practices: 110 NIST SP 800-171 Rev 2 practices
  • Assessment: Triennial self-assessment + annual affirmation in SPRS
  • Indicative small-business cost: $15K–$50K initial, $5K–$15K/yr ongoing

Level 2 — Advanced (C3PAO)
  • Applies when: CUI, critical
  • Practices: 110 NIST SP 800-171 Rev 2 practices
  • Assessment: Triennial C3PAO assessment + annual affirmation
  • Indicative small-business cost: $40K–$150K assessment + readiness + $20K–$80K/yr ongoing

Level 3 — Expert
  • Applies when: CUI critical to national security, APT-resistance required
  • Practices: 110 practices + defined subset of NIST SP 800-172 enhanced requirements
  • Assessment: Triennial DIBCAC-led assessment + annual affirmation
  • Indicative small-business cost: $100K–$500K+ initial; program-dependent

NIST SP 800-171 Rev 2 versus Rev 3

CMMC 2.0 Level 2, as currently codified in 32 CFR Part 170, references NIST SP 800-171 Revision 2. NIST SP 800-171 Revision 3 was published in May 2024, with substantive restructuring — some controls consolidated, some new ones added, and several re-scoped. DoD has signaled a future transition of CMMC Level 2 to reference Rev 3, but the transition timeline has been deliberately paced so that contractors currently preparing against Rev 2 are not whipsawed.

For 2026 SBIR proposals, Rev 2 is the binding reference. Track Rev 3 as a forward-looking planning item, not as a current compliance obligation. A credible SSP will acknowledge the Rev 2 baseline, identify areas where Rev 3 will add or consolidate controls, and commit to re-evaluation when DoD formally adopts Rev 3.

SPRS self-score — the number on which contract awards turn

The Supplier Performance Risk System (SPRS) is the DoD's contractor performance portal. For CMMC and NIST SP 800-171 purposes, the critical element in SPRS is the self-assessment score the contractor posts against the 110 practices of NIST SP 800-171 Rev 2, computed using the DoD Assessment Methodology.

Computing the score:

  • Start at 110.
  • For each unimplemented or partially-implemented control, subtract the point value assigned to that control in the DoD Assessment Methodology (1, 3, or 5 points, depending on the control's weighting).
  • The resulting score is an integer. It can go negative for low-maturity environments; we have seen scores below zero for companies that genuinely have no implemented 800-171 controls.
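The scoring procedure above, as an added example that is not from the original article: a small Python calculator that applies the 110-minus-deductions rule and the DFARS 252.204-7019 three-year currency check a contracting officer applies at award. The point values in POINT_VALUES are constructed illustrative weights, not the DoD Assessment Methodology's table, and the sample assessment dates and control list are made up.

```python
"""SPRS self-score calculator and DFARS 252.204-7019 currency check.

Added example, not part of the original article. POINT_VALUES is a
constructed subset for illustration; the real DoD Assessment Methodology
assigns 1, 3 or 5 points to each of the 110 NIST SP 800-171 Rev 2
requirements and the authoritative table must be read from that document.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

MAX_SCORE = 110        # every one of the 110 requirements fully implemented
CURRENCY_YEARS = 3     # DFARS 252.204-7019: score must be within three years

# Constructed weights (control id -> deduction). Only controls that are NOT
# fully implemented are ever looked up, so implemented ones need no entry.
POINT_VALUES = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1,
    "3.3.1": 5, "3.4.1": 3, "3.5.3": 5, "3.8.3": 5,
    "3.12.4": 3, "3.13.11": 5, "3.14.2": 5,
}


@dataclass
class Assessment:
    assessed_on: date
    not_implemented: list[str]      # ids of unimplemented or partial controls
    assessment_type: str = "self"   # self / medium / high (SPRS field)


def sprs_score(not_implemented: list[str]) -> tuple[int, list[tuple[str, int]]]:
    """Start at 110 and deduct each open control's point value.

    Partially implemented controls are treated like unimplemented ones, as
    the article describes. Because the deductions across all 110 controls
    sum to more than 110, the result can be negative.
    """
    score = MAX_SCORE
    deductions = []
    for control_id in dict.fromkeys(not_implemented):  # de-duplicate, keep order
        if control_id not in POINT_VALUES:
            raise ValueError(f"no point value known for control {control_id}")
        points = POINT_VALUES[control_id]
        score -= points
        deductions.append((control_id, points))
    return score, deductions


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February landing in a non-leap year
        return d.replace(year=d.year + years, day=28)


def score_is_current(assessed_on: date, as_of: date) -> bool:
    """7019 currency test: the assessment is no more than three years old."""
    return assessed_on <= as_of <= _add_years(assessed_on, CURRENCY_YEARS)


def award_gate(assessment: Assessment | None, as_of: date) -> dict:
    """Mirror the award-time check: is there a posted, current score?

    The verdict is returned with the score so a proposal writer can quote
    both in the technical volume's current-posture statement.
    """
    if assessment is None:
        return {"eligible": False, "reason": "no SPRS score posted", "score": None}
    score, _ = sprs_score(assessment.not_implemented)
    if not score_is_current(assessment.assessed_on, as_of):
        return {"eligible": False, "reason": "SPRS score older than three years",
                "score": score}
    return {"eligible": True, "reason": "score posted and current", "score": score}


# Constructed sample: MFA partly rolled out, no FIPS-validated crypto yet,
# and two documentation gaps; assessed 1 March 2025.
SAMPLE = Assessment(date(2025, 3, 1), ["3.5.3", "3.13.11", "3.1.3", "3.12.4"])
AS_OF_CURRENT = date(2026, 1, 15)   # inside the three-year window
AS_OF_STALE = date(2028, 6, 1)      # outside it

if __name__ == "__main__":
    score, deductions = sprs_score(SAMPLE.not_implemented)
    for cid, pts in deductions:
        print(f"  -{pts}  {cid}")
    print(f"SPRS score: {score}")
    print(award_gate(SAMPLE, AS_OF_CURRENT))
    print(award_gate(SAMPLE, AS_OF_STALE))
```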

The score is posted by the contractor in SPRS under the PIEE (Procurement Integrated Enterprise Environment) portal. The score, the date of assessment, the assessment type (self, medium, high), the scope of the system assessed, and the estimated completion date for any unimplemented controls are all entered.

Why it matters at proposal time: DFARS 252.204-7019 requires that the score be current (within three years) and posted in SPRS at the time of contract award. An offeror without a posted score, or with a stale score, is not eligible for award under that clause. This is an absolute bar, not a scoring factor. We have seen otherwise strong Phase I proposals flagged at contracting-officer review because the offeror's SPRS score was missing or expired.

The C3PAO ecosystem — capacity is the real constraint

CMMC Level 2 third-party assessments are performed by authorized C3PAO firms accredited under the Cyber AB. The ecosystem has grown substantially since 2022 but remains capacity-constrained relative to the population of DoD contractors that will eventually need Level 2 certification.

Practical implications for small businesses:

  • Engagement lead times for a C3PAO assessment are typically 3–9 months from initial contact to assessment start, longer during peak demand windows. Scheduling is not something that can be compressed on a proposal-driven timeline.
  • Readiness work precedes assessment. A C3PAO will not perform a clean-sheet assessment on an unready environment. Most C3PAOs require a gap-assessment phase first, adding 2–4 months on the front end.
  • Scope negotiation is a significant value lever. A tightly-scoped CUI enclave (a dedicated GCC High tenant or GovCloud enclave) with a small set of authorized users reduces assessment effort substantially compared to a wall-to-wall corporate network assessment.
  • Assessor neutrality: C3PAOs are prohibited by Cyber AB rules from providing both consulting and assessment services to the same client. Your readiness consultant cannot be your assessor.

We do not recommend specific C3PAO firms in this article — assessor selection is a function of geography, industry specialization, and team chemistry, and naming firms here serves no reader. Work through the Cyber AB marketplace and vet assessors on the same dimensions you would vet any professional services firm.

Representing CMMC posture in a Phase I technical volume

Here is where the practical stakes of all of the above land on an SBIR proposal. DoD Phase I technical volumes routinely require an explicit statement of the offeror's cybersecurity posture, often under a section heading like "Information Protection" or "CMMC / Cybersecurity." The goal is not to claim a level you do not hold. The goal is to state, precisely and credibly:

  • Current posture: what level you are at today, what your SPRS score is, and when it was last updated. If you are at Level 1 and the contract requires Level 2, say so — do not paper over the gap.
  • Phase I applicability: whether the Phase I work itself will involve CUI. Many Phase I efforts are structured so that the feasibility work uses synthetic data, public data, or government-furnished but not-yet-CUI data. If so, state explicitly that Phase I does not require CUI handling on contractor systems, and that any data provided to the contractor will be handled at the appropriate level if it becomes CUI.
  • Phase II readiness plan: a credible path from current posture to the required level by the time Phase II award would occur. Include the specific remediation steps, the C3PAO engagement timeline if applicable, and the budget line. Evaluators know what this costs; vague language reads as inexperience.
  • Evidence package: an SSP reference (without attaching the document unless requested), a POA&M reference, and an identification of the System Security Plan scope.
  • Flow-down posture: if you have subcontractors or teaming partners, state that the DFARS 7012/7019/7020 and CMMC requirements will flow down to them consistent with their role.

Evaluators are looking for a credible operator, not a perfect record. Honest current-state + realistic path to required-state + budgeted costs beats aspirational claims every time.

Common fatal errors

Claiming a Level 2 posture without a posted SPRS score

If you state Level 2 self-assessment in the proposal but have no current SPRS score posted under your CAGE code, a contracting officer can identify the discrepancy at award and trigger a compliance review. This is the single most common fatal error for first-time SBIR awardees.

Claiming self-assessment where the contract requires C3PAO

Solicitations increasingly specify the required assessment type. Proposing to self-assess when the solicitation requires C3PAO third-party assessment is a proposal-killer at compliance review. Read the DFARS 7021 clause insertion and the section L language carefully.

Treating POA&M as a long-term strategy

The Level 2 POA&M pathway allows conditional certification with 180 days to close remaining items. It is not a mechanism for deferring controls indefinitely. Evaluators and assessors recognize the difference between a narrow POA&M (two or three specific items, with a credible remediation plan) and a broad POA&M covering dozens of controls that reads as "we will get to it later."

Failing to scope the enclave

Small businesses attempting to hold a full-scope CMMC Level 2 posture across every endpoint, every employee laptop, and every general-purpose system generally find the cost unsustainable. Enclave your CUI. GCC High, AWS GovCloud, or a hardened segment with tightly-defined user access reduces scope and cost dramatically.

Forgetting the annual affirmation

CMMC 2.0 requires an annual affirmation from a senior company official, posted in SPRS, between triennial assessments. A lapsed affirmation is a compliance finding in its own right. Calendar it on the first business day of each anniversary month; do not let it drift.

Assuming the commercial cloud is enough

Microsoft 365 Commercial is not equivalent to GCC High for CUI handling. AWS Commercial is not equivalent to GovCloud. Using the commercial tier for CUI, even temporarily, is a contract violation under DFARS 7012. Decide on the target authorization boundary before you process the first piece of CUI, not after.

Sequencing CMMC into an SBIR program plan

The realistic sequencing for a small business going from zero CMMC posture to a Level 2 C3PAO certification, on an SBIR-driven timeline:

  • Month 0 — Phase I proposal submission. State current posture honestly, commit to the specific readiness milestones below, include costs in Phase II budget.
  • Month 2–3 — If Phase I is awarded, engage a CMMC readiness consultant (not a C3PAO) to perform a gap assessment against NIST SP 800-171 Rev 2.
  • Month 3–4 — Decide on the authorization boundary (GCC High, AWS GovCloud enclave, or equivalent) and stand up the target environment.
  • Month 4–8 — Execute the remediation plan. Write the SSP. Implement the controls. Instrument logging and monitoring. Train users.
  • Month 6–7 — Perform the internal self-assessment against the DoD Assessment Methodology. Post the SPRS score.
  • Month 8 — Engage a C3PAO. Begin the pre-assessment readiness dialog.
  • Month 10–14 — C3PAO assessment window. Remediate any findings under POA&M if eligible. Achieve certification.
  • Month 14+ — Annual affirmations and continuous monitoring. Triennial re-assessment four months before certificate expiry.

This is the compressed, aggressive version. Companies starting from a weaker baseline, or with competing operational priorities, should assume a 12–18 month total timeline from Phase I award to C3PAO certification rather than trying to force a 10–14 month schedule.

How we work with SBIR clients on CMMC roadmapping

Precision Federal's position on CMMC for SBIR offerors is deliberately operator-first rather than consultant-first. We do not sell C3PAO assessments, we do not sell compliance automation tools, and we do not sell ongoing managed CMMC services. What we do is help small businesses decide, at proposal time, whether a given SBIR topic is worth pursuing given the CMMC posture required, and if so, how to write about that posture credibly in Phase I while budgeting the Phase II readiness work honestly.

In practice, that tends to look like a short engagement — two to four weeks — that produces: a clear read on the solicitation's CMMC requirement, a gap analysis against the offeror's current posture, a cost-and-schedule estimate for reaching the required level, and the specific language blocks that will go into the Phase I technical volume and the Phase II forward plan. We stop there. Execution of the readiness work itself belongs with the offeror's internal team or with a dedicated readiness consultant; the C3PAO assessment belongs with an independent authorized firm.

The reason for this scope discipline is straightforward. CMMC compliance is not a product we sell. It is a background constraint on the SBIR and federal AI work we do sell — and the job at proposal time is to make sure the background constraint is managed, not to monetize it.

Where the regulatory environment is heading

Three trajectories worth tracking over the next 12–24 months:

  • Phased rollout of DFARS 7021. The CMMC clause is being inserted into DoD solicitations on a deliberately phased schedule, with the share of solicitations requiring third-party assessment rising through 2026 and 2027. Read every solicitation you respond to. The clause insertion pattern is evolving faster than the public summary documents.
  • Transition to NIST SP 800-171 Rev 3. DoD will at some point formally update the CMMC reference from Rev 2 to Rev 3. The transition will carry a grace period, but companies preparing now should build SSPs that can accommodate the Rev 3 changes with moderate rework rather than ground-up rewrites.
  • C3PAO capacity and pricing dynamics. As more small businesses come through the Level 2 queue, pricing pressure is likely in both directions — more firms entering drives individual assessment prices down, while peak-demand windows drive effective lead-time costs up. Plan as if capacity is tight, not loose.

Frequently asked questions

Does a Phase I SBIR always require CMMC Level 2?

No. Many Phase I awards are structured so that the feasibility work does not require the contractor to handle CUI on its own systems — for example, work performed on government systems with government-furnished data, or feasibility analyses using synthetic or public data. Read the specific solicitation and the associated DFARS clauses. If the Phase I itself does not require CUI handling, Level 1 may be the applicable posture for the Phase I period, with Level 2 readiness committed to by Phase II award.

Can I post a self-assessment SPRS score without implementing all the controls?

Yes, and in fact an honest low score is explicitly contemplated by the DoD Assessment Methodology — scores can run negative for environments with limited 800-171 implementation. What you cannot do is post a score that misrepresents your actual posture. False SPRS entries carry False Claims Act exposure and are a category of error that has produced DOJ enforcement actions.

Is GCC High required, or is GCC sufficient for CUI?

GCC (the non-High tier of Microsoft's government cloud) is not authorized for CUI. GCC High is. Similarly, AWS Commercial is not authorized for CUI; AWS GovCloud is. Confirm the specific service and region authorization in the FedRAMP Marketplace and in the DoD Cloud Computing Security Requirements Guide (CC SRG) at the impact level you need.

Do subcontractors need their own CMMC level?

Yes, if they handle FCI or CUI. The DFARS 7012/7021 flow-down requires subcontractors at every tier who handle the relevant information to comply at the level appropriate to their role. The prime is responsible for ensuring the flow-down, but the subcontractor carries the direct compliance burden for its own systems.

How does CMMC interact with FedRAMP?

They are complementary, not redundant. FedRAMP authorizes cloud services; CMMC certifies the contractor that is using those services. A contractor can run its CMMC Level 2 workload on a FedRAMP-authorized cloud and rely on FedRAMP control inheritance to reduce its own direct implementation burden on a subset of controls (boundary protection, data at rest encryption, etc.). The inheritance must be documented in the SSP with explicit reference to the FedRAMP SSP and the boundary of inheritance.

What does Level 3 realistically look like for a small business?

Rare. Level 3 applies to programs where the CUI is considered critical to national security and APT resistance is the design goal. For a small business, Level 3 typically arrives, if at all, at Phase II or Phase III on a specific follow-on program — not at Phase I proposal time. Costs run into the hundreds of thousands to low millions, DIBCAC performs the assessment, and scheduling is its own queue. Plan for Level 3 when a specific program requires it, not speculatively.
