The Defense Department’s revised Cybersecurity Maturity Model Certification program represents a significant recalibration of federal contractor requirements, but questions remain about implementation impact across the supply chain. Secureframe’s Shrav Mehta examines how CMMC 2.0’s streamlined approach addresses some compliance burdens while highlighting persistent concerns about whether smaller suppliers can meet the technical and documentation demands without being priced out of defense work entirely.
As security threats rise and federal agencies increasingly rely on contractors, the integrity of the entire defense industrial base (DIB) has become a national priority.
The Department of Defense’s (DoD) most recent update to the Cybersecurity Maturity Model Certification program, CMMC 2.0, is its most ambitious attempt yet to safeguard sensitive defense information across the federal supply chain. While this matters for companies of all sizes, it poses unique challenges for small organizations.
The program requires any company handling federal contract information (FCI), security protection data (SPD) or controlled unclassified information (CUI) to comply, regardless of company size.
Small businesses represent 73% of the DIB and receive roughly 25% of all DoD prime contracts. Their ability to comply with CMMC 2.0 isn’t just a regulatory checkbox; it’s critical to national security and federal supply chain resilience.
Your Sensitive Data Is Now a National Security Matter: The DOJ’s New Data Security Program
90-day implementation window closing on regulations affecting companies with genomic, biometric, health and other personal information
Read moreDetailsKey changes in CMMC 2.0 that affect small businesses
CMMC 2.0 introduces several structural changes that are expected to alleviate some of the burden on small businesses:
- Reduced certification levels: The framework now has three levels (down from five), aligned more closely with existing NIST standards.
- Self-assessments for lower-risk data: Contractors handling federal contract information or non-critical controlled unclassified information can self-assess rather than undergo third-party certification.
- Grace periods for remediation: Companies can use plans of action and milestones (POA&Ms) to address compliance gaps while maintaining contract eligibility. Contractors can achieve conditional certification with a supplier performance risk system (SPRS) score of 88 (with POA&M in place) but must remediate issues within 180 days and achieve a score of 110 for final certification.
With a phased rollout already underway, preparation is key. Many primes already require their subcontractors to meet CMMC 2.0 standards, regardless of formal deadlines.
The challenge of CMMC compliance for small businesses
Small defense contractors have voiced a serious concern: CMMC could price them out of the market, since many smaller contractors lack the internal resources to meet highly technical and documentation-heavy requirements.
These aren’t just theoretical concerns. The Small Business Administration’s Office of Advocacy warned early on that CMMC 1.0’s design was so burdensome it could force small firms out of defense work entirely.
Even after the DoD released CMMC 2.0 to reduce the cost and complexity of compliance for small businesses, among other key objectives, the SBA continues to raise concerns that these changes don’t go far enough to help small businesses. In a 2024 comment letter on a CMMC program proposed rule, the SBA highlighted ongoing issues with unclear timelines, assessment logistics and the practical realities of compliance for smaller firms. Without additional guidance and support mechanisms, the risk remains that small businesses could face exclusion from the defense supply chain due to complexity rather than security capability.
Getting CMMC 2.0-ready
To navigate CMMC 2.0 effectively, small businesses should begin preparing immediately. Here’s how:
- Classify your data: Identify whether your company handles federal contract information (FCI), security protection data (SPD) or controlled unclassified information (CUI). Your data type determines your compliance level and requirements.
- Perform a gap analysis: Compare your current cybersecurity practices against FAR 52.204-21 or NIST SP 800-171, depending on your designated CMMC level. This identifies gaps in your compliance posture and helps determine your SPRS score.
- Build your system security plan early: Your SSP is a living document that outlines how you meet each security requirement. Start building it now to stay ahead of deadlines and weigh the pros and cons of automated tooling.
Join federal support programs: Tap into DoD and SBA initiatives aimed at helping small businesses comply, like the DoD’s Mentor-Protege Program. These programs often offer free or subsidized training, resources and tools that would otherwise be costly.
Shrav Mehta is founder and CEO of Secureframe, a security compliance automation platform. He previously held roles at Pilot.com, ScaleAI, Lob and Hired.com. 
