CMMC Will Lock Small Business Out of DoD Contracts by 2028

DoD's own estimate is $487,970 over three years for a small business to comply with CMMC 2.0. Here's what Congress needs to fix before Phase 2 in November 2026.

If you own a small business that does any DoD work, read this. Then pick up the phone.

TL;DR

• CMMC 2.0 became binding federal regulation on November 10, 2025, under the Department of Defense CMMC Program. Full rollout is November 10, 2028.
• DoD's own estimate: a small business will spend roughly $487,970 over three years to comply at Level 2. Industry puts the real first-year cost at $75,000 to $300,000+.
• A survey of 2,000+ defense contractors found 70% had budgeted less than $100,000 — the community has not yet absorbed what is coming.
• Without a structural fix, thousands of small subcontractors will exit the defense industrial base by 2028 because they cannot afford to bid.
• Proposed fix: let large primes sponsor small business compliance inside their own accredited CMMC environments, with a per-seat fee paid only when the small business wins a contract. Call your congressman and ask for this.

This is not a think piece. This is an alarm.

If you are a small business in the defense industrial base, and you do not act in the next 12 months, you will be locked out of federal defense contracting by 2028. Not "at a disadvantage." Not "facing headwinds." Locked out. Period.

The Cybersecurity Maturity Model Certification — CMMC 2.0 — became binding federal regulation on November 10, 2025. A three-year phased rollout is already underway. By November 10, 2028, every applicable DoD contract will require your company to prove, via a third-party auditor, that you comply with 110 cybersecurity controls, maintained continuously, affirmed annually under False Claims Act penalty, and posted to a federal database.

The Department of Defense's own estimate of what this will cost a small business is $487,970 over three years. Industry estimates put the real number higher — $75,000 to $300,000 in the first year alone, with $15,000 to $40,000 a year forever after.

Read that again. Half a million dollars. Before you bid on a single contract. That is not a cybersecurity program. That is an entry fee designed, whether intentionally or not, to clear the small business side of the defense supplier base.

If you are running a 10-person machine shop, a 20-person engineering firm, a 30-person avionics company, you already know what that number means. You cannot absorb it. Your margins don't support it. Your bank won't lend against it. And the clock is running.

This is the call-your-congressman moment. Do it today. The rest of this piece tells you exactly what to say when you call.

What CMMC Actually Requires

Plain English, no jargon:

• Level 1: 15 security controls. Annual self-assessment. Designated officer signs the affirmation every year.
• Level 2: All 110 security controls from NIST SP 800-171. Either self-assessment (for less-sensitive data) or a triennial audit by a Certified Third-Party Assessment Organization (C3PAO). Results posted to the Supplier Performance Risk System. Annual affirmation under FCA liability. Unique system identifiers for every in-scope IT asset.
• Level 3: All 110 Level 2 controls plus 24 more from NIST SP 800-172. Government-led audit by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The vast majority of small contractors will land at Level 2. The 110 controls at Level 2 are not checklists a person fills out in an afternoon. They are enterprise-grade security requirements: identity management, access control, endpoint protection, incident response, media sanitization, physical security, supply chain monitoring, system monitoring, audit logging, configuration management, and two dozen other categories, each with multiple specific implementations that have to be documented, deployed, monitored, and maintained.

Every subcontractor is subject to the same framework. CMMC flows down through every tier of the supply chain. The small shop supplying parts to the sub-tier integrator supplying a subsystem to the prime is on the hook. There is no "we're too small" exemption.

A false affirmation — even an honest mistake by an overworked compliance officer — can trigger contract termination, negative past-performance ratings, suspension and debarment, and False Claims Act damages that can run into the millions. A single line-item error on an annual attestation can end your company.

Who is exempt from CMMC 2.0?

Almost no one. The exemptions in the final DFARS rule are narrow, and most small businesses do not qualify for any of them. Here's the honest breakdown:

• Commercial off-the-shelf (COTS) products only. If your company sells exclusively pre-packaged commercial products that would be purchased off a shelf at Best Buy or Grainger, the DFARS CMMC clause does not flow down to you. The moment you customize, integrate, or provide a service wrapped around the product, you are back in scope.
• Contracts at or below the micro-purchase threshold (currently $10,000) in limited procurement categories. Not a realistic exemption for any company that counts DoD as meaningful revenue.
• Foreign government sales under specific arrangements. Not applicable to the domestic small business base.
• Purely unclassified, non-CUI work that never touches Controlled Unclassified Information. In practice, this is a vanishing category. If you handle engineering drawings, technical data, performance specifications, personnel information, or anything else the Pentagon considers sensitive-but-unclassified, you are handling CUI. Most small defense contractors do, whether they realize it or not.

What about self-assessment? At Level 1 you can self-assess. At Level 2 you can self-assess only for less-sensitive CUI, which is a shrinking category — the vast majority of Level 2 contracts will require a C3PAO third-party assessment once Phase 2 kicks in on November 10, 2026. Self-assessment is not a loophole; it is a narrow lane that is getting narrower.

The short answer to "Am I exempt?" is almost certainly no. If you bid on DoD work, plan as if CMMC applies to you.

How much does CMMC Level 2 cost a small business?

The Department of Defense's published estimate is $487,970 over three years for a representative small business at Level 2. That figure assumes you are already in substantial conformance with NIST SP 800-171. Most small businesses are not, because for years the Pentagon accepted self-attestation that nobody verified.

Real-world estimates from firms that do this work every day:

• Paramify (2025): Level 2 runs $63,000 to $200,000+.
• 1TEN (2026): First-cycle Level 2 costs from $75,000 to $300,000+.
• Cape Endeavors (2026): First-year cost of $75,000 to $150,000, with annual maintenance of $15,000 to $40,000 forever after.
• CISPoint (2026): $75,000 to $150,000 total, with assessment fees alone at $30,000 to $70,000.

A survey of more than 2,000 defense contractors found that 70% had budgeted less than $100,000 for CMMC. That isn't bad budgeting. That is the small business community not yet realizing what is actually about to hit them.

And the cost is not one-time. It's permanent. Annual affirmations. Triennial reassessments. Continuous monitoring. Ongoing vendor audits. Employee training on every control. Policy updates every time NIST revises the framework. Forever, for as long as you hold a DoD contract. A small business does not buy CMMC. It hires a permanent compliance department it cannot afford.

For a $2 million-revenue shop with 6% margins, half a million dollars of compliance is not a compliance program. It is the end of the company.

The Math Does Not Work

Let's walk through a concrete example. Take a small defense contractor. $3 million in annual revenue. 15 employees. Net margin of 7% — call it $210,000 a year in net profit.

CMMC first-year cost, conservative industry midpoint: $150,000. CMMC annual recurring cost after year one: $30,000. C3PAO triennial assessment: another $50,000 every three years.

Year one: $150,000 of compliance cost against $210,000 of profit. The company has roughly $60,000 of net income left — before any growth investment, before any equipment replacement, before any emergency cushion. Year two and year three: $30,000 a year in maintenance, plus the amortized assessment cost. Profit drops permanently.

And that is if nothing else goes wrong. One failed audit. One FCA exposure. One employee mistake on an annual affirmation. Any of those can take the company down.

Compare that to a large prime with $40 billion in revenue. Their compliance cost as a percentage of revenue is rounding error. They already employ hundreds of information security professionals. They have internal audit teams and outside counsel on retainer. CMMC is, for them, an annoyance. This is not a regulation that applies evenly. This is a regulation that scales punitively against small businesses and almost invisibly against large ones.

What Will Happen If Nothing Changes

Watch the next 30 months. Here is the sequence:

1. 2026 (Phase 2 kickoff, November 10): Level 2 C3PAO assessments become a condition of contract award on a growing share of DoD solicitations. The C3PAO population — roughly 70 firms nationwide — cannot handle the demand. Assessment prices rise. Waitlists form. Small businesses without contracts already in hand cannot afford to reserve a slot on spec.
2. 2027: Primes begin excluding non-certified subs from their supply chains because a non-compliant sub creates contract risk for the prime. The small business sub that has been a reliable supplier for 20 years is told, "We need your CMMC certification by Q3 or we can't include you on the next award." The sub cannot afford the bill. The prime finds a larger, already-certified replacement.
3. 2028 (full implementation, November 10): Every applicable DoD solicitation requires a CMMC level as a condition of award. Small businesses that have not certified are shut out completely. The long tail of the defense industrial base — the thousands of small machine shops, engineering firms, software developers, specialty manufacturers, and service providers who have been supplying the Pentagon for decades — exits the market.

Some will sell to a prime. Some will shift to commercial work. Some will close. None of them will announce their exit in a press release. They will just stop appearing in award data, and the Pentagon will quietly notice, two or three years from now, that the supplier base it has been worried about losing has in fact been lost.

This is not speculation. This is what every industry survey and compliance economist has been telegraphing for the last 18 months.

A Better Path: Prime Sponsorship of Small Business Compliance

There is a fix. It is sitting on the table, and it costs the taxpayer almost nothing to adopt. It is this: Let large primes and midsize defense companies sponsor small business compliance under their own CMMC program.

The mechanics:

1. The prime extends its accredited CMMC environment to the sub. The prime has already built, and passed a C3PAO audit on, a compliant CUI enclave. It issues the small business pre-hardened laptops, endpoint security software, a tenant inside the prime's GCC High or GovCloud environment, and access to the prime's security operations center for monitoring and incident response. The sub operates inside the prime's compliance boundary, under the prime's written System Security Plan.
2. The small business pays a monthly per-seat fee, but only if it wins the contract. No upfront capital outlay. If the sub wins the work, a pre-agreed fee — $150 to $400 per user per month, all-inclusive — is carved out of the contract award. If the sub doesn't win, no fee. The compliance cost is tied directly to revenue, as it always should have been.
3. The DoD issues a DFARS rule that defines "Sponsor Compliance Scope." The prime assumes primary responsibility for controls implementation. The sub remains responsible for its own users' conduct. False Claims Act exposure is allocated in a written sponsorship agreement reviewed by DCMA, so both parties know exactly what they own.
4. Competitive neutrality is written into the rule. A sponsoring prime cannot use sponsorship to lock subs out of bidding with that prime's competitors. Subs retain the right to bid on any DoD contract, including with non-sponsors. Fee structures are disclosed and capped.
5. DoD recognizes sponsor-scoped compliance as equivalent to independent certification. A sub operating inside a sponsor's accredited environment is treated, for contract eligibility, as holding the same CMMC status as the sponsor.

This is not radical. It is an extension of programs the DoD already accepts. The Mentor-Protégé Program already authorizes large contractors to provide business development assistance to small subs. CUI enclave hosting already happens on a case-by-case basis. Managed-service compliance offerings already sell a version of this to small businesses — at retail prices, with no contract-contingency structure, and no formal DoD recognition.

Prime Sponsorship adds the three things that matter: no upfront cost, payment tied to winning the work, and formal DoD recognition that the sponsor's compliance is the sub's compliance.

The math changes completely. Instead of a half-million-dollar entry ticket, the cost is rent that appears only when revenue appears. A small business can bid on a contract without bankrupting itself preparing to bid.

For the prime, the math works too. Primes already want compliant subs. They already absorb supply-chain compliance risk. Sponsorship monetizes that existing effort, turns small subs into a pool of reliable suppliers, and generates a small recurring revenue stream that offsets the cost of running the environment.

For the Pentagon, it preserves the supplier base the Pentagon claims to care about. A small business that cannot afford $500,000 up front can afford $300 a seat a month when a contract lands. That is the difference between a shrinking industrial base and a stable one.

The Open Questions Congress Has to Work Through

No proposal is perfect. These are the questions that have to be answered in the rulemaking:

• Scope definition. What does "inside the sponsor's enclave" mean for a sub that also does commercial work? Solvable with standard cloud tenancy isolation.
• FCA liability. If a sub's user causes a control failure, who is on the hook? Clear written allocation, reviewed by DCMA, is non-negotiable.
• Sponsor capture. A prime sponsoring 50 subs has leverage. The rule must prohibit exclusivity clauses, cap fees, and protect the sub's right to bid freely.
• Off-ramps. The rule must require data portability, a reasonable transition period, and no penalty for switching sponsors.
• Qualifying sponsors. Not every prime should qualify. Sponsors should have to hold current Level 2 certification, demonstrate sub-tenant capacity, and meet financial responsibility standards.

Every one of those is solvable. None is a reason to do nothing.

What To Actually Say When You Call

This is the action. Today. Not next week. Today.

Step 1: Find your representative. House: house.gov/representatives/find-your-representative. Senate: senate.gov/senators/senators-contact.htm. Get the DC office number, not the district office. The DC office tracks calls on specific legislation.

Step 2: Ask for the staffer who handles Armed Services or Small Business. If your representative sits on the House Armed Services, Senate Armed Services, House Small Business, or Senate Small Business committees, this matters even more — those four committees own the jurisdiction.

Step 3: Say this (or something like it):

Hello, my name is ____. I own a small defense contractor in [state/district]. I'm calling about CMMC 2.0 compliance, which became effective November 10, 2025. The DoD's own cost estimate is nearly half a million dollars over three years for a small business. My company cannot absorb that cost, and I will be locked out of federal contracting by 2028 unless Congress acts. I am asking the congressman/senator to champion a Prime Sponsorship amendment to the next DFARS authorization cycle. The amendment would let large primes and midsize defense companies extend their accredited CMMC environments to small subs — providing hardened laptops, compliant cloud tenancy, and security monitoring — in exchange for a per-seat monthly fee paid only if the sub wins the contract. This uses existing DoD compliance infrastructure, requires no new spending, and preserves the small-business industrial base the Pentagon says it needs.

Step 4: Follow up in writing. Send a one-page email summary to the staffer. Reference the DoD cost estimate, the industry cost range, the 70%-underbudgeted survey finding, and the Prime Sponsorship structure.

Step 5: Tell other small business owners to do the same. Congressional offices count calls. Ten calls on a specific policy in one week gets attention. A hundred calls gets a meeting. A thousand calls gets a bill introduced. This is how the small-business voice gets heard in Washington — not by hoping, but by dialing.

The alarm is real. The clock is running. Phase 2 starts November 10, 2026. You have a narrow window to get Congress on record before the industrial base you work in starts to disappear. Do not wait for someone else to make this call. There is no someone else. You are it.