IT/compliance lead, fractional CISO, or owner-operator at a small or mid-size DoD contractor or subcontractor (typically under 50-200 employees) that handles FCI or CUI and must reach CMMC Level 2
Small defense contractors must comply with NIST SP 800-171 and now obtain CMMC certification to keep winning DoD work, but most are nowhere near ready — only about 1% of the DIB is assessment-ready. They face 110 controls, a System Security Plan, and a POA&M, yet usually lack a dedicated security team. First-cycle Level 2 compliance commonly runs $75K-$300K+ and 12-18 months, and a failed C3PAO assessment or lapsed compliance can cost them eligibility for contracts.
- Trigger
- The CMMC DFARS final rule became effective November 10, 2025, launching a three-year phased implementation with full applicability to covered DoD contracts by November 2028 (DFARS / DoD).
- Budget
- Annual SaaS subscription tiered by company size / control scope (e.g., ~$5K-$25K/yr), plus paid add-ons: guided remediation, C3PAO/RPO assessor matchmaking referral fees, and managed evidence-collection or vCISO upsell