The shape of the problem in 2026

The CMMC 2.0 Final Rule has been in effect for over a year. The contractual phase-in is well underway: by the end of 2027, virtually every DoD contract involving Controlled Unclassified Information (CUI) will require its prime — and most of its subcontractors — to hold a CMMC Level 2 certification from an authorized C3PAO. Some contracts have already started carrying the requirement. Many subs are getting flow-down language now.

For shops between $5M and $50M, that creates a specific problem. You're too small to absorb a Deltek-class compliance stack. You're too big to ignore the requirement and hope it goes away. And you almost certainly have at least one customer who's already asked, in writing, when you'll be CMMC L2 ready.

What CMMC L2 actually requires (in one paragraph)

110 security controls from NIST SP 800-171, plus 320-ish assessment objectives that break those controls into testable pieces. A formal assessment performed by an authorized C3PAO every three years. A System Security Plan (SSP) and Plan of Action and Milestones (POA&M) maintained as living documents. Annual senior-official affirmation. A Supplier Performance Risk System (SPRS) score posted and kept current. Self-assessment is permitted only for the small subset of contracts handling Federal Contract Information (FCI) without CUI — in practice, almost nobody.

The build/buy/skip framework

For every control, you have three honest choices:

  • BUY — the control is solved by a commodity tool you already use or can purchase. Most of the technical controls fall here.
  • BUILD — the control is partly software but mostly process. The off-the-shelf options either don't exist or are oversized for your scale. Custom, focused tooling earns its keep.
  • SKIP — the control is technically in scope but not yet active for you, or it's been over-engineered by vendors who'd love to sell you something. Defer until you actually need it.

The mistake small contractors most often make is treating every control as BUY. The result: a $40K/year GRC SaaS subscription, a $25K/year endpoint vendor, a separate $15K/year SIEM, a part-time consultant retainer — and the SSP is still hand-edited in a Word doc.

What to BUY

This is the commodity layer. Where the market has converged on good answers, buy the good answer.

Identity, MFA, conditional access

Microsoft Entra ID (included in M365 Business Premium and above), Duo, or Okta. If you're already on M365, Entra is the path of least resistance — you're paying for it anyway. Lock down legacy auth, enforce MFA on every account, configure conditional access for unmanaged devices.

Endpoint protection

Microsoft Defender for Business (about $3/user/month, included in M365 Business Premium), CrowdStrike Falcon, or SentinelOne. All three satisfy the malware-protection control category. Defender is the cheapest if you're M365-native; CrowdStrike has the strongest detection if you can absorb the cost.

Audit logging and SIEM

If you're M365-native, the cheapest viable answer is Microsoft Sentinel (a few hundred dollars a month for a small ingest volume) feeding from M365 audit logs and Defender. If you're AWS-heavy, CloudTrail + GuardDuty + a small Splunk-or-equivalent. Skip building your own SIEM — this is one of the highest-cost mistakes I see.

Email encryption and DLP

If you handle CUI in email at all (most do, even if they shouldn't), you'll need encryption in transit and at rest plus basic DLP. M365 has this built in at the GCC tier. Proofpoint and Mimecast are stronger alternatives if you've already standardized there.

GCC vs. GCC High M365

This is the single biggest "buy" decision. If your CUI lives in M365 (email, OneDrive, SharePoint, Teams), the standard commercial M365 tenant is not sufficient. You need at minimum GCC (about $20–30/user/month extra), and possibly GCC High if you handle ITAR or specific covered defense information. This is non-negotiable and it's the most expensive line item for most small contractors. Budget for it.

Backup with encryption

Any cloud-native backup that supports encryption at rest and immutable retention. Backblaze, Veeam Cloud Connect, or M365 native backup tools. Cheap and standard.

Secure remote access

Tailscale, Cloudflare Access, or a properly configured VPN. Avoid the trap of running your own OpenVPN server — the audit complexity isn't worth the licensing savings.

What to BUILD

This is where small contractors get over-sold by GRC SaaS vendors and under-served by the C3PAO consultant world. The pattern: off-the-shelf compliance platforms (Vanta, Drata, Hyperproof) were built for SaaS startups chasing SOC 2 and ISO 27001. They support NIST 800-171 controls in their checklists, but they don't speak DFARS, they don't model how a GovCon shop actually operates, and the artifacts they produce aren't shaped the way a C3PAO wants to see them.

Five things small contractors are almost always better off building (or having built for them, custom) than buying off-the-shelf:

1. The SSP as a living document

Not a 60-page Word doc that gets revised once a year. A structured data store where each control has its current implementation description, owner, evidence references, and last-reviewed date — rendered into the assessor's preferred format on demand. When the assessor asks for the SSP, they get a current PDF. When you update a control, the SSP updates automatically.

2. POA&M tracker tied to real project management

Most POA&Ms live in a spreadsheet that nobody touches between assessments. Build a POA&M that's a real ticket queue — each open finding has an owner, a due date, a remediation plan, and shows up in your weekly status meeting alongside operational work. When closure evidence is captured, the POA&M updates and the SSP cross-references the new state.

3. Control-to-evidence mapping

For each of the 110 controls, you need to know: what artifact proves we satisfy this, where does that artifact live, who owns it, when was it last refreshed. Off-the-shelf GRC tools do this generically. A custom build for a small contractor pulls evidence automatically from M365 audit logs, Entra, Defender, your AWS account, your timekeeping system, your training records — whatever your actual stack is — and surfaces gaps before an assessor finds them.

4. Access review workflow

Quarterly attestations: "Manager X, here are your direct reports' access permissions; click to approve, click to remove." Most generic IAM tools handle this for cloud resources but not for the contract-specific access categories DCAA and CMMC care about. Build it tight to your scope.

5. The assessor walk-through bundle

When the C3PAO arrives, they want the evidence in a specific shape: control-by-control, with cross-references and timestamps. The hours your team spends compiling that packet under deadline pressure are the most expensive hours of the assessment. Build a tool that compiles the bundle on demand and you save those hours every cycle.
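The living SSP and control-to-evidence map from items 1 through 3 above, as an added example that is not the page's or any vendor's code: a small Python registry where each control carries its implementation, owner, evidence and review date, plus a gap check that flags what an assessor would flag. The control numbers are real NIST SP 800-171 identifiers; the owners, evidence locations, dates and POA&M counts are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Evidence:            # one artifact that proves a control is met
    location: str          # where it lives (constructed paths below)
    owner: str
    last_refreshed: date

@dataclass
class Control:             # one NIST SP 800-171 control as a row in the living SSP
    control_id: str
    implementation: str    # current implementation description
    owner: str
    evidence: list = field(default_factory=list)
    last_reviewed: date = date.min
    open_poam_items: int = 0

def find_gaps(controls, today, max_age_days=90):
    """Map control_id -> reasons an assessor would flag: missing owner or evidence,
    evidence or SSP entry older than max_age_days, or an open POA&M item."""
    cutoff = today - timedelta(days=max_age_days)
    gaps = {}
    for c in controls:
        reasons = []
        if not c.owner:
            reasons.append("no control owner")
        if not c.evidence:
            reasons.append("no evidence mapped")
        reasons += [f"stale evidence: {e.location} ({e.last_refreshed})"
                    for e in c.evidence if e.last_refreshed < cutoff]
        if c.last_reviewed < cutoff:
            reasons.append(f"SSP entry not reviewed since {c.last_reviewed}")
        if c.open_poam_items:
            reasons.append(f"{c.open_poam_items} open POA&M item(s)")
        if reasons:
            gaps[c.control_id] = reasons
    return gaps

# Constructed sample: real 800-171 control numbers, made-up contents.
TODAY = date(2026, 3, 1)
SAMPLE = [
    Control("3.1.1", "Entra ID, MFA enforced, conditional access", "it-lead",
            [Evidence("Entra/conditional-access-export", "it-lead", date(2026, 2, 10))],
            last_reviewed=date(2026, 2, 10)),
    Control("3.3.1", "Sentinel ingests M365 audit and Defender logs", "sec-lead",
            [Evidence("Sentinel/connector-screenshot", "sec-lead", date(2025, 10, 1))],
            last_reviewed=date(2026, 1, 15), open_poam_items=1),
    Control("3.9.1", "Screening before CUI access", "", last_reviewed=date(2025, 6, 1)),
]
```

Run `find_gaps(SAMPLE, TODAY)` to get the punch list; the same registry can be rendered into the assessor's SSP format since every field the format needs is already structured.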

What to SKIP

The over-buying graveyard. Each of these is genuine money small contractors waste at this scale:

  • General-purpose GRC SaaS at $30K–$60K/year. Vanta and Drata are great products for the wrong customer. At your size, they cost more than the focused custom build that would actually fit your shop — and they don't produce GovCon-shaped artifacts.
  • Building your own SIEM. Buy Sentinel or pay for managed CrowdStrike. Running open-source ELK or Wazuh at this scale will eat an engineer.
  • Premature CUI segmentation. Don't build a separate "CUI environment" with its own AD forest until you actually have CUI volume and process complexity that needs it. For most $5M–$20M shops, a single GCC tenant with proper labeling is sufficient.
  • Cloud security posture management (CSPM) tools like Wiz, Lacework, Orca. Excellent products; massively oversized at this scale unless you have a heavy cloud footprint.
  • Hiring a full-time CISO. Use a fractional CISO ($3K–$8K/month) until your security team is at least 3 FTEs. Most shops never need a full-time CISO.
  • Pre-assessments more than 9 months ahead of your real one. Pre-assessment artifacts go stale fast. Done too early, you'll pay twice for the same effort.

The honest cost picture

Rough orders of magnitude for ongoing CMMC L2 compliance costs (excluding the C3PAO assessment fee itself, which is a separate $30K–$80K every 3 years):

$5M shop, ~25 employees

  • M365 GCC uplift: ~$8K/year
  • Defender for Business: ~$1K/year
  • Microsoft Sentinel (small ingest): ~$3K/year
  • Backup, MFA token costs, misc: ~$2K/year
  • Fractional CISO or part-time security lead: ~$30K/year
  • Custom readiness tooling (one-time): $20K–$40K
  • Total: ~$45K/year ongoing, plus ~$30K one-time

$20M shop, ~80 employees

  • M365 GCC uplift: ~$25K/year
  • Defender or CrowdStrike: ~$15K/year
  • Sentinel or equivalent SIEM: ~$10K/year
  • Fractional CISO or in-house security manager: ~$80K/year
  • Custom readiness tooling: $40K–$80K one-time
  • Total: ~$130K/year ongoing, plus ~$60K one-time

$50M shop, ~200 employees

  • M365 GCC uplift: ~$60K/year
  • CrowdStrike or SentinelOne: ~$40K/year
  • Sentinel or managed SIEM: ~$30K/year
  • In-house security manager + analyst: ~$200K/year
  • Custom readiness tooling: $60K–$120K one-time, plus retainer for evolution
  • Total: ~$330K/year ongoing, plus ~$100K one-time

These ranges are deliberately generous on the low side and conservative on the high side — they're what I see actually work, not what vendors quote. Your mileage will vary based on existing infrastructure and CUI scope.

When to engage a C3PAO

Wrong time: as soon as you've heard about CMMC. You'll pay for a pre-assessment that goes stale before your real one is due.

Right time: roughly 6–9 months before your first contract will mandate L2, and only after your gap remediation work is around 80% complete. The pre-assessment is most valuable when it catches the last few items you missed — not when it gives you a long list of things you already knew you needed to do.

Worst time: three weeks before your contract requirement deadline, after a customer has already asked for your certification status. At that point you're paying for an emergency assessment with no time to remediate findings.

Need a hand?

If you're staring at a sales pitch from Vanta, a quote from a C3PAO consultant, or an internal debate about whether to move to GCC — we offer free 30-minute teardown calls for small Defense contractors. Bring your scope, your current controls, your vendor pitches. We'll tell you which boxes are real, which are oversold, and which you can defer.

FAQ

If I only have FCI and no CUI, do I still need Level 2?

If all you handle is FCI, CMMC Level 1 with annual self-assessment is sufficient. The catch: many contracts assume any "covered defense information" you touch is at least CUI by default, and a lot of small contractors discover they have CUI scope they didn't realize. Confirm with the contracting officer in writing before assuming Level 1 is enough.

Do I have to move to GCC or GCC High M365?

If your CUI lives in M365 services (email, OneDrive, SharePoint, Teams), then yes — standard commercial M365 is not authorized to handle CUI. GCC is the floor; GCC High is required for ITAR/EAR-controlled data or specific covered defense information types. If you can keep CUI out of M365 entirely (e.g., in a separately segmented Linux file share), you can sometimes avoid the GCC upgrade — but that requires real discipline most small shops can't sustain.

What's the difference between an RPO consultant and a C3PAO?

An RPO (Registered Practitioner Organization) helps you get ready for assessment. A C3PAO (Certified Third-Party Assessment Organization) performs the assessment. The same firm can hold both authorizations, but they cannot do both for the same client — that's a conflict of interest. If you have an RPO consultant, you'll need a separate C3PAO for the actual assessment.

How much does the C3PAO assessment itself cost?

Roughly $30K–$80K every three years for shops in this size range, depending on scope (number of CUI assets, number of employees in scope, complexity of your environment). Cheaper than I expected the market to settle, honestly — competition among authorized C3PAOs has kept prices reasonable. Get at least three quotes; they vary.

What's my SPRS score and why does it matter?

SPRS (Supplier Performance Risk System) is the DoD database that stores your self-assessment score against the 110 NIST 800-171 controls — a number between -203 and +110. Primes increasingly look at it before awarding subcontracts. You're required to post a current score for any contract carrying DFARS 252.204-7019. Most small contractors post once and forget; keep yours current as you remediate.
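An added example, not part of the original post, of how that SPRS number is produced under the NIST SP 800-171 DoD Assessment Methodology (start at 110, subtract each unmet control's weight, floor at -203) and of ordering POA&M work by the points each fix recovers. The weight table here is a constructed ten-control subset; a real run uses the full 110-control table from the methodology annex.

```python
# Scoring rule from the NIST SP 800-171 DoD Assessment Methodology: start at 110 and
# subtract each unmet control's weight (5, 3 or 1). Two controls allow partial credit:
# 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) deduct 3 instead of 5 when partially met.
MAX_SCORE, MIN_SCORE = 110, -203
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # deduction when status is "partial"

# Constructed sample subset; verify every weight against the methodology annex.
WEIGHTS = {"3.1.1": 5, "3.1.2": 5, "3.3.1": 5, "3.4.2": 5, "3.5.3": 5,
           "3.7.2": 5, "3.8.1": 3, "3.11.2": 5, "3.13.11": 5, "3.14.1": 5}

def deduction(control_id, status):
    """Points lost for one control. status: 'met', 'not_met' or 'partial'."""
    if status == "met":
        return 0
    if status == "partial":
        if control_id not in PARTIAL_CREDIT:
            raise ValueError(f"{control_id} has no partial-credit rule; score it not_met")
        return PARTIAL_CREDIT[control_id]
    if status == "not_met":
        return WEIGHTS[control_id]
    raise ValueError(f"unknown status {status!r} for {control_id}")

def sprs_score(statuses):
    """statuses: {control_id: status}. Any control in WEIGHTS left out counts as not_met."""
    total = sum(deduction(cid, statuses.get(cid, "not_met")) for cid in WEIGHTS)
    return max(MIN_SCORE, MAX_SCORE - total)

def remediation_order(statuses):
    """Open controls sorted by points recovered (largest first), then by control number,
    so the POA&M works the biggest score gains, usually the biggest risk, first."""
    gains = [(deduction(cid, statuses.get(cid, "not_met")), cid) for cid in WEIGHTS]
    numeric = lambda cid: tuple(int(p) for p in cid.split("."))
    return [cid for gain, cid in sorted(gains, key=lambda g: (-g[0], numeric(g[1])))
            if gain > 0]

# Constructed self-assessment for the sample subset.
SELF_ASSESSMENT = {"3.1.1": "met", "3.1.2": "met", "3.3.1": "not_met", "3.4.2": "met",
                   "3.5.3": "partial", "3.7.2": "met", "3.8.1": "not_met",
                   "3.11.2": "not_met", "3.13.11": "partial", "3.14.1": "met"}
```

Re-running `sprs_score` after each POA&M closure is what "keep yours current as you remediate" means in practice: the posted number should move as the evidence does.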

Can I be CMMC-ready without custom tooling?

Yes, if your shop is simple enough — small team, single contract, M365 GCC, a tidy spreadsheet for your SSP and POA&M, and a part-time security lead. Past 25–30 CUI-handling employees or 2+ active contracts, the spreadsheet starts breaking down and you'll spend more time wrestling it than running your business. That's when custom tooling pays for itself.