The State of CMMC for
Small Defense Contractors
How ready the small business defense base really is for the Cybersecurity Maturity Model Certification, in plain business English.
The Custodia Small Business CMMC Readiness Index
The small business defense base scores 33 out of 100 on CMMC readiness in this inaugural edition. The mandate is sized and dated, the deadline is moving, and the floor is low. Most firms are not where the rule will require them to be.
How this number is calculated
The index is an equal-weight mean of three public indicators, computed by Custodia from the cited sources. This inaugural edition uses defense-base-wide proxies. Future editions will add Custodia platform telemetry specific to small business Level 1 readiness. The methodology is published so the number is reproducible.
- Self-assessment score health (61/100): The average self-reported NIST 800-171 score sits near negative 12 on a scale that runs from negative 203 to positive 110. Normalized to a 0 to 100 scale, that is 61. Source: U.S. Department of Defense.
- Certification readiness (12/100): Roughly 1,000 organizations have reached Level 2 certification against an estimated 8,350 that will need a third party assessment. That is about 12 percent. Source: The Cyber AB.
- Assessor capacity (26/100): Current certification run rate is near 2,100 per year against 8,350 organizations that need an assessment, roughly 26 percent of annual demand. Source: The Cyber AB.
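Because the method above is meant to be reproducible, here is a small script that rebuilds the index from the three quoted figures. It is an added example, not Custodia's own code: the input values are the ones on this page, the min-max normalization of the self-assessment score and the equal-weight mean follow the stated method, and the optional weight vector is an assumption added so a later edition with different weighting could reuse it. Note that with the rounded "near 2,100" run rate the assessor capacity component comes out at 25 rather than the page's roughly 26; the final index still rounds to 33 either way.

```python
"""Reproduce the Custodia Small Business CMMC Readiness Index from its three indicators.

Added example, not Custodia's own code. Input figures are those quoted on the page;
normalization and the equal-weight mean follow the method the page describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str
    value: float   # raw figure as reported by the source
    low: float     # raw value that maps to 0 on the 0-100 scale
    high: float    # raw value that maps to 100 on the 0-100 scale

    def normalized(self) -> float:
        """Min-max scale the raw value to 0..100.

        The result is clamped so an out-of-range input (for example a count above
        the population it is measured against) cannot push a component outside 0..100.
        """
        span = self.high - self.low
        if span <= 0:
            raise ValueError(f"{self.name}: high must exceed low")
        score = (self.value - self.low) / span * 100.0
        return max(0.0, min(100.0, score))


# Figures quoted on the page (DoD SPRS average score; Cyber AB certification counts and run rate).
INDICATORS = [
    # Average self-reported NIST SP 800-171 score on a scale running from -203 to 110.
    Indicator("self_assessment_score_health", value=-12, low=-203, high=110),
    # About 1,000 Level 2 certifications against about 8,350 organizations that need one.
    Indicator("certification_readiness", value=1000, low=0, high=8350),
    # About 2,100 certifications per year against the same 8,350 organizations.
    Indicator("assessor_capacity", value=2100, low=0, high=8350),
]


def component_scores(indicators=INDICATORS) -> dict:
    """Return each indicator's 0-100 component score keyed by indicator name."""
    return {ind.name: ind.normalized() for ind in indicators}


def readiness_index(indicators=INDICATORS, weights=None) -> float:
    """Weighted mean of the normalized components; equal weights by default.

    The weights parameter is an assumption added for future editions, not part of
    the published method, which is a plain equal-weight mean.
    """
    scores = [ind.normalized() for ind in indicators]
    if weights is None:
        weights = [1.0] * len(scores)
    if len(weights) != len(scores):
        raise ValueError("one weight per indicator")
    return sum(w * s for w, s in zip(weights, scores)) / sum(weights)


if __name__ == "__main__":
    for name, score in component_scores().items():
        print(f"{name:32s} {score:6.1f}")
    print(f"{'readiness index':32s} {readiness_index():6.1f}")
```

Running it prints the three component scores and the index (about 32.7, reported as 33). To rerun the index for a later edition, replace the three raw values and, if the scale changes, the low and high bounds; the normalization handles a negative floor such as the -203 minimum of the SPRS score without special casing.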
The universe
How many of us does this actually hit?
The Department of Defense sized this itself. Its Regulatory Impact Analysis for the CMMC program estimates that more than 337,000 contractors and subcontractors are affected, and roughly 230,000 of them are small entities. About two thirds of the entire affected population is small business.
Most of that population sits at Level 1, the basic safeguarding tier for Federal Contract Information. Only an estimated 8,350 medium and large entities are pushed to Level 2, where an outside assessor is required. In other words, the rule is overwhelmingly a small business event, and it is overwhelmingly a Level 1 event.
For context, the defense industrial base is roughly 59,678 companies and 1.1 million workers, and small businesses won more than 183 billion dollars in federal prime contracts in FY2024. The base that this rule touches is not a niche. It is the backbone of how the government buys.
CMMC is not a big business problem with a small business footnote. It is a small business problem at Level 1, by the government's own numbers.
The gap
How far behind is everyone, really?
The single most revealing number in federal cybersecurity is the average self reported score. On a scale that tops out at 110, the average sits near negative 12. The bar is a perfect score. The base is starting deep in the hole.
Worse, the self reported numbers tend to be optimistic. When the Defense Industrial Base Cybersecurity Assessment Center validated scores that contractors reported themselves, it found many self reported perfect scores were not accurate. That gap between what firms claim and what they can prove is exactly what the move to third party assessment is meant to close.
Level 1 does not produce a 0 to 110 score. It is a binary check of 15 requirements, pass or fail. But the same readiness gap shows up: most small firms have never run a real self assessment, and they discover the gaps only when a prime asks for proof.
The floor is low and the self reporting is generous. The deadline is what turns that from a paperwork problem into a contract problem.
Who is exposed
Is my industry actually in the blast radius?
Exposure is not about whether you feel like a cybersecurity company. It is about whether you touch Federal Contract Information, and almost every federal contract creates it. A statement of work, a delivery schedule, a non public email from a contracting officer: that is all FCI, and FCI triggers Level 1.
The dollars make the reach concrete. Custodia analysis of USAspending shows a single trade, machine shops, drawing more than 75 million dollars in federal obligations in FY2025, spread across thousands of awards to mostly small firms. Repeat that across metal fabrication, construction and facilities, IT services, logistics, and professional services, and the in-scope population is most of the small business base.
The firms most surprised to be in scope are the ones who do not think of themselves as defense companies at all: the welder, the parts supplier, the facilities contractor, the staffing firm. The rule does not care about your self image. It cares about your data.
If you hold a federal contract, assume you hold FCI, and assume Level 1 applies until you can prove it does not.
The readiness curve
Is anyone actually getting certified?
After years of warning, actual readiness is tiny. By early 2026 roughly 1,000 organizations had reached Level 2 certification, about 1 percent of the defense base. The assessor side is thin too: around 103 authorized assessor organizations and several hundred certified assessors to serve thousands of companies.
That math creates a queue. Certificates are being issued at a rate in the low hundreds per month against a Level 2 population in the thousands, which means the firms that wait will compete for scarce assessor time exactly when their contracts demand it.
Level 1 firms self assess, so they are not in the assessor queue. Their risk is different and quieter: they can wait until a prime or a solicitation asks for proof, and then have days, not months, to produce it.
Readiness is a single digit percentage and the assessor pipeline is narrow. Being early is a competitive advantage, not just a compliance checkbox.
The cost of compliance
What is this going to cost me, in time and money?
The good news for the small business base is that Level 1 is the affordable tier. The Department of Defense estimates a Level 1 self assessment near 6,000 dollars for a small entity and near 4,000 dollars for a larger one, and most of that is internal time, not vendor fees.
Level 1 is 15 requirements, self-assessed, with no outside assessor required. The expensive path is letting a vendor reframe a 15-requirement self-assessment as a full Level 2 rebuild when your contracts only involve FCI. That mismatch, paying for Level 2 infrastructure to solve a Level 1 problem, is the most common way small firms overspend.
Ongoing maintenance, the annual affirmation and keeping evidence current, is a modest recurring cost when the work is done once and kept up, and a painful one when it is rebuilt from scratch every year.
Level 1 is cheap if you scope it correctly and do it once. The cost risk is buying the wrong level, not the right one.
The risk
What happens if I get it wrong?
The affirmation a senior official signs is not a formality. Under the Department of Justice Civil Cyber-Fraud Initiative, knowingly misrepresenting your cybersecurity posture to win or keep federal work is treated as fraud. Aerojet Rocketdyne settled for 9 million dollars in 2022 and Penn State for 1.25 million dollars in 2024, both over false cybersecurity representations.
Once the acquisition rule made the CMMC affirmation a condition of award in November 2025, that affirmation became material to payment, which is the exact element these cases turn on. The exposure is real, but it is also specific: it attaches to knowingly signing something you cannot back up, not to honest gaps you are working to close.
The practical guardrail is boring and effective. Run a real self assessment, write down the result for each requirement, keep the evidence, and only sign once it is true.
The risk is not honest mistakes. It is signing an affirmation you cannot defend. Documentation is the defense.
The small business squeeze
Are small firms getting pushed out?
The defense base has been consolidating for thirty years. The Congressional Research Service documents the aerospace and defense prime field shrinking from 51 companies to 5, and the Department of Defense has flagged a decline in small business prime contractors as a national security concern.
Compliance burden is a consolidation force. Every requirement that is easy for a large firm with a security team and hard for a three person shop pushes work up the chain. CMMC done badly accelerates that squeeze. CMMC done simply, at the right level, is how a small firm stays in the game.
Small businesses still won more than 183 billion dollars in federal prime contracts in FY2024. The opportunity is enormous. The question is whether the small firms that can do the work can also clear the compliance bar to bid for it.
Compliance is becoming a gate on who gets to compete. Clearing it cheaply is a small business survival skill.
The forecast
Where is this going next year?
The rollout is phased over three years, and each phase pulls more contracts into scope. Phase 1 began in November 2025, when solicitations could start requiring Level 1 and Level 2 self assessment. Phase 2 begins in November 2026 and expands Level 2 third party assessment. Phase 3 in November 2027 adds Level 3. Phase 4 in November 2028 is full implementation across all applicable contracts, with no exceptions and no grandfathering.
The takeaway for a small firm is timing. The cheapest, calmest moment to get Level 1 right is before a solicitation forces it. The most expensive moment is the week a contract you want lists the requirement and you have nothing prepared.
Demand for assessors will outrun supply as Phase 2 lands. The firms that prepared during the quiet phase will move while the rest wait in line.
The window is open now and closes in stages through 2028. Early is cheap. Late is a queue.
What to do about it
If you hold or want federal work, the move is the same: confirm whether Federal Contract Information touches your business, then meet the 15 Level 1 requirements and post your annual affirmation. Do it during the quiet phase, not the week a contract demands it.
Start with the free CMMC qualifier to see where you stand, read the plain English Level 1 guide, and check the real cost of Level 1 and the False Claims Act risk so you scope it correctly the first time.
See where your business stands in 4 minutes.
The free Custodia qualifier checks your exposure against all 15 Level 1 requirements. No card, no jargon.
Methodology and sources
This report compiles primary U.S. government data, defense ecosystem figures, and Custodia analysis of public contract data. Every figure above links to its source. The readiness index is computed by Custodia from the cited indicators, with the method shown in the index panel. Figures are current as of the publication date and will be updated in the next edition. This is the inaugural 2026 edition; the report is published annually.
- U.S. Department of Defense. Regulatory Impact Analysis, CMMC Program (32 CFR Part 170). https://downloads.regulations.gov/DOD-2023-OS-0063-0003/content.pdf
- Office of the Federal Register. 32 CFR Part 170, CMMC Program. https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170
- Federal Register. CMMC Program final rule. https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
- Federal Register. DFARS CMMC acquisition rule (48 CFR), effective November 10, 2025. https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
- U.S. Department of Defense. Supplier Performance Risk System, NIST SP 800-171 assessments. https://www.sprs.csd.disa.mil/nistsp.htm
- The Cyber AB. CMMC ecosystem marketplace and town hall figures. https://cyberab.org/marketplace
- Congressional Research Service. The U.S. Defense Industrial Base, Background and Issues for Congress (R47751). https://www.congress.gov/crs-product/R47751
- U.S. Small Business Administration. Small Business Procurement Scorecard, FY2024. https://www.sba.gov/federal-contracting/contracting-data/small-business-procurement-scorecard
- National Defense Industrial Association. Vital Signs, the health of the defense industrial base. https://www.ndia.org/policy/publications/vital-signs
- U.S. Department of Justice. Civil Cyber-Fraud Initiative. https://www.justice.gov/civil/cyber-fraud-initiative
- Custodia analysis of USAspending.gov. Federal contract obligations by industry, FY2025. https://www.usaspending.gov/
Cite this report: Custodia. The State of CMMC for Small Defense Contractors (2026). https://bidfedcmmc.com/state-of-cmmc