CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
How CMMC Became a Competitive Advantage for DoD Contractors
CMMC is no longer just a compliance requirement. It is now a competitive advantage that directly impacts who wins and who loses DoD contracts.
In this episode of the CMMC Compliance Guide Podcast, Stacey and Brooke break down how the final 48 CFR rule has changed the contracting landscape and why primes are now aggressively pushing CMMC requirements down to their subcontractors. We explain how CMMC certification, SPRS scores, and assessment status are already being used to evaluate risk and readiness, even before certification becomes mandatory on every contract.
You will learn why contractors who are already certified, or at least scheduled for certification, are gaining an edge over competitors who waited too long. We also cover how flow-down requirements work, how primes protect themselves from False Claims Act risk, and why small businesses face a higher barrier to entry than midsize firms.
This episode also explains how contracting officers and primes view SPRS scores, what happens once certifications are uploaded through eMASS, and why CMMC status is not likely to become publicly searchable. Finally, Brooke walks through what contractors should be doing right now to stay competitive, including scoping CUI, running gap assessments, engaging a C3PAO early, and preparing subcontractor oversight.
If you want to keep winning DoD contracts in 2026 and beyond, this episode will help you understand how CMMC is reshaping the defense industrial base and what actions you need to take now.
Stacey: Hey there. Welcome to the CMMC Compliance Guide podcast. I'm Stacey.
Brooke: And I'm Brooke.
Stacey: From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's topic is one that gets right to the heart of government contracting. CMMC is no longer just a compliance box; it's now a competitive advantage. We're going to talk about how CMMC is reshaping who wins and who loses contracts, and what that means for primes and subs alike. So, Brooke, let's start with the big picture. Why has CMMC gone from just a compliance requirement to a competitive differentiator?
Brooke: Because the latest 48 CFR rule, which puts CMMC in place on contracts, was published and went active on November 10th of 2025. So now there's no more guessing, no more thinking, no more anything. It's here, it's coming, and it will be on a contract near you soon. There are four phases to it, and each phase is a year. The first phase is roughly what you've been doing, but the next phase, which starts November 10th, 2026, requires the level two certifications to be in place on contracts. That said, there are a lot of people who put this off. They put off getting a certification, they put off getting ready, or they got ready and then said, until that 48 CFR shows some movement, we're just going to tap the brakes a little bit. A lot of our clients did that; I know that. And so they're all getting on calendars to get the certification. But there are a lot of people we've talked to and have started helping here lately that haven't got it, aren't ready, and need to get ready before they can put that certification assessment on the schedule. So, seeing as there's a whole lot of people out there who are not ready yet, those who are will be able to win contracts easier and quicker than those who are not, of course. What I can tell you is that now that the 48 CFR has dropped and it's in place and active, with DFARS 252.204-7021, the prime contractors have started reaching out to all their subs. I don't know if the rule is what made them do it, but they were getting a little pushy before, and now there's a full-on push to get all their thousands of subcontractors up to par.
I even heard from one of our clients that only really has to be level one compliant that the prime wants them to be at level two. So that's all a discussion in place, but the point is they've said no, we want all of our subcontractor base to be on level two. And the point of all that really is just that there's a huge push now. They're going to start getting pushy and telling you you really need to do that to win contracts. The prime contractors can tell you anything they want: from this date forward, to win contracts, you have to have a level two certification. It doesn't matter what the government necessarily wants, because what they're doing is trying to make sure they have a certified base big enough to be able to fulfill those contracts. Anyway, it's coming. It's very important to get that done now. If you already have it done, or if right now you can show that your score is 110 and you've got a certification date scheduled or something like that, that's what they want to see. At some point there'll be a cutoff where they say you have to be certified by this date or you won't get any new contracts. But those people who are either there already or will be very soon, where all they lack is a certification, those are the ones who are in a really good spot. They're marked green in the prime contractor's system. That just means they're at 110 and either have a certification scheduled or already have their level two certification, and they can go forward with those contracts. So the primes are pushing really big. It's coming with direct federal government contracts too, so that will be a competitive advantage, because I can tell you, with over 300,000 contractors and subcontractors in the US, we're not going to have 300,000 ready that quick.
I don't recall exactly what the number of C3PAOs is, but if you figure out how many assessments they have to do per day or per hour to get that done by 2026, it ain't going to happen. But those who already have their level two certification, or have it on the schedule, are going to have a competitive advantage.
Stacey: So let's move into why primes are really cracking down on subcontractor compliance. Can you elaborate a bit on that, please?
Brooke: Sure. So there's a flow-down rule, and we kind of touched on it just a second ago. It's really always been there, but they really called it out recently in the 32 CFR. The flow-down means that if they have to have level two certification on this contract, then anybody they send CUI to also has to have that level two certification. If this contract just says level two self-assessment, then whoever they send that CUI to just has to have level two self-assessment. Same thing with FCI: if a contract just has FCI in it, then level one is what flows down. There can be instances where somebody gets a contract with CUI in it, and then they need some subs to work on something, but they don't send them any CUI. There can be some situations like that, but don't try to tell the federal government or an assessor that all of your subs do that. If you say, no, none of my subs have to be certified, we're okay, then they'll want you to explain that in depth and detail and tell them why. But yeah, that flow-down will happen, and is happening, from primes wanting their subs to be certified. The biggest reason behind that is if they say yes, all our subs are good, and they're really not, then there's a False Claims Act case that could happen. Conversely, if the sub says, we're all good, I promise, I'll check these boxes (and of course at some point you won't be able to just check the boxes), then the False Claims Act is waiting for that subcontractor as well. So you don't want to be the subject of a False Claims Act case.
They're very serious about those. And when you're just thinking about the federal government forcing things, wanting these things to happen, it's like, well, why are they doing all this? But then you step back and think about really why they are doing all this. It's to keep China and Russia and Iran and everybody else, the big one being China, from stealing all our stuff, right? I mean, our Joint Strike Fighter, ships, Humvees, laser systems, all sorts of fun stuff that the Chinese have just outright stolen. So they're trying to curtail that theft. It'd be great if it went down to zero, but they're trying to curtail it and not lose quite as much to the Chinese, so we keep our advantage. That's why it really is. And it all boils down to this, to CMMC and the False Claims Act: if you're not doing something that you say you're doing, then you could get in some big trouble. The other thing I might add is that the primes want to do their due diligence and make sure that they are not facing that legal risk. That's why they're trying to get their contractor base up to snuff, with proof and everything, before they get those contracts, so they can stay away from any legal issues.
Stacey: All right, Brooke, what about contracting officers? How do they actually use SPRS, or "Spurs," scores and CMMC status in evaluations or assessments?
Brooke: Well, that's where, eventually... So right now you put your scores into SPRS, or "Spurs," however you want to phrase it or say it. Right now you put your own scores in there. You're supposed to do an assessment, an actual assessment against the assessment guide, and score yourself using Appendix A, I believe it is. You start at 110 and subtract points for things that are not met. You can be down at negative 200-something, but anyway, you put your score into SPRS, and the date you did the assessment, and all this kind of fun stuff. Eventually, what's going to happen when you get certified (and eventually it'll only be this way) is that the C3PAO will say, you're good, congratulations, you passed, and then they'll upload all your stuff and your score to a system called eMASS. However it's connected on the back end, it flows over to PIEE and SPRS, and you get your SPRS score in there. That's where it'll come from, and you won't be able to put it in or edit it or anything. At least the way I understand it, you won't be able to edit it; I don't see why you would. Nevertheless, that will be your official score. SPRS is Supplier Performance Risk System, I believe is what it is, but it's your risk score, basically, based on the 110 CMMC controls. If you score 110, great, you're good. If you have a POA&M, then to be compliant, within the 180 days of being able to work that POA&M off and complete it, you can be at an 88. There are some items that can't be POA&M'd: five-pointers, three-pointers, and some one-pointers can't be POA&M'd. So if any of those are scored as not met, then, as far as your certification goes, you can't get certified.
But as far as your certification goes, if you score an 88 or above and all those other conditions are met, then you have 180 days to clear it up. Score anywhere below that and it's not good. So the further they move along, the more attention they're going to pay to your score and to whether you've had an actual level two certification or not. The other thing is, and I don't know if this will change or not, primes really can't go in and search for scores. You can't search for who's got a level two certification. That was actually brought up at one of the last conferences I was at. It would be great if we could just go search for level two certified contractors, and they said, well, that would mean the list would probably be easily available to China, and we don't want to give them that list of people directly. We don't want to make it that easy for them. So the likelihood of level two certificates, or even the scores, being searchable is probably not going to happen, if I had to guess. It could at some point, but it didn't sound like it was very likely to happen, because they don't want that easily attainable all in one spot. But you can share your scores, or a screenshot or whatever, with your primes. Generally they ask you to fill out a questionnaire and then sign a blood oath and swear, all that kind of fun stuff.
Stacey: So how does all of this affect small contractors compared to mid-sized contractors?
Brooke: Well, the bar is set here, however you want to say it. The bar is set way up here, and so a small contractor and a mid-sized contractor both have to start there. It's easier for a mid-sized contractor to start at a higher bar because they've got more resources, more personnel to pour into this project. Small ones are going to have a harder time with the amount of resources and the amount of cash that you have to put into it, understandably. I've already heard from quite a few that they're going to have to take a really hard look at it and see if keeping these contracts is going to be worth it. Is it enough of their business to worry about it? Are they profitable enough in these areas to keep doing it? Some of them are not. I do know a couple of very small companies where that is their whole line of business, with one prime for instance, and one of them tells me, this is going to put me out of business. I'm like, well, I'm not sure what to tell you other than raise your prices, or get more contracts, or something, but it's tough, it's really tough for them. So it is expensive. It's hard for a smaller company to handle. I can vouch for that because we're a small company, and we're scheduled for our level two certification after the first of the year, so we're going to be going through it as well. It ain't cheap, it ain't easy. But you can hire folks to come help out. That won't be cheap and it won't be easy either, but it'll at least make it possible for you to do that. Just the certification in itself, there's pretty much a floor of somewhere between $40,000 and $60,000 just for the level two certification. That doesn't include a mock assessment to make sure you're there.
That doesn't include hiring somebody to come in and help with that. It doesn't include your time on it. So you could probably add on another $30,000, $40,000, $50,000 for that, and that's if you're already ready. That doesn't include getting ready. So it is a tall bar to get over. It's a tall ask. It's going to hurt some small businesses. It's going to hurt all small businesses a lot worse than it will mid-size ones. But if you've planned and watched this come along and gotten your business in a place where you can do this, hopefully you have. It is a tougher thing to do as a small business than as a little larger one. It doesn't scale down very well. It's like a lot of software tools you can go out there and buy, where the software tool is only $100 a user per month. Great, I can afford that. Oh yeah, but you've got to buy a hundred users of it. So it's like, well, that doesn't help. Maybe y'all don't have to deal with that very much, but we see that, where there are some really great enterprise tools that we'd like to take advantage of, but they have a really high bar of entry, and we say, no thanks, we'll go find something else. But it happens. Those we have a choice in; this, not so much. So, without rambling on and on and on, which is kind of what I'm doing, it is tough for small businesses because there's just such a high bar to get in.
The other thing I will add is that if you're a small business and you can squeak this in, if you can squeak it in early and go ahead and get that certification as soon as you can, we go back to one of the very first things we talked about, and that's competitive advantage. You have a competitive advantage against a whole lot of other people, and maybe you can grow your business, maybe you can get better contracts, whatever it may be. That can be a competitive advantage for you. Is the federal government going to tell you that you can get more money from them? No. Is a contractor, Lockheed or Bell or anybody, going to tell you that you can win more contracts for sure? No, they're not going to tell you that, but they will suggest it highly. I have seen some emails that have been forwarded to me about the scores and where they want you to be, and they have all but said you'll get more contracts. They said it's very possible, or I don't remember the wording exactly, but that is a competitive advantage.
Stacey: So, wrapping everything up, what should contractors be doing right now if they don't want to lose out on any more DoD contracts?
Brooke: Well, it depends on where you're at in the process, but assuming that you looked at this and said, oh crap, I guess we've got to do this thing for real now: figure out what kind of CUI you have and whether you're going to need to be level one, level two self-assessed, or level two certified (most likely level two certified), or level three; there'll be a few of those as well. But find out what kind of CUI you have, because that'll matter in the whole scheme of things as well. Some of it is going to be NOFORN or ITAR or EAR or something like that, where you have an extra level. There, you can't have any foreign citizens working with that data, for instance. In other words, there are some export controls. But in any case, to quit chasing rabbits here and answer what you asked: find out what kind of CUI you have, and find out what all systems it goes in. This is a data flow diagram, which is what we talk about a lot. Draw out a diagram of all your systems, think applications in the cloud, applications on your computer, servers, systems like your ERP (which is an application, but however people think about that), and map out the data flow between all of that. Once you have that, you can figure out what your scope is, or what your scope needs to be, and then do a gap analysis. Lay out all the controls, and I'd really say lay out all the assessment objectives. There are 110 controls, but inside those 110 controls there are 320 assessment objectives. So lay out those 320 assessment objectives, go through it and say, yes, we do this, yes, we do that, no, we don't, no, we don't, or we've got to document this. A ton of it is documentation. So do a gap analysis based on those 320 assessment objectives and see where you're at and where you need to be, right?
Once you have that done, if you have it on a spreadsheet, or preferably a GRC tool, you can build out your SSP pretty quickly with that, and then build out your POA&M. A POA&M is a plan of action and milestones. An SSP, I guess I should say just in case, is your system security plan, and it's required: if you don't have your system security plan in place, you just fail the whole thing, because that's what it's all about. So build out your SSP, build out your POA&M items, make some projects out of those POA&M items, and then build all your policies, how you want your system to look or how your system needs to look. Then, as soon as you can, get on a C3PAO's schedule. Interview some C3PAOs. They're not all created equal. Not necessarily that there are bad ones and good ones, but maybe there are some that understand your industry better, or ones that you just mesh with better. Whatever it may be, there may be some that are easier and some that are harder. You just need to interview some and ask them the questions you want to ask; they'll answer the ones they can answer without consulting. They can't consult and do a certification assessment for you, or any kind of assessment. You can hire them to do some consulting (I guess most will do that), but if you do that, then they can't do any assessment for you. So most of them are going to say, until we know that we're not assessing you, we won't answer any consulting questions. Of course, at that point, if they're going to answer any consulting questions, then it turns into a paid engagement anyway. So you have to be aware of that.
The point is, get on a C3PAO's calendar. Find one, get on a C3PAO's calendar, which will involve a down payment and a commitment to say, by Valentine's Day we're going to start our mock assessment, for instance, or whatever it may be. The other thing is to audit your subs and figure out how you need to work with your subs, and actually that should be part of your SSP and your POA&M: what you're going to do to vet your subs. So you need to figure out which subs even know about CMMC, which ones are compliant or are going to be compliant, all that kind of fun stuff. And of course, once you do all that and you get certified, then, I don't know where they landed with this, you aren't supposed to use your certificate. They're supposed to be coming up with a publicly available level two certificate, I believe. But market your compliance. You can say, hey, we're level two certified, we want more of your business, DoD or Lockheed or whatever. I can tell you that I've had some people at primes that I know reach out to me and say, hey, I need a list of your clients that are level two certified. Of course, I have to ask them first, and then get them together. But the primes are asking for that. They want to know. So it is marketable, it is something they want to know, and it will be a competitive advantage for you.
Stacey: If you have questions about what we covered, reach out to us. We're here to fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.