CMMC by November 2026: what small defense contractors must do

This guide is for owners and managers of small companies in the Defense Industrial Base — machine shops, parts suppliers, manufacturers, and IT firms — who keep hearing about "CMMC" and need to understand what it actually means for their business.

What's happening, in one paragraph

If your company handles Controlled Unclassified Information (CUI) for the Department of Defense, you will soon be required to prove your cybersecurity meets a fixed federal standard before you can win or keep DoD contracts. The standard is NIST SP 800-171. The program that enforces it is CMMC (Cybersecurity Maturity Model Certification). The phased rollout makes CMMC Level 2 a contract condition, with the pivotal date being November 10, 2026.

Who is affected?

Hundreds of thousands of businesses across the Defense Industrial Base. If you receive, store, process, or transmit CUI — DoD drawings, specifications, technical data — Level 2 applies to you. That includes subcontractors several tiers down a prime's supply chain. If a prime tells you that you need CMMC to keep the work, they mean it: they can't legally pass CUI to a non-compliant supplier.

What does CMMC Level 2 require?

Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Revision 2, spread across 14 families:

• Access Control, Identification & Authentication (including multifactor authentication)
• Audit & Accountability, Configuration Management
• Incident Response, Maintenance, Media Protection
• Personnel & Physical Security, Risk & Security Assessment
• System & Communications Protection, System & Information Integrity
• Awareness & Training

In practice, "Level 2" means implementing all 110 — and being able to prove each one with evidence.

How the SPRS score works

The DoD measures your progress with a Supplier Performance Risk System (SPRS) score. You start at 110 and subtract points for each unimplemented control — 1, 3, or 5 points depending on its weight. The scale runs from −203 to 110. A score of 88 or higher, paired with a Plan of Action & Milestones to close the remaining gaps, is the threshold for conditional eligibility. Many small contractors are surprised to find their honest starting score is negative.

You can calculate your SPRS score for free here — no signup, about ten minutes.

The two documents you'll need

Beyond the controls themselves, an assessor expects two documents. The System Security Plan (SSP) describes how you satisfy each requirement. The Plan of Action & Milestones (POA&M) lists what's not yet done and your timeline to finish. Producing these by hand is tedious; readiness tools generate drafts from your assessment.

What to do now — a practical sequence

• 1. Scope your CUI. Identify exactly where CUI lives in your business. The smaller and more segmented that environment, the smaller your compliance burden.
• 2. Self-assess all 110 controls. Get an honest baseline and SPRS score. You can't plan what you haven't measured.
• 3. Prioritize the gaps. Close the highest-point, lowest-effort items first — multifactor authentication, security configuration, logging, and access control tend to move the score fastest.
• 4. Document as you go. Build your SSP and POA&M alongside the work, and track where each piece of evidence lives.
• 5. Engage a C3PAO when ready. The official certification comes from an accredited assessor — but only attempt it once your readiness work is genuinely done.

Common mistakes

• Waiting. Remediation takes months. Starting in mid-2026 may be too late for the November date.
• Over-scoping. Letting CUI sprawl across your whole network multiplies the work. Contain it.
• Claiming without proof. "Implemented" isn't enough — every control needs evidence an assessor can review.
• Treating it as one-and-done. Compliance is an ongoing annual cycle, not a single project.

How 144 helps

144 is built for exactly this situation: a small contractor who needs to get ready without a five-figure consultant. It walks you through all 110 controls in plain English, scores you the way the DoD does, builds a prioritized roadmap with cost and a projected ready date, generates your SSP and POA&M, and tracks where your evidence lives — without ever storing your CUI.