Most small businesses in the defense industrial base have been preparing for CMMC the wrong way. They've been implementing controls. That's not the problem.
The problem is they can't prove it.
Federal News Network's coverage this week framed it sharply: CMMC won't fail on controls, it will fail on proof. That's correct, and it understates how badly unprepared most sub-$10M revenue contractors are for what "proof" actually demands in a formal assessment context.
The Gap Nobody's Talking About
Here's the uncomfortable math. A company can have multi-factor authentication deployed, access controls locked down, incident response procedures written, and CUI properly scoped — and still fail a CMMC Level 2 assessment because the documentation trail doesn't satisfy an assessor that those controls are operating consistently and have been for a meaningful period.
CMMC assessors aren't auditing your security posture in real time. They're auditing your evidence of your security posture. Those are different things, and treating them as the same thing is what's going to burn a lot of small shops.
The NIST SP 800-171 framework that underlies CMMC Level 2 has 110 security requirements. Each one needs not just implementation but traceable, timestamped, cross-referenced evidence that an assessor can follow without your help. The moment you're explaining to an assessor what a document means, you've already lost ground.
An assessor won't take your word that a control is operating. They need policies, procedures, system screenshots, logs, training records, and configuration outputs — all cross-referenced to the specific practice being assessed. If you can't hand them a package and leave the room, your documentation isn't done.
Why Small Businesses Are Structurally Disadvantaged Here
Large primes have compliance infrastructure. They have people whose entire job is maintaining the System Security Plan, keeping the POA&M current, and generating audit-ready evidence packages. That function exists as a cost of doing business.
Small businesses don't have that. The person responsible for CMMC compliance is usually also the IT lead, or the contracts manager, or — at the smallest shops — the owner. Documentation discipline is the first thing that slips when you're also trying to win new work, deliver on existing work, and manage cash flow.
The result: technically solid security implementations with no paper trail that an assessor can independently follow.
Consider a scenario that's going to play out hundreds of times once C3PAO assessments scale up. A 15-person engineering firm — call them Example Defense Solutions — has been operating with solid security hygiene for two years. They use a cloud environment with proper CUI boundaries, they've trained staff, they have an SSP. But their SSP was written 18 months ago and hasn't been updated to reflect a tool migration they did last spring. Three of their practices reference a tool they no longer use. Their training records exist but live in email threads, not a centralized system. Their configuration baselines are real, but the documentation of how they were derived isn't.
They fail. Not because their security is bad. Because their evidence package tells a story that doesn't fully match their actual environment, and assessors are paid to find gaps, not give benefit of the doubt.
The Assessment Industry Is Not Your Friend
The C3PAO ecosystem is staffed heavily by people who came out of Big 4 audit and federal consulting. Their natural posture is adversarial — not malicious, but rigorous in a way that rewards complete documentation packages and penalizes anything that requires interpretation.
Industry estimates put CMMC Level 2 assessments in the range of $50,000–$150,000 depending on scope, with remediation costs on top if you don't pass the first time. For a small business running 10–15% margins on $5M in revenue, a failed assessment followed by a remediation cycle and re-assessment isn't just expensive — it can push a contract award out by 6–12 months, which in federal contracting can mean losing the work entirely.
This is where the proof problem becomes a bid/no-bid problem. If you're evaluating an opportunity in the bid strategy stage and your CMMC documentation posture isn't ready, you're not just risking the assessment cost — you're risking the time-to-award window. Some small businesses are going to win competitions and then fail to meet the CMMC condition of award. That's not a compliance failure. That's a capture failure.
Primes that know their sub's CMMC readiness is shaky have cover to quietly stop awarding subcontracts to them. They're not discriminating — they're managing compliance risk. If your documentation posture is weak, you may be getting filtered out at the teaming stage before the RFP even drops.
Rev. 3 Is Coming. Don't Optimize for Rev. 2.
The compliance trade press is starting to flag that CMMC Rev. 3 is on the horizon. The underlying NIST SP 800-171 has already moved to Revision 3, which added 17 new requirements and reorganized the control families. CMMC's rulemaking will eventually catch up.
Small businesses that are just now getting their documentation in order for Level 2 assessments based on NIST 800-171 Rev. 2 need to understand that the framework isn't static. The evidence package you build now should be designed to be maintainable — not just passable for one assessment cycle.
That means treating your SSP as a living document with a real change control process. It means your POA&M has actual closure dates with evidence attached, not open items that have been sitting unaddressed for a year. It means your training records are in a system that can generate a report, not scattered across inboxes.
The businesses that will handle CMMC well over time are the ones building compliance infrastructure, not just compliance snapshots.
What This Means for BD Decisions Right Now
If you're a small business BD lead evaluating DoD opportunities, CMMC readiness needs to be part of your bid/no-bid analysis — not because the controls are the hard part, but because the documentation posture determines your real timeline to award.
Three questions worth asking before you commit pursuit resources:
1. Is your SSP current and cross-referenced to your actual environment? Not the environment you had 18 months ago. The one you're operating today, including every tool, every boundary, every user.
2. Can your evidence package stand alone? If an assessor walked in tomorrow and you handed them a box of artifacts and left the room, would they be able to map every practice to its implementation evidence without you explaining anything?
3. What's your remediation buffer? If you fail an assessment or get a Conditional CMMC, how long does remediation take and does that timeline fit within the award window of the opportunity you're pursuing?
If the answers are shaky, that's a concrete factor in how much pursuit cost you should commit — and whether teaming up with a prime who already holds a CMMC certification is a better path for this particular pursuit.
CMMC is a real security program and the underlying requirements exist for legitimate reasons. But in the contracting context, it's also a documentation game. The companies that treat it as a security-only problem are the ones that are going to be surprised when a solid implementation fails an assessment because the paper trail wasn't there.
The proof problem is solvable. But you have to know that's the problem you're solving.
Frequently Asked Questions
If we have all the NIST 800-171 controls implemented, why would we fail a CMMC assessment?
Implementation and documentation of implementation are different things. An assessor needs timestamped, traceable evidence that each control is operating consistently — not just that you've deployed the right tools. Policies, configuration outputs, training records, logs, and your SSP all need to align with each other and with your current environment. Gaps in any of those layers can result in a failing or conditional finding even when the underlying security is real.
How long does it realistically take to get documentation assessment-ready if we have the controls in place?
For a small business with solid controls but weak documentation, industry practitioners generally estimate 3–6 months of focused effort to build a clean, assessor-ready evidence package — assuming you're not rebuilding the controls themselves. That estimate can stretch significantly if your SSP needs to be rewritten from scratch or if you have unresolved POA&M items that require actual remediation.
Should we disclose our CMMC status to a prime before they ask?
Yes, and proactively. Primes are doing their own compliance risk management, and a sub who volunteers their CMMC readiness status — including honest gaps and a remediation timeline — is easier to work with than one who obscures it until the teaming agreement is signed. Surprises late in the process damage relationships. Transparency early creates room for structure (like phased teaming arrangements or a prime-led compliance support model).
Does CMMC Level 1 create similar proof problems for smaller businesses?
Level 1 (17 practices, annual self-assessment) is significantly lighter, but the proof problem still exists in a different form. Self-assessments now feed into the Supplier Performance Risk System (SPRS), and primes are increasingly scrutinizing SPRS scores. An optimistic self-assessment that can't withstand basic scrutiny creates liability — both regulatory and reputational — when a prime does its own due diligence on your score.