March 2, 2026

What Assessors Are Saying About Small Contractors and CMMC

There is a version of the CMMC story that gets told in public: compliance is achievable for businesses of all sizes, the framework was designed to be scalable, and Level 1 is within reach for any contractor willing to put in the work.

There is another version of the story, the one assessors tell privately. If you're a small subcontractor, the private version is about you.

Assessors, the people whose job is to evaluate whether contractors actually meet the requirements, describe a supply chain split into two groups. One group has the resources, the technical staff, and the organizational discipline to achieve and maintain compliance. The other group has none of those things and doesn't know it.

The second group is overwhelmingly composed of small subcontractors.

What assessors say privately, and don't say publicly, is that the compliance gap in the second group is not a gap that more consulting can close. It's a structural mismatch between what the framework requires and what these businesses are able to sustain. You can bring a small contractor into compliance with a focused effort and enough money. Maintaining that compliance is a different problem: keeping the documentation aligned with reality, keeping the controls enforced as people and systems change, and keeping the attestation accurate month after month all require an ongoing investment that many small contractors can't make.

The assessors who evaluate both large and small contractors see the difference in real time. A large prime's compliance environment is maintained by a dedicated team. A small sub's compliance environment was set up by a consultant who left after the documentation was delivered. The prime's environment stays compliant because people are paid to keep it compliant. The sub's environment drifts because nobody is watching.

The implication that assessors dance around, the one that nobody in an official capacity will state directly, is that a meaningful percentage of small subcontractors in the defense supply chain are operating under CMMC self-assessments that would not survive independent verification. Not because they cheated. Because the compliance model doesn't match their operational reality.

This creates a problem that the CMMC framework was not designed to address. The framework was designed to establish a baseline. It was not designed to account for the fact that maintaining a baseline requires infrastructure that some contractors don't have access to.

The assessors know this. The primes are beginning to realize it, which is why some of them are starting their own subcontractor verification programs rather than trusting the self-assessment scores reported in the federal system (SPRS, the Supplier Performance Risk System). And the small contractors in question are still operating on the assumption that their signed attestation means they're covered.

The assessors describe it as a timing problem. Not a question of whether the gap will create consequences, but a question of when. And for the small contractors who find out the hard way, as some already have, the economics of that timing change entirely.