Small Defense Contractor x The Certification Wall
A certification wall drops across the defense industrial base in November 2026, and which side of it a contractor lands on is decided months earlier, by whoever prepares them, not by the deadline itself.
For eight years the Pentagon ran its supply chain's cybersecurity on the honor system. Since late 2017, a contractor touching sensitive unclassified defense information simply attested that it met the 110 security requirements of NIST SP 800-171, and awards flowed on that signature (DFARS 252.204-7012). The honor system is over. A final acquisition rule effective November 10, 2025 began writing CMMC, the Cybersecurity Maturity Model Certification, into DoD solicitations as a condition of award (Federal Register, 48 CFR final rule, September 10, 2025). On November 10, 2026, Phase 2 begins: for work involving controlled unclassified information (CUI), contracting officers start requiring certification by an accredited third-party assessor, checked in the Supplier Performance Risk System (SPRS) before award and before option years are exercised (32 CFR Part 170). No status in SPRS, no award. The Department's own rulemaking counts 337,968 entities in the blast radius, roughly two-thirds of them small businesses.
Inside that number is a specific company. Thirty to three hundred people. A precision machine shop, an engineering services firm, an R&D house, carrying a handful of DoD contracts that quietly became a large share of revenue. Its drawings, specs, and test data are CUI whether anyone has labeled them that or not. The exposed surface is not the next bid. It is the contract already won, whose period of performance runs past November 2026 and whose option year has just become a re-qualification event. Readiness for a Level 2 assessment runs six to eighteen months. Assessor calendars are booked out months beyond that. The arithmetic between those figures and next November is the part nobody at these companies says out loud: for many, the lead time already exceeds the time remaining, and the plan is still "our IT guy thinks we're mostly there."
The Department's history with that sentence is exactly why the program exists. When DoD's own assessors began checking self-reported scores, the gap between attestation and reality was wide enough that the Justice Department built an enforcement initiative around it. Aerojet Rocketdyne paid $9 million in 2022 to settle claims it misrepresented its compliance, and contractor and university settlements have followed since (DOJ, Civil Cyber-Fraud Initiative). The new assessment is built to close that gap. Level 2 means all 110 requirements assessed; a conditional pass allows only a minority of low-weight items onto a remediation plan, and those must close within 180 days or the certification lapses. It holds for three years, with an executive affirming compliance annually, on the record. The Department priced the exercise honestly: its regulatory analysis puts Level 2 certification at roughly $105,000 to $118,000 for most organizations, the bulk of it preparation. Fewer than one thousand companies held the certificate as of early 2026, against roughly eighty thousand expected to need it (CyberAB Marketplace analyses, 2026).
The instinct at a 75-person shop is to hand this to whoever runs the network. That instinct is where first attempts fail. A generalist IT provider has typically never scoped a CUI boundary, never written a System Security Plan that survives an assessor's reading, never made the enclave decision that keeps the certification footprint small enough to afford, and never sat in an assessment. The rules even prohibit the one obvious shortcut: the firm that conducts the assessment is barred from advising the client it assesses. And the market that formed to help has a noise problem of its own. Roughly 350 Registered Provider Organizations now advertise readiness, but registration is a fee and a credentialed employee, not a completed assessment; the pool that has actually walked a contractor through certification is a fraction of the directory. Telling those apart, from inside a machine shop, with revenue on the clock, is the real problem. The certification is merely expensive. The wrong guide costs the fee, the calendar, and a failed first attempt with a queue behind it.
Practices exist that do nothing but this walk, from scoping through the assessor's actual questions, and have finished it with contractors this size. They are few, they are busy, and they are hardest to tell from the noise at exactly the moment it matters. An introduction to a vetted one is available, if the situation described here is the situation at hand.
By Your Presence is a quiet introductions practice. If this Field Note describes something you're navigating, you can write in directly: javien@byyourpresence.com.