CMMC for Small Businesses – A Perspective on Compliance

I love a good free marketplace.

Until it turns into the Wild West, filled with echoes of blaming the marketing intern when someone advertises something blatantly erroneous.

All it takes is a few minutes on LinkedIn to find talk about CMMC for small businesses. This chatter comes from people who are either ignorant about CMMC for small business compliance and technology implementation or are simply using what they do know as scare tactics to get more business.

Should small businesses be focused on good cybersecurity hygiene? Yes. Should small businesses be as confused as they are about the number of assessment objectives within a control and rule-making timelines related to DFARS clauses that may be coming to a contract near you?

Small businesses have a billion things to worry about: R&D tax credits, hiring and expanding to meet growth capacity, dealing with supply chain pricing and availability fluctuations, and meeting the expectations of their customers, to name a few.  Just last month, one Registered Provider Organization’s LinkedIn feed read, “you shouldn’t sit on your laurels after your CMMC Assessment – you should work to improve and get better for the next one.”

This misdirection takes the small business’s eye off the ball.

The Place to Start – Cybersecurity

If you are a small business struggling to be compliant with NIST 800-171, this mindset can make your own efforts seem futile.

When we talk about CMMC for small businesses, conversations about follow-up assessments lose the forest for the trees and can become overwhelming. But then again, perhaps that’s the marketing plan for some of these pop-up CMMC shops.

Yes, contractors can get a Joint Surveillance Voluntary Assessment (JSVA) right now. For some companies, it is a good decision. For many companies that are not yet ready, it is not a good decision. A JSVA is not a gap assessment.

Federal contractors (and subcontractors) must focus on what is in front of them now. Many companies already have DFARS 252.204-7012 in their contracts. Compliance with NIST 800-171 Rev. 2 is the here and now. If a small business approaches it right, it can improve its entire operation, not just protect government data.

CMMC for Small Businesses – 4 Questions to Ask

    1. What are the lowest-hanging fruits in my environment, right now?

    For a small business with poor cyber hygiene, NIST 800-171 can be overwhelming, even for a business that has made strides over the last year or so. Money, time, and people do not grow on trees.

    A business should consider some of the “simplest” tasks it can immediately implement to improve its cybersecurity posture. For example, determine if everyone in the front office has administrative access.  If they do, limit that permission now!  Does everyone have anti-malware software installed on workstations?  How long has it been since you updated your operating system and software?

    There are meaningful tasks that, while they would make massive steps toward immediate risk mitigation, can shake up business processes, depending on the business. Multifactor authentication should be something that all businesses embrace, and a small business should determine a game plan for its implementation.

    Depending on the small business environment, some actions may help to comply with multiple requirements.  For example, protecting and controlling media during transport inherently involves controlling access to that media.  Also, under the System and Information Integrity controls, a contractor must “monitor the information system to detect attacks and indicators of potential attacks.”  They must also “identify unauthorized use of the information system.”  These things go hand-in-hand.
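The three "simplest" checks above (who has administrative access, whether anti-malware is running, and when the operating system was last patched) can be answered for a single Windows workstation with a short script. The following is an added example, not code from the original post or from Cuick Trac; it assumes an elevated PowerShell 5.1 or later session on a workstation running Microsoft Defender, and the 30-day patch-age and 7-day signature-age thresholds are assumed values for illustration, not numbers from NIST 800-171.

```powershell
# Added example: local workstation hygiene check for a small-business front office.
# Assumes Windows with Microsoft Defender and an elevated PowerShell session.
# Thresholds below are assumptions; align them with your own patch and AV policy.

$MaxPatchAgeDays     = 30   # assumed: how old the newest installed update may be
$MaxSignatureAgeDays = 7    # assumed: how old Defender's signatures may be

function Get-LocalAdminReport {
    # Least privilege: who can administer this machine? Expect the built-in
    # Administrator, an IT/MSP account, and very little else.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-AntiMalware {
    # Microsoft Defender only; a third-party AV product needs its own check.
    $s = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $s) {
        return [pscustomobject]@{ Healthy = $false; Reason = 'Defender status unavailable' }
    }
    $sigAgeDays = (New-TimeSpan -Start $s.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    [pscustomobject]@{
        Healthy = ($s.AMServiceEnabled -and $s.RealTimeProtectionEnabled -and
                   $sigAgeDays -le $MaxSignatureAgeDays)
        Reason  = "service=$($s.AMServiceEnabled) realtime=$($s.RealTimeProtectionEnabled) signatureAgeDays=$sigAgeDays"
    }
}

function Test-PatchAge {
    # The newest installed Windows update answers "when did you last update?"
    $last = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $last) {
        return [pscustomobject]@{ Healthy = $false; Reason = 'no update history found' }
    }
    $age = (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days
    [pscustomobject]@{
        Healthy = ($age -le $MaxPatchAgeDays)
        Reason  = "last update $($last.HotFixID) installed $age day(s) ago"
    }
}

# --- Report ---
"== Local Administrators on $env:COMPUTERNAME =="
Get-LocalAdminReport | Format-Table -AutoSize

$av = Test-AntiMalware
"== Anti-malware: $(if ($av.Healthy) { 'OK' } else { 'ATTENTION' }) ($($av.Reason))"

$patch = Test-PatchAge
"== Patching: $(if ($patch.Healthy) { 'OK' } else { 'ATTENTION' }) ($($patch.Reason))"
```

Run it on each front-office machine and keep the output: a list of local administrators that is longer than the people who actually need that access is the first permission to remove, and an "ATTENTION" line on anti-malware or patching is the kind of finding worth fixing before worrying about assessment objectives.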

    2. Have I mapped my data flow to get a true understanding of the scope of my environment?

    As overwhelming as it can all be, this process can help to visualize what to protect in the first place.

    Many businesses in the Defense Industrial Base (DIB) are familiar with a variety of quality management system (QMS) frameworks that have evolved and helped guide their business processes over time.

    A small business can consider the work it has implemented in its QMS to help define and map out the flow of data, products, and services. The visualization may help a business see opportunities and obstacles in the CMMC context a bit differently.

    3. Do I document what I do, and do I follow what I document?

    Businesses operating in the DIB, no matter how small, are familiar with documentation. ISO 9001 and AS9100 documentation can be what provides a small manufacturing business with the opportunity to do business in the DIB in the first place.

    A small business should take what it knows to develop documentation for the CMMC-related processes. Start simple and build. There are free and for-a-fee templates available in the marketplace, but it is important to avoid the temptation of downloading templates and simply replacing “company name” with the business name.

    4. When was the last time I practiced an incident response with my (likely small!) team?

    It may seem silly to play pretend, but talking through the “what-ifs” is key to risk management and to being more effective in the event the real thing happens. A small business should involve its team, including the business owner, a manager, and an MSP.

    Some of the scenarios a small business may want to talk through include:

    • An employee receives a phishing email and clicks on a malicious link.
    • A ransomware attack encrypts data, and there is a demand for a ransom payment.
    • A disgruntled employee intentionally leaks or steals company information.
    • A natural disaster disrupts business operations and impacts IT infrastructure.
    • A third-party vendor is compromised, affecting the business’s supply chain.

    These are the things small businesses should be in the weeds about.

    So lace up your sneakers and focus on walking the 5K before running the marathon. Do it today or do it next week, but just don’t sit on the couch.

    About the Author: Allison Krache Giddens worked for small business manufacturer Win-Tech, an aerospace precision machine shop in Kennesaw, Georgia, before buying the company with her business partner in 2020. From assistant to co-owner over the course of almost 18 years, Allison now leads as President for business operations while her business partner, John Hudson, leads manufacturing and the shop floor.

    Cuick Trac helps defense contractors satisfy all of the technical controls for NIST SP 800-171 and CMMC Level 2. Learn how with a free 30-minute demo today!