Let me be direct with you: most of the information online about CMMC is written for large prime contractors with dedicated compliance teams. You're not that. You're a 15-person machine shop in Ohio, or a 30-person IT services firm in Virginia, or a solo defense consultant who just got their first DoD contract. This post is for you.
I've spent years helping companies navigate compliance frameworks. CMMC is, without question, the most stressful one I've seen for small businesses — not because it's technically complex, but because the stakes are catastrophic if you ignore it. You lose the contract. Full stop.
Here's what you actually need to know about CMMC Level 2 compliance for small businesses in 2026.
What CMMC Level 2 actually requires
CMMC Level 2 maps to 110 security practices drawn directly from NIST SP 800-171. These aren't suggestions. They're requirements. And as of November 2026, you need a certified third-party assessor (C3PAO) to verify them — self-attestation alone won't cut it for most Level 2 contracts.
The 110 practices span 14 domains: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
That sounds overwhelming. In practice, many small businesses are already doing 40–50% of this — they just haven't documented it.
The SPRS score problem
Every DoD contractor must have a current Supplier Performance Risk System (SPRS) score on file. Your SPRS score is calculated by assessing your 110 NIST 800-171 controls — each one has a point value, and the maximum score is 110. The average score for small contractors who do an honest assessment is somewhere between 30 and 60.
If you haven't submitted a score yet, you're out of compliance right now, regardless of whether you've been asked about it.
What most small contractors get wrong
The three most common failures I see:
Confusing having IT security with having documented IT security. You might have multi-factor authentication turned on everywhere. But if you don't have a written Access Control Policy that says you require MFA, it doesn't count for CMMC. Documentation is not a formality. It's the evidence.
Treating the System Security Plan as an afterthought. Your SSP is the central document that describes your entire security posture. It should map every one of the 110 controls to how you've implemented it, who owns it, and where the evidence lives. Most contractors have either no SSP or a generic template that doesn't actually describe their environment.
Underestimating the scoping exercise. CMMC applies to systems that process, store, or transmit Controlled Unclassified Information (CUI). You need to define your CUI boundary carefully. Scope it too broadly and your assessment gets expensive fast. Scope it too narrowly and you leave CUI unprotected.
The November 2026 deadline is real
Phase 2 of CMMC enforcement means that contracts requiring Level 2 compliance will now require a certified C3PAO assessment — not a self-attestation. If you're in the bidding process for a DoD contract right now and you haven't started your CMMC journey, you are already behind.
The assessment itself takes months to schedule. C3PAOs are backlogged. And before the assessment, you need to remediate your gaps — which takes additional time. The companies that will lose contracts in 2027 are the ones reading this in 2026 and thinking "we'll deal with it later."
Where to start this week
If you've never done a formal CMMC gap assessment, start with your SPRS score. Map your current controls against the 110 NIST 800-171 requirements. Be honest. A score of 45 isn't a failure — it's a starting point with a clear remediation roadmap.
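The scoring sketched in the SPRS section and the "map your controls, then build a roadmap" step above, as an added example that is not from the original post: a small Python scorer over a constructed 110-control inventory. The 5/3/1 deduction weights are an assumption taken from the DoD Assessment Methodology rather than from the post, the control ids are placeholders, and the rule that an implemented but undocumented control earns no credit follows the post's own argument.

```python
from dataclasses import dataclass

MAX_SCORE = 110  # 110 NIST SP 800-171 controls, one point each

# The 14 domains named in the post.
DOMAINS = (
    "Access Control", "Awareness and Training", "Audit and Accountability",
    "Configuration Management", "Identification and Authentication",
    "Incident Response", "Maintenance", "Media Protection", "Personnel Security",
    "Physical Protection", "Risk Assessment", "Security Assessment",
    "System and Communications Protection", "System and Information Integrity",
)

@dataclass
class Control:
    cid: str            # control id (placeholders here, not real NIST numbering)
    domain: str
    implemented: bool   # is the technical control actually in place?
    weight: int = 1     # points lost if it does not count (assumed 5/3/1 weighting)
    owner: str = ""     # SSP field: who is responsible
    evidence: str = ""  # SSP field: where the proof lives

def counts(c: Control) -> bool:
    """Per the post: a control earns credit only when it is implemented AND
    the SSP documents an owner and an evidence location for it."""
    return c.implemented and bool(c.owner.strip()) and bool(c.evidence.strip())

def sprs_score(controls: list[Control]) -> int:
    """Start from 110 and deduct the weight of every control that does not count."""
    if len(controls) != MAX_SCORE:
        raise ValueError(f"inventory must cover all {MAX_SCORE} controls")
    return MAX_SCORE - sum(c.weight for c in controls if not counts(c))

def remediation_roadmap(controls: list[Control]) -> list[Control]:
    """Gaps ordered so the fixes that recover the most points come first."""
    return sorted((c for c in controls if not counts(c)),
                  key=lambda c: (-c.weight, c.cid))

def gaps_by_domain(controls: list[Control]) -> dict[str, int]:
    """Number of non-counting controls in each of the 14 domains."""
    return {d: sum(1 for c in controls if c.domain == d and not counts(c)) for d in DOMAINS}

def constructed_inventory() -> list[Control]:
    """Constructed sample: 110 placeholder controls, three of which are gaps."""
    inv = [Control(f"C{i:03d}", DOMAINS[i % len(DOMAINS)], True, 1, "IT lead", "config export")
           for i in range(MAX_SCORE)]
    inv[0] = Control("C000", "Access Control", True, 5, "", "")  # MFA is on, but no policy or evidence
    inv[1] = Control("C001", "Audit and Accountability", False, 3, "IT lead", "")
    inv[2] = Control("C002", "Incident Response", False, 1, "", "")
    return inv
```

Running `sprs_score(constructed_inventory())` gives 101: the undocumented MFA control costs as much as a missing one, which is the post's point about documentation being the evidence.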
Then build or update your System Security Plan. This doesn't require a consultant for Level 1 or a straightforward Level 2 environment. What it requires is time, honesty, and a structured template to work from. Scarlet Risk can generate your SSP and supporting policies in minutes.
The companies that are navigating CMMC successfully aren't necessarily the ones with the best security. They're the ones who started early, documented everything, and treated their SSP as a living document rather than a checkbox.
