The Startup Guide to CMMC
- Kedge Security Team

- Nov 25, 2025
- 6 min read

If you are a founder in the Defense Industrial Base (DIB), the "wait and see" era is officially over.
As of November 10, 2025, the Department of Defense (DoD) has begun including Cybersecurity Maturity Model Certification (CMMC) requirements in active solicitations. The final rule is effective. The phased rollout has begun.
For years, CMMC was the "boogeyman" of government contracting—looming, confusing, and constantly delayed. But today, it is a binary filter: Compliant or Disqualified.
For a startup, this presents a unique challenge. You don't have the bottomless compliance budget of a Lockheed Martin or Northrop Grumman. You have a burn rate, a product roadmap, and investors expecting 3x growth.
This guide is a strategic roadmap to CMMC for startups. We are moving beyond the legalese to map CMMC compliance directly to your company's growth stages—from Seed (getting your foot in the door) to Series C (scaling prime contracts).
Part 1: The Context (Or, Why This Isn't Going Away)
The "Trust but Verify" Shift
To understand CMMC, you have to understand why it exists. For over a decade, defense contractors were allowed to "self-attest" to their security. You simply signed a contract stating, "Yes, we follow NIST 800-171 security standards," and the DoD took your word for it.
It didn't work. The DIB continued to hemorrhage intellectual property to foreign adversaries.
CMMC 2.0 shifts the model from Trust to Verification.
Old World: You promise you are secure.
New World (CMMC): You prove you are secure, either through a verified self-assessment with personal executive liability or a third-party certification audit.
The Nov 10, 2025 Milestone
Just last week, the DoD flipped the switch. The implementation timeline is now active:
Phase 1 (Now): Self-assessments for Level 1 and Level 2 are required as a condition of contract award.
Phase 2 (Nov 2026): Third-party certifications (C3PAO) begin appearing in solicitations.
Phase 3 & 4 (2027-2028): Full implementation across all contracts.
The False Claims Act (FCA) Danger
This is critical for founders: CMMC compliance is not just an IT ticket; it is a legal peril. Under the Department of Justice's Civil Cyber-Fraud Initiative, failing to accurately report your compliance status can lead to False Claims Act lawsuits.
Founder Note: If you sign a self-attestation saying you have a score of 110/110 in SPRS, and a whistleblower reveals you actually have a score of 60, you are personally liable for treble damages.
Part 2: The Three Levels of CMMC 2.0
Do not overcomplicate this. Your level depends entirely on the type of data you handle.
| Level | Focus | Data Type | Requirement | Verification Method |
|---|---|---|---|---|
| Level 1 | Foundational | FCI (Federal Contract Information) | 17 Practices (FAR 52.204-21) | Annual Self-Assessment |
| Level 2 | Advanced | CUI (Controlled Unclassified Information) | 110 Controls (NIST SP 800-171) | Split: Self-Assessment OR Third-Party (C3PAO) |
| Level 3 | Expert | High-Value CUI | 110 + Subset of NIST 800-172 | DoD-Led Assessment |
The "Split" at Level 2
This is where most startups get confused. Level 2 is for companies handling CUI (Controlled Unclassified Information).
Non-Prioritized Acquisitions: If the data is less sensitive, the DoD may only require a Self-Assessment.
Prioritized Acquisitions: If the data involves critical national security information, you must hire a C3PAO (Certified Third-Party Assessor Organization) to physically audit you.
Part 3: The CMMC for Startups Roadmap (Seed to Series C)
Compliance shouldn't bankrupt you. Here is how to right-size your approach based on your funding and contract maturity.
Stage 1: The Seed Stage (Level 1 Focus)
The Profile: You are 5-15 employees. You are likely a subcontractor or winning SBIR Phase I grants. You do not handle sensitive CUI yet.
The Goal: "Get in the game."
The Requirement: Level 1 (FCI).
The Data: Federal Contract Information (FCI). This is basic info, like contract details, that isn't public but isn't "secret."
The Work:
Implement the 17 basic practices (e.g., lock your screens, use passwords, update your antivirus).
Submit your self-assessment score to SPRS (Supplier Performance Risk System).
Cost: Minimal ($0 - $5k). Can often be done with standard commercial tools (Google Workspace/Office 365 commercial) if configured correctly.
Stage 2: Series A (The "Gap" Phase)
The Profile: You are growing. You are chasing SBIR Phase II, TACFI/STRATFI, or bigger subcontracts. You are now touching CUI.
The Goal: "Audit Readiness."
The Requirement: Level 2 (Preparation).
The Reality Check: You likely cannot afford a full C3PAO audit yet (which can cost $30k-$50k+ just for the assessor), but you must have a System Security Plan (SSP) and a trusted SPRS score.
The Strategy:
Conduct a Gap Analysis: Assess yourself against the 110 NIST 800-171 controls.
Draft your SSP: This is your "living" document describing how you meet security rules.
Upload Score to SPRS: Even if your score is low (e.g., 40 out of 110), you must upload it to be eligible.
Create POA&Ms: "Plans of Action and Milestones" for the controls you miss. Warning: Under CMMC, you cannot leave POA&Ms for critical controls open indefinitely. You need a plan to close them.
Stage 3: Series B/C (The Certification Phase)
The Profile: You are a prime contractor or a critical sub on a major program. You are handling "Prioritized" CUI.
The Goal: "Certified & Scalable."
The Requirement: Level 2 (C3PAO Certification).
The Strategy:
The Enclave Approach: Do not try to make your whole startup compliant. It is too expensive and slows down your developers. Instead, build a "CUI Enclave"—a secure, isolated environment (e.g., using GCC High, PreVeil, or a dedicated VPC) where only CUI handling happens.
Hire a C3PAO: Schedule your assessment.
Maintenance: Compliance is now a recurring operational cost, not a one-time project.
Part 4: The Practical Path to Compliance
1. The "110 Controls" (NIST 800-171)
CMMC Level 2 is mapped 1:1 to NIST SP 800-171 Rev 2. These are the 110 definitions of "safe." They are grouped into 14 families.
AC (Access Control): Who can log in?
AT (Awareness & Training): Do your people know not to click phishing links?
AU (Audit & Accountability): Do you have logs of who did what?
IA (Identification & Authentication): MFA. Everywhere. No exceptions.
IR (Incident Response): Do you have a plan for when you get hacked?
...and 9 others.
2. The SSP (System Security Plan)
If you take one thing from this article: No SSP = No Contract.
The SSP is a document that describes how you meet the controls. It defines the boundary of your system.
Bad SSP: "We use MFA."
Good SSP: "We utilize YubiKeys for hardware-based MFA on all administrator accounts and Microsoft Authenticator for standard users, enforced via Azure AD conditional access policies."
3. SPRS (Supplier Performance Risk System)
This is the DoD's report card.
The Score: Starts at 110.
The Deduction: Every control you miss subtracts points (usually -1, -3, or -5 depending on severity).
The Result: You can have a negative score.
The Requirement: To be awarded a contract, you must have a current score (less than 3 years old) in SPRS.
How to submit: You (or your managed vendor) submit this via the PIEE (Procurement Integrated Enterprise Environment) portal.
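As an added worked example (not code from the original post), here is how the Stage 2 steps and this section fit together: a gap assessment feeds the SPRS score, and the unmet controls become a POA&M list ordered by how many points each one costs. The control ids are real NIST SP 800-171 identifiers, but the weights and implementation status are constructed sample values for illustration, not the official DoD scoring table.

```python
# Constructed sample gap assessment. Each entry: (control id, short name,
# deduction weight, implemented?). Weights follow the 1/3/5 pattern the
# post describes; the specific values here are placeholders, not DoD's table.
# Controls not listed are treated as implemented (no deduction).
SAMPLE_GAP_ASSESSMENT = [
    ("3.1.1", "Limit system access to authorized users", 5, True),
    ("3.1.2", "Limit access to permitted transactions and functions", 5, True),
    ("3.3.1", "Create and retain system audit logs", 5, False),
    ("3.5.3", "Use MFA for local and network access", 5, False),
    ("3.8.3", "Sanitize media before disposal or reuse", 5, True),
    ("3.10.3", "Escort and monitor visitors", 1, False),
    ("3.12.1", "Periodically assess security controls", 5, True),
    ("3.12.4", "Develop and maintain a System Security Plan", 3, False),
    ("3.14.1", "Identify and correct system flaws", 5, False),
]

MAX_SCORE = 110          # every assessment starts here
VALID_WEIGHTS = {1, 3, 5}


def _control_key(control_id):
    # Sort "3.14.1" after "3.3.1" numerically, not as strings.
    return tuple(int(part) for part in control_id.split("."))


def sprs_score(assessment):
    """Return the SPRS-style score: 110 minus the weight of every unmet control.

    The result can go negative when the unmet deductions exceed 110.
    """
    for control_id, _, weight, _ in assessment:
        if weight not in VALID_WEIGHTS:
            raise ValueError(f"{control_id}: weight must be 1, 3 or 5, got {weight}")
    return MAX_SCORE - sum(w for _, _, w, ok in assessment if not ok)


def poam_priority(assessment):
    """Unmet controls ordered for POA&M closure: heaviest deduction first."""
    gaps = [(cid, name, w) for cid, name, w, ok in assessment if not ok]
    return sorted(gaps, key=lambda g: (-g[2], _control_key(g[0])))


if __name__ == "__main__":
    print(f"SPRS score: {sprs_score(SAMPLE_GAP_ASSESSMENT)} / {MAX_SCORE}")
    for cid, name, weight in poam_priority(SAMPLE_GAP_ASSESSMENT):
        print(f"  POA&M  {cid:<7} -{weight}  {name}")
```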
Part 5: The "Enclave" Strategy (Your Secret Weapon)
For a Series A startup, upgrading your entire Google Workspace or Slack environment to meet GovCloud standards is a culture killer. It breaks integrations and slows down devs.
The Solution: a CUI Enclave that isolates the "radioactive" data.
Corporate Network (Commercial): Keep your MacBooks, your standard Gmail/Slack, and your dev tools here. No CUI allowed here.
Secure Enclave (GovCloud): Create a separate, smaller environment (e.g., Microsoft 365 GCC High or a secure file sharing wrapper) specifically for the 5-10 people who actually touch CUI.
Boundary Protection: Strictly police the data flow between these two worlds.
This reduces your "Scope of Assessment" from 100 employees and 500 devices to just 10 employees and 10 devices. This can save you $100k+ in implementation costs.
Summary: Your Immediate Checklist
If you are a startup founder looking at a DoD solicitation today (Nov 2025), here is your drill:
Check the RFP: Does it say "CMMC Level 1" or "CMMC Level 2"?
Level 1? Log into SPRS, confirm you do the 17 basic things, and submit your self-assessment. Total time: 2 days.
Level 2?
Define your boundary (try to use an enclave).
Perform a Gap Assessment against NIST 800-171.
Write your System Security Plan (SSP).
Calculate your score.
Upload score to SPRS.
If "Prioritized": Contact a C3PAO immediately (wait times are 6+ months).
CMMC is no longer a "future problem." It is a current market condition. The startups that treat compliance as a product feature—building it into their operations efficiently—will win the contracts that their slower, non-compliant competitors are now disqualified from.
Build Your Product. We’ll Build Your Shield.
Navigating NIST 800-171 doesn't have to mean hiring a six-figure executive or distracting your engineering team. At Kedge Security, we act as your Fractional CISO—guiding you on architecting your secure enclave, building your SSP, and walking you through your SPRS submission so you can get back to shipping code.