CMMC Readiness: Part 1

Before Phase 2: What Small Defense Contractors Should Get in Order Now

7/7/20266 min read

For small defense contractors, I like to think of CMMC Phase 1 as the warning light on the dashboard. It is not the full roadside emergency yet, but it is the signal that something needs attention before the pressure increases.

Before we begin, let’s clarify the timeline.

CMMC guidance says Phase 1 runs from November 10, 2025 through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments. Phase 2 is expected to increase pressure around Level 2 third-party certification requirements where applicable.

Breaking it down further:

• Phase 1 gives companies time to understand the basics: what information they handle, where that information lives, who has access to it, and whether current safeguards are actually operating as expected. A control only works if it is operating as expected.

• Phase 2 is where the pressure increases. Companies that wait until a solicitation, prime contractor, or customer requirement appears may find themselves trying to build documentation, evidence, access controls, policies, and remediation plans under deadline pressure. That is never the best time to discover that the company does not have a clear data map, access inventory, or evidence trail.

CMMC readiness does not need to start as a massive compliance project. For a small business, especially one with fewer than ten employees, the best place to start is with clarity.

Essentially, it gives companies time to understand the basics. What information they handle, where that information lives, who has access to it, and whether their current safeguards are operating correctly. A control only works if it is operating as expected. Phase 2 is where the pressure increases. The companies that wait until a contract requirement appears may find themselves trying to build documentation, evidence, access controls, policies, and remediation plans under deadline pressure, which is never fun.

CMMC readiness does not need to start as a massive compliance project. For a small business, especially one with fewer than ten employees, the best place to start is with clarity. Ask yourself the following questions:

1. Do you process, store, or transmit Federal Contract Information?

2. Do you touch Controlled Unclassified Information?

3. Are your users accessing client data through email, cloud storage, personal devices, shared drives, or third-party platforms?

4. Do you know which vendors have access to what tiers of data?

5. Can you prove that only authorized people can access sensitive information?

Phase 1 gives small contractors an opportunity to answer these types of questions before Phase 2 makes them harder to ignore. Phase 1 also gives small contractors a useful way to prepare even if they do not handle Federal Contract Information or Controlled Unclassified Information today. That may change as the business grows, pursues new contracts, supports a prime, or touches different types of customer data. Having a simple way to distinguish between categories of data is useful before the requirement becomes urgent.

Here are five practical strategies small defense contractors should focus on now.

1. Know what data you handle

Before a company can assess CMMC readiness, it needs to understand the data.

That means identifying whether the business receives, creates, processes, stores, or transmits Federal Contract Information, Controlled Unclassified Information, technical files, contract documents, client records, engineering data, pricing, specifications, or other sensitive information.

This is where many small businesses underestimate the scope. Sensitive information may not live in one formal system. It may be in email, attachments, shared folders, local laptops, project management tools, accounting systems, or vendor portals.

The first readiness step is simple: map the data, a simple data flow will work that can answer the following questions:

1. What comes in?

2. Where does it go?

3. Who touches it?

4. Where is it stored?

5. Who can send it outside the company?

6. Also, when the data is no longer needed where is it stored or how is it removed?

Without this map, pricing, scoping, assessment, and remediation all become guesswork.

2. Identify who has access and why

For very small businesses, access often grows informally.

A founder has access to everything but there might be scope creep as the company grows. As an example, a bookkeeper has access to finance files, an outside IT provider has admin rights, a contractor may still have access to a shared drive from a prior project. A personal device may be used because it is convenient but then forgotten about.

That may work operationally, but it creates risk when a company needs to demonstrate control.

Small contractors should create a basic access inventory that identifies every employee, contractor, vendor, administrator, and outside support provider with access to company systems or client data.

The key questions are:

1. Who has access?

2. What systems can they access?

3. Do they need that access?

4. Do they have administrative privileges?

5. Is multi-factor authentication enabled?

6. How is access removed when someone leaves?

This is one of the most important readiness steps because it turns informal business operations into something that can be reviewed, explained, and improved.

3. Turn the 15 Level 1 controls into operating habits

Habits have this magical way of compounding and creating huge benefits over time. CMMC Level 1 is not just a checklist and it is a basic operating model for protecting Federal Contract Information.

The 15 Level 1 requirements cover foundational areas such as access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.

For a small contractor, the goal should be to turn these controls into repeatable habits. Examples can include:

· Only authorized users access company systems.

· Users have unique accounts.

· Multi-factor authentication is enabled.

· Public information is reviewed before release or posting.

· Devices are protected, updated, and tracked.

· Old devices and files are wiped, destroyed, or securely disposed of.

· Physical access to systems and records is controlled.

· Malware protection is in place and updated.

· Security issues are identified and corrected.

These are not just technical settings; they are vital governance practices. Someone needs to own them, review them, and be able to show that they are working. Evidence is key.

4. Start collecting evidence before someone asks for it

Many small companies have some security controls in place, but sometimes they cannot prove it quickly. That becomes a problem when a prime contractor, government customer, insurer, investor, or assessment requirement asks for evidence. A verbal answer is not the same as a documented and evidenced control or response.

Evidence does not have to be complicated; it can include screenshots, user lists, device inventories, MFA settings, endpoint protection reports, vendor lists, access review records, offboarding checklists, policies, and meeting notes.

The important part is to build an evidence habit. Here are some more examples:

1. If you say MFA is enabled, can you show it?

2. If you say access is limited, can you produce the user list?

3. If you say devices are protected, can you show endpoint protection status?

4. If you say former users are removed, can you show the offboarding process?

Phase 2 readiness will be much easier for companies that already know how to collect and maintain evidence.

5. Build a realistic roadmap before the deadline creates urgency

Small contractors do not need to solve everything at once.

They do need a clear roadmap that separates immediate fixes from longer-term improvements. The roadmap should identify which systems are in scope, which controls are already operating, which gaps need remediation, which vendors need review, and which policies need to be documented.

A good roadmap should answer:

1. What needs to be fixed now?

2. What can be documented quickly?

3. What requires IT support?

4. What requires leadership approval?

5. What would affect contract eligibility?

6. What needs to be maintained monthly or quarterly?

This is also where companies should decide whether they need a one-time readiness project, ongoing advisory support, or a monthly retainer to help maintain evidence, respond to client questionnaires, and prepare for future contract requirements.

The bottom line

For small defense contractors, CMMC readiness should start with the basics: data, users, systems, access, evidence, and accountability.

Phase 1 gives companies a chance to understand where they stand and Phase 2 will reward the companies that used that time wisely.

The best time to prepare is before a solicitation, prime contractor, or customer makes the requirement urgent. A small contractor does not need a massive compliance program on day one but it does need a clear scope, a practical control baseline, and a defensible story about how it protects the information entrusted to it.

Sturnella advises defense contractors, mining, energy, and critical infrastructure companies on CMMC readiness, SEC cybersecurity disclosure, and board-level cyber governance.

contact@sturnellahq.com | sturnellahq.com | news.sturnellahq.com

Disclaimer: This article appeared on the Sturnella website at sturnellahq.com and is provided for informational purposes only. It does not constitute investment advice, financial advice, legal advice, or a solicitation to buy or sell any security or financial instrument. The information contained herein is based on publicly available sources and is believed to be accurate at the time of publication but is not guaranteed. Sturnella LLC is a capital markets cybersecurity and governance advisory firm and is not a registered investment adviser, broker-dealer, or financial institution. Always consult a qualified financial, legal, or investment professional before making any investment decision.

Contact

Reach out for discreet advisory support

Email

contact@sturnellahq.com

Sturnella LLC © 2026 All rights reserved.

  • Independence

  • Governance Precision

  • Discretion

  • Capital Markets Alignment

  • Accountability

Our Values