CMMC's Middle-Market Squeeze: What It Actually Looks Like From the Inside
Getting through Cybersecurity Maturity Model Certification (CMMC) Level 2 certification has been one of the more challenging experiences I have seen running this business for 18 years. That should tell you something.
My team at IntelliGenesis has already produced more than 50 policies, procedures and documents for this process. We have spent tens of thousands of dollars so far, and we are not done yet. By the time we complete our CMMC assessment, I expect we will have spent well into six figures.
That is real money for a company our size.
Here is what I think deserves more attention: the companies feeling this most acutely are not the smallest shops or the large primes. Companies like mine are the ones in the middle. We have around 140 employees. We work across multiple contracts with the intelligence community and defense customers. We have complex networks, distributed teams and legacy systems mixed with modern ones. That combination makes CMMC readiness genuinely difficult to plan and execute.
The Middle Gets Stretched Thin
If you are a two- or three-person company, your information technology footprint is simple. You can move fast. Leadership can make decisions on the spot. If you are a large prime, you have dedicated compliance teams, legal staff and policy people. You hand this off to them, and they handle it.
But in the middle? We do not have those dedicated resources. When I need someone working on CMMC documentation, I pull them off proposals or delivery work. Everything competes for the same people and the same hours. We brought in a consultant to help because the assessors made it clear that they are not in a position to give advice. They review your documents. So now, we are paying for that guidance separately.
The mock assessment, the actual assessment, the consultant fees, the infrastructure upgrades. It adds up quickly. And if you do not pass the first time, you go through the assessment process again. We are focused on getting through on the first try.
When we started looking for an assessor, the earliest available slot was months out. Everyone is trying to get through this process around the same time, and there are only so many certified CMMC Third-Party Assessment Organizations (C3PAOs). The demand for C3PAOs is high and the supply is limited, which affects both scheduling and pricing.
On top of that, once you achieve certification, you need to maintain a Government Community Cloud High infrastructure. Many of the tools you already use now require the Federal Risk and Authorization Management Program-compliant version, which comes at a premium. Those recurring costs are part of the equation too.
What It Means if Mid-Sized Companies Slow Down
I have talked to other mid-sized companies that are weighing their options carefully. Some are saying they will hold off and focus on commercial work until the process matures a bit more. The margins on some government contracts are already thin. Layer this on top, and the math gets harder to justify.
That is worth paying attention to at the policy level. If mid-sized companies pull back, even temporarily, the vendor pool shrinks. Some of the more technical, more specialized companies may take their capabilities to commercial markets where the compliance burden is lighter.
Large primes are also starting to push their own CMMC expectations down to subcontractors ahead of the official government timelines. So mid-tier suppliers are not just tracking the federal deadlines. They are also managing whatever their prime partners decide to require. That adds another layer of pressure.
We Are Moving Forward
We are going through with certification. We do not really have a choice. We are a cybersecurity company that builds network defense tools. It would not make sense to tell customers that our product helps with CMMC controls and then not be certified ourselves. Our assessment is coming up soon, and we are preparing accordingly.
But I do think this process could work better for companies in our position. The costs are significant. The timelines are compressed. And the infrastructure to support the volume of companies going through this is still catching up.
CMMC is designed to protect the defense industrial base, and those are the right goals. My concern is that if the implementation creates too much friction for mid-tier companies, the ones that bring specialized capabilities and can move quickly, then we may end up with a narrower supplier base than we intended. That is a tradeoff worth watching as this rolls out.
Angie Lienert is president and CEO of IntelliGenesis LLC, a woman-owned and veteran-owned defense technology company she founded in 2007. Lienert leads IntelliGenesis’ work across applied AI, cybersecurity and mission-focused software supporting U.S. defense and intelligence organizations.