Tags: Small Business, Compliance, Requirements, Subcontractors

No Small Business Exemption: What This REALLY Means

Mike Torres
Manufacturing Security Advisor
2025-12-17
9 min read

Advised global manufacturers and machine shops across Asia and US for 7 years. Now helping small shops navigate CMMC compliance without the BS.


"We're just a 5-person shop. CMMC doesn't apply to us, right?"

Wrong.

"We only make a few parts for one prime. Surely there's a small business exemption?"

Nope.

"We're subcontractors. This is the prime's problem, not ours."

Also wrong.

Let's clear this up once and for all.

The DoD Was Crystal Clear: No Exemptions

From the K&L Gates legal analysis (November 2024):

"The CMMC rule provides no carve-outs for small businesses or foreign entities."

From the final DFARS rule (September 2025):

"CMMC applies to contracts above the micro-purchase threshold involving FCI or CUI."

Translation: If your DoD contract is over $10,000 (micro-purchase threshold) and you handle Federal Contract Information or Controlled Unclassified Information, you need CMMC.

Company size? Irrelevant.

Number of contracts? Irrelevant.

Revenue? Irrelevant.

The only thing that matters is:

  1. Do you have a DoD contract?
  2. Does it involve FCI or CUI?

If yes to both, you need CMMC.

Why People Think There's an Exemption

Myth 1: "Small Businesses Are Exempt from Cybersecurity Requirements"

This confusion comes from the fact that some federal regulations DO have small business exemptions.

But CMMC isn't one of them.

The DoD's logic: adversaries don't care if you're small. Chinese hackers don't skip your network because you only have 3 employees. They go after the weakest link.

And statistically, small businesses have weaker cybersecurity than large ones.

Myth 2: "We're Too Small to Be a Target"

False.

The 2023 Verizon Data Breach Investigations Report showed 43% of cyberattacks target small businesses.

Why? Because they're easier to breach. Less security. Less monitoring. Less expertise.

And if you're in the defense supply chain, you're not "too small." You're a backdoor to your prime contractor.

Hack the 5-person machine shop → steal CUI → use it to target the prime → access DoD systems.

It's called supply chain compromise. And it's one of the top threats to national security.

Myth 3: "We Only Do Commercial Work, Plus a Few DoD Parts"

If those "few DoD parts" involve CUI, your entire IT environment needs to be compliant.

You can't have a "CMMC network" and a "commercial network" unless you have strict network segmentation (basically, air-gap or equivalent).

Most shops can't afford that. So the practical answer is: make your whole environment compliant.

What "No Exemption" Actually Means

For Sole Proprietors

Yes, even you.

If you're a one-person consultant working on DoD contracts involving CUI, you need Level 2 certification.

That means:

  • Your laptop must be compliant (full-disk encryption, EDR, logging, etc.)
  • Your home office must be secure (locked room, visitor controls)
  • Your home internet must be protected (firewall, segmented network)

Can you still work from your kitchen table? Maybe, if you implement physical access controls and document them.

It's awkward, but it's required.

For Startups (1-10 Employees)

You're not exempt.

If you're a 3-person aerospace startup making export-controlled parts, you need Level 2.

Cost: $50K-$100K for implementation + assessment

Timeline: 6-9 months

That's a big chunk of your budget. But it's the cost of doing DoD business.

Some startups decide it's not worth it and pivot to commercial-only work. That's a legitimate business decision.

But if you want DoD contracts, you pay the price.

For Family-Owned Machine Shops (10-50 Employees)

You're definitely not exempt.

This is the typical CMMC target: small to mid-size manufacturers doing precision work for defense primes.

You might be doing $2M-$10M/year in DoD revenue. CMMC compliance will cost you $100K-$200K all-in (first year).

That's 5-10% of revenue for a $2M shop. Painful.

But losing DoD contracts entirely? That's a 100% revenue hit.

For Subcontractors

This is where the confusion is worst.

"We're just a sub. The prime has CMMC. We don't need it."

Wrong.

CMMC requirements flow down to subcontractors. DFARS 252.204-7021 explicitly requires primes to impose CMMC on subs handling FCI or CUI.

If you're a sub and you handle CUI, you need certification. Not the prime. You.

The prime isn't going to certify your network for you. They're going to require proof YOU'RE certified. And if you're not, they'll find a sub who is.

Real-World Examples

Example 1: 5-Person CNC Shop in Ohio

Annual DoD revenue: $800K (40% of total business)

Contracts: Make precision components from ITAR-controlled drawings

Required level: Level 2 (handling CUI)

Compliance cost: $75K (tools, consultant, C3PAO)

Decision: Painful, but worth it to keep DoD contracts

Alternative: Drop DoD work, focus on commercial. Would lose $800K revenue.

Choice: Pay $75K or lose $800K? They paid.

Example 2: 2-Person Defense Consultant

Annual DoD revenue: $250K (100% of business)

Contracts: Technical advisory services involving classified briefings (CUI)

Required level: Level 2

Compliance cost: $40K (mostly C3PAO assessment and documentation)

Decision: Shut down DoD consulting, pivot to commercial consulting

Outcome: Lost DoD work but avoided compliance costs. Revenue dropped 60% first year, recovered by finding commercial clients.

This is the hard choice some micro-businesses face.

Example 3: 30-Person Metal Fabricator in Texas

Annual DoD revenue: $4M (60% of total business)

Contracts: Sheet metal components for aerospace primes (CUI)

Required level: Level 2

Compliance cost: $150K

Decision: Implement CMMC. Already had basic IT infrastructure, so implementation was faster.

Outcome: Certified in 7 months. Retained all DoD contracts. Actually won MORE contracts because competitors weren't certified yet.

The Flow-Down Requirement

Let's talk about how this affects subs specifically.

DFARS 252.204-7021 requires primes to "flow down" CMMC requirements to subs at all tiers.

What that means:

  • Prime has CMMC Level 2 → requires Tier 1 subs to have Level 2 (if handling CUI)
  • Tier 1 sub requires Tier 2 subs to have Level 2 (if handling CUI)
  • And so on, all the way down the supply chain

Nobody escapes.

How Primes Are Enforcing This

Some primes are already requiring subs to certify even during Phase 1 (before the government mandates it).

Why? Because:

  1. Primes are liable if subs have a breach
  2. Primes want to avoid supply chain disruption when Phase 2 hits
  3. Primes are using CMMC as a competitive filter (fewer compliant subs = more negotiating power with remaining ones)

Real example: Lockheed Martin sent a memo to subs in mid-2024 saying "get CMMC certified by mid-2025 or we'll find new suppliers."

Other primes are taking a softer approach: "We prefer C3PAO-certified subs" without making it mandatory yet.

But the trend is clear: primes are pushing CMMC down to subs faster than the DoD is.

Foreign-Owned Companies

Quick note: No exemption for foreign-owned companies either.

If you're a Canadian, UK, Australian, or other foreign company doing DoD work, you still need CMMC.

Caveat: Some classified contracts require U.S.-citizen-only IT staff. But that's a separate requirement from CMMC.

CMMC itself doesn't discriminate based on ownership nationality. If you touch CUI, you need Level 2, regardless of where your parent company is based.

The Micro-Purchase Threshold Loophole (Sort Of)

The only exemption is contracts below the micro-purchase threshold.

Current threshold: $10,000

If your entire contract value is under $10K, CMMC doesn't apply.

But realistically, how many defense contractors are doing $10K contracts? Most contracts are $50K minimum, often $100K+.

So this "exemption" doesn't help many people.

Can You Just Drop DoD Work?

Some small businesses are considering this.

"CMMC costs $100K. We only make $300K/year from DoD. Let's just focus on commercial work."

It's a valid decision. But consider:

Pros of Dropping DoD:

  • Avoid CMMC compliance costs
  • Simpler IT requirements
  • Less paperwork/red tape

Cons of Dropping DoD:

  • Lose steady revenue stream (DoD contracts are reliable)
  • Lose competitive advantage (not many shops can do ITAR work)
  • Hard to get back into DoD market later (takes years to rebuild relationships)

The Hybrid Approach

Some shops are doing this:

  • Keep existing DoD contracts (grandfather clause? nope, doesn't exist)
  • Don't bid new DoD contracts
  • Wait and see if CMMC requirements relax

Warning: This doesn't work. Even existing contracts will eventually require CMMC when they renew or modify.

And CMMC requirements aren't going to relax. If anything, they'll get stricter.

What If You Can't Afford Compliance?

If you're a micro-business and truly can't afford $50K-$100K for compliance, you have a few options:

Option 1: Finance It

Some lenders offer cybersecurity compliance loans. Interest rates vary, but it's an option if you have decent credit.

Alternatively, roll the cost into your contract bids. Add 5-10% to pricing to cover CMMC. Customers might grumble, but if you're the only certified shop in your region, they'll pay.

Option 2: Partner with Compliant Companies

If you can't afford certification, subcontract through a prime who IS certified.

You handle manufacturing, they handle the CUI. You never touch CUI, so you only need Level 1 (much cheaper).

Downside: You lose the direct relationship with the end customer and probably make less margin.

Option 3: Exit DoD Market

Painful, but sometimes it's the right business decision.

Focus on commercial aerospace, automotive, medical devices — industries that value precision manufacturing but don't require CMMC.

You won't make as much margin (DoD pays well), but you won't have compliance headaches.

The Bottom Line

No small business exemption.

No subcontractor exemption.

No "we only make a few parts" exemption.

No foreign entity exemption.

If you handle CUI on a DoD contract, you need CMMC Level 2. Period.

Company size doesn't matter. You could be a solo consultant or a 10,000-person corporation. Same rules.

The only question is: Can you afford to comply, or should you exit the DoD market?

For most shops making $500K+ in DoD revenue, compliance is cheaper than losing the contracts.

For micro-businesses making $50K-$200K in DoD revenue, it's a tougher call.

Run the numbers. Make the decision. But don't assume you're exempt. You're not.


Next Steps:

Not sure if you can afford compliance? Use our cost calculator to estimate your total cost.

Need to understand what Level 2 actually requires? Read our NIST 800-171 priority guide.

Thinking about dropping DoD work? At least get a gap analysis first to see how far away you really are. It might be cheaper than you think.