Shifting Focus to SDVOSB Government Solicitations

Since the beginning of 2026 I’ve noticed an uptick on SDVOSB requirements over 8(a), WOSB, and Hubzone set asides. Is this shift a result of the recent SBA audit the reviews direct award contracts to 8(a)s and especially to Super 8(a)s, or the Trump Administration focus on veteran owned businesses?

This apparent shift and recent CMMC requirements seem to indicate SDVOSBs with the right contracts (i.e., OASIS+ and Polaris) and already having a Final CMMC L2 (C3PAO) are best positioned in 2026 and 2027 to receive a favorable amount of new contract awards.

What are adjustments your companies are considering to align with the apparent shift?

I look forward to hearing from this group.

reddit.com
u/DR-CT — 9 days ago
▲ 0 r/CMMC

Shifting Emphasis to SDVOSB Set Asides with CMMC

Since the beginning of 2026 I’ve noticed an uptick on SDVOSB requirements over 8(a), WOSB, and Hubzone set asides. Is this shift a result of the recent SBA audit the reviews direct award contracts to 8(a)s and especially to Super 8(a)s, or the Trump Administration focus on veteran owned businesses?

This apparent shift and recent CMMC requirements seem to indicate SDVOSBs with the right contracts (i.e., OASIS+ and Polaris) and already having a Final CMMC L2 (C3PAO) are best positioned in 2026 and 2027 to receive a favorable amount of new contract awards.

What are adjustments your companies are considering to align with the apparent shift?

I look forward to hearing from this group.

reddit.com
u/DR-CT — 9 days ago
▲ 6 r/govcon

Apparent Shift to SDVOSB Solicitations

Since the beginning of 2026 I’ve noticed an uptick on SDVOSB requirements over 8(a), WOSB, and Hubzone set asides. Is this shift a result of the recent SBA audit the reviews direct award contracts to 8(a)s and especially to Super 8(a)s, or the Trump Administration focus on veteran owned businesses?

This apparent shift and recent CMMC requirements seem to indicate SDVOSBs with the right contracts (i.e., OASIS+ and Polaris) and already having a Final CMMC L2 (C3PAO) are best positioned in 2026 and 2027 to receive a favorable amount of new contract awards.

What are adjustments your companies are considering to align with the apparent shift?

I look forward to hearing from this group.

reddit.com
u/DR-CT — 9 days ago

Shifted Emphasis To SDVOSB

Since the beginning of 2026 I’ve noticed an uptick on SDVOSB requirements over 8(a), WOSB, and Hubzone set asides. Is this shift a result of the recent SBA audit the reviews direct award contracts to 8(a)s and especially to Super 8(a)s, or the Trump Administration focus on veteran owned businesses?

This apparent shift and recent CMMC requirements seem to indicate SDVOSBs with the right contracts (i.e., OASIS+ and Polaris) and already having a Final CMMC L2 (C3PAO) are best positioned in 2026 and 2027 to receive a favorable amount of new contract awards.

What are adjustments your companies are considering to align with the apparent shift?

I look forward to hearing from this group.

reddit.com
u/DR-CT — 9 days ago
▲ 27 r/CMMC+1 crossposts

CMMC Has an Implementation Gap That SMB DoD Contractors Are Struggling With

I think one of the biggest challenges with CMMC for SMB DoD contractors is not only the requirement itself.

The bigger issue is the gap between assessment guidance and implementation guidance.

The CMMC Assessment Guide and Scoping Guide are very useful, but they are mainly written to explain what will be assessed and how the scope should be defined.

That helps assessors and compliance teams.

But many small DoD contractors are still asking very practical questions:

Where do we start?

How do we identify FCI and CUI?

Which systems are in scope?

What policies are actually required?

What technical controls should be implemented first?

What evidence should we collect?

How do we maintain this after the assessment?

This is where many SMB contractors struggle.

They are told what will be checked, but they are not always clearly shown how to build, operate, and maintain the security practices before the assessment happens.

In my opinion, CMMC should not be treated only as a compliance checklist. It needs to be treated as an implementation program that includes people, process, technology, evidence, ownership, and continuous operation.

The missing bridge is a practical implementation roadmap for contractors.

A simple way to say it:

CMMC gives auditors a guide to assess, but DoD contractors still need a guide to implement. That missing bridge is where confusion begins.

Curious to hear from others working with CMMC:

Are SMB contractors struggling more with the requirements themselves, or with translating those requirements into practical implementation?

reddit.com
u/DR-CT — 21 days ago
▲ 7 r/CMMC

Subcontractor CMMC Verification Challenges

Has anyone experienced subcontractor compliance issues with CMMC L2 verification when DFARS 252.204-7021 is in a contract mod advancing a prime contract into a new Option Period? If so, how does a prime respond to a subcontractor that is unable or refuses to provide SPRS report or other supporting evidence a CMMC L2 status?

We also noticed some SMB subcontractors initially resist providing a cyber report from SPRS, but then provide a CMMC L2 (self) verification from SPRS that is dated within a day or two of the prime requesting their status.

reddit.com
u/DR-CT — 26 days ago

Formal C-SRM Program Protects Prime Contractor Compliance

Becoming a student of CMMC evolves our understanding of the risks that can render prime contractor non-comoliance.

One of the biggest CMMC misconceptions is that a prime contractor only needs to worry about its own certification. That’s not how supply chain risk works when CUI is involved.

When an existing contract is modified to include CUI requirements and accompanying DFARS clauses are present, the prime contractor becomes responsible for ensuring CUI is protected throughout the entire performance chain—including subcontractors that may receive, access, process, store, or transmit that information.

A formal Contractor Supply Chain Risk Management (C-SRM) program helps primes verify subcontractor compliance, validate CMMC status and SPRS reporting, assess CUI handling practices, review cloud service providers, and identify security gaps before they become contractual or cybersecurity incidents.

Without a structured C-SRM process, a prime may not discover that a subcontractor is using unmanaged devices, unapproved cloud services, or non-compliant email systems until after a CUI exposure occurs.

CMMC is not just about securing your own environment. It’s about managing risk across your entire supply chain. As more and more contract modifications add CUI requirements, primes that fail to implement formal C-SRM processes are assuming significant performance, compliance, and business risk.

Don't be caught with risk exposure when your prime contract has CUI handling requirements.

🚀 Document and implement a formal C-SRM program to harden subcontractor engagement.

🚀 Determine how CUI is managed on the contract and who handles it.

🚀 Exclude access to CUI when subcontractors are unable to validate CMMC Level certification requirements.

🚀 Embed and reference the C-SRM in subcontracts that clearly state both prime and subcontractor obligations.

🚀Ensure subcontractor personnel complete annual CUI training and retain certificates of completion in the record.

🚀Consider using prime contractor CMMC-compliant managed devices for essential subcontractors that are not yet CMMC certified.

CMMC is likely one of the most disruptive regulatory changes that has hit small business GovCons in nearly 40yrs. If DFARS 252.204-7012, -7019 and -7020 were taken seriously and accurate reporting of NIST 800-171 was made in SPRS, the “general population” of SMB GovCons would have a more positive state of readiness for CMMC.

reddit.com
u/DR-CT — 29 days ago

Formal C-SRM Program Protects Prime Contractor Compliance

Becoming a student of CMMC evolves our understanding of the risks that can render prime contractor non-comoliance.

One of the biggest CMMC misconceptions is that a prime contractor only needs to worry about its own certification. That’s not how supply chain risk works when CUI is involved.

When an existing contract is modified to include CUI requirements and accompanying DFARS clauses are present, the prime contractor becomes responsible for ensuring CUI is protected throughout the entire performance chain—including subcontractors that may receive, access, process, store, or transmit that information.

A formal Contractor Supply Chain Risk Management (C-SRM) program helps primes verify subcontractor compliance, validate CMMC status and SPRS reporting, assess CUI handling practices, review cloud service providers, and identify security gaps before they become contractual or cybersecurity incidents.

Without a structured C-SRM process, a prime may not discover that a subcontractor is using unmanaged devices, unapproved cloud services, or non-compliant email systems until after a CUI exposure occurs.

CMMC is not just about securing your own environment. It’s about managing risk across your entire supply chain. As more and more contract modifications add CUI requirements, primes that fail to implement formal C-SRM processes are assuming significant performance, compliance, and business risk.

Don't be caught with risk exposure when your prime contract has CUI handling requirements.

🚀 Document and implement a formal C-SRM program to harden subcontractor engagement.

🚀 Determine how CUI is managed on the contract and who handles it.

🚀 Exclude access to CUI when subcontractors are unable to validate CMMC Level certification requirements.

🚀 Embed and reference the C-SRM in subcontracts that clearly state both prime and subcontractor obligations.

🚀Ensure subcontractor personnel complete annual CUI training and retain certificates of completion in the record.

🚀Consider using prime contractor CMMC-compliant managed devices for essential subcontractors that are not yet CMMC certified.

CMMC is likely one of the most disruptive regulatory changes that has hit small business GovCons in nearly 40yrs. If DFARS 252.204-7012, -7019 and -7020 were taken seriously and accurate reporting of NIST 800-171 was made in SPRS, the “general population” of SMB GovCons would have a more positive state of readiness for CMMC.

reddit.com
u/DR-CT — 29 days ago
▲ 6 r/CMMC

Going from CMMC L2 👉 L3

Who from within this group has looked at what it takes going from a Final CMMC L2 to achieve CMMC L3?

The cost we laid down to obtain out L2 (C3PAO) was a LOT and I shutter at the cost to get L3 (DIBCAC), but some of the opportunities we are working towards have indicated a L3 is required. While most SMBs struggle to contain costs to get a L2, requiring a SMB to demonstrate a L3 as a condition for award is seemingly paralyzing.

What are the challenges? 😱🤯🤬

What are lessons learned? 🤔

What is the cost? 💰💵💵💲💲💰

Does the DIBCAC conduct the audits or can a C3PAO?

I appreciate your inputs and feedback!

reddit.com
u/DR-CT — 1 month ago
▲ 6 r/CMMC+1 crossposts

Subcontractor CMMC L2 Compliance

As solicitations and existing contract modifications that move into option periods requiring CMMC L2 verification, how are others handling this mandatory DFARS requirement.

When DFARS 252.204-7019, -7020, and -7021 show up in contract modification and require contractors to possess a CMMC L2 (self) that is recorded in SPRS, we are finding subcontractors either resist providing verification of their status, are report “we are not yet certified, but plan to be in July or August.” with an option beginning in June, without having a certified subcontractor that would handle CUI puts the prime contractor out of compliance. The inability to report the status to contracts nearly impossible.

LB GovCons, like L3Harris, have already sent letters to their SMB supply chain requiring CMMC compliance before the end of July and provide a copy of their CMMC cyber report from SPRS or certificatation from an approved C3PAO assessor.

As for solicitations, we now incorporate CMMC verification and require validation before teaming agreements are signed.

We are finding there to be only a small number of SMBs that can confidently verify their status. Why is this and will this continue as CMMC Phase 2 rollout gets closer?

reddit.com
u/DR-CT — 1 month ago
▲ 10 r/CMMC+1 crossposts

CMMC Certification Cliff

With CMMC 2.0 going through Phase 1 self-attestation through 11/9/2026 and Phase 2 expected to begin 11/10/2026 will the DoD hold to requiring GovCons to represent a Final CMMC Level 2 (C3PAO) as a condition to receive an award of a new contract or an option period of an existing contract?

I've heard it over the past 6-months CMMC is the most disruptive thing that has hit small business GovCons in nearly 40yrs.

How will this “certification cliff” effect the DIB?

What are SB GovCons doing to align to CMMC requirements? Many are saying they are waiting until then government forces them to certify. Is this smart?

There still seems to be unclear direction as to how the government is using CMMC DFARS in solicitation, and when the DFARS show up SB GovCons quickly report their self-attestation in SPRS as all 110 controls are fully compliant without actually having implementing what is required to fully comply with NIST SP 800-171.

Can any knowledgable CMMC SMEs weigh in to help bring clarity to how CMMC requirements will go over the next 6-months and year?

reddit.com
u/DR-CT — 1 month ago