- A small cyber firm that does business with the DOW feels pinched by CMMC 2.0’s high costs, excessive paperwork and long waits for third-party assessors
- DOW contracts will soon require third-party certification and prime contractors and big opportunities like Golden Dome are already requiring them
- Hear the latest developments in CMMC directly from top DOW and federal officials at the 2026 Artificial Intelligence Summit on March 18!
A small cyber firm that does business with the Pentagon and the intelligence community is frustrated by the process for Cybersecurity Maturity Model Certification 2.0, specifically high costs, excessive paperwork and long waits for third-party assessors.
Angie Lienert, IntelliGenesis owner, president and CEO, told ExecutiveGov that she has spent $100,000 toward CMMC 2.0 Level 2 certification and expects to spend $180,000 to $200,000 to become fully CMMC-certified, not including updates nor additional assessments. She said CMMC 2.0’s excessive costs will eventually be passed down to the customers and that she had hoped for some sort of credit, discount or benefit in certification costs for small businesses.
What Is IntelliGenesis?
IntelliGenesis is a woman- and veteran-owned firm that has about 140 employees and revenues in the eight-figure range. It performs services such as cybersecurity and network operations, artificial intelligence and machine learning, and data science and analytics, among others.
CMMC 2.0 Level 2 mandates third-party certification starting Nov. 10, 2026, for all applicable Pentagon contracts. Jeremiah Jensen, IntelliGenesis chief operating officer and program manager, told ExecutiveGov that the company is struggling to find an available third-party assessor available because many other companies are also pursuing CMMC. In January, Jensen said the earliest IntelliGenesis could book a third-party assessor was March and, if that got postponed, October.
“Just trying to get on the schedule, and trying to push this through, and everything has been really, really staggering,” Jensen said.
Lienert feels the unavailability of third-party assessors also allows them to charge premium pricing for their services, which will also eventually get passed down to the customer and taxpayers. A mock CMMC Level 2 assessment, Lienert said, cost $40,000. If a company fails the assessment, they have to pay for another one.
Get the latest on CMMC from top DOW and federal officials at the Potomac Officers Club’s 2026 Artificial Intelligence Summit on March 18! Hear whether relief is coming for small businesses or whether CMMC will expand throughout the federal government. Secure your seat today!
What Is CMMC?
CMMC is a Department of War effort that started in the first Trump administration. It seeks to strengthen the DOW’s industrial base cybersecurity and better protect DOW information as it faces increasingly frequent and complex cyber attacks. CMMC assesses defense contractor compliance with existing safeguarding requirements for federal contract information and controlled unclassified information.
DOW officially launched a three-year rollout of CMMC 2.0 cybersecurity requirements on Nov. 10, 2025. Contracting officials will now, in what’s called Phase 1, include new CMMC 2.0 requirements in new solicitations and contracts for the basic safeguarding of FCI. Companies must self-assess and submit scores in the Supplier Performance Risk System.
Phase 2, which begins Nov. 10, 2026, will require either a self-assessment or an independent assessment by an authorized CMMC third-party assessment organization every three years, depending on the type of information involved. Phase 3, where some solicitations will require Level 3 certification, begins on Nov. 10, 2027.
Every contractor will have to be fully compliant by the fourth year, or Nov. 10, 2028.
Deltek’s 2025 Clarity Government Contracting Industry Study provides insights to how businesses are spending money preparing for CMMC. The top three cost-drivers in CMMC, according to survey respondents, are investing in new cybersecurity tools and technologies; infrastructure upgrades, such as hardware or software; and developing and documenting compliance policies and procedures. Thirty-six percent of respondents said they were hiring external CMMC consultants.
Jensen described the paperwork required for CMMC Level 2 as staggering. The company, he said, has already processed 50 documents as part of certification. IntelliGenesis also brought in a consultant, at additional cost, to help with the more technical questions because third-party assessors are not allowed to provide guidance or advice.
Lienert told her team to wait as long as possible to do CMMC Level 2 to see if the DOW would provide any sort of sliding scale for small businesses. Once she realized that help wasn’t coming, she moved forward.
Additionally, Lienert said larger companies are already forcing smaller businesses like hers to comply with CMMC ahead of the DOW’s timelines. Small businesses, she said, could find loopholes around the CMMC process by changing their business structure to stop providing services and only provide products.
If the customer wants the product, she said, there might not be any CMMC associated with it.
“Then push is going to come to shove, and we’ll see which way wins,” Lienert said.
The DOW and Katie Arrington, the Wash100 Award-winning former Pentagon chief information officer, now CIO for IonQ and considered the lead architect of CMMC, declined to comment for this article.
Are you a small business laboring through CMMC? Then you cannot miss the Potomac Officers Club’s 2026 Artificial Intelligence Summit on March 18! Hear how leading contractors are securing their AI systems to secure future DOW business. Learn of new business opportunities with AI and cybersecurity. Sign up today!
Deltek Insights on Small Businesses and CMMC Level 2
An expert on cybersecurity and the CMMC process was not surprised to hear IntelliGenesis’ concerns. Michael Greenman, Deltek senior product marketing manager, told ExecutiveGov that CMMC’s development has had a lot of starts and stops, and opponents and proponents, along the way before implementation.
Greenman said many businesses were skeptical, or even doubtful, that CMMC would get implemented. The market, he said, may have also been misled as to CMMC’s importance, when it would be implemented and how quickly it would be required.
But Greenman said businesses who started the CMMC process early are being rewarded. Firms that started the compliance process earlier had better available third-party assessors and, thus, lower fees.
Additionally, Greenman said CMMC serves a competitive differentiator, as it’s not a bad thing to have extra security, credentials and receipts.
“You have gone through this extra effort to demonstrate to your customer, whether the federal government or a prime contractor, that you have the security, and proof,” Greenman said. “That’s when the lights flicked [on] for that group of typically highly-intelligent, highly-motivated individuals.”
Is CMMC Required for Golden Dome?
Yes, CMMC is required for the first two Golden Dome homeland missile defense system contract vehicles. The Scalable Homeland Innovative Enterprise Layered Defense, or SHIELD, both require CMMC Level 2, and, in some cases, Level 3, to do business, Greenman said this caught many small businesses by surprise.
Golden Dome is an especially lucrative program. SHIELD is potentially worth $151 billion over 10 years. Golden Dome, overall, is estimated to cost at least $252 billion over 20 years. The White House has already provided a $25 billion down payment for Golden Dome.
Greenman doesn’t believe the DOW should have provided special considerations, or a sliding scale, for small businesses in CMMC. Data has to be protected, he said, regardless of how cheap or expensive it can be. Greenman said small business CMMC certification is important because their security is weaker than security used by the DOW, and they’re targeted for data breaches.
“They’re not going to try to attack the Pentagon,” Greenman said. “That data needs securing because our warfighters are in danger and our national security is in danger now more than ever.”
Prime Contractors Wield Influence in CMMC Level 2
Greenman said prime contractors have the most effective leverage in CMMC to garner compliance from smaller businesses. He said they have published communication putting subcontractors and small businesses on notice that they are taking CMMC seriously.
Primes aren’t going to risk their business, Greenman said, to uncertified supply chain members because the primes are both in positions of responsibility and enforcement.
“They hold the authority,” Greenman said. “They hold the responsibility and ability to kind of command and demand compliance.”
Could the US Government Expand CMMC?
The federal government could also expand CMMC to other agencies. Greenman said the General Services Administration is starting to put similar language in its contracts. There could also be a top level Federal Acquisition Regulation rule implemented in 2026, he said, that will require all agencies to mandate National Institute of Standards and Technology SP 800-171, likely revision three, as a minimum standard requirement for all contracts.
Of course, how it would be enforced is another open question, he said.
