Nobody Built the First Mile

The structural gap between CMMC assessors and the small defense contractors who need readiness work. And why the window to fix it is closing.

About 80,000 small defense contractors need CMMC Level 2 certification to keep doing the work they already do. Roughly one percent have it. The other 99 percent are stuck somewhere between knowing they need to start and knowing what starting means.

The reason is not laziness, and it is not a software problem. It is structural.

The wall in the middle of the market

103 firms in the country are authorized to assess a contractor against CMMC Level 2. By rule, no C3PAO can also do the readiness work on the same engagement it audits. Within that engagement, the firm that prepares you cannot test you. The firm that tests you cannot prepare you. This is not a bug. It is the engagement-level independence rule that makes the whole certification mean anything.

So a small contractor needing to get ready has to find someone else. That someone has to be experienced enough to know what assessors will accept, cheap enough to fit a contractor with two or three primes on the book, and willing to engage at the size of the work being asked. The number of firms who clear all three bars at once is small. The number who do it consistently for shops under 100 people is smaller.

Who is in the middle, and why they are not the answer

Big 4 federal practices do real CMMC work at hourly rates that put them out of reach for any shop below the $50M-revenue line. Their clients are primes and primes' top tiers, not your shop.

Tier 2 accounting firms with C3PAO authorization, including Cherry Bekaert, Aprio, Baker Tilly, RSM, and Forvis Mazars, have started to productize SMB readiness. Cherry Bekaert's "CMMC Fasttrack" launched in mid-2025 as an explicit move down-market. These firms are credible and well-staffed. Their entry-level engagements still start at price points that assume 100-employee shops rather than 30-employee shops.

Boutique CMMC consulting comes closest. Summit 7, CyberSheath, Redspin, Kieri Solutions, and a handful of others are where the community recommendations cluster. Their typical engagements range from roughly $15K at the low end to $30K and up for fuller SMB readiness packages, depending on the firm and scope. Most reserve the deeper work for clients who can spend more.

Automation platforms like Vanta, Drata, and Hyperproof sell software, not preparation. They shipped CMMC modules in 2024. The software is real. It does not replace the work of figuring out what you need, why, and how to write it down.

That leaves Registered Provider Organizations and Registered Practitioners. Roughly 250 RPOs and a few thousand RPs are credentialed to do pre-assessment advisory work. Many of them are excellent. Few of them are economically configured to deliver a complete readiness package to a 30-person shop that needs an SSP, a POA&M, and a remediation plan, end-to-end, for less than the cost of a Sprinter van.

The first mile

The first mile is the segment that needs to go from zero to a defensible Level 2 readiness package. Owner-operator, 20 to 100 people, one to four prime contracts, CUI in CAD files, no full-time security headcount, and a contracting officer who has started asking when the SSP will be ready.

This is the segment where every firm in the market either cannot work it (the C3PAOs), will not work it at the price (Big 4, Tier 2 accounting), is not configured to scale into it (boutiques at $30K and up), or is selling something adjacent to it (SaaS platforms).

That segment is who reads this page. If you are the CEO of a 40-person aerospace machine shop, your problem is not finding a list of compliance frameworks. Your problem is finding someone who will sit with you on a Tuesday afternoon and turn your business into a defensible package without charging you what it costs to hire a full-time security director.

Nobody built that. We are building it.

The window is closing

The reason this is timed and not theoretical: the door does not stay open forever.

Cherry Bekaert's Fasttrack is one of three or four early moves from accounting-firm C3PAOs to productize SMB readiness. More are coming. Vanta and Drata are publishing CMMC walkthroughs aimed at exactly the small-shop segment. At the Secureframe National Cybersecurity Summit in May 2026, General Nakasone's keynote framed the direction of the entire compliance industry as a shift from point-in-time audits to continuous certification. The firms moving fastest toward that posture are the firms most likely to push into the SMB segment as the FedRAMP 20x program proves out the model later this year.

The first mile will be served. The only question is whether it is served by firms who understand the texture of a 30-person aerospace shop's day, or by firms who treat that shop as the long tail of a deck slide. A Level 2 certification is, operationally, a contract-retention instrument. The prime does not renew a sub who cannot produce one. We have an opinion about which firms should be doing this work.

What we do

Eagle Ridge prepares small DIB contractors for CMMC Level 2 assessment. We sit at one point in a supply-chain certification loop. The prime flows the DFARS clause down. The sub needs readiness. The C3PAO does the assessment. The prime needs confirmation. Our work makes the rest of the loop close.

A typical first-mile engagement produces a System Security Plan draft, a POA&M aligned to the controls you do not yet meet, and a remediation roadmap that prioritizes the controls that matter most. Scope, evidence collection, and policy alignment work scales from there.

Pricing runs from $3,000 to $25,000, and at the lower end of that range we are honest about what is and is not in scope. $3K buys you a draft, a remediation plan, and a clear path forward. It does not buy you a fully assessment-ready package with twelve months of evidence and policy training already done. Assessment-ready packages live higher up the range, depending on the size of the shop and the state of the existing program.

We hand off cleanly when the work is done. The C3PAO who eventually assesses you will not be us. By design.

For shops who want to keep the SSP current between assessments, every engagement includes a 90-day post-certification review and a 12-month drift check. The deliverable at each is a dated attestation of SSP currency, the thing your C3PAO will ask for at reassessment. The SSP that is current the day after you certify is the SSP that earns you a clean reassessment three years later. Most firms do not stay that close to their own SSP after the engagement closes. We are designed to.

The map this page sits behind

We published a map of the CMMC services market at eagleridge.io/market-map.html. 89 firms, tools, and authorities. Filter by category, click any cell for details. The map is the inventory. This page is the argument.

If you are the CEO of a 30-person shop with two primes asking when your SSP is ready, the next step is short. Write to contact@eagleridge.io.

The reply will not be a pitch deck. It will be a short list of questions and an honest scope estimate.

Nobody built the first mile. We are building it.