For small businesses navigating the SBIR program at DOD / DOW, the CMMC cybersecurity requirement is already in the first phase of implementation. All DOD / DOW awards from 10 Nov 2025 are requiring either a CMMC Level 1 or Level 2 self-assessment.   The current CMMC Level required for a specific DOD / DOW SBIR award is determined by the Topic of that award.  The required CMMC measures must be implemented prior to any award, meaning awards can be held up without CMMC compliance.  Further, DOD / DOW plans to implement the next stage in Nov 2026 that will require any contract handling Controlled Unclassified Information (CUI) to have a 3rd party certified Level 2 CMMC.  All SBIRs will generate CUI, meaning the 3rd party certification requirement is coming quickly.

That’s why BBCetc has partnered with Totem Technologies, a team of best-in-class specialists providing CMMC certification and compliance software. Totem Tech is the trusted CMMC and NIST 800-171 compliance GRC software solution for defense contractors and their external service providers. As a DOD Tier 1 supplier, Totem Tech brings years of first-hand experience in cybersecurity requirements to offer the right approach for small businesses.

Learn about the SBIR CMMC Survival Kit™_ HRDN-IT™