Small businesses account for 73% of the companies in the Defense Industrial Base. They do not, however, account for 73% of the regulatory burden that comes with working in it.
The DoD’s Cybersecurity Maturity Model Certification program completed its two-stage rulemaking in late 2025. The first rule, establishing the CMMC framework itself, was finalized in October 2024 and took effect that December. A separate rule embedding CMMC requirements into actual defense contracts was finalized in September 2025 and took effect in November of that year, triggering a phased implementation timeline that runs through 2028.
The gap between those two rulemakings gave contractors time to prepare, but it didn’t change the underlying economics. A small contractor handling Controlled Unclassified Information now faces substantial first-year compliance costs for Level 2 certification, plus ongoing annual maintenance expenses that compound over time. For a company generating a few million dollars in annual revenue, that math can strain fast.
The SBA’s Office of Advocacy raised this issue throughout the rule’s development, warning that the program was “so complex, detailed, and costly that many small businesses would be dissuaded from even attempting to obtain certification.” Some smaller defense contractors have concluded that the cost of maintaining a place in the DoD market now exceeds the value of being there, a quiet consolidation that narrows the pool of companies realistically competing for federal work.
“There are heightened cybersecurity requirements, and contractors will not have a choice but to implement them if they want to be a government contractor,” says Margarita Howard, sole owner and CEO/president of HX5, a defense and aerospace contractor with roughly 1,000 employees at over 70 government locations across over 20 states.
Howard doesn’t treat CMMC as an external imposition so much as a structural reality her company has been building toward since its founding in 2004.
“We try to stay ahead of changing technologies like artificial intelligence and cybersecurity,” she says.
Acquisition Reform Raises a Different Set of Pressures
While CMMC has raised the compliance floor, the DoD simultaneously moved to raise the pace ceiling. In November 2025, Defense Secretary Pete Hegseth announced the conversion of the Defense Acquisition System into the Warfighting Acquisition System, a structural overhaul aimed at shifting procurement away from documentation-heavy processes toward speed and operational outcomes.
New Portfolio Acquisition Executives will oversee clusters of related acquisition programs with authority to waive non-statutory technical standards, shift resources across portfolios, and replace alternatives analyses with competitive prototyping. A 180-day mandate requires the DoD to establish a “two-to-production” standard, requiring at least two qualified sources for critical content to reduce single-supplier dependence.
Some of the WAS framework’s components require congressional action before they take effect. But the structural changes already in motion represent a real departure from how the DoD has acquired capabilities for decades. Morgan Lewis’s analysis of the framework identifies enhanced small business opportunity as an explicit design feature. Whether implementation follows stated intent is, as always, a separate question.
For contractors whose work is technically embedded rather than transactional, faster procurement cycles can cut both ways. Shorter timelines advantage firms that can field capabilities without extended qualification periods. Performance-indexed penalties for delivery delays raise the stakes on execution. HX5’s services — software and hardware engineering, research and development, modeling and simulation, mission operations support — are not peripheral functions that agencies routinely cycle through a new vendor. They are built into programs over years of sustained performance.
Howard frames this kind of depth as a deliberate operating choice, not a byproduct of scale. “To best support our customers and their respective missions, it’s imperative we fully understand and comprehend the specifics of their needs and priorities,” she says. “Experience in their respective fields, while supporting these agencies’ respective programs and missions, is very different from experience gained from working in the commercial world.”
HX5’s Approach: Building the Compliance Foundation Early
Howard built HX5 without outside capital, financing growth through internal cash flow, disciplined reinvestment, and a willingness in the company’s early years to occasionally self-fund mission-critical contracts until government reimbursements arrived. She secured four contracts during her first year through the SBA but deliberately avoided dependence on sole-source awards, pursuing competitive bids to develop capabilities that would hold up when set-aside protections expired.
That operating discipline extends into how HX5 handles compliance. “It’s important that a company’s records are impeccable when working with the government due to the compliance reporting and audits that companies have to agree to in order to perform on government contracts,” Howard says.
Cybersecurity infrastructure, in her view, belongs in the same category as financial controls: not a cost center to minimize, but a foundation to build correctly from the start. “We know that what we do is not easy to do, and it’s very expensive to ensure it’s done right,” she says.
Since 2021, HX5 has hosted eight transitioning service members through the U.S. Chamber of Commerce Foundation’s Hiring Our Heroes Corporate Fellowship, a 12-week program in which active-duty personnel work four days each week with HX5 while devoting the fifth to professional development. Veterans who have operated inside military organizational structures bring built-in familiarity with security clearance requirements, operational tempo, and the expectations that govern contractor-government relationships. Margarita Howard, an Air Force alumna who worked on the contractor side of the Tricare military health care implementation before founding HX5, has carried that perspective into hiring.
“We prefer to hire experienced individuals — people who have worked with, or supported, the Department of Defense — as this experience is always very helpful,” she says.
CMMC and the Warfighting Acquisition System are reshaping the defense market in different directions simultaneously: one raising the compliance floor, the other compressing the pace of delivery. Neither trend favors contractors whose position in the market depends on price over capability or on relationships that haven’t been tested.
But companies with two decades of embedded technical work, auditable records, and a workforce that already knows how the government operates are navigating this moment from a different starting position.
