    Compliance

    The November 2026 Cliff Is Real. The Small Shops Are Going Over It First.

    James McMurry · April 21, 2026 · 9 min read

    There is a bad habit in this industry of talking about defense contractors like they are all giant logos with giant budgets and giant internal compliance teams.

    They are not.

    A huge amount of real defense work is carried by smaller shops that do one thing really well and have been doing it that way for years. The twelve-person precision machine shop in Ohio making titanium brackets for F-35 landing gear. The family-owned electronics outfit in Huntsville stuffing circuit boards that end up inside a Tomahawk guidance system. The composites fab in Connecticut that has been in the same family for three generations and builds radome skins for airborne early warning aircraft. The sonar transducer specialists on the coast of Maine who wind coils for Virginia-class submarines. The precision gear cutter in Texas making transmission components for the Apache.

    These are the shops that actually build America's weapons. Not the logo on the side of the missile. The ones whose names you have never heard but whose parts are in every airframe, every hull, and every warhead in the inventory.

    They are the backbone. They are not the headline. They are still on the hook.

    And in November 2026, that hook gets a lot sharper.

    The Dates Are Not Theoretical Anymore

    Phase 1 began on November 10, 2025, when the DFARS rule took effect. Level 1 and Level 2 self-assessment requirements started appearing in applicable new DoD solicitations and contracts. The DoD's own estimate is that roughly 65 percent of the Defense Industrial Base is affected.

    Phase 2 begins on November 10, 2026. That is when Level 2 certification assessments performed by C3PAOs start appearing in applicable new contracts. Where a solicitation carries the requirement, no current CMMC status in SPRS at the required level means no contract award. It means no option year exercised. It means no extension. It is that simple and that brutal.

    This is no longer academic. This is contract eligibility. This is revenue continuity. This is whether a shop stays in the room.

    The primes are already pushing it downstream. Boeing has told suppliers to start preparing for Level 2 certification now. Lockheed Martin has told its supply chain to document CMMC status in SPRS and made it clear that compliance is a condition of continued business. The flow-down is real and it is happening today.

    What 110 Practices Actually Look Like From the Shop Floor

    CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Rev. 2. That sentence is meaningless until you try to implement it in a building where the IT department is one guy named Dave who also runs the phones, the firewall, the Microsoft 365 tenant, the endpoint agents, and gets called when the copier decides to die at 4:47 PM on a Friday.

    Here is what that burden actually looks like.

    Your Controlled Unclassified Information is everywhere. It is on the CAD workstation next to the CNC machine. It is in the email your engineer just sent your prime's contracts officer. It is in a PDF sitting on the shared drive because nobody ever moved it. It is in the vendor spec your machinist printed out and taped to the side of a toolbox.

    You need an SSP. An actual System Security Plan. NIST does not prescribe a page count, but one that honestly describes every system, every boundary, every control and how each one is implemented usually runs to eighty pages or more. You have never written one. Dave has never written one. Your nephew who does your website has never written one.

    You need MFA everywhere. FIPS validated encryption. Audit logging on systems you did not know had audit logging. Incident response procedures that are documented and tested. Configuration management. Media protection. Training. Risk assessment. System integrity. You need to control the physical perimeter of a building that has been unlocked during business hours since 1987.

    You need vulnerability scanning on a documented cadence, continuous if you can manage it (800-171 only says "periodically", but the assessor wants to see the schedule and the results, not a single scan from last year). Identity threat detection. Endpoint detection and response with a human team behind it. Annual affirmations in SPRS signed by a senior official willing to put their name on it, with False Claims Act exposure if the affirmation turns out not to be true. Flow-down requirements enforced against your own subs. Evidence. Not claims. Not checklists. Actual artifacts your C3PAO assessor can pull up and verify.

    And the first time somebody asks you what your SPRS score is, you need to know the answer.
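Knowing the answer means knowing the arithmetic. The following is an added example, not JAXBERT or DoD code: it computes an SPRS score and the checks for conditional Level 2 status the way this editor reads the NIST SP 800-171 DoD Assessment Methodology and 32 CFR 170.21. The practice weights in it are a sample and an assumption; confirm every value against Annex A of the methodology, and the POA&M rules against the regulation text, before relying on them. The two shops at the bottom are constructed, not real assessments.

```python
"""Added example, not JAXBERT or DoD code: the arithmetic behind an SPRS
score and the checks for conditional Level 2 status, as this editor reads
the NIST SP 800-171 DoD Assessment Methodology and 32 CFR 170.21. The
practice weights below are a sample; confirm every value against Annex A
of the methodology before relying on it."""
from enum import Enum

MAX_SCORE = 110      # one point per practice, all implemented
MIN_SCORE = -203     # floor set by the Assessment Methodology
PASS_THRESHOLD = 88  # 0.8 * 110 rounded up: minimum for conditional Level 2 status


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                # only 3.5.3 and 3.13.11 have a partial-credit path
    NOT_IMPLEMENTED = "not implemented"
    NOT_APPLICABLE = "n/a"             # scored as met, but needs a documented rationale


# Sample weights (assumed from Annex A; check there). A practice that is not
# listed here raises KeyError rather than being guessed at.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3, "3.1.9": 1, "3.1.10": 1,
    "3.1.20": 1, "3.1.22": 1, "3.3.1": 5, "3.5.3": 5, "3.10.3": 1, "3.10.4": 1,
    "3.10.5": 1, "3.11.2": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}
# Partial credit: 3 points off instead of 5 when MFA covers remote and privileged
# access but not general users (3.5.3), or encryption is in place but not
# FIPS-validated (3.13.11).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# Level 1 practices that may never sit on a Level 2 POA&M (reading of 32 CFR 170.21).
POAM_FORBIDDEN = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def deduction(practice_id: str, status: Status) -> int:
    """Points taken off 110 for one practice in the given state."""
    if status in (Status.IMPLEMENTED, Status.NOT_APPLICABLE):
        return 0
    weight = WEIGHTS[practice_id]
    if status is Status.PARTIAL:
        if practice_id not in PARTIAL_DEDUCTION:
            raise ValueError(f"{practice_id}: no partial credit; score it NOT_IMPLEMENTED")
        return PARTIAL_DEDUCTION[practice_id]
    return weight


def sprs_score(statuses: dict) -> int:
    """statuses maps practice id -> Status; anything not listed counts as implemented."""
    total = MAX_SCORE - sum(deduction(pid, st) for pid, st in statuses.items())
    return max(total, MIN_SCORE)


def conditional_status_problems(statuses: dict) -> list:
    """Reasons this result would not earn conditional Level 2 status. Every unmet
    practice is taken to be on the POA&M, since there is nowhere else for it to go."""
    problems = []
    score = sprs_score(statuses)
    if score < PASS_THRESHOLD:
        problems.append(f"score {score} is below the {PASS_THRESHOLD}-point minimum")
    for pid, st in statuses.items():
        if st in (Status.IMPLEMENTED, Status.NOT_APPLICABLE):
            continue
        if pid in POAM_FORBIDDEN:
            problems.append(f"{pid} is a Level 1 practice and may not be on a POA&M")
        elif WEIGHTS[pid] > 1 and not (pid == "3.13.11" and st is Status.PARTIAL):
            problems.append(f"{pid} is worth {WEIGHTS[pid]} points and may not be on a POA&M")
    return problems


# Constructed shop, not a real assessment: MFA only on the VPN and admin accounts,
# BitLocker on but FIPS mode never proven, no CUI flow control, no scanning, no audit logs.
SHOP_BEFORE = {
    "3.5.3": Status.PARTIAL,
    "3.13.11": Status.PARTIAL,
    "3.1.3": Status.NOT_IMPLEMENTED,
    "3.11.2": Status.NOT_IMPLEMENTED,
    "3.3.1": Status.NOT_IMPLEMENTED,
}
# Same shop after scanning and logging are running and MFA reaches every user.
SHOP_AFTER = {
    "3.13.11": Status.PARTIAL,
    "3.1.3": Status.NOT_IMPLEMENTED,
    "3.1.9": Status.NOT_IMPLEMENTED,
}

if __name__ == "__main__":
    for label, shop in (("before", SHOP_BEFORE), ("after", SHOP_AFTER)):
        print(label, sprs_score(shop), conditional_status_problems(shop) or "eligible for conditional status")
```

The point of the "before" shop is that a 93 looks like a pass (it clears the 88 line) and still cannot earn conditional status, because three of its gaps are 5-point practices that the rule does not allow on a POA&M. The score alone never tells you whether you are eligible; which practices are open matters as much as how many points they cost.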

    The Burden Is Not Just “Do Security”

    That is the part too many people miss.

    The burden is interpreting the requirement correctly. Then implementing it in a real production environment without breaking something. Then documenting it in a way an assessor can follow. Then collecting evidence for it. Then maintaining it over time while your environment changes every week. Then surviving assessment scrutiny without finding out too late that your spreadsheet, your shared drive folder, and your half-finished policy set are not going to cut it.

    Every one of those steps is its own job. Small shops do not have six people to spread across them. They have Dave.

    The Traditional Answer Is Garbage

    The Big-4 consultants will quote you somewhere between eighty thousand and two hundred thousand dollars. They will hand you a binder. They will walk away. Your environment changes in six months and you start over.

    The spreadsheet path does not scale. A spreadsheet can add up an SPRS score if you keep the weights straight. It cannot generate an SSP. It cannot version control evidence. It does not survive an assessor asking for proof that a control was operating on a given date.

    The do-nothing path ends the company. No CMMC means no contract. No contract means the shop closes. A business that has been in one family since the Reagan administration disappears because nobody gave them a tool they could actually use. The people who made parts for this country for forty years are suddenly looking for work, and the supply chain the DoD spent decades cultivating has a hole in it.

    That is the reality we built JAXBERT to address.

    Why We Built JAXBERT

    We are a security company. We have been protecting networks for nineteen years. We are an SDVOSB. I served. Our COO served. We are the people who answer the phone at three in the morning when a client is watching an actor land on a domain controller.

    We saw what was happening to the small defense industrial base. We watched compliance vendors circle the water looking for easy money. We watched Big-4 firms roll up to machine shops in Tier 4 towns and quote them a quarter of their annual revenue for a binder.

    We said no.

    JAXBERT is built for the shop, not the prime. It is built for the thirty-person fab, the twelve-person electronics house, the fifty-person precision components company. It is built for owners and operators trying to keep the lights on and also prove to the Department of Defense that they can be trusted with controlled unclassified information.

    There are two ways to run it.

    JAXBERT Comply

    Comply is the full compliance platform. Guided assessment of all 110 practices with plain English translations. Real-time SPRS scoring. An AI compliance assistant that answers CMMC questions without making you read the NIST 800-171 PDF for the fifteenth time. Auto-generated SSP as an eighty-plus page Word document with your company name and your data. POA&M tracking with AI written remediation plans. An evidence vault with SHA-256 integrity. Mock assessment mode so you know what your C3PAO day actually looks like. A one-click assessment package you hand to your assessor.

    This is the replacement for the binder-and-walk-away model. This is the replacement for the spreadsheet. This is every tool a small shop needs to manage CMMC Level 2 without hiring a compliance officer.
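"Evidence vault with SHA-256 integrity" is worth unpacking, because the integrity part is what makes an artifact survive the question "how do I know this was not edited last night?" The following is an added example, not JAXBERT code: a manifest that records the hash and size of every artifact under an evidence directory plus a fingerprint of the manifest itself, and a verifier that reports anything modified, missing, added, or hand-edited in the manifest. The directory layout (one folder per practice id) and the file names are assumptions made for the example, and the sample artifacts are constructed.

```python
"""Added example, not JAXBERT code: the minimum behind an "evidence vault with
SHA-256 integrity". A manifest records the hash and size of every artifact under
an evidence directory plus a hash of the manifest itself; verification reports
anything modified, missing or added since. Directory layout and file names are
assumptions for the example."""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so a multi-GB log export does not get read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _relative_files(root: Path) -> dict:
    """All artifacts under root as {posix-relative-path: Path}, manifest excluded."""
    return {
        p.relative_to(root).as_posix(): p
        for p in root.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }


def _canonical_digest(body: dict) -> str:
    """Hash over canonical JSON so key order or whitespace cannot change the fingerprint."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every artifact, fingerprint the result, and write MANIFEST.json beside them."""
    entries = {
        rel: {"sha256": sha256_file(p), "bytes": p.stat().st_size}
        for rel, p in sorted(_relative_files(root).items())
    }
    body = {"algorithm": "sha256", "entries": entries}
    body["manifest_sha256"] = _canonical_digest({"algorithm": "sha256", "entries": entries})
    (root / MANIFEST_NAME).write_text(json.dumps(body, indent=2, sort_keys=True))
    return body


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the directory against a manifest. manifest_ok is False if the
    manifest itself was edited after its fingerprint was computed."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    report = {
        "manifest_ok": _canonical_digest(body) == manifest.get("manifest_sha256"),
        "modified": [], "missing": [], "unlisted": [],
    }
    present = _relative_files(root)
    for rel, meta in sorted(manifest["entries"].items()):
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != meta["sha256"]:
            report["modified"].append(rel)
    report["unlisted"] = sorted(set(present) - set(manifest["entries"]))
    return report


def demo() -> tuple:
    """Constructed run: two artifacts filed under their practice ids, a clean
    verification, then one artifact rewritten, one file added, and one manifest
    entry edited by hand."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "3.3.1").mkdir()
        (root / "3.3.1" / "audit-policy-2026-04-01.txt").write_text("Audit logging policy, v3\n")
        (root / "3.11.2").mkdir()
        scan = root / "3.11.2" / "scan-2026-04-15.csv"
        scan.write_text("host,finding,severity\ncad-ws-07,missing patch,high\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        scan.write_text("host,finding,severity\n")  # the finding "fixed" by deleting the row
        (root / "notes.txt").write_text("added after the fact\n")
        manifest["entries"]["3.3.1/audit-policy-2026-04-01.txt"]["bytes"] = 0  # hand-edited
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```

The caveat a practitioner should take from this: a manifest kept next to the evidence by the same person who can rewrite the evidence proves nothing on its own, because that person can simply rebuild it. What gives the hashes weight is recording the manifest fingerprint somewhere the operator cannot silently change, such as a dated ticket, a signed commit, or the assessor's own copy taken on the day. The hashing is the easy part; the out-of-band anchor is what an assessor is actually checking for.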

    JAXBERT Secure

    Secure is where the security company shows up.

    Comply tells you where your gaps are. Secure closes them.

    When you turn on Secure, you are deploying real security tools that cover real practices. MILBERT handles identity threat detection and covers nine practices. TACT-IO handles vulnerability management and covers eight. ARGOS brings managed detection and response with our hunt teams on the back end and covers ten. That is twenty-seven plus practices auto-covered with continuous evidence generation. Not one-time artifacts that go stale the day after you produce them. Continuous. Every day.

    This is the part most small contractors get wrong. They treat CMMC as a paperwork exercise. They write an SSP, check a box, and move on. Then the assessor shows up and asks for evidence the control is actually operating, because each practice is assessed against its objectives in NIST SP 800-171A, and those objectives ask whether the control is defined and whether it is running, not whether a policy mentions it. They have nothing. Points come off the SPRS score. Sometimes enough points that they fail.

    A lot of small contractors are going to lose points for the same reason. Not because they are careless. Because they do not have enough hands, enough time, or enough budget to build mature coverage across identity, vulnerability, and detection. A firewall and an antivirus product are not going to carry them. An MSP doing patch management is not going to carry them either.

    Secure fixes that on day one. The minute the sensors are deployed, you are generating the evidence an assessor needs. Logs, alerts, tickets, resolution records, scan results, detection history. All of it attached to the right practice in the platform. All of it ready to pull into the C3PAO package. The sensors answer the "is it operating" half of each objective; the "is it defined" half still has to be written into your SSP and procedures, which is why Comply and Secure go together rather than one replacing the other.

    You do not patch points after the fact. You stop losing them in the first place.

    That is the difference between hoping you pass and knowing you pass.

    The Clock

    Phase 1 is running right now. Phase 2 starts this November. C3PAO calendars are already filling into next year. The number of certified assessors is not keeping up with demand. The shops that wait until fall to start will not find a seat.

    If you are a small defense contractor and you have not started yet, start now. If you have been quoted two hundred thousand dollars by a consultant, hang up and call us instead.

    The primes are going to be fine. We built JAXBERT for everybody else.

    They do not need more noise. They need a way to get compliant, get protected, and keep doing the work that actually matters.

    Schedule a demo at threathunter.ai or reach out at sales@threathunter.ai. See your real SPRS score in under an hour. No binder. No spreadsheet. No excuses.