CMMC for Solopreneurs: A Realistic Guide
You are a one-person IT shop thinking about DoD contracts. CMMC sounds overwhelming. Here is what it actually takes, what you can do this weekend, and what to POA&M for later.
Reality check
A one-person company will not score 110/110 on NIST SP 800-171. Some requirements assume multiple people, a dedicated facility, and formal HR processes. That is fine. You need a credible baseline score in SPRS (the Supplier Performance Risk System, where DFARS 252.204-7019 requires you to post your self-assessment) and a documented Plan of Action and Milestones (POA&M) for every gap. The POA&M is what makes a negative SPRS score defensible to a contracting officer.
CMMC Timeline
Phase 1: Self-assess, implement easy controls, document gaps in POA&M
Phase 2: DoD may require CMMC in new solicitations
Phase 3: CMMC becomes mandatory across DoD
6 Controls You Can Implement This Weekend
These take approximately 4 hours total and move a typical solopreneur from roughly -12 SPRS to +40.
Access control: document who has access to each system (just you). Write a one-paragraph access control policy. Enable session lock after 5 minutes of inactivity, with a password required to unlock.
Multifactor authentication: enable MFA on every account: email, cloud storage, banking, code repos. Use an authenticator app (TOTP) or a hardware security key, not SMS. Document which accounts have MFA enabled.
Encryption at rest: enable full disk encryption. Mac: FileVault (System Settings > Privacy & Security). Windows: BitLocker (Settings > Privacy & Security > Device Encryption). Verify it is active (fdesetup status on macOS, manage-bde -status on Windows) and keep the output or a dated screenshot as evidence.
Incident response: write a one-page incident response plan: (1) detect, (2) contain, (3) report to DoD via DIBNet within 72 hours of discovery, as DFARS 252.204-7012 requires, (4) preserve images and logs for at least 90 days, (5) cooperate with any DoD damage assessment. Save it to your compliance folder.
Awareness and training: complete a free cybersecurity awareness course (CISA, SANS Cyber Aces, or FedVTE). Save the completion certificate. For a one-person company, you are both the trainer and the trainee.
Boundary protection: verify your network boundary: router firewall enabled, no inbound ports forwarded to any host that stores CUI, and a VPN for remote access to CUI systems. Document the configuration; dated command output or a screenshot counts.
Controls That Are Genuinely Hard for Solopreneurs
Put these in your POA&M with a realistic remediation timeline.
Personnel screening: you cannot screen yourself. Document that you are the sole operator and accept the risk. POA&M this with a plan for when you hire.
Physical protection: a home office requires documented physical security: a locked room or cabinet for CUI, and a visitor log if anyone else enters the space. Harder than it sounds for a home office.
FIPS-validated cryptography: CUI must be protected with FIPS 140-2 (or 140-3) validated cryptographic modules, and a disk encryption product's default configuration may not be running in a validated mode. Check the module's validation certificate and, on Windows, the "Use FIPS compliant algorithms" security policy; this may require specific configurations or commercial solutions.
Remote management MFA: remote administration of systems must use MFA. If you use remote desktop or SSH, require a second factor on those connections themselves, not only on the account login behind them.
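Implementing the weekend controls is half the job; an assessor wants evidence that they are in place, and the remote-management item needs the same treatment. The script below is an added example, not part of this guide and not ClariFAR's tooling. It runs the relevant macOS or Linux commands, scores each control PASS or FAIL, and appends the raw output to a dated file in your compliance folder. It assumes macOS with FileVault, the application firewall and lsof, or Linux with lsblk, GNOME's gsettings, ufw and ss, plus OpenSSH (sshd -T needs root, so run it with sudo). The SSH rule it enforces, every AuthenticationMethods alternative chaining at least two methods, is one common way to require MFA on SSH, not the only one. Windows users can collect the equivalent evidence with manage-bde -status and Get-BitLockerVolume.

```shell
#!/bin/sh
# Evidence collector for the weekend controls (disk encryption, session lock,
# host firewall, exposed ports) and the remote-management MFA item.
# Added example; not from the original guide or from ClariFAR.
# Assumptions: macOS (fdesetup, defaults, socketfilterfw, lsof) or Linux with
# GNOME, ufw and iproute2 (lsblk, gsettings, ufw, ss), plus OpenSSH whose
# "sshd -T" needs root. Windows: manage-bde -status / Get-BitLockerVolume.
# Usage: sudo sh cmmc_evidence.sh run    (writes $HOME/compliance/evidence/...)
#        sh cmmc_evidence.sh demo        (dry run on constructed sample output)

EVIDENCE_DIR="${EVIDENCE_DIR:-$HOME/compliance/evidence}"

# ---- Checks on captured command output (pure functions, testable offline) --

# Full disk encryption: "fdesetup status" prints "FileVault is On." on macOS;
# on Linux "lsblk -o NAME,TYPE,FSTYPE" shows a crypt mapper or crypto_LUKS.
fde_ok() {
  printf '%s\n' "$1" |
    grep -Eq 'FileVault is On|(^|[[:space:]])crypt([[:space:]]|$)|crypto_LUKS'
}

# Session lock: idle timeout must be set and no more than 300 s (5 minutes).
# Accepts "300" (macOS defaults) or "uint32 300" (GNOME gsettings).
screen_lock_ok() {
  secs=$(printf '%s\n' "$1" | awk 'NR == 1 {print $NF}')
  case "$secs" in '' | *[!0-9]*) return 1 ;; esac
  [ "$secs" -gt 0 ] && [ "$secs" -le 300 ]
}

# Host firewall: socketfilterfw prints "Firewall is enabled."; ufw prints
# "Status: active". Anything else, including a missing tool, is a FAIL.
firewall_ok() {
  printf '%s\n' "$1" | grep -Eq 'Firewall is enabled|^Status: active'
}

# Listening sockets, one "addr:port" per line, minus loopback binds: whatever
# is left is reachable from the network and must be justified or closed.
exposed_listeners() {
  printf '%s\n' "$1" | awk 'NF && $0 !~ /^(127\.|\[::1\]|localhost)/'
}

# SSH MFA: every AuthenticationMethods alternative reported by "sshd -T" must
# chain two or more methods, e.g. "publickey,keyboard-interactive". The
# default ("any") or any single-method alternative fails the check.
ssh_mfa_ok() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "authenticationmethods" {
      seen = 1
      for (i = 2; i <= NF; i++) if ($i !~ /,/) weak = 1
    }
    END { exit (seen && !weak) ? 0 : 1 }'
}

# ---- Live collection: run the commands, score them, keep the raw output ----

verdict() { if "$@"; then echo PASS; else echo FAIL; fi; }
report()  { printf '%-18s %s\n' "$1" "$2" | tee -a "$OUT"; }

collect_evidence() {
  mkdir -p "$EVIDENCE_DIR"
  OUT="$EVIDENCE_DIR/controls-$(date +%Y-%m-%d).txt"
  if [ "$(uname)" = Darwin ]; then
    fde=$(fdesetup status)
    idle=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)
    fw=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)
    listen=$(lsof -nP -iTCP -sTCP:LISTEN | awk 'NR > 1 {print $9}')
  else
    fde=$(lsblk -o NAME,TYPE,FSTYPE)
    idle=$(gsettings get org.gnome.desktop.session idle-delay 2>/dev/null)
    fw=$(ufw status 2>/dev/null)
    listen=$(ss -tlnH | awk '{print $4}')
  fi
  sshd_cfg=$(sshd -T 2>/dev/null)   # empty without root, which reports FAIL
  exposed=$(exposed_listeners "$listen")

  printf '=== %s on %s ===\n' "$(date)" "$(hostname)" | tee -a "$OUT"
  report disk_encryption "$(verdict fde_ok "$fde")"
  report session_lock    "$(verdict screen_lock_ok "$idle")"
  report host_firewall   "$(verdict firewall_ok "$fw")"
  report exposed_ports   "$(printf '%s\n' "$exposed" | grep -c '[^ ]') listening off loopback"
  report ssh_mfa         "$(verdict ssh_mfa_ok "$sshd_cfg")"
  printf -- '--- raw evidence ---\n%s\n%s\n%s\n%s\n' "$fde" "$idle" "$fw" "$listen" >> "$OUT"
}

# Dry run on constructed sample output (not captured from any real host).
demo() {
  verdict fde_ok "FileVault is Off."                                 # FAIL
  verdict screen_lock_ok "uint32 300"                                # PASS
  verdict firewall_ok "Status: active"                               # PASS
  exposed_listeners "$(printf '0.0.0.0:22\n127.0.0.1:631\n*:5900')"  # 2 lines
  verdict ssh_mfa_ok "authenticationmethods any"                     # FAIL
}

case "${1:-}" in run) collect_evidence ;; demo) demo ;; esac
```

The checks are written as functions over captured command output rather than inline shell so that they can be exercised with constructed strings before you trust them on a real host, and so the same file can be re-run each month to refresh the evidence. A missing tool yields an empty string and a FAIL, which is the right default for a compliance record: unknown is not implemented.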
Find your SPRS score
Take the ClariFAR CMMC self-assessment. 5 minutes, no signup, get your score and gap report.
FAQ
Do I need CMMC if I only handle FCI, not CUI?
CMMC Level 1 (the 15 basic safeguarding requirements of FAR 52.204-21, self-assessment) covers Federal Contract Information. Level 2 (the 110 requirements of NIST SP 800-171, assessed either by self-assessment or by a third-party C3PAO depending on what the solicitation requires) is required when you handle Controlled Unclassified Information.
What is a realistic SPRS score for a 1-person company?
Most solopreneurs start between -50 and +30. With a weekend of work implementing basic controls (MFA, encryption, incident response plan), you can reach +30 to +50.
How much does CMMC Level 2 certification cost?
Third-party assessments (C3PAO) are estimated at $30K-$50K for small businesses. Level 1 is self-assessment only (free). DIY compliance tools and policies can reduce the preparation cost significantly.
Can I use a Plan of Action and Milestones (POA&M) for gaps?
Yes, for the SPRS score: under DFARS 252.204-7019 you can post a negative score as long as every unmet requirement has a POA&M with specific remediation steps and a realistic timeline. A CMMC Level 2 certification is stricter: the CMMC rule allows a POA&M only if you already score at least 88 of 110, only for lower-weighted requirements, and the gaps must be closed within 180 days, so some requirements cannot be POA&M'd at all.
This guide is for informational purposes only. CMMC requirements are evolving. Verify current requirements at acq.osd.mil/cmmc.