What small government contractors need to know about CMMC and FOCI
February 2, 2026
For small businesses pursuing federal and defense contracts in 2026, “contract readiness” is no longer just about past performance—it increasingly includes regulatory eligibility. Agencies are placing greater emphasis on a contractor’s cybersecurity posture and ownership transparency as part of the source selection and risk review process.
In simple terms: before you can win many defense contracts, you may need to show that your systems are secure and that your ownership structure does not present national security risks.
Two critical frameworks are shaping this landscape: CMMC (Cybersecurity) and FOCI (Foreign Ownership, Control, or Influence).
CMMC: cybersecurity now tied to eligibility
The Cybersecurity Maturity Model Certification (CMMC) program is designed to ensure that defense contractors can safeguard sensitive government information. Under the Department of Defense’s CMMC rule (32 CFR Part 170), CMMC requirements are being phased into DoD solicitations and may appear as a condition of award.
The level that applies depends on the type of data your business handles.
- Level 1 (Foundational): Handling FCI
If your business handles Federal Contract Information (FCI)—government-provided information not intended for public release—you are expected to meet CMMC Level 1 requirements.
At this level, compliance is demonstrated through an annual self-assessment and senior official affirmation submitted in the Supplier Performance Risk System (SPRS).
- Level 2 (Advanced): Handling CUI
If your business handles Controlled Unclassified Information (CUI)—such as technical drawings, blueprints, or research—you are expected to meet CMMC Level 2 requirements, which align with NIST SP 800-171.
Important nuance: Under 32 CFR Part 170, Level 2 assessments vary by acquisition. Some solicitations may allow self-assessment, while others—particularly “prioritized acquisitions”—may require a Third-Party Certification Assessment performed by a CMMC Third-Party Assessment Organization (C3PAO).
FOCI & Section 847: assessing supply chain risk
The Department of Defense is placing increased focus on Foreign Ownership, Control, or Influence (FOCI) as part of broader supply chain risk management. This scrutiny is no longer limited to companies performing classified work.
NDAA Section 847 requires beneficial ownership disclosures for certain covered defense contracts so the Defense Counterintelligence and Security Agency (DCSA) can evaluate potential foreign influence risk.
Depending on the contract, contractors may be required to disclose:
- Beneficial ownership (who ultimately owns or controls the company)
- Foreign investment, debt, or financing
- Foreign board members or governance rights
- Other relationships that could indicate foreign influence
Having foreign ownership or investment does not automatically disqualify a business, but it may trigger additional review or mitigation requirements.
What small businesses should do now
- Identify whether your work involves FCI or CUI
- Conduct or update a self-assessment against NIST SP 800-171
- Maintain a Plan of Action and Milestones (POA&M) for gaps
- Ensure your SPRS information is current, if applicable
- Review ownership, investment, and debt structures for potential foreign influence
- Organize cybersecurity and compliance documentation
UCEDC’s APEX Accelerator provides confidential, educational counseling to help small businesses understand government contracting requirements and assess readiness. We also regularly offer workshops and webinars on topics such as CMMC readiness and FOCI considerations. Visit our workshops page to view upcoming sessions and register.
Disclaimer: UCEDC’s APEX Accelerator does not provide legal advice or official CMMC certifications. Compliance requirements may change and are ultimately governed by the specific terms of each government contract.
Official Resources:
- CMMC Program Guidance: DoD CIO CMMC Portal (32 CFR Part 170 / 48 CFR)
- NIST Standards: NIST SP 800-171 (CUI Protection)
- FOCI & Section 847: DCSA Section 847 Program and DCSA FOCI Overview
- Small Business Support: APEX Accelerators Official Site
