Know Your Options…
What Happens When CMMC Meets a Mom-and-Pop Machine Shop?
Let me tell you the story of a small, two-person machine shop that I’ll call Ironclad Precision. Ironclad is the textbook definition of a mom-and-pop operation. It’s owned by a father in his 80s and his son who is thinking about retiring in a few years. No employees. No subcontractors.
Ironclad Precision is a sole-source supplier for three critical mechanical parts used by the U.S. Marines. Their contracts are directly with the DoD, which makes them a prime contractor. No other company is currently qualified to fabricate these parts. In addition to this prime contract work, they have a couple of small subcontracts with Quantum Naval Solutions. Quantum has been using Ironclad for a couple of decades to make these parts.
In total, Ironclad’s annual revenue from these military parts is $275,000. With a 10% profit margin, that’s just $27,500 in yearly profit. They also have occasional work making custom parts for water well drillers and farmers. All in all, they take home $80K. Dad lives with the son and his wife.
A few days ago, Ironclad Precision called me with a tough question: “Is CMMC something we should do? And if so, how do we afford it?” This is not a simple question for a business like theirs.
Let’s talk about cost. A basic CMMC Level 2 assessment alone typically starts around $30,000—already more than Ironclad’s entire annual profit from DoD work. And their situation isn’t basic. They run older, computer-controlled equipment, including a CNC machine running Windows 98.
Yes, Windows 98.
Very typical.
It’s not impossible to operate legacy equipment within a CMMC-compliant environment. But the security architecture, segmentation, and compensating controls needed to do it right can be complex and expensive. On top of that, the assessment requires documentation, policy development, and evidence that could take months to prepare—even for a larger team.
For Ironclad Precision, it’s not just a question of technical compliance—it’s a business viability decision.
Ironclad’s government work is supplemented with some commercial work (the water well drilling components and custom farm implements). But that additional revenue still isn’t enough to support the business long term or pay the family’s bills.
The owners are at a crossroads.
Now is the Time to Plan Ahead
There is a small silver lining if Ironclad starts planning now. The CMMC rule (48 CFR) has just gone to OIRA (Office of Information and Regulatory Affairs) for review. That means finalization is still at least a few months away. Ironclad probably won’t face an immediate cutoff of their DoD revenue.
It’s also unlikely that the U.S. Government will mandate CMMC Level 2 for Ironclad directly until at least the end of next year. More likely, Quantum Naval Solutions—Ironclad’s prime contractor—will soon notify Ironclad that they will need a CMMC Level 2 assessment in the near future. Maybe immediately. (Hopefully not.) Maybe in 6 months. But there is likely to be some sort of phase-in time. That’s not certain, though. I have talked to quite a few companies that are already losing contracts with big primes because of their lack of CMMC compliance. In other words, the end of Ironclad’s defense work won’t come overnight, but a slow revenue squeeze is almost certain unless they act.
To determine the best course of action, Ironclad needs help from someone who is both a CMMC expert and a business and financial analyst. They face a set of strategic questions:
1. Can they exit government contracting without financial harm? Selling their specialized fixtures for making the Marine Corps parts might be a viable exit strategy. But they have to avoid selling them for pennies on the dollar. It’s easy to assign a low value to them based on the cost of the labor hours and materials to fabricate them. The value of those fixtures includes not just machining time, but also the non-recurring engineering, design, and testing work behind them. A smart exit plan needs to account for that full value. Potential buyers, of course, will try to ignore it.
2. Can they invest in CMMC and stay in the game? If Ironclad wanted to expand DoD contracts and amortize CMMC costs across more revenue, could they scale up? Could they partner with another small business or merge? Or maybe they could scale up their commercial businesses to replace DoD contracts. Closing shop may be inevitable for them, though… The father is 85. The son is looking at retirement. There’s no one in the pipeline to take over. Continuing in the Defense Industrial Base (DIB) may not be something they want to do considering the owners’ ages and retirement plans.
3. Is there a low-cost CMMC path they haven’t considered? Could a hosted enclave or secure virtual desktop infrastructure (VDI) allow them to isolate Controlled Unclassified Information (CUI) and keep legacy equipment functional without full-blown network modernization? Perhaps a CMMC consultant could help them find a hybrid solution like VDI, where CUI is only viewed and not stored or processed locally.
That third option is tricky. The parts for the Marine Corps are manually coded into the CNC software, running on Windows 98. Replacing that setup with a VDI (or partly hybrid) solution might not be possible. But then again, perhaps it could be, if the code could be entered without ever needing to make paper prints of specifications and if the Windows 98 machine is never connected to the internet or Wi-Fi.
Tough Decisions
CMMC isn’t just a cybersecurity compliance issue for small businesses like Ironclad—it’s a life-or-death question for the company itself.
A rigid approach—telling every small shop to “just get CMMC certified”—misses the nuance of small business operations, particularly in niche manufacturing. What we need instead is a collaborative approach:
Ironclad needs to partner with business-minded security professionals who can help owners evaluate their full spectrum of options, not just CMMC compliance. Here is my advice for companies like Ironclad Precision:
1. Don’t panic. The rule isn’t final yet, and the timeline gives you space to think. You can’t wait too long, though.
2. Get expert help. Not just from a CMMC professional, but also from someone who understands ROI, market strategy, and exit planning.
3. Explore every angle. Whether that means full CMMC Level 2 compliance for the whole facility, partial enclave solutions, commercial expansion, or an orderly wind-down, the key is to make the decision proactively, not under pressure when the contracts dry up. That’s when the private equity firms will be calling and trying to buy companies for pennies on the dollar. Unfortunately, many will be selling, and it will be a buyer’s market.
Small manufacturers are the unsung backbone of the DIB. Without companies like Ironclad Precision, our warfighters don’t get the parts they need. We must make room in the compliance conversation for flexibility, scalability, and smart transition planning—especially for companies that are sole-source suppliers with deep legacy knowledge and decades of trust.
If you know a small DoD contractor in a similar spot, now is the time to connect them with the right experts. And if you’re a consultant or analyst who can help them chart the way forward, there’s no better time to step up.