CMMC L1

Sub-tier DIB suppliers handling FCI only

Small DoD subcontractors who need a self-attested SPRS score, fast.

"Self-attest against 17 NIST 800-171 controls and submit an SPRS-ready score in hours."

See the self-service journey this ICP walks through (PDF) →

Market context

~220,000 companies in the Defense Industrial Base; the vast majority are Level 1.

The DoD published the CMMC Program final rule (32 CFR Part 170) on October 15, 2024; it took effect December 16, 2024. The companion acquisition rule (48 CFR / DFARS 252.204-7021) is rolling into contracts on a phased basis from 2025 through late 2028, after which a CMMC requirement will appear in essentially every DoD solicitation that touches FCI or CUI.

Level 1 applies to any contractor that processes, stores, or transmits Federal Contract Information (FCI) — defined in FAR 52.204-21 as information provided by or generated for the government under a contract that is not intended for public release. It maps to the 17 basic safeguarding requirements in FAR 52.204-21 and is satisfied by an annual self-assessment plus a senior-official affirmation submitted in SPRS.

DoD's own regulatory impact analysis estimates roughly 139,000 Level 1 entities in the assessable population — and the typical L1 supplier is a small business of fewer than 50 employees with no in-house security staff. Prime contractors are now flowing the requirement down to even small parts suppliers, machine shops, logistics providers, and IT services firms.

These companies are NOT going to hire a $40k consultant or buy a $25k/yr GRC platform. They want a guided self-assessment, an SPRS-ready score, and an affirmation workflow — done in a day, not a quarter.

Firmographics

How to filter your list.

Employee count: 5–100 (sweet spot 10–50)
Revenue: $1M–$50M annual
NAICS codes: 332, 333, 336411, 336413, 541330, 541512, 541611, 541715, 561210
Geography: US-based, DoD supplier clusters (TX, FL, OH, CA, VA, MA, PA)
Government data: Handles FCI only — no CUI, no ITAR, no classified
Tech stack signals: Microsoft 365 (commercial), QuickBooks, basic MSP
Contract footprint: 1+ active DoD prime or sub award in SAM.gov / USAspending

Buyer personas

Who's actually in the room.

Owner / President

Owns: Everything. Sales, ops, banking, and now compliance.
Fears: Losing the DoD contract that pays the lease. Personal liability on the affirmation.
Measured on: Contracts kept and won.
Where to find them: Local NDIA / APEX Accelerator (PTAC) chapters, manufacturing trade groups.

Office Manager / Controller

Owns: Vendor portals, SAM.gov registration, insurance certs, and 'whatever IT thing the prime is asking for now.'
Fears: Missing a renewal deadline and being told 'we can't issue the PO.'
Measured on: Zero late filings.
Where to find them: LinkedIn groups for govcon ops, APEX webinars, prime supplier portals.

Outsourced IT / MSP partner

Owns: Email, endpoints, backups for the contractor. Often the first to get the prime's email.
Fears: Being asked to sign something they don't understand, or losing the client to a 'compliance MSP.'
Measured on: Client retention; expand into compliance services.
Where to find them: MSP communities (Reddit r/msp, ChannelE2E, Pax8, ConnectWise).

Trigger events

When the buying window opens.

For each trigger, here's how to detect it for free. Set Google Alerts, RSS, or LinkedIn Sales Navigator job-change alerts and you'll see them before competitors do.

  • Prime contractor sends a flow-down letter, or the DFARS 252.204-7021 clause appears in a new subcontract
  • Annual SPRS score expires or affirmation lapses (yearly requirement under 32 CFR 170)
  • Company wins a new DoD subcontract or appears in a recent award announcement
  • Prime publishes a CMMC supplier survey or supplier portal questionnaire

Pain points

What they're losing sleep over.

  • No idea what FCI even is, or whether they actually handle it
  • Prime is threatening to drop them from the AVL if they can't show an SPRS score
  • Got a quote from a consultant for $25k–$60k and choked
  • Their MSP says 'we got you covered' but can't produce a single artifact
  • Affirming officer (often the owner) doesn't want to sign something they don't understand
  • Annual re-affirmation creep — last year was painful and they don't want to repeat it
  • Cyber insurance renewal is asking the same questions

Messaging angles

What converts.

"Get to an SPRS-ready Level 1 score in a single working day, not a quarter."

Guided walkthrough of the 17 FAR 52.204-21 controls, evidence checklist, and the exact SPRS submission format — no consulting retainer required.

"Protect the contract that pays your bills."

Primes are auditing the AVL now. Show your buyer a current score and affirmation before they ask.

"An answer your MSP can actually deliver against."

Hand the workbook to your existing IT provider; we tell them exactly which artifacts to produce.

Objection handling

What you'll hear, and what to say.

"We're too small — CMMC doesn't apply to us."

If you receive any FCI from a prime — drawings, statements of work marked 'For Official Use Only,' shipping data, even some POs — Level 1 applies. The 17 requirements in FAR 52.204-21 are already in your existing contracts via the FAR clause; CMMC just makes them auditable.

"Our MSP handles all that."

Great — then this is a 2-hour exercise to document what they're already doing and produce the SPRS score and affirmation. If they can't, you've identified a gap before your prime does.

"We'll wait until the prime actually requires it."

Phase 1 of DoD's rollout started in 2025; primes are already adding L1 flow-downs to new subs. By the time it's in your contract, the prime expects the score in days, not months.

"What about a C3PAO?"

Level 1 is self-assessed — no C3PAO needed. The senior-official affirmation in SPRS is what makes it official. C3PAOs are only required at Level 2 for CUI handlers.

"We already have cyber insurance."

Cyber insurance is risk transfer; CMMC is contract eligibility. Without the SPRS score and affirmation, you lose the contract — and insurers are increasingly asking for the same evidence.

AI prompt pack

Copy. Paste. Replace the placeholders.

Six prompts tuned for this ICP. Replace {{placeholders}} with your real inputs. Each prompt names the AI engines it works best with.

Account research: is {{company}} a real CMMC L1 fit?
Best with: ChatGPT-4o, Claude Sonnet 4, Gemini 2.5 Pro, Perplexity
You are a defense industrial base research analyst helping me qualify a CMMC Level 1 prospect.

Company: {{company}}
Website: {{website}}

Research and produce a one-page brief with:

1. Defense business signals
   - Active or recent DoD prime/sub awards (search USAspending.gov and SAM.gov by recipient name and DUNS/UEI).
   - NAICS codes they self-report and which map to DoD spend categories.
   - Any Capability Statement, GSA Schedule, or SBA set-aside designations (8(a), SDVOSB, HUBZone, WOSB).

2. CMMC Level 1 relevance
   - Likelihood they handle Federal Contract Information (FCI) but NOT Controlled Unclassified Information (CUI) — explain why.
   - If they likely handle CUI, flag them as a Level 2 prospect instead and stop.

3. Trigger events in the last 90 days
   - New contract awards
   - News of prime supplier-portal changes
   - Cyber incidents or breach disclosures
   - Funding, M&A, or new exec hires (especially in IT, ops, contracts)

4. Buying committee
   - Likely owner/president (LinkedIn URL)
   - Office manager / controller / contracts admin
   - IT lead or external MSP (if discoverable)

5. Outreach hook
   - One sentence tying a specific trigger to the Opsfolio CMMC Level 1 self-assessment.

Return as markdown with section headers. Cite every external claim with the source URL.

Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Prospect list builder: small DoD subs needing L1
Best with: Claude Sonnet 4, ChatGPT-4o with browsing, Perplexity
Build me a list of 25 US small businesses that are strong candidates for CMMC Level 1 self-attestation.

Filters:
- Active DoD prime or sub award in the last 24 months (use USAspending.gov as the source)
- Employee count 10–100
- NAICS: 332710, 332999, 333515, 336411, 336413, 541330, 541512, 541611, 541715, 561210
- Geography: {{state_or_region}}
- NOT currently appearing in the Cyber AB Marketplace (so unlikely to already be engaged)
- NO public mention of holding a current SPRS score above 88

For each company, return:
| Company | UEI | NAICS | Est. employees | Most recent DoD award (date, amount, prime) | Owner/President name | LinkedIn URL | Best opening hook |

Sort by most recent award descending.

Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Cold email sequence (3 touches) — CMMC L1
Best with: Any frontier model
Write a 3-touch cold email sequence to {{first_name}} ({{title}}) at {{company}}.

Context:
- {{company}} is a small DoD supplier in {{naics_industry}}.
- Trigger event: {{trigger_event}} (e.g. "won a $1.2M sub from Lockheed last month").
- They are likely Level 1 (FCI only).
- Sender: {{partner_name}}, {{partner_title}} at {{partner_company}}.

Constraints:
- Touch 1: ≤90 words, plain text, one CTA = "worth a 15-minute look?"
- Touch 2 (day 3): ≤60 words, reframe around the prime's expectations.
- Touch 3 (day 7): ≤40 words, break-up note.
- No "I hope this finds you well." No "circling back."
- Reference the trigger event specifically.
- CTA in every touch points to: {{affiliate_link}} for a self-service Level 1 readiness check.

Return as three labeled blocks: SUBJECT + BODY for each.

Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

LinkedIn connection + DM cadence — CMMC L1
Best with: Claude Sonnet 4, ChatGPT-4o
Draft a LinkedIn outbound cadence to {{first_name}} ({{title}}, {{company}}).

Cadence:
1. Connection note (≤300 chars, no pitch): mention {{trigger_event}} or a mutual context.
2. Day-1 DM after acceptance (≤500 chars): one specific observation about their DoD work + one question about CMMC L1 readiness.
3. Day-5 DM (≤300 chars): share the link {{affiliate_link}} framed as "a 17-control self-check, not a sales call."
4. Day-12 DM (≤200 chars): polite break-up.

Tone: peer-to-peer, founder-friendly, never patronizing. Avoid jargon like "synergy," "leverage," or "circle back."

Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Discovery call script — CMMC L1
Best with: Any frontier model
Generate a 15-minute discovery call script for a CMMC Level 1 prospect: {{company}}, contact {{first_name}} ({{title}}).

Structure:
1. Opening (60 sec) — confirm time, state the one reason for the call (their DoD subcontract exposure), ask permission to ask 5 questions.
2. Five qualifying questions:
   - Which DoD primes are you currently subbing to?
   - Has any prime sent you a CMMC flow-down letter or supplier survey in the last 6 months?
   - Do you have a current SPRS score on file? When was it last updated?
   - Who handles your IT today — internal or an MSP? Have they spoken to you about FCI/CUI handling?
   - If a prime asked tomorrow for your Level 1 affirmation, how long would it take you to produce it?
3. Bridge to demo (60 sec) — based on answers, frame the self-service Level 1 assessment as "a guided 90-minute exercise, not a 3-month consulting engagement."
4. CTA — book a working session OR send the {{affiliate_link}} so they can start themselves.

Include branching logic: if they handle CUI, route to a Level 2 conversation instead.

Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

Objection responder — CMMC L1
Best with: Any frontier model
Act as a senior CMMC consultant. The prospect ({{company}}, {{title}}) just said:

"{{objection}}"

Respond in 2–4 sentences. Rules:
- Acknowledge the concern in their words.
- Cite the relevant authority (FAR 52.204-21, 32 CFR Part 170, DFARS 252.204-7012 / -7021) by section.
- End with a question that moves the conversation forward, not a pitch.
- Never sound defensive. Never say "actually" or "to be fair."

Rules:
- Be concrete and specific to {{company}}; no generic compliance fluff.
- Cite the regulation by section number where relevant.
- If you don't know, say so — do not invent contract numbers, names, or dates.

External references

Go deeper.

Authoritative public sources. Bookmark these — they're the source of truth your prospects' own teams are reading.

When NOT to pursue

These prospects won't convert through the self-service flow.

  • Handles CUI, ITAR, or classified data — they are Level 2 or Level 3, not L1
  • Has no DoD revenue and no plan to pursue any
  • Already has an active SPRS score updated within the last 12 months
  • Already engaged with a Registered Practitioner Organization (RPO) or consultant

Recommended funnel

Send qualified CMMC L1 prospects to the CMMC Level 1 self-assessment.