The high cost of CMMC 2.0 begs the question: are we paying for real security, or just theater? As the Cybersecurity Maturity Model Certification (CMMC) Title 32 rule officially goes into effect, this question weighs dark like a storm cloud over the Defense Industrial Base (DIB). While the Department of Defense aims to better secure its supply chain, small businesses face a stark reality: comply or die. But there might be hope.
On day one of CMMC Title 32, we sat down with Zach Walker of ATX Defense and Danny Holloway of Virtru to discuss what's next for the DIB. No punches were pulled, and revelations were made: like how ATX Defense recently achieved what many claimed impossible - a perfect CMMC assessment score using Google Workspace, shattering the conventional wisdom that Microsoft GCC High is the only path forward.
Read on as we unpack their candid conversation about the future of CMMC, and discover why traditional compliance wisdom might be ready for a shake-up.
ATX Defense's journey into CMMC began differently than most compliance stories. With a background in government cybersecurity and cyber warfare, including a decade in the intel community across NSA/CIA and Air Force, Zach Walker and his partner started ATX Defense about four years ago to help government organizations institutionalize software development. Their path to CMMC evolved naturally after becoming a Google partner and securing the first direct contract for Google Workspace with assured controls to the DOD in 2021.
Recognizing a significant gap in the market, they had an epiphany: small businesses in the defense industrial base needed better options for compliance. As Walker notes, they approached this not as compliance experts (despite his status as one of only 116 lead CCAs in the world) but as business owners who understand the real priorities: making payroll and keeping contracts. This practical perspective has shaped their approach to helping others navigate the CMMC landscape.
Danny Holloway brings two decades of experience serving the federal market, with a focus on defense and intelligence customers across small businesses, startups, and commercial technology companies. His perspective on CMMC is shaped by firsthand experience with compliance challenges, particularly from his time at professional services organizations. Holloway recalls a pivotal moment after a private equity transaction when his organization was told they had to migrate away from Google Workspace because "Office 365 was the only thing that offered security controls that would allow us to be in place for CMMC clients."
Fifteen years later, he reflects that this was likely never true, but the migration was nonetheless mandated, leading to significant operational disruptions - including team members being unable to see each other's calendars during the transition. This experience has given him unique insight into how compliance requirements can impact small startups that simply need to focus on their mission while maintaining security.
The state of the DIB has become increasingly concerning, with a steady decline in supplier numbers since World War II. This shrinkage directly impacts military readiness and our national security posture, particularly in critical areas like munitions production and supporting technologies.
"If you just look at the chart going back to World War 2, the number of suppliers that we had and then watching that shrink... I think that's a crisis in and of itself," notes Walker, reflecting on the current state of the DIB.
The introduction of CMMC requirements, while necessary for security, risks accelerating this contraction.
Small businesses, which form the backbone of the DIB, face mounting pressure to implement expensive compliance measures while maintaining operational viability. This challenge is particularly acute for innovative startups and specialized suppliers who provide crucial capabilities but operate on thin margins.
The challenge for the DIB as Walker puts it - “We have to get [contractors] to want to work with us.” The compliance theater, and the cost associated with it, makes that a whole lot harder.
The reality of a CMMC assessment, as experienced firsthand by ATX Defense, involves navigating 320 specific assessment objectives, 110 controls, and more. This comprehensive evaluation requires meticulous preparation and documentation, but it's not insurmountable with proper planning.
"It is a complete nightmare to go through an assessment," Walker candidly shares. "You have to do everything that you say in your system security plan for all 320 things, and you have to be able to show evidence of doing it."
For organizations that don't achieve immediate success, there's a clear path forward. With a minimum score of 88% and primarily missing only one-point controls, companies can implement Plans of Action and Milestones (POAMs) with a six-month window for remediation.
The key is thorough preparation and understanding that perfect compliance isn't required for certification—but systematic approach to security controls is.
ATX Defense's assessment experience highlighted this disconnect. As Walker pointed out, many of the 320 assessment objectives "have very little to do with security." He described requirements like change management processes that, while potentially good practice, often add bureaucratic overhead to simple operational changes that could have been handled with a straightforward email.
Holloway cuts to the heart of the issue: "Unless we have outcome-focused regulations instead of a set of checklists, we're consistently going to find ourselves just chasing compliance and no more." With foreign intelligence services and cyber actors constantly evolving their capabilities, simply meeting compliance requirements isn't enough to ensure real security.
The key lies in finding the right balance. As Walker, both a lead CCA and business owner, candidly puts it: "I hate compliance, and I hate compliance people... I'm the business owner, so, like, I get it. Like, you don't care about CMMC. You care about making payroll."
The CMMC compliance landscape has been dominated by a persistent myth: that Microsoft GCC High is the only viable path to certification. This assumption has led many organizations down an unnecessarily expensive path, potentially threatening the very existence of small businesses in the Defense Industrial Base. The reality, as demonstrated by ATX Defense's recent perfect-score CMMC assessment, tells a different story.
The numbers are concerning for small businesses. ATX Defense received a quote from a Microsoft Managed Service Provider for $250,000 for just five people, and that was just to get to a point where they could self-attest. The actual CMMC assessment, which comes later, is estimated by the DOD to cost about $100,000.
To put these numbers in stark perspective, Walker points out a critical statistic: "The army's median contract value for small businesses, again annual revenue, not profit... $88,000." This creates an impossible equation for many small businesses - how can they justify spending more than their annual revenue on compliance?
ATX Defense is one of many in a growing movement demonstrating that there's another way.
"We went through our own CMMC assessment from the Department of Defense a couple weeks ago, using Google Workspace," Walker states. "So I'm gonna say that again for all the people that tend to post on LinkedIn that it's impossible to use Google for CMMC. We passed the DOD CMMC assessment using Google Workspace with zero Microsoft products whatsoever."
Not only did they pass, but they achieved a perfect score with no deficiencies and no Plans of Action and Milestones (POAMs), completing their assessment in less than a third of the allocated time. The cost savings are significant – Google Workspace typically runs about 70% less than GCC High licensing costs.
As Walker notes, "No one was fired for buying IBM in the nineties, and no one's fired for buying GCC High today, but it probably wasn't the best option in the nineties, and it certainly isn't the best option today."
Many modern, smaller businesses already use Google Workspace effectively. For these organizations, being told they must migrate to GCC High represents not just a financial burden but also a significant operational disruption. As Walker observes, "Every time someone moves from Google Workspace to GCC High, an angel loses its wings."
What's vital to understand is that CMMC compliance doesn't mandate any specific platform or vendor. For example, email security requirements focus on outcomes rather than specific technologies. Google Workspace, when properly configured and supplemented with appropriate security tools, can meet these requirements effectively and at a fraction of the cost.
"Charlatan" - that's Walker's new favorite word in compliance, and for good reason. In the wild west of CMMC consulting, the barrier to entry is shockingly low: pay a fee, watch a four-hour video, and suddenly you're a "registered practitioner." This has led to a flood of self-proclaimed CMMC experts who've never actually been through an assessment themselves.
"If you haven't been through it - if you're not a CMMC certified professional, a CMMC certified assessor, or one of the 116 lead assessors like I am - you probably don't know what you're talking about," Walker states bluntly.
His advice: Look beyond the sales pitch. Check if your potential vendors have actual CMMC certifications, not just a registration badge. Real expertise comes from hands-on experience with the assessment process, not just theoretical knowledge.
Even more telling: if a vendor immediately pushes for a gap assessment without understanding your business, run. As Walker puts it, "I hate doing it because I take your money to tell you that you have to fix a lot of stuff. I could tell you that for free."
Holloway reinforces this point from his two decades of federal market experience. In the era of ChatGPT, he warns, "anyone can be an expert... spell and regurgitate information without thinking through critically and understanding why am I being asked to do this, what is the outcome I'm trying to achieve, rather than just how do I check the box."
The key is finding vendors who understand not just the compliance checkboxes, but the actual security outcomes your business needs to achieve.
Despite the challenges, there are compelling reasons for optimism about the future of the DIB and CMMC compliance. The Department of Defense has made significant strides in improving its approach to working with small businesses, particularly through initiatives like the Defense Innovation Unit.
"Outside of maybe world wars, there's never been a better time to work with the Department of Defense," Walker reflects, highlighting the positive changes in contracting vehicles and processes.
The growing recognition of small business value and the need for supply chain diversity is driving positive change. Initiatives like Small Business Innovation Research (SBIR) awards and rapid contracting vehicles demonstrate the DOD's commitment to maintaining a diverse and robust industrial base. While challenges remain, the path forward includes more opportunities for businesses of all sizes to contribute to national security while maintaining compliance.
As we navigate the early days of CMMC Title 32, it's clear that compliance doesn't have to mean choosing between security and survival. Small businesses have viable alternatives to traditional, expensive solutions, and the DIB is evolving to better support innovation and diversity. The key is finding right-sized solutions that match both security requirements and business realities.
For organizations beginning their CMMC journey, the message is clear: explore all options, verify vendor credentials, and remember that good security practices, not just compliance checkboxes, should drive your decisions. The path forward may be challenging, but with the right approach and partners, it's entirely achievable.