Convergence Radar Convergence Engine

← Feed

C

SPRS Sentry β€” $300/mo NIST 800-171/CMMC attestation-maintenance layer for micro DoD subcontractors

53/100

A subscription service that keeps sub-50-employee defense subcontractors award-eligible by maintaining their SSP, POA&M, annual NIST 800-171 self-assessment, and SPRS score submission β€” sold direct off public awardee rosters and white-labeled through MSPs.

Interesting but not urgent. Β· created 2026-07-10 06:03 UTC

public recordssaasfast cashlong-term

Scorecard

newness 4/10
convergence 4/10
demand evidence 2/10
existing spend 3/10
solo feasibility 8/10
speed to mvp 8/10
speed to revenue 6/10
distribution 7/10
competitive gap 4/10
expansion 7/10
founder fit 9/10

Opportunity brief

What changed
HYPOTHESIS (no source signals attached to this convergence): DoD's CMMC phase-in is converting the NIST 800-171 self-assessment from a one-time paper exercise into a recurring, award-blocking gate with an annual affirmation requirement in SPRS. This is established regulation (DFARS 252.204-7019/7020, CMMC 2.0 final rule) but it is asserted from general knowledge, NOT from ingested signals β€” the signals and demand_evidence arrays in this input are empty.
Why now
CMMC clause flow-down is being phased into new DoD contracts over the coming quarters, so micro-subcontractors face a hard eligibility deadline rather than a theoretical fine. INFERENCE: they are the last unserved cohort β€” incumbents chase $30-100k engagements with primes and mid-tier firms. Caveat (from lesson on enforcement slippage in the falsification criteria): CMMC timelines have slipped repeatedly for years; urgency may keep deferring.
Converging signals
NONE PROVIDED. The convergence references MSP-demand signals 2064/2070 (MSPs fielding requests for productized security documentation) but those signals were not included in this input, so they cannot be treated as evidence here. The entire demand case is currently hypothesis.
Customer pain
HYPOTHESIS: A machine shop with 12 employees and a $2M DoD sub-award has no security staff, does not know what SPRS is or guessed its score years ago, and discovers at recompete time that a stale/missing score makes it ineligible. Exclusion from its market, not a fine, is the pain. Unverified β€” the testable prediction (300 cold emails β†’ β‰₯8 discovery calls, β‰₯half admitting stale scores) has not been run.
Who pays
The subcontractor's owner/GM (sub-$10M revenue defense machine shops, fabricators, small suppliers handling CUI), and secondarily MSPs who serve them and want a white-label artifact package. Buyers are enumerable from SAM.gov/USASpending with contact info β€” a genuinely reachable list, which is rare.
Solved today
FACT-ADJACENT (general knowledge, uncited): CMMC consultancies and vCISOs at $30-100k engagements; DIY with NIST templates; some low-cost tools already exist in exactly this niche (Totem Technologies ~$100-500/mo, ComplyUp, FutureFeed). Many small subs simply self-attest a guessed score and hope.
Why current solutions are bad
Consultants are 10-50x too expensive for a 12-person shop; DIY produces a stale binder nobody refreshes; guessed SPRS scores now carry False Claims Act exposure under DOJ's Civil Cyber-Fraud Initiative (INFERENCE: this raises the cost of doing nothing). But note the low-cost tool gap is NOT empty β€” see competitors.
Proposed product
A $200-400/mo maintained-compliance subscription: system generates and keeps current the SSP, POA&M, policy artifact set, and annual self-assessment scoring worksheet; prompts/handles the SPRS score submission workflow and annual affirmation reminder; evidence binder always audit-ready. AI does document generation/refresh; founder does the repeatable submission workflow β€” the same government-portal-submission shape as his shipped FMCSA ELDT product.
MVP version
Not software-first. MVP = (1) pull 300 sub-$10M DoD awardees in NAICS 332xxx/336xxx from USASpending, (2) cold-email 'Is your SPRS score current? CMMC clauses are entering new awards' with a free score-currency check, (3) deliver the first 5 engagements manually using AI-generated SSP/POA&M templates, (4) only then productize the binder generator. 30-45 days, near-zero build cost.
30-day build
Run the outreach experiment exactly as the testable prediction specifies; book discovery calls; manually deliver 2-3 paid pilot assessments at $1,500-2,500 flat to validate willingness to pay and learn the artifact set cold.
60-day build
Convert pilots to $300/mo maintenance subscriptions; template the SSP/POA&M/policy generation into a repeatable AI pipeline; approach 5-10 MSPs from r/msp with a white-label version at wholesale pricing.
90-day revenue plan
Target 15-25 subscribers direct + 1-2 MSP channel deals = $5-10k MRR. Realistic given a forced deadline IF the demand hypothesis validates; if outreach conversion fails, kill by day 45 having spent almost nothing.
Distribution path
Cold outbound to a public, enumerable, obligated roster (USASpending/SAM.gov) β€” the founder's proven motion; plus MSP white-label channel; plus SEO/content on 'SPRS score' long-tail queries. No ad spend, no marketplace gatekeeper.
Pricing hypothesis
$1,500-2,500 initial assessment + $200-400/mo maintenance (annual refresh, affirmation calendar, artifact updates). Per-assessment plus recurring mirrors his per-upload ELDT model but with better retention economics.
Technical difficulty
Low-moderate. Document generation + workflow + reminders is standard micro-SaaS. SPRS submission itself goes through PIEE with contractor-side accounts β€” INFERENCE: the founder acts as delegated user or guides the customer's Affirming Official rather than fully automating a federal login; this is the same pattern he already executed for FMCSA.
Legal / regulatory risk
Moderate and manageable: the customer's official must sign the affirmation, and the vendor must never inflate scores (False Claims Act liability sits with the contractor, but a service that pencil-whips assessments invites being named). Mitigate with conservative scoring and clear engagement letters. No license/certification required to assist with self-assessments (C3PAO status only needed for third-party certification assessments, which this deliberately avoids).
Platform dependency
Dependency on DoD regulatory timeline, not on a platform ToS. Main systemic risk is CMMC enforcement slipping again, which mutes the deadline that drives conversion.
Founder fit
VERY HIGH (9). This is structurally identical to his proven FMCSA ELDT win: read a federal mandate, enumerate the obligated class from public records, build the submission/paperwork layer, charge per transaction/seat. Matches his lesson-confirmed best pattern (government-portal mandate, confidence 0.80), his public-records strength, and his demonstrated-value sales style. Industrial/machine-shop customer base matches his operational credibility.
Breakout potential
Good: the same 'public-roster forced-buyer compliance layer' engine extends to other mandates (other DFARS clauses, state contractor registries), and the MSP white-label channel scales without headcount. Not venture-scale; excellent lifestyle-SaaS scale.
Final recommendation
PURSUE THE $0 VALIDATION, NOT THE BUILD. The pattern is the founder's proven best shape and the buyer roster is public and reachable, but this brief contains no actual demand evidence β€” so the correct move is the 2-week outreach test (300 awardees, score-currency offer) before writing any product code. If β‰₯8 calls and stale-score admissions materialize, this is an A-tier fit worth a manual-first launch; if not, kill it having spent nothing but email time.
Next action
Pull 300 sub-$10M DoD awardees (NAICS 332xxx/336xxx) from the USASpending API, enrich with SAM.gov contacts, and send the 'Is your SPRS score current?' sequence this week; simultaneously verify signals 2064/2070 content and scrape r/NISTControls (via OAuth per Reddit lesson) for stale-score complaints.

Kill arguments (adversarial)

Competitors

β€’ Totem Technologies (link) β€” Low-cost CMMC/800-171 tooling + consulting explicitly aimed at small DoD contractors β€” closest incumbent in the exact price band; must differentiate on done-for-you maintenance vs. self-serve tool.
β€’ FutureFeed (link) β€” CMMC compliance-management SaaS sold to contractors and through MSP/consultant channel β€” already executing the white-label-via-MSP motion.
β€’ ComplyUp (link) β€” Self-service NIST 800-171/CMMC SaaS with low price point; validates willingness to pay at micro-contractor scale but also shows the software-only wedge is taken.

Source citations (facts)

No citations captured.

Actions