What changed
CMMC 2.0 enforcement is phasing into DoD contracts with real consequences (FACT: per the JD Supra source, 'requirements for compliance are looming, and the consequences are real'). The excerpt does not give specific dates; the phased 48 CFR acquisition-rule rollout timeline is inference from the CMMC framework, not from the provided text.
Why now
The mandate is moving from paper requirement to contract-award gate: primes are flowing CMMC clauses down to subs NOW, and a sub without a current SPRS score or with no SSP/POA&M becomes unawardable. Deadline pressure is set by contract cycles, not by the founder's marketing.
Converging signals
Three signals meet at one point: (1) a federal rule (CMMC 2.0 / NIST 800-171 assessment requirement), (2) a defined compelled filer class (every DIB contractor/sub handling FCI/CUI, down to small shops β tens of thousands of firms, ~80k+ by inference), (3) a named government portal (SPRS via PIEE) that requires a specific scored submission plus SSP/POA&M artifacts. Per the scoring rules, mandate+filer-class+portal IS the convergence.
Customer pain
A 12-person machine shop cannot parse 110 NIST 800-171 controls, compute the -203-to-110 SPRS score correctly, or write an SSP/POA&M. Consultants quote $15-50k. The alternative is guessing (False Claims Act exposure β DOJ Civil Cyber-Fraud Initiative has already settled cases over misstated scores; inference from framework, not in excerpt) or losing the contract when the prime asks for the score.
Who pays
The small sub-tier contractor itself (owner/GM signs the check), and secondarily primes' supply-chain teams who need their sub base compliant and MSPs/consultants who could white-label the tool. This is NOT government procurement β the buyer is a private small business under contractual compulsion.
Solved today
(a) $15-50k boutique cybersecurity consultants; (b) NIST's free self-assessment spreadsheet, misused and mis-scored; (c) existing GRC tools (Totem ~$100/mo, FutureFeed, ComplyUp/Exostar tier) that still assume a security-literate user; (d) doing nothing and hoping the prime doesn't ask.
Why current solutions are bad
Consultants price out the sub-tier tail entirely; the free spreadsheet produces wrong scores and no defensible SSP; incumbent tools are checklists, not interviews β they ask 'Do you have FIPS-validated cryptography?' where the target buyer needs 'Do your work laptops have BitLocker turned on? Show me.' Nobody serves the security-illiterate shop owner in his own language.
Proposed product
An interview-style wizard in plain shop-floor English: ~2-hour guided Q&A (with evidence prompts) β correct SPRS score computed per DoD scoring methodology β one-click export of (1) score + affirmation package formatted for SPRS entry, (2) auto-generated SSP mapped to the 110 controls, (3) POA&M with prioritized remediation and score-improvement forecast ('do these 5 things, gain 45 points'). Annual re-assessment reminder loop makes it recurring revenue.
MVP version
Web app: question bank mapping plain-language interview answers to the 110 controls and the DoD scoring weights, LLM-assisted SSP/POA&M document generation from the answers, PDF/Word export, Stripe checkout. No SPRS integration needed for v1 β the customer types the score into SPRS themselves with a step-by-step guide (SPRS has no public write API; 'submission on their behalf' is a later manual-service upsell, mirroring the founder's ELDT per-upload model).
30-day build
Build question bank + scoring engine (the DoD 800-171 assessment methodology is public); validate outputs against 2-3 real small subs recruited via manufacturing associations/NTMA chapters or the founder's industrial network; get one consultant to sanity-check a generated SSP.
60-day build
Launch at $995/assessment or $149/mo; sell where the panic is: prime flow-down letters (subs who just got one), CMMC LinkedIn groups, manufacturing association newsletters, and 2-3 MSPs offered a white-label/reseller cut.
90-day revenue plan
10 paid assessments or ~20 subscriptions = $10-30k. Each completed assessment generates a POA&M, which generates remediation questions, which the MSP channel monetizes β the tool becomes MSPs' intake funnel, and they sell it for you.
Distribution path
Prime flow-down pressure is the channel: subs act when a prime demands a score. Target NTMA/FMA/local manufacturing associations, DoD OSBP and APEX Accelerator (PTAC) counselors who advise exactly these firms and have no tool to hand them, plus white-label MSP resellers. Demonstrated-value sales: free score preview, pay to unlock documents β fits the founder's no-relationship-sales style.
Pricing hypothesis
$995 one-time guided assessment (vs $15k+ consultant anchor) or $149-299/mo including annual re-assessment, POA&M tracking, and affirmation reminders. Undercutting a consulting fee with software is the stated wedge.
Technical difficulty
Moderate and squarely in the founder's lane: forms/logic/scoring engine + LLM document generation + export. The hard part is domain correctness of the question bank, which is buildable from public DoD assessment methodology docs plus one paid consultant review (~$2-5k, affordable now).
Legal / regulatory risk
Real but manageable: auto-generated SSPs that misstate reality could expose CUSTOMERS to False Claims Act liability, and the tool must not present itself as certifying anything. Mitigate with attestation language ('you are affirming your own answers'), evidence prompts, and E&O insurance. The founder himself needs no license β compliance is the moat, not a barrier (per scoring rules, heavy_compliance not flagged).
Platform dependency
None that can deplatform him: SPRS/PIEE is a government system with no platform owner gatekeeping third-party prep tools (v1 doesn't even touch it directly). Dependency is regulatory continuation β CMMC has survived a decade of political cycles and is now in rule; risk of repeal is low (hypothesis).
Founder fit
Near-maximal on the stated thesis: regulation compels a defined class to file a scored submission into a named federal portal, and the founder has already shipped exactly this shape (FMCSA ELDT β Training Provider Registry, per-upload fee). Bonus: the buyer is small industrial shops β his native population (industrial ops, scrap, machine-shop credibility). Honest gap: he has no cybersecurity credential, so the product must borrow authority (consultant-reviewed methodology, CyberAB-registered-practitioner advisor) rather than claim it personally.
Breakout potential
Large: CMMC Level 2 evidence-prep upsell, annual re-affirmation subscriptions across tens of thousands of subs, white-label to MSPs/C3PAOs, and the same interviewβscoreβdocuments engine replicates to other mandated self-assessment regimes (state privacy laws, FAR CUI rule expansion to civilian agencies β hypothesis).
Final recommendation
PURSUE β this is the founder's thesis in its purest form (forced filer class + federal portal + priced-out small-buyer tail), with capital now available to buy the missing domain credibility. The differentiated wedge must be the plain-English interview + document generation for the sub-tier tail that Totem-class tools still overshoot, sold through prime flow-down panic and APEX Accelerator counselors. Validate the trust objection with 3 design-partner shops before building past MVP.
Next action
This week: pull the DoD 800-171 Assessment Methodology + CMMC scoping docs, draft 20 interview questions for the 5 highest-weight controls, and get 30 minutes with two real defense subs (via industrial network or APEX Accelerator) to test whether they'd pay $995 to replace a $15k consultant quote β and specifically probe the 'would you trust software with this?' objection.