The Army Contracting Command at Aberdeen Proving Ground, Maryland, has awarded eight small businesses competitive positions on a potential five-year, $49 million firm-fixed-price contract to support the Next-Gen Commercial Operations in Defended Enclaves (NCODE) pilot program — the Army's flagship effort to help small defense industrial base (DIB) companies achieve and maintain Cybersecurity Maturity Model Certification compliance without bearing the full cost individually. The contract was awarded on May 5, 2026, selected from a pool of 31 proposals, and runs through May 14, 2031.

The awardees

The eight companies that secured indefinite-delivery/indefinite-quantity positions on the NCODE vehicle are: ATX Capital Partners (doing business as ATX Defense), Beryllium InfoSec, Broadstone Tech (doing business as Cytex), David T Scott & Associates, Eccalon, Exostar, Security Centric, and Summit 7 Systems. Each received a separate contract number in the W9128Z-26 series. The awards are structured as a multiple-award IDIQ, meaning the eight firms will compete for individual task orders rather than sharing a divided ceiling. The Army has not disclosed per-awardee award values.

What NCODE does

NCODE addresses one of the most persistent problems in defense acquisition: small and mid-tier suppliers in the defense industrial base often lack the technical expertise, capital, and dedicated cybersecurity staff to independently satisfy NIST SP 800-171 and CMMC requirements. The result is a talent and compliance gap that creates both cybersecurity risk to controlled unclassified information (CUI) and a barrier to small business participation in defense contracting. The NCODE model resolves this by providing eligible small businesses access to a managed, government-verified secure cloud enclave operated by Verified External Service Providers — the NCODE awardees — that already meets the required standards.

Rather than each small business building and maintaining its own compliant environment, the VESP absorbs the infrastructure cost, submits to the required third-party assessments, and makes capacity available to multiple clients simultaneously. This "enclave-as-a-service" model spreads compliance cost across a subscriber pool while giving each subscriber the documentation trail needed to satisfy a DoD contracting officer's compliance inquiries. The pilot phase is designed for up to 1,000 small business participants, with the Army serving as the lead service and the marketplace expected to eventually expand to Marine Corps, Navy, Air Force, Space Force, the National Guard, and other defense agencies.

CMMC context

The NCODE awards arrive at a pivotal moment in the CMMC rollout. The DoD published the CMMC 2.0 final rule in September 2025, and Phase 1 implementation — covering Level 1 and Level 2 self-assessments — began on November 10, 2025. Beginning November 10, 2026, the DoD may begin conditioning contract awards on CMMC Level 2 assessments by accredited C3PAO organizations and Level 3 Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessments. That one-year runway has made 2026 a critical year for small suppliers to get their compliance programs in order before third-party assessors become a contractual gating requirement.

Summit 7 Systems, one of the eight awardees, is among the better-known firms in the CMMC ecosystem — the company has been a vocal advocate for small business compliance pathways and operates its own accredited assessment organization. Summit 7 CEO Scott Edwards said in a statement that NCODE helps smaller suppliers "remain part of the DIB while continuing to provide capabilities for warfighters," directly addressing the risk that CMMC compliance costs would effectively price small businesses out of the defense market.

Contracting structure and task order competition

As a multiple-award IDIQ vehicle, NCODE requires the Army and participating agencies to issue individual task orders and conduct fair opportunity competitions among the eight awardees for each package of work. This structure provides the government with pricing competition on task orders while giving the awardees a guaranteed pipeline of potential work. The Army has not published details on how it plans to price compliance services or whether task orders will be awarded on fixed-price or labor-hour terms — both are available under the vehicle's firm-fixed-price and T&M-eligible master contract framework.

The 31 offers received during the competition suggests strong industry interest in the managed compliance market. The Army's decision to award only eight positions — rather than the fifteen or twenty that appear on some similar vehicles — signals a preference for a manageable pool of well-vetted VESPs rather than maximum breadth of competition at the task order level.

What it means for contractors

  • Small DIB suppliers that handle CUI and are struggling with NIST SP 800-171 or CMMC requirements should monitor the NCODE marketplace rollout, which is expected to formally open for small business enrollment within six months of the May 2026 awards.
  • Small businesses that are subcontractors to prime contractors with CMMC clauses flowing down should ask their primes whether NCODE enrollment will satisfy the flow-down requirements — the answer may depend on how the prime's CMMC assessment scope is defined.
  • The eight NCODE awardees now have a funded vehicle to pursue task orders across Army, Marine Corps, Navy, Air Force, Space Force, National Guard, and other defense agencies — a significant addressable market for managed cybersecurity services.
  • Firms that were not selected but are interested in the VESP market should watch for subsequent NCODE solicitations as the program scales or consider partnering with awardees as subcontractors.

Sources