This is going to be unpopular.
The U.S. Government should be paying for any CMMC audits/certifications of SMBs under a certain size directly. The C3PAOs should bill the govt, not the SMB. Otherwise, the govt is lying about wanting SMBs to provide services.
The cost projections that the govt has put forward highlight the fact that many small businesses won't be able to afford CMMC. The government could already be looking at the overhead rates and determining which ones aren't spending enough on security. They have overhead rate information since it's already required. The govt could provide a warning notice that SMBs will lose their existing contracts and not be eligible going forward. They could go ahead and estimate how much money the SMBs need to be making to break even. If someone is working at a loss, the business can state that upfront.
Also, the govt should be paying for MS GCC High, including all of the tools like Defender, Intune, etc., directly. The writing is on the wall. GCC High is the blessed way forward. After listening to the GRC Academy and reading about the Azure use in the DoD, it's pretty obvious that MS has the entire sector under their thumb.
Companies like Google, Preveil, Virtru, etc., are just nipping around the edges, providing a piece of the puzzle and muddying the waters. Google's GCPW doesn't even work on ARM.
GRC Academy #36 podcast
https://grcacademy.io/podcast/s1-e36-microsoft-365-gcc-high-the-inside-story-with-richard-wakeman/
ProPublica report
https://www.propublica.org/article/microsoft-white-house-offer-cybersecurity-biden-nadella