South Carolina's Defense Factories Have Seven Months to Get Cyber-Certified or Lose Pentagon Contracts
A federal compliance deadline baked into new DoD solicitations since November is forcing hundreds of SC manufacturers to get certified before November 2026, and every level of the state's public infrastructure is scrambling to help.
South Carolina's public institutions issued seven cybersecurity-related RFPs in the past 30 days, against a baseline of roughly 1.7 per month. The spike is not a reaction to a breach. It is a race against a federal compliance clock that, for a state with $3.5 billion in annual Pentagon contracts, could prove more disruptive than any single cyberattack.
The deadline driving all of it is November 10, 2026. That is when Phase 2 of the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) takes effect, making third-party assessments mandatory for any contractor or sub-tier supplier handling controlled unclassified information on Level 2 programs. Phase 1 went live on November 10, 2025, embedding certification requirements in new solicitations immediately. Any South Carolina supplier without a certified C3PAO assessment in hand by next fall faces disqualification from the contracts it has spent years winning.
The exposure is structural. South Carolina is the eighth-largest recipient of DoD contracts nationally, and its defense economy is concentrated not in government agencies but in factory floors: BMW's Spartanburg plant, Michelin, Boeing, Lockheed Martin, and hundreds of smaller suppliers that feed them. CMMC's flow-down requirement is the mechanism that makes this a statewide emergency. Prime contractors must verify that every sub-tier supplier is also certified. One non-compliant small manufacturer does not just lose its own contract; it creates a compliance gap that can jeopardize the prime's eligibility as well. SC Competes named CMMC the top near-term challenge for the state's 500-plus defense contractors at its March 2026 Spring Summit, where it launched a new statewide initiative, SC Defense, dedicated to navigating the compliance surge.
[Figure: South Carolina DoD contract awards, 2017–2024. Source: NationGraph.]
What the recent procurement activity reveals is that South Carolina is not relying on any single institution to solve the problem. The response is multi-vector and moving in parallel.
The most visible piece is Greenville Technical College's planned $41 million Center for Industrial Cybersecurity and AI, a 90,000-square-foot facility explicitly designed to serve the manufacturing workforce at plants like BMW Spartanburg and Lockheed Martin. The state committed $16 million in its FY2025-26 budget, and the college issued an architectural and engineering design RFP as it pursues the remaining funding. Greenville Tech cited IBM's Threat Intelligence Index finding that manufacturing has been the most-targeted sector for cyberattacks four years running. The center is a workforce pipeline answer to a supply-chain compliance problem.
The universities are working the certification side directly. Clemson University issued two separate CMMC RFPs in the March-to-April 2026 window, and the University of South Carolina's Orangeburg campus sought a C3PAO for CMMC Level 2 compliance. These are not academic exercises; they are institutions bringing their own contracts into compliance while simultaneously building in-house expertise they can extend to the broader defense supplier community.
On the government side, the state's critical infrastructure cybersecurity program, run through SLED, holds two active DHS State and Local Cybersecurity Grant Program awards totaling approximately $7.35 million, with the most recent $1.82 million award running through 2029. The FY2024 sub-award application cycle opened through SLED on March 20, 2026, with a May 15 deadline, meaning local governments and smaller institutions are actively competing for that money right now. In April, SLED's SC CIC program formalized a public-private partnership with Integer Technologies, a Columbia-based defense tech firm focused on the defense industrial base, with Integer's CEO invoking Governor Henry McMaster and Lt. Gov. Pamela Evette in the announcement. The executive branch is publicly aligned with the effort.
The difficulty for South Carolina is that it lacks the institutional depth that states like Virginia and Georgia have built around standalone cybersecurity schools and defense-adjacent research universities. The Greenville Tech center and SLED's federal grant pipeline are the primary public vectors for workforce and institutional readiness. That concentration means the November 2026 deadline will be tight regardless of how quickly the RFPs convert to contracts and the contracts convert to trained workers or certified assessors.
For a manufacturer in the Upstate or the Lowcountry currently holding a DoD sub-contract, the immediate signal to watch is whether its prime contractor has begun issuing CMMC flow-down clauses in purchase orders. According to recent guidance from legal and compliance analysts tracking CMMC implementation, primes are increasingly inserting those requirements now, ahead of the November deadline, to protect their own eligibility. Suppliers that have not started a gap assessment are already behind the timeline a third-party C3PAO assessment typically requires.
The next hard marker is November 10, 2026. What happens between now and then, measured in RFPs converted, certifications issued, and workers trained, will determine how much of South Carolina's $3.5 billion defense economy is still eligible to compete on the other side of it.