Executive Summary

• CMMC now determines eligibility for DoD construction contracts. Verified cybersecurity controls are being written into solicitations as a condition of award for primes and subcontractors.
• Most construction firms are in scope. Common project data (design files, schedules, credentials, and project systems) can trigger CMMC requirements.
• Level 2 requires independent validation. Contractors handling Controlled Unclassified Information (CUI) must undergo a third-party assessment conducted by an authorized CMMC Third-Party Assessor Organization (C3PAO).
• Timing creates real business risk. Phased enforcement is underway and intersects with long bid cycles, multi year projects, and subcontractor relationships.

How CMMC Is Changing Eligibility for DoD Construction Contracts

For construction contractors pursuing U.S. Department of Defense (DoD) work, cybersecurity has become a direct factor in bid viability. Beyond traditional safety, bonding, and performance requirements, the DoD now expects contractors to demonstrate verified cybersecurity controls as a condition of contract award.

That expectation is formalized through the Cybersecurity Maturity Model Certification (CMMC) program, which embeds cybersecurity directly into DoD contracts for companies that design, build, repair, or maintain defense facilities and infrastructure. Rather than relying on policy statements or self attestations, the program ties validated security practices to eligibility for both prime and subcontract work.

With phased implementation already underway, CMMC is rolling into new and existing contracts. For construction contractors, cybersecurity readiness now influences bidding strategy, teaming arrangements, and continued participation in the defense construction market.

For a broader overview of CMMC requirements and certification levels, see Understanding CMMC: What Defense Contractors Need to Know.

Why Construction Contractors Fall Within CMMC Scope

CMMC applies to both prime contractors and subcontractors across the Defense Industrial Base (DIB), including construction firms. Even when cybersecurity is not a contractor’s core business, construction projects often involve access to Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Examples include:

• Design drawings and specifications for military facilities
• Access credentials, schedules, and logistics data
• Project management systems that store or transmit sensitive information
• Subcontractor data shared across project teams

When this information resides on contractor-managed systems or third-party platforms, CMMC requirements apply.

CMMC in Plain Terms

CMMC is a DoD-mandated cybersecurity assessment and certification program that verifies whether contractors have implemented required safeguards for FCI and CUI. Unlike prior models that relied largely on contractor representations, CMMC ties verified cybersecurity practices directly to contract eligibility.

The framework aligns existing requirements into a single enforceable standard across the defense supply chain.

Certification Levels and Construction Contractors

Most DoD construction contractors will encounter either Level 1 or Level 2 requirements.

CMMC requirements are now being incorporated into DoD contracts and have become a condition of contract award. Failure to meet the required CMMC level can result in loss of eligibility to bid or participate in defense contracts, including as a subcontractor.

Why Timing Matters for the Construction Sector

Phased implementation is now underway. CMMC requirements are now appearing in solicitations and contracts, marking the transition from policy guidance to active enforcement.

For construction contractors, these milestones often overlaps with long bid and award cycles, multi year project timelines, and layered subcontractor relationships. As a result, CMMC compliance affects not only IT systems, but also project planning, teaming strategies, and risk management decisions across the life of a contract.

Where Readiness Fits for Construction Contractors

CMMC readiness helps construction firms understand how cybersecurity requirements apply to their operations before certification becomes mandatory.

At Elliott Davis, a CMMC Readiness Assessment is performed by a coordinated team that understands construction operations, project workflows, and DoD expectations. Readiness efforts focus on:

• Identifying which systems and project data are in scope
• Assessing current practices against the applicable CMMC level
• Reviewing System Security Plans and documentation
• Prioritizing remediation based on project and contract risk
• Coordinating expectations with primes and subcontractors

For construction contractors, readiness often clarifies where cybersecurity responsibilities sit across field operations, corporate systems, and third party platforms.

A New Reality for DoD Construction Work

CMMC reflects a broader shift in how the DoD manages risk across its supply chain. Cybersecurity is now treated as a prerequisite for participation, not an administrative afterthought.

Construction contractors that address readiness early are better positioned to respond to solicitations, support prime contractor requirements, and maintain continuity across active and future projects.

We Can Help

Elliott Davis works with construction contractors in the DoD pipeline to support CMMC readiness through scoping, gap assessments, and planning support. Our focus is helping firms understand how CMMC applies to their operations and what steps support contract access as requirements continue to roll into DoD construction work.

Contact us today to start the conversation.

‍

‍

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.

If you own a small business or invest in one, the recent changes to the Qualified Small Business Stock (QSBS) exclusion under IRC §1202 could dramatically impact your tax strategy, exit planning, and investment structure.

Whether you're a founder planning a liquidity event, an early-stage investor looking for tax-efficient returns, or a growing company evaluating entity structure, these updates offer powerful new opportunities to reduce capital gains taxes and maximize after-tax wealth.

What Is QSBS and How Has It Changed?

The IRC §1202 QSBS exclusion allows eligible shareholders to exclude a portion, or even all, of their capital gains from federal tax when selling stock in a qualified small business. Historically, this exclusion required a five-year holding period and applied only to C corporations with gross assets of no more than $50 million.

Recent legislative updates under the One Big Beautiful Bill Act (OBBBA) have significantly expanded the scope and impact of QSBS tax benefits. Here’s what changed:

1. Tiered Gain Exclusion Based on Holding Period

For QSBS acquired after July 4, 2025, investors can now benefit from a tiered exclusion:

• 50% exclusion for stock held ≥ 3 years
• 75% exclusion for stock held ≥ 4 years
• 100% exclusion for stock held ≥ 5 years

Translation: You no longer have to wait five years to enjoy tax benefits as earlier exits are now available.

2. Increased Lifetime Gain Cap

• The per-issuer lifetime gain exclusion cap increases from $10 million to $15 million, indexed for inflation after 2026.
• Applies only to QSBS acquired after July 4, 2025.

Note: The gain cap is now the greater of $15 million or 10 times the aggregate adjusted basis of the QSBS issued by the corporation.

3. Expanded Company Size Threshold

• The gross asset threshold for QSBS eligibility increases from $50 million to $75 million.
• This change enables larger businesses, especially in capital-intensive sectors, to qualify.

Interplay: Immediate expensing under §§ 174 and 174A may help companies stay under the threshold even after raising substantial capital.

What Hasn’t Changed

• Stock must be acquired at original issuance.
• The issuing entity must be a domestic C corporation engaged in an active trade or business.
• The full 100% exclusion still requires a five-year holding period.
• QSBS gain exclusion remains non-preference for Alternative Minimum Tax (AMT), preserving its value for high-income taxpayers.

Strategic Opportunities for Business Owners and Investors

These changes offer a unique opportunity for small business owners and investors to rethink how they structure ownership, plan exits, and design equity incentives. Below are some of the most compelling ways to leverage the enhanced QSBS framework for tax efficiency and strategic growth.

• Accelerated Exits – Partial exclusions at years 3 and 4 allow for earlier liquidity without losing all tax benefits.
• Entity Choice Optimization – Partnerships and LLCs anticipating a sale should revisit whether a C corporation conversion could unlock substantial QSBS benefits.
• Executive & Employee Incentives – Design stock grants and options to take advantage of QSBS, enhancing recruitment and retention of top talent.
• Wealth Transfer Planning – Gifting QSBS before an exit can multiply the $15 million per-issuer cap across family members and trusts.
• M&A Advantages – QSBS eligibility can be a differentiator in M&A negotiations—buyers may pay a premium for targets with QSBS-qualified stock.
• Capital-Intensive Startups – With the asset threshold raised, more companies in tech, life sciences (excluding health), and manufacturing can now qualify.
• Cross-Border Structuring – International investors entering U.S. markets through domestic C corporations may now find QSBS a more attractive component of their tax strategy.

Commonly Asked Questions

1. Does QSBS apply to S corporations or LLCs?

No. QSBS only applies to C corporations. However, converting your entity or restructuring existing business units/assets may unlock eligibility.

2. Can I sell before five years and still get a tax break?

Yes. Under the new rules, you can get 50% or 75% exclusions at years 3 and 4.

3. What happens if I exceed the $15 million or 10X basis cap?

Once the cap is reached for a given issuer, no further exclusions apply for that issuer in future years.

We Can Help

At Elliott Davis, we specialize in helping businesses capitalize on QSBS opportunities. Our services include:

• Advising on entity restructuring and C corporation conversions
• QSBS diagnostics for current and planned investments
• Exit modeling under the tiered exclusion rules, including staged liquidity planning
• Supporting equity compensation design for executives and employees
• Buy-side and sell-side due diligence with QSBS integration
• Ongoing compliance monitoring for QSBS eligibility

Ready to explore how QSBS can enhance your strategy? Contact us today to start the conversation.

‍

Edit: Originally published on September 13, 2023. Updated to reflect recent developments.

The outcome of the 2018 Supreme Court decision in South Dakota V. Wayfair brought the discussion of nexus and nexus creating activities to the forefront for all businesses that operate under a remote business structure. By introducing the “economic presence” standard, the ability of state and local governments to impose tax obligations on business entities drastically increased while creating a more complex tax atmosphere.

Nearly every state with a sales tax has now enacted some kind of legislation on marketplace facilitators. These laws have eased certain sales tax collection responsibilities for remote sellers, but they have not eliminated risk. Definitions, exemptions, and reporting requirements continue to vary widely by state, and gaps between marketplace compliance and seller compliance remain common.

What Is a Marketplace Facilitator and How Do These Laws Shift Tax Responsibility?

As economic nexus laws expanded, states adopted marketplace facilitator laws that generally place sales and use tax collection responsibility on the marketplace rather than the seller. While statutory definitions differ, most states define a marketplace facilitator as a business that performs the following activities:

1. Contracts with sellers to facilitate the sale of a marketplace seller’s product through a marketplace for consideration.
2. Engages, directly or indirectly, in transmitting or otherwise communicating the offer or acceptance between the buyer and seller.
3. Does any of the following activities directly or indirectly, with respect to the seller’s products: payment processing services, fulfillment, or storage services, listing products for sale, setting prices, providing customer service, and accepting or assisting with returns or exchanges.

Does Marketplace Inventory Create Nexus Beyond Sales Tax for Remote Sellers?

While marketplace tax laws have provided taxpayers with some relief on the sales tax front, they do not entirely remove the challenges a remote seller may face. Most notably, inventory stored in a marketplace facilitator’s warehouse can result in a physical presence within the state, even when a taxpayer is not aware their goods are being held there. As pre-Wayfair legislation indicates, a physical presence establishes nexus and therefore can carry certain tax obligations with it, including income and/or franchise tax filing requirements.

This can create income and franchise tax filing requirements. Taxpayers may be required to file an income tax return in states where they would otherwise be eligible for protection from state income taxes. Although P.L. 86-272 may have applied previously, inventory-based nexus may now exceed that protection, depending on the state and the specific facts and circumstances.

Another significant development is the enhanced enforcement efforts that have resulted from technological advancements within the state revenue agencies over the past few years. As states continue to modernize audit tools and data sharing capabilities, marketplace data is more readily available to tax authorities. This has led to increased scrutiny of remote sellers whose filings, or lack thereof, do not align with marketplace activity.

Since nexus laws vary by state, there may never be a consensus about how third-party marketplace facilitator inventory impacts remote sellers’ state filing obligations. This lack of consistency will likely increase confusion and decrease compliance. However, recent rulings do provide some insight into how states are applying these rules in practice.

Notable Updates and State-Level Developments

Recent developments highlight a broader trend toward stricter interpretations of marketplace inventory as a nexus-creating activity:

• South Carolina: Between 2024 and 2026, South Carolina courts confirmed Amazon’s sales tax liability for third-party marketplace sales in 2016, affirming that marketplace facilitators were treated as retailers before Wayfair and upholding a $12.49 million assessment for uncollected first-quarter sales tax.

• California: California Office of Tax Appeals (OTA) holds that out-of-state businesses using Amazon’s Fulfillment by Amazon (FBA) program for inventory storage establishes nexus in California for sales, franchise, and income tax, regardless of bright line economic thresholds.

• Broader state trends: Numerous states have revised nexus thresholds and expanded marketplace facilitator enforcement, often applying a more aggressive view of inventory-based nexus.

Frequently Asked Questions

• Does selling through a marketplace eliminate my sales tax obligations? No. In most states, marketplace facilitator laws place responsibility for collecting and remitting sales tax on the platform for marketplace transactions. However, sellers may still have obligations related to direct sales, registration, or reporting.

• Do marketplace sales still count toward my sales tax or income tax nexus? Yes. Marketplace sales can still count toward nexus thresholds and create filing obligations, particularly in states where sellers have both marketplace and direct sales activity.

• Can marketplace inventory create income tax nexus? Yes. Generally, inventory stored in a marketplace facilitator’s warehouse can create physical presence nexus, even if the seller does not control or know the inventory’s location.

• What should a seller do if they are unaware of where their inventory is stored? Best practice is to review inventory logs provided by the marketplace facilitator and reconcile them with internal records. When these reports are not reviewed, sellers are often caught off guard by unexpected nexus exposure.

• Can a business be held liable even if it didn’t know its inventory was stored in the state? Yes. Lack of awareness does not eliminate nexus or related filing obligations.

• Does marketplace facilitator legislation eliminate the seller’s responsibility to collect and remit sales tax entirely? Not necessarily. Sellers remain liable for collecting and remitting sales tax on direct-to-consumer sales made outside the marketplace and may still have income and franchise tax obligations.

• How can sellers better manage this risk? Best practices include tracking marketplace inventory locations, reconciling marketplace reports to state filings, and periodically reviewing nexus assumptions.

We Can Help

Businesses operating through online marketplaces should periodically reassess their nexus profile, filing positions, and assumptions about compliance. Proactive review before a notice or audit can help identify exposure, reduce penalties, and support defensible positions across jurisdictions.

If you are unsure how these laws and business practices may affect you and would like to better understand your nexus footprint and overall tax obligations, reach out to our team to start the conversation.

‍

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.