Multivac: NDAA §889 Compliance for IoT/OT — Full Evaluation¶
Date: April 2, 2026
Domain: IoT/OT Compliance for Defense Contractors
Score: 32/50 — CONDITIONAL GO (with critical revisions)
TL;DR¶
Real problem, strong timing, but the original memo has significant gaps and the name is a non-starter. The strongest angle is provenance + compliance evidence, not basic scanning. Competition is stronger than presented.
1. Name Problem: MULTIVAC is Taken¶
Critical Issue: "Multivac" is a registered trademark.
| Trademark | Owner | Category |
|---|---|---|
| MULTIVAC (US Trademark 73211007) | Multivac Sepp Haggenmüller SE & Co. KG | Industrial packaging, IoT services |
Evidence:
- USPTO record: active registration
- Multivac.com: $1B+ packaging company with active IoT services
- Concept Reply partnership: active smart-services offering for industrial IoT
Implications:
- Immediate SEO friction (brand confusion)
- Legal risk (a cease-and-desist is likely)
- Rebranding cost and timeline
Recommendation: Rename before anything else. Options: IoTGuard, DeviceSentinel, ComplianceIQ, DIBsec.
2. Competition Analysis¶
The memo claims "competition is weak" — this is inaccurate.
runZero¶
| Aspect | Details |
|---|---|
| Founder | HD Moore (creator of Metasploit) |
| Funding | $12M+ Series A |
| Section 889 | Active compliance content |
| Weakness | Discovery-first, no dedicated compliance workflow |
Phosphorus¶
| Aspect | Details |
|---|---|
| Focus | IoT security + CMMC compliance |
| Funding | Series B |
| Strength | Enterprise focus, compliance-first messaging |
Viakoo¶
| Aspect | Details |
|---|---|
| Focus | Camera/OT device inventory |
| Partnership | Siemens integration |
| Weakness | Narrow (cameras only) |
Giants (Claroty, Armis, Nozomi)¶
| Company | ARR | NDAA §889 Focus |
|---|---|---|
| Claroty | $144M | Enterprise only |
| Armis | $300M | Enterprise only |
| Nozomi | $74M | Enterprise only |
Verdict: Competition is real. "Nobody does this" is false. The differentiation must be specific — not "IoT scanning" but "NDAA §889 evidence + remediation for SMB DIB."
3. Market Size (Fact-Checked)¶
Original Claim vs. Reality¶
| Metric | Original Memo | Verified |
|---|---|---|
| IoT Security Market | $24-35B → $56-142B | ✅ Accurate (CAGR 18-27%) |
| DIB Organizations | 200,000+ | ✅ ~300,000 DOD contractors |
| CMMC L2 Required | 80,000 | ⚠️ Estimate (no public count) |
| CMMC L2 Certified | 431 | ✅ Plausible (DIBCAC data) |
| Compliance Cost | $70K-$250K | ✅ Industry standard |
Realistic SAM¶
Conservative estimate: $200-500M serviceable in Years 1-3, focused on:
- SMB DIB contractors (CMMC L1-L2)
- DoD subcontractors
- Healthcare IoT (HIPAA)
Not: Global IoT security market (memo overreach)
4. The Real Wedge: Provenance + Evidence¶
Basic IoT scanning is commoditized. The defensible angle:
Not "what devices do you have?" but "can you prove these devices are compliant for NDAA §889?"
What This Means¶
- Device Provenance
  - Trace OEM/whitelabel origin (a reseller's badge, and even the MAC OUI, says little about who actually built the board)
  - Identify covered manufacturers: §889 names Huawei, ZTE, Hytera, Hikvision and Dahua, plus their subsidiaries and affiliates
  - Detect counterfeits
- Compliance Evidence
  - Generate audit-ready reports (SSP, POA&M)
  - Map findings to NIST SP 800-171 controls
  - Evidence packages for CMMC assessors
- Remediation Workflow
  - Not just "found a problem" but "here's how to fix it"
  - Replacement recommendations
  - Compliance timeline tracking
Why this matters: This is what runZero/Phosphorus don't do. It's the gap between "scanning" and "compliance."
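To make the provenance and evidence bullets concrete, here is an added example (not the memo's product and not runZero, Phosphorus or Viakoo code) of the minimum triage step such a tool must perform: resolve each inventory entry's MAC OUI to a registered vendor, resolve the claimed brand through an OEM/whitelabel map, compare both against the §889 covered entities, and emit a finding tagged with the NIST SP 800-171 control it supports. The OUI table is a constructed sample to be re-verified against the IEEE MA-L registry, the `HYPOTHETICAL_OEM_MAP` entry (`AcmeCam`) is invented, and the device inventory is constructed. The caveat the script encodes is the one a CMMC assessor will raise: an OUI match is weak evidence, because rebadged hardware ships under the reseller's OUI, firmware can override the MAC (locally administered bit set), and counterfeits copy it, so a vendor/OUI mismatch or an unattributable address is a finding that needs manual verification, not a clearance.

```python
"""NDAA §889 provenance triage over a device inventory (added example).

Assumptions: SAMPLE_OUI_VENDORS is a constructed sample (verify against the
IEEE MA-L registry); HYPOTHETICAL_OEM_MAP is invented; control references
are NIST SP 800-171 Rev 2.
"""
from dataclasses import dataclass, field

# Entities named in FY2019 NDAA §889(f)(3); subsidiaries and affiliates are
# covered too, which is why the OEM map below matters.
COVERED_ENTITIES = {"Huawei", "ZTE", "Hytera", "Hikvision", "Dahua"}

# Constructed sample of OUI -> registered vendor; re-verify before use.
SAMPLE_OUI_VENDORS = {
    "00:E0:FC": "Huawei",
    "00:15:EB": "ZTE",
    "C0:56:E3": "Hikvision",
    "3C:EF:8C": "Dahua",
    "B8:27:EB": "Raspberry Pi Foundation",
    "00:0C:29": "VMware",
}

# Hypothetical reseller brand -> actual manufacturer. A real map is built from
# FCC IDs, firmware strings and OEM disclosures, not guessed.
HYPOTHETICAL_OEM_MAP = {"AcmeCam": "Hikvision"}

INVENTORY_CONTROL = "NIST SP 800-171 3.4.1 (component inventory)"
POAM_CONTROL = "NIST SP 800-171 3.12.2 (plan of action)"


@dataclass
class Device:
    device_id: str
    mac: str
    claimed_vendor: str  # from label, banner or purchase record


@dataclass
class Finding:
    device_id: str
    status: str  # covered | suspect | unknown | clear
    reasons: list[str] = field(default_factory=list)
    controls: list[str] = field(default_factory=list)
    action: str = ""


def normalize_oui(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 'AA:BB:CC'."""
    digits = "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))


def is_locally_administered(mac: str) -> bool:
    """U/L bit set: the address was assigned by software, so the OUI proves nothing."""
    return bool(int(normalize_oui(mac)[:2], 16) & 0x02)


def resolve_oem(vendor: str) -> str:
    return HYPOTHETICAL_OEM_MAP.get(vendor, vendor)


def assess(device: Device) -> Finding:
    oui = normalize_oui(device.mac)
    oem = resolve_oem(device.claimed_vendor)
    laa = is_locally_administered(device.mac)
    oui_vendor = None if laa else SAMPLE_OUI_VENDORS.get(oui)

    reasons = []
    if oem in COVERED_ENTITIES:
        reasons.append(f"claimed vendor {device.claimed_vendor!r} is or resells {oem}")
    if oui_vendor in COVERED_ENTITIES:
        reasons.append(f"OUI {oui} is registered to {oui_vendor}")
    if reasons:
        return Finding(device.device_id, "covered", reasons,
                       [INVENTORY_CONTROL, POAM_CONTROL],
                       "Remove or replace; record replacement date in POA&M")
    if oui_vendor is None:
        why = "locally administered MAC" if laa else f"OUI {oui} not in vendor table"
        return Finding(device.device_id, "unknown", [why], [INVENTORY_CONTROL],
                       "Confirm manufacturer from physical label / FCC ID before attesting")
    if oui_vendor != oem:
        return Finding(device.device_id, "suspect",
                       [f"OUI vendor {oui_vendor!r} disagrees with claimed {oem!r}"],
                       [INVENTORY_CONTROL],
                       "Verify authenticity; possible rebadge or counterfeit")
    return Finding(device.device_id, "clear", [f"OUI {oui} matches {oem!r}"],
                   [INVENTORY_CONTROL], "Retain as SSP inventory evidence")


def triage(devices: list[Device]) -> dict[str, list[str]]:
    """Group device IDs by status; 'covered' is the §889 remediation queue."""
    groups: dict[str, list[str]] = {"covered": [], "suspect": [], "unknown": [], "clear": []}
    for device in devices:
        groups[assess(device).status].append(device.device_id)
    return groups


# Constructed inventory for the example.
SAMPLE_INVENTORY = [
    Device("sw-01", "00:E0:FC:11:22:33", "Huawei"),
    Device("cam-07", "C0:56:E3:AA:BB:CC", "AcmeCam"),
    Device("pi-02", "b827.eb01.0203", "Raspberry Pi Foundation"),
    Device("rtr-03", "00-0C-29-44-55-66", "Cisco"),
    Device("ap-09", "02:00:00:AA:BB:CC", "Cisco"),
    Device("plc-04", "A0:11:22:33:44:55", "Siemens"),
]

if __name__ == "__main__":
    for device in SAMPLE_INVENTORY:
        f = assess(device)
        print(f"{f.device_id:7} {f.status:8} {'; '.join(f.reasons)} -> {f.action}")
    print(triage(SAMPLE_INVENTORY))
```

The design choice worth noting is that `unknown` and `suspect` are separate statuses from `clear`: a product that silently treats "OUI not on the list" as compliant produces exactly the kind of evidence package an assessor rejects. The `covered` findings carry the POA&M control reference because replacement, not just detection, is what the contractor has to document.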
5. Timing¶
Strong. The CMMC acquisition rule took effect in November 2025 (Phase 1: Level 1 and Level 2 self-assessments required in new solicitations), and organizations are scrambling.
| Event | Date | Status |
|---|---|---|
| CMMC Phase 1 (L1/L2 self-assessment in solicitations) | Nov 2025 | Active |
| NDAA §889 Phase 3 | Jan 2025 | Active |
| DIB Awareness | Rising | High |
6. Risks¶
| Risk | Severity | Mitigation |
|---|---|---|
| Competition catches up | High (12-18mo) | Build evidence workflow fast |
| Long sales cycle | High | Start with consultants/MSPs |
| Regulatory changes | Medium | Diversify to healthcare/OT |
| Weak early moat | High | Focus on proprietary evidence templates |
| Trademark | Critical | Rename immediately |
7. Recommended ICP¶
Ideal Customer Profile:
- Who: SMB defense contractors (50-500 employees)
- Pain: CMMC L2 certification needed in 12-18 months
- Budget: $15K-$75K/year (not $250K)
- Current state: Manual spreadsheets, consultant-dependent
Go-to-Market:
- Partner with CMMC consultants (they need tooling)
- Target DoD subcontractors in specific verticals (e.g., manufacturing)
- Offer "compliance evidence package" not "scanning tool"
8. Scorecard¶
| Dimension | Score | Notes |
|---|---|---|
| Problem Severity | 4/5 | Real compliance pressure |
| Problem Frequency | 4/5 | Annual audits, continuous monitoring |
| Market Size | 3/5 | $200-500M realistic SAM |
| Existing Solutions | 2/5 | runZero, Phosphorus, Viakoo are real |
| Willingness to Pay | 4/5 | CMMC is mandatory, not optional |
| Buildability | 4/5 | Feasible with right focus |
| Founder Fit | ? | Unknown from memo |
| Timing | 5/5 | CMMC enforcement active |
| Defensibility | 3/5 | Evidence workflow is defensible |
| Total | 32/50 | |
9. Questions for Founder¶
- Target customer: Are you targeting SMB ($15K/yr) or enterprise ($150K/yr)? The pricing in the memo ($70K-$250K) doesn't match SMB budgets.
- Founder background: What's your credibility with DIB contractors? Do you have existing relationships?
- Evidence generation: Can you demo a compliance report that maps device findings to NIST SP 800-171 controls?
- Competition response: If runZero adds compliance workflows in 6 months, what's your defense?
- Regulatory risk: What if CMMC is delayed again or changed?
10. Verdict¶
CONDITIONAL GO — but only after:
- ✅ Rename the company (non-negotiable)
- ✅ Narrow ICP to SMB DIB ($15K-$75K range)
- ✅ Build evidence/remediation workflow, not just scanning
- ✅ Validate with 10 customer interviews
- ✅ Secure seed funding ($1M minimum)
Ranking: #4-5 in current pipeline — below Sovereign Site Brain, Cerberus, Vision Ops.