CMMC is coming, but concerns for small businesses persist under revamped rule

The Pentagon changed many aspects of the original Cybersecurity Maturity Model Certification program to help ease the burden on small businesses. But supporters of smaller companies in the defense industrial base still have plenty of concerns about the proposed CMMC rules.

The Office of Advocacy, an independent organization within the Small Business Administration, flagged its concerns in public comments on the CMMC regulations. Once effective, the Defense Department’s rules will require many defense contractors to have their compliance with cybersecurity standards certified through a third-party audit.

“Advocacy is principally concerned with the ability for small businesses to meet and comply with the standards and timelines set out in the CMMC program without further clarification and guidance documents from the DoD,” SBA Advocacy officials wrote in a Feb. 26 letter to DoD Chief Information Officer John Sherman.

DoD released the proposed CMMC rule for comment in December. Pentagon officials expect to finalize the rules later this year or in early 2025. The goal of the program is to ensure defense contractors are following cybersecurity standards meant to protect sensitive information.

In an April 26 webinar hosted by Geroge Mason University, Office of Advocacy Deputy Chief Counsel Major Clark emphasized his concerns with the costs of CMMC compliance.

“I hear quite often others saying that, well small businesses can recoup some of these costs from the government, which is not necessarily true, because most small business contracts are fixed price contracts,” Clark said. “They give a bid that is accepted. All of these other bells and whistles are not necessarily are allowed. And then the other aspect of this is many of the small businesses are subcontractors to the large primes. And these costs factors that they are saying can be recouped are not necessarily going to flow from that large prime down to that small business.”

Clark said the overall environment for small businesses is increasingly “treacherous.”

“It’s not that they don’t want to participate. It’s at what cost are they going to be able to participate? And how are they going to reap any type of profit?” he said.

The Pentagon revamped many aspects of the original CMMC program in late 2021, largely due to concerns about the cost of the program on small businesses. Under the current program, not all companies will have to get a third-party certification. And companies will be able to defer on instituting some cybersecurity requirements until a later date so they can still compete for defense contracts.

Still, DoD estimates that approximately 76,000 companies will need to get an audit from a CMMC third-party assessment organization (C3PAO).

Former Federal Chief Information Security Officer Grant Schneider agreed that implementing the cybersecurity requirements will be expensive for many businesses.

“It’s going to be burdensome, and it’s still going to be for most organizations, overhead costs that they’re going to have to bear,” Schneider said. “Certainly the program office has talked about the fact that they anticipate that these costs will be rolled in to rates from vendors, but how much do you roll in on your rate versus your competitor, when many things end up being a lowest cost technically acceptable? That is a concern that I think everyone’s going to need to be paying attention to.”

DoD will allow companies to create special IT “enclaves” for handling sensitive defense information. The idea is it would be less costly than implementing DoD’s cybersecurity requirements across a company’s enterprise network.

But SBA’s Office of Advocacy argues DoD needs to provide more details on the process for creating those special enclaves.

“The current rule does not provide clear guidance on the process to create enclaves, which would allow more small business subcontractors to participate in DoD contracts without meeting the full requirements necessary for the prime contractor,” SBA Advocacy officials wrote in their letter to DoD.

The office also wants more information from DoD on the role of C3Paos and the “indemnification a C3PAO has if a contractor or subcontractor is out of compliance.”

The Office of Advocacy also highlighted a concern among many CMMC stakeholders: whether there will be enough certified C3PAOs to handle the demand for certifications.

“Stakeholders raised concerns that if there are an insufficient number of C3PAOs to timely inspect every contractor before the rule is effective, then small businesses will be the last ones to be certified,” officials wrote in the letter. “Advocacy recommends creating a streamlined process to provide organizations with C3PAO certifications. . . . Particularly, there should be availability of C3PAOs for small businesses and ensure small business owners are not falling behind.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.