The Cybersecurity Maturity Model Certification (CMMC) program recently reached an important milestone, naming the first several certified third-party assessment organizations.
Kratos and Redspin made it through the CMMC maturity level 3 (ML3) assessment gauntlet performed by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIB CAC) and other administrative and personnel requirements.
“Reaching this step in getting the CMMC ecosystem up and running is a significant milestone and we look forward to authorizing additional C3PAOs in the coming days and weeks,” said CMMC-AB chief executive Matthew Travis in a release.
Insight by Tableau: Learn about the factors that are important for agencies to improving customer experience by downloading this exclusive executive briefing.
The naming of C3PAOs is the first step toward getting companies CMMC certified. The question now is whether vendors will decide it’s not worth the time or cost.
This is the potentially the case among electronic manufacturers.
A new survey from the IPC, an industry association representing electronic manufacturers, found nearly a quarter of all respondents said the cost and burden of CMMC may force them out of the defense industrial base (DIB).
About half of IPC’s 3,000 members are located in the U.S. and many are serving the DoD market.
Chris Mitchell, vice president for global government relations at IPC, said in an interview with Federal News Network that CMMC may lead to further contraction of an industrial base that has been shrinking over the last 20 years.
“This is important because we’ve already seen a considerable contraction and reduction in the number of electronics manufacturers here in the United States. To give you a sense of the kind of trajectory that we’ve been on as a country, over the last 20 years or so we have dropped from more than 2,000 printed circuit board manufacturers in the United States to fewer than 200. And that number is expected to decline further,” Mitchell said. “We were hearing from so many of our members that they were having anxiety about CMMC. It’s important to understand that electronics manufacturing generally is a thin margined business, so even small incremental cost increases can really effect a company’s competitiveness. As companies are beginning to undertake the assessments and do the other stuff necessary for certification, we were hearing from many of them that the costs were much larger than they had anticipated, and that there was continuing to be a lack of clarity about the requirements and what the timeline were.”
He added the combination of a shrinking industrial base combined with the costs and burden of CMMC could lead to the Defense Department facing a much weakened industrial base.
Taking this one step further, nearly every weapon system, every back-office process and every communication tool relies on the sector.
DoD’s January report to Congress on its industrial base capabilities underscored this problem.
“The dependence on foreign sources for semiconductor products continues to represent a serious threat to the economic prosperity and national security of the U.S., as much of the critical infrastructure is dependent on microelectronic devices,” the report stated. “This threat will become more pronounced as emergent technology sectors, such as Internet of Things (IoT) and AI, require commodity quantities of advanced semiconductor components.”
DoD also recognized the contraction in the market. The Pentagon said in the report that in the aerospace and defense sector, electronic equipment contributed 23% of total mergers and acquisitions’ deal value in the first half of fiscal 2020 about $15.4 billion. The most noteworthy of these mergers and acquisitions were the BAE Systems Inc. acquisition of Collins Aerospace-Military – Military Global Positioning System, and the Teledyne Technologies Inc. acquisition of Photonics Technologies SAS.
Mitchell said the potential impact isn’t just on the prime contractors, but the flow down to the subcontractors too.
“When it comes to the supply chain, there are already great strains on it. We had a call with an industry representative, not related to CMMC, and a big part of that discussion was the fact that we already are having a hard time sourcing parts, components, materials,” he said. “I think CMMC without some adjustments is likely to exacerbate these concerns.”
More than a third of the respondents say that CMMC will weaken the DIB, and 41% say the requirements will cause other problems in their supply chain. IPC received 108 responses from contract manufacturers, printed circuit board fabricators, original equipment manufacturers and suppliers who self-reported they are planning to undergo a CMMC assessment in the next five years.
Despite their concerns, IPC found some of its members, including original equipment manufacturers (OEMs), prime contractors and others already are beginning to implement CMMC.
Cost of CMMC is another obstacle for electronic manufacturers. The survey found most suppliers say they expect and are willing to spend upwards of $50,000 on CMMC readiness. Nearly one-third (32%) report that it will take them one to two years to prepare to undergo CMMC assessment.IPC found more than half of the suppliers say if implementation costs more than $100,000, CMMC would be too expensive.
“DoD’s own cost analysis estimated the cost of a CMMC Maturity Level 3 (ML3) certification to be more than $118,000 in the first year. This means DoD’s own estimate of CMMC compliance costs is too high for 77 percent of the IPC survey respondents,” IPC found.
DoD estimates the cost to obtain a CMMC level 3 certification to be about $118,000.
But Mitchell said that estimate seems to be low.
“Those companies that are going through that process are reporting much, much higher cost estimates in excess of $300,000 in some cases, and these are not large companies that we’re talking about,” he said. “I think the fear on our part is that as companies go through this process, the cost estimates are likely to increase, and as a result, the inclination to leave the defense market may increase as well.”
What the survey didn’t answer is just how big the DoD market is for these electronic manufacturers, and is it a big enough market for them to spend money on CMMC? For instance, the Center for Strategic and International Studies (CSIS) estimated that the Army would spend more than $5.6 billion on communications and electronics equipment last year. Overall, CSIS projected funding for communications, sensors and electronics to increase by 21% by 2022.
Is a $10-15 billion market big enough for these firms to spend a few hundred thousand each to play? Or is the potential not as attractive as the globalization of electronics sector means hundreds of billions more and DoD isn’t worth the trouble?
While IPC can’t necessarily answer it, it’s clear the dwindling number of contractors is concerning for both DoD and the industry at large.
The Defense Advanced Products Research Agency (DARPA), for example, initiated in 2017 the Electronics Resurgence Initiative (ERI) as a response to several technical and economic trends in the microelectronics sector.
Through the program, DARPA is funding work across seven areas, including accelerating innovation in artificial intelligence hardware to make decisions at the edge faster, mitigating the costs of electronic design and overcoming security threats in the hardware lifecycle.
Mitchell said IPC would like to see DoD provide more clarity and transparency around CMMC, particularly by addressing reciprocity with existing industry standards.
“There are many existing industry standards in place that have actually been doing a pretty good job of strengthening the security of the industrial base. IPC, in fact, has worked very closely with the Defense Department to establish IPC- 1791, which is a trusted supplier standard that also integrates into it cybersecurity requirements. Companies have now been working for more than two years in order to meet that standard and be validated. As a result, the printed circuit board and printed circuit board assembly industries are more robust today, are more secure today than they were two years ago,” he said. “We would love to see whether it’s in the context of CMMC, or apart from it. We would love to see DoD place greater emphasis on leveraging these standards. I think that they reflect an industry commitment to ensure that our industrial base is secure, both physically as well as cyber.”
Interestingly enough, DoD even refers to the IPC-1791 standard in its January report to Congress, saying “A strategy is currently under development and will require implementation by January 2023.”
Mitchell said IPC has shared the survey results with DoD, as well as lawmakers.
He said the goal is to use the data to help convince DoD to work more closely with industry to figure out how companies can earn the CMMC certification in a way that isn’t too burdensome and too costly. He said the other issues is to clarify how to gain compliance beyond hiring consultants.
“Let’s take every opportunity to try to leverage existing standards that are already in use by industry to figure out if we can fray some of the costs that way as well,” he said. “My understanding is that there is a desire to bring some uniformity across the entire industrial base. In many respects, if you talk to the industry, they think it’s a laudable goal. I think the challenge, of course, is that it isn’t just in the case of security, but both in terms of security and quality as whole, as well as a whole number of other areas. These companies are expending tremendous resources in order to have operations that are validated by one measurement or another. CMMC adds tremendous costs to businesses that are operating on the thin margins. So to the degree that we can leverage existing standards, we think that that’s a really good approach.”
IPC’s members’ concern over CMMC isn’t just one sector. While DoD has done a good job of talking about CMMC, the number of unanswered questions or what the path forward looks like is growing. DoD needs to make public how it will update its plan for CMMC based on Deputy Secretary Kathleen Hicks’ review that completed in May and squash some of the silly rumors that started to gain traction.