Department of Defense budget posture in review of the Defense Authorization Request for FY 2022
As cybersecurity becomes increasingly intertwined with national security, the risks and vulnerabilities associated with the cyber realm continue to replace historic concerns at the forefront of the priority list. Accordingly, the Department of Defense (DoD) issued an interim rule on 29 September 2020 amending the Defense Federal Acquisition Regulation Supplement (DFARS) to include new cybersecurity regulations aimed at protecting against cyber-attacks vis-á-vis more vulnerable contractors and subcontractors. The Cybersecurity Maturity Model Certification, or CMMC, enacts new policy and procedural requirements that small businesses and primes alike must implement in order to compete for DoD contracts. While most agree on the importance of adopting rigorous cyber defense, the five-tiered benchmark system has many within government and industry concerned on the costs, clarity, and implementation processes of CMMC.
On 24 June 2021, the Oversight, Investigations, and Regulations Subcommittee of the United States House Small Business Committee held a hearing on CMMC implementation and what it means for small businesses. Chairman Rep. Dean Phillips (MN-3), Ranking Member Rep. Beth Van Duyne (TX-24), and other members engaged in conversation with witnesses Jonathan T. Williams, Scott Singer, Tina Wilson, and Michael Dunbar regarding the relationship between small businesses and CMMC. In their respective statements and responses, the witnesses articulated DIB companies’ growing financial concerns, frustration on the general lack of clarity and communication, and apprehension towards needing potentially higher than necessary certifications based on their own size or due to DIB primes’ flow down privileges.
None of these issues are mutually exclusive; CMMC as a whole precipitates much overlap with preexisting regulations, such as NIST SP 800-171, along with some seemingly contradicting policies. More specifically, the transition from predating regulations to CMMC has, counterintuitively, made the process more difficult. Primarily, CMMC implements a shift from self-assessment to assessment by Third Party Assessment Organizations (C3PAOs). This aspect of the transition will undoubtedly mitigate cyber risks associated with noncompliance in the long run. However, in preparing for this assessment, contractors and subcontractors must still self-assess insofar as deciphering which Level of CMMC must be met to pass the audit and receive the certification. Accordingly, small businesses in particular fear losing out on a contract due to underestimating the appropriate Level or spending more than necessary due to overestimations.
The Levels are determined based on if, how much, and how sensitive a DIB company’s possession, storage, or transmission of Controlled Unclassified Information (CUI). On the basis of FAR clause 52.204-21, Level 1 comprises any company that does not engage with CUI but does possess Federal Contract Information (FCI). These regulations will not be imposed on DIB companies that handle solely Commercial-Off-The-Shelf (COTS) products. Level 2, which more so functions as a transitional phase than a major benchmark, integrates CUI-related regulations in order to prepare companies for future roles. As such, Level 2 consists of some NIST SP 800-171 requirements. Should a company possess CUI and/or have a DFARS clause in their contract, CMMC prescribes a minimum of Level 3. Level 3 maintains the requirements of NIST SP 800-171 along with 20 additional security standards. Like Level 2, Level 4 aids a company’s transition; in this case, companies must adopt enhanced security requirements essential for protecting highly sensitive CUI from APTs as required of companies at Level 5.
Discussion regarding distinctions between Level 1 and Level 3 dominated much of the hearing, as witnesses and members questioned why such a jump is necessary along with how small businesses will be able to maintain competitiveness after such a significant expenditure. Michael Dunbar, the President of Ryzhka International LLC who testified on behalf of the HUBZone Contractors National Council, explained to members that a jump from Level 1 to 3 would likely incur over $100,00 overall excluding the $15,000-20,000 the company already spends on cybersecurity annually. Dunbar’s estimate contrasts starkly to those given by the DoD, which Jonathan T. Williams quoted as approximately $26,000 to complete the 20 additional practices required by Level 3 and $29,000 to be assessed by a C3PAO. In discussing these estimates, Williams, a Partner at PilieroMazza PLLC and representation for government contractors, stated that DIB companies will most likely spend roughly $130,000 to account for all aspects of CMMC and that DoD grossly overestimated the status and extent of small businesses’ current compliance.
Beyond CMMC-specific costs, witnesses described how an addition of any new market factor risks the vitality of small businesses within the DIB. Tina Wilson, the Chief Executive Officer of T47 International, Inc., reemphasized the extent to which moving from Level 1 to Level 3 would incur exacerbated growing pains for companies such as hers, specifically when in conjunction with costs such as ISO, SBA 8(A), and woman-owned small business certifications. Accordingly, the subcommittee members struggled to understand how economically feasible CMMC is as it stands and how the government could aid small businesses through the transition; Representative Daniel Meuser (PA-09) stated that “it seems that some of the focus on compliance with these mandates is even truncating [their] actual ability to focus on actual cybersecurity.” Members and witnesses concluded the hearing by positing suggestions for streamlining and strengthening communication regarding and explanations of CMMC for small businesses.
As CMMC continues to establish itself as a norm within the DIB, NDIA and its divisions and affiliates continue to inform and aid small businesses through the transition. For a more detailed breakdown on these policies and processes, join NDIA and AIA at the Industrial Security Summer Webinar to hear from executive-level security leadership and policymakers as they address major government security topics including but not limited to CMMC. For more on The Pitfalls of Factoring in Security and CMMC Costs, Addressing Solicitation, Contract Performance After CMMC, and other important insights into CMMC, visit National Defense, NDIA’s Business & Technology Magazine.