

Statement of the Hon. Dean Phillips on CMMC Implementation: What It Means for Small Businesses

Cyber-attacks have the potential to threaten public safety and undermine the American economy and national security. The early months of 2021 provided harsh reminders of this fact. Over the past 6 months, hackers and other malicious actors have held an oil pipeline for ransom, breached the nation’s largest transit network, and attacked private companies to obtain sensitive customer data.


According to the Council of Economic Advisors, malicious cyber activity cost the U.S. economy between $57 Billion and $109 Billion in 2016. With our society’s reliance on technology and digitization growing, there’s no doubt that cyber-attacks will only become more prevalent moving forward. Recognizing the urgency of cyber threats, the Department of Defense has taken steps to protect sensitive defense information from attacks aimed at the over 300,000 companies that compose the Defense Industrial Base.


One of these efforts has been the creation of the Cybersecurity Maturity Model Certification. The CMMC is a framework that seeks to improve the protection of different types of sensitive unclassified information through the implementation of a unifying security standard across the DIB. The CMMC framework consists of a tiered system, with a series of processes and practices at each level. The program was designed based on numerous cybersecurity standards and frameworks.


CMMC relies on third-party certification to assess the relative cybersecurity maturity of DIB companies. Thus, when the initiative is finally implemented, and all contracts have requirements incorporating a specific CMMC level, only those contractors who have achieved the required CMMC level through the certification process will be eligible for an award.


The need for cybersecurity is unquestionable. It’s vital that companies in the DIB become more resilient and prepared for cyber-attacks. With that said, the CMMC initiative has the potential of driving many small businesses out of the defense industrial base. Therefore, we must get it right. To this end, it is important to pay attention to the numerous red flags small businesses have raised about the initiative. For example, many small businesses are concerned about the significant costs associated with CMMC compliance.


Guarding against cyberattacks can be cost prohibitive for many small businesses. Firms that seek to abide by CMMC must purchase new hardware and software, replace outdated technology systems, and pay the costs of initial certification and maintenance among other expenditures. Small businesses often run on thin margins, and the cost of CMMC has the potential to leave many small firms in the sector without a chance to compete for government contracts.


Many small businesses also don’t have the capacity to deal with the complexity of the initiative. Employees at small enterprises often wear many hats and have limited regulatory or compliance resources. This means that independent firms will be forced to turn to outside specialists for help navigating the program. For many small contractors, this is not feasible.


According to department plans, the DOD will implement the CMMC initiative on select contracts between FY2021-2025. In addition, in March, DOD initiated an internal assessment of CMMC partially guided by an effort to manage cybersecurity costs for small businesses.


This is a timely hearing, as it allows us to take a closer look at this program and its implications for small businesses. There’s no doubt that contractors working with the DOD must have adequate systems to handle cyber threats. At the same time, we cannot allow program requirements to drive small businesses out of the Defense procurement space.
