Washington, D.C.— Today, the House Small Business Committee Subcommittee on Oversight, Investigations, and Regulations, led by Chairman Dean Phillips (D-MN), held a hearing examining the Cybersecurity Maturity Model Certification (CMMC). The CMMC is the Department of Defense's (DOD) latest initiative to increase cybersecurity preparedness across the defense industrial base (DIB). The hearing gathered small business owners and experts to investigate the program's substantial compliance challenges for small firms.
"The need for cybersecurity is unquestionable. It's vital that companies in the DIB become more resilient and prepared for cyber-attacks," said Chairman Phillips. "With that said, the CMMC initiative has the potential of driving many small businesses out of the defense industrial base. Therefore, we must get it right."
DOD created the CMMC framework to improve the protection of different types of sensitive unclassified information by implementing a unifying security standard across the DIB. CMMC consists of a tiered system that was designed based on numerous cybersecurity standards and frameworks. Many small businesses in the sector contend that the program imposes onerous and expensive mandates that make it hard for small firms to participate. Firms that seek to comply with CMMC must purchase new hardware and software, replace outdated technology systems, and navigate the resource-intensive certification process.
The hearing gave subcommittee members the chance to hear directly from experts and business owners about the challenges CMMC poses for small contractors and the state of cybersecurity preparedness for small businesses in the sector.
“From my experiences discussing CMMC with small businesses, one of the biggest areas of concern is that there remain more questions than answers on key aspects of the initiative,” said Jonathan T. Williams, Partner at PilieroMazza PLLC in Washington, DC. “In particular, small businesses are concerned about how much CMMC will cost, what CMMC level DOD agencies and prime contractors will require of small businesses, and how much time it will take to obtain the certification.”
“Those of us that work with NIST SP 800-171 and CMMC all day may start feeling like we know it, but for those that don’t, it is a daunting set of Acquisition Regulations, Export Control Regulations and cybersecurity contract clauses,” said Scott Singer, President of CyberNINES in Madison, WI. “I have seen Primes flow-down pages of requirements to a small business along with pointing them to their website for more. We need to make this process easier for them.”
“While unknown as of today, what has been communicated to the entire Defense Industrial Base is that if you don’t have the CMMC at the basic level, you will not be eligible for federal contracts,” said Tina Wilson, Chief Executive Officer of T47 International, Inc. in Upper Marlboro, MD. “Many small businesses may not even be aware of this new requirement and that failure to obtain certification means ending contract work as a service provider to the Department of Defense. These companies will not be able to make employee payroll and the dream of having a meaningful business to take care of the business owner’s family could also end.”