The Pentagon’s draft CMMC rule doesn’t exempt small firms from the security standards for defense contractors and subcontractors, but that doesn’t mean they won’t receive any help meeting the requirements.
The Pentagon’s proposed updates to the Cybersecurity Maturity Model Certification — or CMMC — program will require both large and small firms that handle sensitive military information to comply with the same basic cyber requirements, but that doesn’t mean small businesses will be squeezed out of Department of Defense contracts, experts said during a conversation hosted by Washington Technology on Wednesday.
The CMMC program — which launched in 2020 and was updated in 2021 — works to ensure that the more than 70,000 companies that do business with the Pentagon are taking the steps necessary to secure controlled unclassified information. Known as CUI, this type of government data is not classified but is still considered sensitive and in need of protection.
DOD released its proposed CMMC rule update on Dec. 26, which outlined a tiered security model for companies depending on the level of sensitive information involved in their work. The department plans to accept public feedback on its proposal through Feb. 26, with the final rule expected to be released before the end of the year.
Smaller contractors and subcontractors have faced difficulties in the past complying with CMMC, and experts acknowledged the inherent difficulties DOD faces in mandating enhanced security while ensuring that small firms can still work with the department.
Matt Travis, CEO of the Cyber AB, the nonprofit accreditation body for the CMMC program, said DOD’s proposed rule “shouldn’t really be surprising,” adding that the department “reached out to a lot of stakeholders internally and externally to try to get to the point where they are.”
Travis said, however, that DOD is “not in a very enviable position” when it comes to the requirements for small businesses, noting that these companies often maintain or manage valuable information and still need to adhere to stringent security standards.
“[DOD is] responsible for protecting this information or having this information protected, and if they give small businesses a lesser standard then our adversaries will know that's where we're going to go to get this information,” he added.
Eric Crusius — a partner with Holland & Knight — echoed that sentiment, saying that “the department was very clear that these are the requirements, this is the standard, and if you're going to do business with the Department of Defense, you must conform to the CMMC standard.”
He added that he expects there to be a number of side discussions during the public comment period “on how small businesses might interpret these requirements vis-à-vis their own business outlooks,” as well as a focus on ways of helping smaller firms recoup their cyber-related costs.
“I think it's really important that they have very similar cybersecurity protections as the large businesses do, but yet, they're not in the same financial position to absorb those costs — at least initially,” Crusius said.
Travis also noted that DOD “has a number of programs and entities that are in a position to help small businesses,” although he said it is likely “that any additional incentives or support mechanisms for a small business will come outside the rule.”
“I suspect we'll be hearing more on some initiatives that may be applicable to CMMC that don't go through the formal rulemaking process,” he added.
Industry and government representatives have previously cited the need for smaller firms to align their cyber practices ahead of time with the relevant security standards published by federal agencies, including the National Institute of Standards and Technology, so that they are better positioned to meet CMMC’s requirements when they apply.