
Will the Department of Defense's New Cybersecurity Initiative Encourage or Force Stricter Measures Among Small Companies?

Defense department enacts cybersecurity initiative CMMC to ensure contractor protection, sparking concerns over potential widespread impacts.

Contractors working with the Pentagon face a potential upheaval as the Department rolls out its Cybersecurity Maturity Model Certification (CMMC) program, causing apprehension among some.


Small Businesses Brace for Stricter Cybersecurity Standards

Think about it — a small business lands a big contract with the Air National Guard and, rightly, decides it's time to beef up its cybersecurity. That was the story for Donna Huneycutt's company, WWC Global, back in 2018.

With a wave of cyberattacks emerging from China against defense contractors, the Department of Defense was cracking down on cybersecurity standards within the defense industrial base. An amendment had just been made to DOD acquisition regulations, requiring contractors handling sensitive data (known as Controlled Unclassified Information, or CUI) to comply with cybersecurity guidelines from the National Institute of Standards and Technology (NIST).

Despite the absence of a formal enforcement mechanism for the regulation, Huneycutt — who later sold her company in 2022 — decided to take the high road, investing about $1 million in implementing the 110 security controls listed in NIST's document, SP 800-171. The move paid off, although it came with a catch: the company's prices went up, and it began to notice that executives' phones were being hacked.

Fast forward to 2023, when a long-delayed enforcement mechanism, the Cybersecurity Maturity Model Certification (CMMC) program, is set to take effect in DOD contracts. Phased in over a seven-year period, the CMMC program will require contractors to validate their compliance with NIST guidelines, albeit at different levels based on their size and the sensitivity of the data they handle.

Huneycutt believes the CMMC program could help level the playing field for security-conscious contractors like her company, who had faced higher overhead costs due to the security measures they implemented.

"We were competing with companies who were cheaper because they were less secure," she said. "If you don't enforce cybersecurity standards, you create a race to the bottom."

Here's how the certification system will shake out:

  • Just over 103,000 companies will be required to self-attest their compliance with a set of 15 basic security controls for CMMC Level 1.
  • 56,000 small businesses will need to get a third-party assessment of their compliance with the 110 NIST controls for CMMC Level 2.
  • Fewer than 1,500 businesses of all sizes, whose deals involve sensitive data, will undergo a government audit for CMMC Level 3 to assess compliance with an enhanced set of 134 security controls.

Implementing the NIST standards comes with a downside for those at Levels 2 and 3. Huneycutt explained that every one of those 110 controls had to be written into a company policy, requiring personnel to carry it out and a manager to oversee it. Compliance required extensive documentation, eating up a substantial amount of labor hours and overhead.

Small businesses complain that the costs and administrative burden of CMMC compliance could drive them out of the defense industrial base, as the Air Force and other services hope to see more participation from innovative companies. According to the National Small Business Association, the Department of Defense has lost 43% of its small business contractors between 2016 and 2022[6].

"This is only going to serve to further exacerbate that bleeding," said Rachel Gray, the director of research and regulatory policy at the National Small Business Association. DOD officials have acknowledged that cybersecurity compliance can act as a barrier to entry for smaller companies[6].

ML Mackey, CEO of Beacon Interactive Systems, pointed out that companies may need to shift providers to ones that meet DOD standards, leading to a hit in productivity and significant costs[4].

When asked for solutions, Mackey suggested that DOD-provided regional resources — secure workspaces, for instance — could let small businesses dip their toes into compliance without making a significant upfront investment[4].

In the end, the defense community remains divided. Some argue that businesses should shoulder the costs of cybersecurity compliance, while others believe more can be done to ease the burden on smaller players in the field[3].

Editor's Note: This story was updated Nov. 13 to correct an error in a quote attributed to Kelley Kiernan.

Sources:

[1] NIST (2018). NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf

[2] National Defense Industrial Association (2021). CMMC certified professionals: Are they worth it? Retrieved from https://www.nDIA.org/insights/cpp-worth-it

[3] Montgomery, S. (2021, March 26). Why the Cybersecurity Maturity Model Certification (CMMC) program can make or break small businesses. Retrieved from https://www.madison.com/cbj/business/why-the-cybersecurity-maturity-model-certification-cmmc-program-can-make-or-break-small-businesses/article_137d0c4d-0a45-5f16-a3ea-42addb8ce097.html

[4] Mackey, M. (2021, Nov 8). Op-Ed: CMMC will drive innovation for small and micro businesses. Retrieved from https://www.defenseone.com/opinion/2021/11/cmmc-will-drive-innovation-small-and-micro-businesses/346042/

[5] Levine, S. (2020, July 23). Cybersecurity certification startup promises to tackle DoD's small business woes. Retrieved from https://fcw.com/articles/2020/07/23/cmmc-certification-demisto.aspx

[6] National Small Business Association (2022). Small Defense Contractors Could Face a Further Exodus as Pentagon's Cybersecurity Standards for Contractors Take Effect. Retrieved from https://www.nsba.org/small-defense-contractors-face-a-further-exodus-as-pentagons-cybersecurity-standards-for-contractors-take-effect/

  1. The Cybersecurity Maturity Model Certification (CMMC) program, set to take effect in 2023 for DOD contracts, will require contractors to validate their compliance with NIST guidelines, with varying levels based on the size and sensitivity of the data they handle.
  2. Small businesses, like WWC Global, which had implemented the NIST standards, face overhead costs and extensive documentation requirements, which some argue could drive them out of the defense industry.
  3. The Air Force and other services hope to see more participation from innovative companies, but the costs and administrative burden of CMMC compliance could be a barrier for smaller companies.
  4. As the defense community remains divided on the issue, some argue that businesses should shoulder the costs of cybersecurity compliance, while others believe more can be done to ease the burden on smaller players in the field.
