Will DOD's new cyber rules crush small business?

Two contract attorneys tell FCW that the DOD's Cybersecurity Maturity Model Certification framework could have a negative impact on small business and startups.


Contractors will soon have to get cyber certified to do business with the Defense Department. But there's early concern that the Cybersecurity Maturity Model Certification framework would block DOD's efforts to leverage startups.

Alexander Major and Franklin Turner, partners and co-leads for government contracts at McCarter & English LLP, told FCW that the rules could have a negative impact on small businesses and startups.

"Until we see the whole scope of who it's going to apply to and why it's going to apply to them, it could impact a lot of small companies," Major said.

And because the standard, as currently presented, would cover any company in the DOD supply chain, many more companies would have to comply -- or risk losing business.

Katie Arrington, DOD's chief information security officer for the Office of the Undersecretary of Defense for Acquisition and Sustainment, told reporters at the CMMC draft release Sept. 4 that it should only cost a few thousand dollars.

Turner said that estimate was "utterly foolish" and that the new certification could "likely be an impediment" to small businesses and startups simply due to resource constraints.

The pair agreed that a unified and unwavering cyber standard was needed because the National Institute of Standards and Technology guidance "is not enough."

"This is the first, quasi-granular look at the standards that are actually going to be required of contractors," Turner said. "I think it tells contractors they need to get moving because this is going to come out, it's going to be a standard, that's going to be incorporated into solicitations within the next year, ideally, if [DOD] is true to its word."

With NIST, Major stressed, "that's just the beginning of the puzzle. We tell clients all the time that it's great you're 800-171 [compliant], but congratulations you're still susceptible to ransomware" because the guidance does not direct companies to have a backup.

CMMC also adds four control families -- asset management, cybersecurity governance, recovery and situational awareness -- that NIST doesn't include.

But as things stand now, Turner said contractors could stand to lose a lot of money.

"Right now, I think a lot of companies are in a state of coordinating with their IT folks, their lawyers about how to best approach this," Turner said.

As for future trends, Major and Turner said they worry that competition could be affected if compliance costs drive small business out of the defense market. But once the standard is out, the hope is that companies can adjust to it, Major said.

"The Department of Defense really needs to find a dynamic standard that it expects its contractors to meet. This isn't an easy problem to fix, but there needs to be a standard, and changing it every one to two years is not helpful to anyone," he said.
