Small businesses ask Congress to focus CMMC on primes and DOD


Small businesses are lobbying Congress for a more lenient process to meet the Defense Department's unified cybersecurity standard for contractors, called the Cybersecurity Maturity Model Certification (CMMC) program.

Jonathan Williams, a partner at the Washington, D.C.-based law firm PilieroMazza, told lawmakers that many of small businesses' concerns could be assuaged if DOD and prime contractors shoulder the burden.

The key to keeping costs and concerns down is for DOD to stay true to its word and for most defense industrial base companies to need only CMMC Level 1, Williams told lawmakers during a House Small Business Committee hearing on CMMC's implementation on June 24.

"That's not guaranteed but if we can keep as many small businesses as possible at Level 1 that will strike the right balance between ensuring that these small businesses have at least the basic cybersecurity protections in place but allow them to avoid...the significant additional cost when you go from a Level 1 to a Level 3," Williams testified.

"Many small businesses will be unable to compete if more than a Level 1 is required."

DOD officials have described Level 1 as covering basic cyber hygiene practices, such as using multi-factor authentication. Organizations that achieve Level 1 would be permitted to handle, store or transmit federal contract information, which isn't for public release, according to DOD's assessment guide.

Those at Level 3 can handle controlled unclassified, or sensitive, information if the contract calls for it and are described as being able to provide "increased assurance to the DOD" and protect sensitive information that may flow "with its subcontractors in a multi-tier supply chain."

The hearing comes as DOD undergoes an internal review on its compliance with the CMMC standards alongside a review on the program itself and . It's been proposed that CMMC eventually expand to federal civilian agencies and departments or even other technology areas if successful with DOD. But questions remain on how much security compliance brings and at what cost.

Williams called for putting more responsibility on the government and prime contractors, such as making sure DOD contract clauses prevent prime contractors from imposing CMMC requirements on subcontractors that are more stringent than the subcontract's scope of work requires.

CMMC could also add flexible approaches to prevent subcontractors from having to put controlled unclassified information on their networks, he said, as doing so increases the security needs.

But there was also a call for leniency for small businesses and the organizations who would be assessing their cyber fitness on DOD's behalf.

Williams suggested that CMMC certifying organizations, called C3PAOs, be required to "fast-track" assessments for small businesses that are in line for a contract award.

But for Scott Singer, the president of CyberNINES, a consulting company based in Madison, Wisc., requirements should be looser for companies and organizations that want to be among the first certified assessors. (Only two companies have been authorized so far.)

"To get more C3PAOs through the process, I recommend there be a relaxation for the initial C3PAOs -- assess candidate C3PAOs to Maturity Level 1 or 2 now and require Level 3 in the future," said Singer, whose company is one of more than 160 companies that have applied to become a C3PAO and is going through the approval process.

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.

