Public Contract Law Journal Vol. 50, No. 3

The Price of a Cybersecurity Culture: How the CMMC Should Secure the Department of Defense’s Supply Chain Without Harming Small Businesses and Competition

Aleksey House

Summary

  • Discusses Department of Defense (DoD) cybersecurity requirements and the Cybersecurity Maturity Model Certification (CMMC), the new and evolving certification framework that provides a “unified cybersecurity standard” for the DoD’s acquisitions
  • Analyzes problems with the Current CMMC Model and Implementation Schedule
  • Argues that DoD can implement the CMMC by facilitating communication across the supply chain and providing assistance to small businesses to achieve optimal understanding and participation
Abstract

The Department of Defense released the final version of its landmark cybersecurity certification program on January 31, 2020, titled the Cybersecurity Maturity Model Certification. The new program features a third-party audit requirement based on a multi-level certification framework that is intended to strengthen the cybersecurity hygiene of all defense contractors included in the Department of Defense’s (DoD) supply chain. The program was quickly established and introduced in response to the growing concerns over threats of cyber-crime. There is a high cost of compliance with this new certification program and it will greatly impact the ability of many businesses to compete, especially small businesses. This Note explores the policy tensions between two of the DoD’s goals: creating a stricter cybersecurity regime and preserving small businesses’ ability to compete for defense contracts.

I. Introduction

Cybersecurity is an issue that “stands front and center for the Pentagon.” About $600 billion, or one percent of global domestic product, is lost through cyber theft each year. The state and private actors involved in this cyber-crime target the Defense Industrial Base (DIB) “to close [the] capability gaps” between themselves and the United States. Furthermore, “[t]he aggregate loss of Controlled Unclassified Information [(CUI)] from the DIB sector increases risk to national economic security and in turn, national security.” The loss of CUI is not the only threat posed, as only 10,000 out of the 300,000 companies that make up the Pentagon’s supply chain have cybersecurity requirements at all.

The current cybersecurity regulations are implemented in the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 (DFARS 7012) and the National Institute of Standards and Technology Special Publication (NIST SP) 800-171. These regulations provide that companies must “safeguard covered defense information, report cyber incidents[,] and facilitate damage assessment.” Despite these regulations, a large portion of the DIB does not comply with DFARS 7012. Currently, forty-four percent of prime contractors do not have system security plans from their subcontractors and are not in compliance with DFARS 7012; likewise, only five percent of prime contractors have taken corrective action against their subcontractors, allowing the risk of cyber-crime to continue unchecked. The National Defense Industrial Association (NDIA) published a report in 2020 that revealed alarming facts about the declining health and readiness of the defense industrial base. Among the NDIA’s most shocking findings: the defense industrial security score for 2019 would be the equivalent of a C grade.

As the NDIA report neatly illustrates, the current regulatory scheme is not working. While at first the federal government was slow to respond to these growing and increasingly adaptive cyber threats, it has recently unveiled a new cybersecurity initiative that specifically addresses the cyber hygiene of all government contractors within the defense industrial base.

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) new and evolving certification framework that provides a “unified cybersecurity standard” for the DoD’s acquisitions. The CMMC framework was created in “recogni[tion] that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward.” The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) reports that the DoD “is committed to working with the [DIB] sector to enhance the protection of [CUI] within the supply chain.” Along with this commitment, the DoD aims to instill a culture of cybersecurity, stating that “a culture of cybersecurity throughout all aspects of the business is essential to mitigate risks and minimize impacts if a cyber breach occurs.”

The CMMC represents a “major shift” in “DoD supply chain cybersecurity policy.” First, contractors will be audited by independent Third-Party Assessment Organizations (C3PAOs) to obtain certification, rather than through self-certification. Second, the CMMC includes five maturity levels that range from basic cyber hygiene to advanced cyber hygiene. Finally, all defense contractors and lower-tiered subcontractors will be required to achieve CMMC certification, not just those contractors or subcontractors that have access to controlled unclassified information. This is a significant change for defense contractors who were not required to comply with the existing cybersecurity requirements before the CMMC.

The DoD initially attempted to implement the new CMMC framework on an aggressive schedule—less than a year after introduction of the model. Instead of creating a unified standard applicable to all defense contracts through a formal rulemaking process, the DoD began to partially implement the CMMC by including the new requirements in ten pathfinder projects in December 2020 before any formal revisions were actually made to DFARS. Each contract involved about 150 subcontractors, none of which were certified. Yet the training and assessment guides for Level 1 and Level 3 were not even released until the end of November 2020. Eventually, the DoD “issu[ed] an interim rule” to implement NIST SP 800-171 and the CMMC framework on September 29, 2020, that became effective November 30, 2020.

In a 2019 forum discussion, Ellen Lord, the former Undersecretary of Defense for Acquisition and Sustainment said, “When it comes to working on defense contracts . . . cybersecurity standards are non-negotiable and can’t be traded as part of contract negotiation, as are things like cost, quality[,] or schedule.” The CMMC “is only the first line of defense for contractors’ overall cybersecurity program,” and the “CMMC will evolve over time” in order to respond to new threats as the landscape changes. Yet, Lord also stated the DoD will not put small contractors out of business because the DoD needs them. Under the current CMMC implementation scheme, the DoD cannot achieve both goals, because small businesses cannot afford CMMC compliance.

Recognizing that compliance will be expensive, the DoD announced that the costs of obtaining certification “will be considered an allowable, reimbursable cost and will not be prohibitive.” But the cost allowability function is almost useless to small businesses since most do not utilize cost-reimbursement contracts. It is still unclear to what extent the DoD “plans to reimburse contractors” for CMMC compliance costs and “how the reimbursement will occur.” Furthermore, contractors are not eligible to bid for contracts until they receive the proper level certification from the C3PAOs. This presents a problem for small businesses who do not have the resources to get certified and cannot be reimbursed by the government beforehand.

This Note explores problems that small businesses will face due to the CMMC’s aggressive implementation timeline. Additionally, this Note proposes various solutions to alleviate the policy tensions between preserving competition for small businesses and securing the DoD’s supply chain. These solutions include small business assistance programs, such as funding options and cost exemptions, alongside a slower approach to CMMC implementation to ensure program effectiveness and uniformity. Part II examines the framework, details, and requirements of the CMMC model. Next, Part III addresses the problems with the current CMMC model and outlines the concerns of industry participants, including a reduction in competition, a possible shortage of suppliers, and a lack of clarity around the requirements. Finally, Part IV suggests that a slower and more formal implementation of the CMMC would solve some of these problems and allow industry input to find a balance between the policy tensions; it also makes recommendations on how the DoD can and should assist small businesses in preparing for CMMC implementation through training and funding programs.

II. Background: The Immaturity of the Cybersecurity Maturity Model Certification

Nearly a year after the final version of the CMMC was released, many questions still remain unanswered and the DIB continues to struggle to implement the CMMC. This Part explores the details of the CMMC framework and the various requirements it imposes on defense contractors. The following Part explains how the DoD’s rapid implementation plan for the CMMC has led to various unanswered questions and fails to account for the unique issues facing small businesses.

In addition to providing a unified cybersecurity standard with a verification system, the CMMC framework also “includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.” The CMMC framework combines various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933, and others into one unified standard for cybersecurity requirements. The purpose of the CMMC is to streamline the existing cybersecurity standards because the current practices are inconsistent, and contractors have struggled to secure their supply chains as a result.

Further, the DoD will no longer accept self-certification and will now require third-party verification before contractors are considered eligible to bid on contracts. “The CMMC . . . builds upon [the] existing regulation . . . based on trust by adding a verification component with respect to cybersecurity requirements.” The DoD’s goal is to develop a more robust and unified enforcement mechanism to measure a defense contractor’s ability to safeguard the CUI handled in the performance of all the DoD contracts.

In lieu of self-certification by contractors, the DoD established an independent accreditation body to manage the C3PAOs. In January 2020, the DoD created the CMMC Accreditation Body (AB), made up of members from the DIB, the cybersecurity community, and the academic community. This body is responsible for setting the auditing standards and overseeing the training, quality and administration of the C3PAOs. Based on these standards and guidelines, the C3PAOs will then audit defense contractors to verify that they are meeting the certification program’s requirements, which include “the most rigorous standards for protecting [CUI] and non-federal networks.”

More specifically, the CMMC model implements five levels of maturity ranging from basic cybersecurity controls at Level 1 (Basic Cyber Hygiene) to highly advanced practices at Level 5 (Advanced). The DoD will make an assessment for each acquisition to determine the required level of CMMC certification. The purpose of this tiered approach is “to reduce the cybersecurity burden on contractors and suppliers performing low-risk efforts, while at the same time ensuring that [the] DoD has the flexibility to impose more stringent requirements for higher-risk acquisitions.” Before granting CMMC certification, the C3PAO will perform an audit of the contractors to determine what certification level the contractor will receive based on its compliance with the CMMC requirements; this certification is valid for three years before a renewal is required.

The model consists of seventeen domains, which are sets of capabilities based on cybersecurity best practices, including how to protect controlled unclassified information. Most of these domains are not particularly new, as the majority of them “originate from the . . . Federal Information Processing Standards (FIPS) Publication 200” security-related areas and the NIST SP 800-171 control families. Each domain is separated into capabilities, described as “achievements to ensure cybersecurity objectives are met within each domain.” Within each capability, achievements are further broken down into practices and processes. Practices evaluate technical activities that must be performed, while processes evaluate the extent to which those practices are instituted within the company.

CMMC Version 1.02 provides a general description of the multi-level framework, including a brief overview of the focus for each level:

CMMC Level 1

Processes: Performed

Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.

Practices: Basic Cyber Hygiene

Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”).

CMMC Level 2

Processes: Documented

Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.

Practices: Intermediate Cyber Hygiene

Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices reference the protection of CUI.

CMMC Level 3

Processes: Managed

Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.

Practices: Good Cyber Hygiene

Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats.

It is noted that DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) specifies additional requirements beyond the NIST SP 800-171 security requirements such as incident reporting.

CMMC Level 4

Processes: Reviewed

Level 4 requires that an organization review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.

Practices: Proactive

Level 4 focuses on the protection of CUI from [Advanced Persistent Threats (APT)] and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

CMMC Level 5

Processes: Optimizing

Level 5 requires an organization to standardize and optimize process implementation across the organization.

Practices: Advanced/Proactive

Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

CMMC Version 1.02 also provides a matrix to illustrate the concepts of practice and process maturity for each domain. Additionally, the current model notes that adherence to CMMC processes and practices is cumulative. This means that when a practice is introduced in a certain level, it is a required practice for all levels above as well. For example, for a contractor to achieve Level 3 certification, all the practices and processes defined in Levels 1–3 must be achieved. Similarly, an organization must meet both the practices and processes within that level and below across all of the domains to reach a specific certification level. For example, an organization that achieves Level 3 on practice implementation and Level 2 on process institutionalization would be certified at CMMC Level 2.

Although the DoD has not provided the same amount of detail regarding Levels 4 or 5, CMMC Version 1.02 did indicate that the cybersecurity activities at these levels are modeled after NIST SP 800-171B (now NIST SP 800-172). “Special Publication 800-171B [was] proposed in June [2019] in response to ‘advanced persistent threats’ from foreign adversaries such as China, Russia, North Korea[,] and Iran.” Regardless, the Pentagon has stated that it is pushing forward with certifying contractors and that it cannot afford to hold off.

While CMMC Version 1.02 clarified some questions and provided more detail on the various Levels of compliance, significant questions remain unanswered. For example, the uncertainty in the definition of Covered Defense Information and in how contractors should define information system boundaries has not yet been addressed. According to practitioners, the answers to these questions can “radically alter the steps a contractor must take” to comply with NIST SP 800-171. Additionally, the National Institute of Standards and Technology (NIST) stated that it intended for SP 800-172 to apply only to a very small portion of contractors, somewhere around 0.5%. Likewise, it is unclear whether the DoD intends the same for CMMC Levels 4 and 5.

Additionally, there remains confusion among the industry regarding what constitutes CUI. This confusion stems from the inconsistent definitions and conflicting guidance that are provided across DoD contracts. More questions include:

[H]ow the [DoD] and its auditors will handle the immediate influx of contractors requiring certifications; the specific criteria for determining the certification level necessary to perform a contract; how the department and its accreditation body will ensure consistency of third-party audits; and how it will address the impact on commercial item and small business contractors, which ordinarily do not obtain significant cost recovery under reimbursable contracts with the government.

III. Problems with the Current CMMC Model and Implementation Schedule

This Part discusses the problems and challenges that CMMC implementation will present to small businesses within the defense industrial base. Specifically, this Note suggests that the only effort that the DoD has made to alleviate these challenges—cost allowability—is insufficient to assist small businesses since many do not use cost-reimbursement contracts to begin with. Instead, the DoD must offer new funding solutions such as cost exemptions, one-time subsidies, and training assistance programs to facilitate more detailed communication and better preparation for CMMC compliance.

A. Competition and Logistical Challenges: An Aggressive Implementation Schedule Will Disrupt the DoD’s Supply Chain Due to Unnecessary Competition Restrictions and a Shortage in Certified Suppliers

While the CMMC is intended to push contractors to strengthen their security standards and increase visibility into the DoD’s supply chain, “it could also render a significant chunk of the Pentagon’s contractor pool ineligible for its most sensitive projects.” Very few of the 300,000 contractors that will require certification have state-of-the-art cybersecurity. Moreover, the Office of the Secretary of Defense estimates that “the majority of them are at the lower end” of the CMMC scale.

Overall, “[t]he CMMC [framework] introduces a significant number of new controls and requirements,” and “[e]ven the most sophisticated of contractors will likely find compliance difficult and the continued maturation of the model will make compliance with [the] DoD’s ambitious deadlines a challenge across the DIB.” This challenge is further exacerbated by the complete lack of guidance. “[N]o insight” has been provided “into how [the] DoD will determine the CMMC certification level required for each contract solicitation or whether it intends to standardize a process.” The only information that the DoD has provided thus far is that the “program manager[] will also be taught how to determine which companies need to meet certain cybersecurity levels.”

This presents logistical challenges that will also impact existing contracts. For existing contracts, the DoD “plans to insert the certification requirements during renegotiations” beginning with high-priority contracts, such as major weapons programs. According to NDIA Director Corbin Evans, “They will essentially go contract by contract for renegotiations if they are multi-year contracts . . . . Then they’re going to roll this out starting . . . with the most sensitive contracts and then moving . . . all the way down to apparel supplies.” The working estimate for the number of companies that will need to be certified is over 300,000, “with a very high percentage of those companies in the micro-, small-, and mid-size range.” Defense industry associations, other industry officials, and policy specialists have voiced their concerns about the potential impact the CMMC will have on suppliers, including the possibility of supplier shortages, particularly if smaller companies are unable to meet the strict requirements. Yet the DoD is “pushing forward” with “the aggressive schedule . . . to begin implementation of the landmark contractor certification program” throughout 2021.

Industry participants had doubts regarding the implementation schedule from the start. “Corbin Evans . . . said achieving compliance across the estimated 300,000 companies in the [DIB] by late 2020 may be unrealistic.” The “[Professional Services Council (PSC) has] urged [the] DoD to pursue a ‘more gradual implementation plan’ so all companies can get certified ‘in a timely manner.’” The PSC’s letter to the DoD stated that “[s]ufficient resources need to be established in order to certify all companies by the implementation deadline to ensure equal access to the early bidding process and a competitive market.” The AIA even suggested that the DoD should publish an implementation plan “that defines how the certification of an estimated 300,000 companies will be accomplished.” However, industry officials also believe there is no time to waste on improving cybersecurity practices across the defense industrial base given the proliferation of cyber threats.

Further, recent discussions have brought attention to the policy tensions facing the defense industrial base as they move forward with CMMC implementation. Some industry officials report that they understand and are sympathetic to the security concerns but “are worried about the negative impacts of rolling this out department-wide and essentially pushing people out of the [DIB].” Katie Arrington, the Chief Information Security Officer for the Assistant Secretary for Defense Acquisition, acknowledged these concerns but defended the CMMC program, stating that “[w]ith [seventy percent] to [eighty percent] of our data living on my contractors’ networks, I don’t have a choice but to worry about how they’re doing it.” She dismissed concerns about the cost of CMMC compliance, saying “[g]ood riddance” to the “vendors that think the cost of compliance will be prohibitive.”

In response, defense contractors point to numerous compliance challenges, including high costs for a low return on their investment and a lack of guidance on how to actually comply with CMMC standards. For most contractors, these costs stem from investments in “human resources, training employees[,] and allocating the personnel to map out and formalize internal IT policies.” Moreover, it still remains unclear how contractors will be reimbursed for costs associated with compliance.

Regardless of the certification level required in the contracts or the timeline of implementation, the CMMC costs too much for small businesses attempting to contract with the DoD. These cost barriers will likely exclude many businesses from competing since they will be unable to afford certification. This means fewer firms will be competing for each contract, leaving lucrative defense contracts open only to larger, wealthier businesses.

B. Small Business Competition Concerns: The CMMC Will Have Severe Consequences for Many Small Businesses’ Ability to Compete

The DoD states that it “maximize[s] opportunities for small businesses to compete for DoD prime contracts and subcontracts,” and Ellen Lord stated that the DoD does not want to lose those small companies. But the CMMC will almost certainly result in the DoD losing small business contractors. Overall, small businesses are twenty percent less likely than larger businesses to have implemented the current cybersecurity measures. This lower level of implementation can be explained by various factors, including cost and a “lack of experienced personnel to implement secure practices.” As a result, noncompliance is almost a given, because many small businesses would most likely fail to meet the CMMC requirements.

In light of these concerns, three of the largest defense industry associations have expressed their broad support of the CMMC but have also pushed back on specific elements. Likewise, the Small Business Administration (SBA) urged the DoD “to subject the CMMC to a formal rulemaking process.” According to the DoD, “The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.” However, the costs of obtaining high levels of CMMC certification will almost certainly “produc[e] market entry barriers and limit[] competition.” This could impact those contractors in the DoD supply chain that cannot afford to obtain a high-level certification. In other words, small businesses may not be suitable or even eligible “for many or most contracts” if they are only able to achieve low level certifications. There is currently no overlap between the levels that are economically feasible for small businesses and the levels that are actually sufficient for contracting with the DoD under the new requirements.

From a contractor’s perspective, Michael Flavin, Director of IT Sales at Saalex Information Technology, worried that “these new requirements will largely affect small businesses because they may not be able to handle the financial burden associated with completing the certifications.” Just to receive a gap analysis from a consultant for a DoD contractor with twenty employees could cost between $25,000 and $50,000. This is simply not something that every contractor will be able to afford. The CMMC website says businesses will be disqualified if they do not obtain the proper certifications. Flavin noted, “‘[Small businesses] can’t bid on it’ or recompete for contracts . . . [which] really could suck the lifeblood out of a company.”

Achieving “CMMC complian[ce] could be more expensive than the Pentagon anticipated . . . and it remains to be seen who will ultimately bear the cost—contractors or the government.” According to Director Corbin Evans, it will cost about $250,000 to obtain Level 3 compliance. Other expenses contractors will face include the costs of an in-house IT staff to keep up with the requirements through “subscription services that are required for compliance with a number of these controls, such as active encryption software.” In addition, “[c]ontractors will also have to pay to have their cybersecurity systems inspected and certified by” the C3PAOs, and the cost of this is still unknown.

These consequences are problematic because small businesses play a “significant role . . . in the U.S. economy and as a critical component of the [DIB].” Many contractors and subcontractors are small businesses, and the DoD has not provided any clarification on the certification level required for subcontractors. Similarly, it is still unclear whether the prime contractor is responsible for making this determination or if all subcontractors must meet the level assigned to a particular contract regardless of the data that flows to those subcontractors.

The current implementation plan could also “have a tremendous negative impact” on the DoD’s ability to “achieve[] its statutory annual procurement goals for small businesses.” Specifically, “[twenty-three] percent of the total value of all prime contract spending is required to be awarded to eligible small businesses.” The inability of small businesses to compete will restrict competition and could ultimately lead to far fewer set-asides for small businesses. Beyond the cost obstacles that the CMMC presents to small businesses, it also remains unclear how, or if, contractors will be able to challenge the restrictive certification requirements and the decisions made under them.

IV. Balancing the DoD’s Goals: The DoD Can Implement the Robust Cybersecurity Regime by Facilitating Communication Across the Supply Chain and Providing Assistance to Small Businesses to Achieve Optimal Understanding and Participation

In the following section, this Note suggests how the DoD can lessen the severity of CMMC implementation and mitigate the consequences for small businesses by providing one-time subsidies to cover initial certification costs, collaborating with all industry participants to create and provide low-cost cybersecurity services, and facilitating communication across the entire supply chain through standardized training and assistance programs. The DoD should also increase communication and access to resources such as training and assistance programs, and provide funding solutions, in order to prevent the exclusion of small businesses from competition.

A. Securing Small Business Certification: The DoD Can Help Small Businesses Prepare for CMMC Implementation and Preserve Their Ability to Compete for Contracts by Providing More Funding and Assistance Programs

In an effort to assist small businesses in preparing for CMMC implementation, the DoD should encourage more communication across the supply chain to achieve a unified standard, collaborate with universities and other organizations to create training programs that provide low-cost cybersecurity services, and offer funding solutions such as cost-exemptions and one-time subsidies to cover certification costs.

According to Ellen Lord, the DoD “[U]nderstand[s] the challenge to small companies.” Lord also stated, “We are not going to put small companies out of business. We need them.” Additionally, the CMMC’s website contends that the CMMC should be “cost-effective and affordable for small businesses to implement at the lower CMMC levels.” These encouraging statements simply do not prepare small businesses for the reality that they are going to be hit hard by the CMMC’s swift and costly implementation. The CMMC inherently excludes small businesses from a cost perspective and renders many of them ineligible to compete as a result. Cost-allowability is not going to be of much help either since many of the “DoD small prime and subcontractors operate on firm fixed price contracts.” Further, most small businesses “ordinarily do not obtain significant cost recovery under reimbursable contracts with the government.” Therefore, while the DoD is clearly aware of the unique needs of small businesses, it must do more than offer kind words if it wants to protect small businesses.

First, the DoD should increase communication and access to resources available to the lower-tier and smaller members of the defense industrial base. The DoD should begin facilitating more detailed discussions with contractors as soon as possible to explain what they can do to prepare for compliance and inform them about costs and procedures so that they may plan to comply with the CMMC. The DoD should also consider making resources available to help contractors achieve and maintain compliance, such as assistance programs, one-time subsidies or cost exemptions. For example, pairing individual compliance requirements with communications about risk and reward strengthens the case for implementation, facilitates open communication between all levels of the supply chain, and better prepares the contractors.

Prime contractors can also contribute by taking on a mentor role to support smaller businesses throughout the certification process. The DoD envisions that both prime contractors and industry associations will act as a “help desk” for the smaller businesses to enable them to achieve compliance. Some industry officials have suggested that the “[p]rimes should routinely and broadly share best practices, cost-saving efforts, and methods of cyber regulation compliance with not only their supply chain, but with their competitors.” All members within the DIB, both large and small, must work together to increase their level of preparedness to deter, defend and recover from cyber-attacks.

Next, the DoD should increase efforts to help small businesses prepare for CMMC implementation by collaborating with universities and other organizations to create training programs that provide low-cost cybersecurity services to small businesses. This collaboration would result in a standardized training program for the most common certification requirements, which are expected to be Levels 1–3. These partnerships could also assist in streamlining the certification process by ensuring that all contractors are receiving the same cybersecurity standards and services.

In addition, the DoD should also offer one-time subsidies to small businesses to help cover the costs of certification up to Level 3, including initial consultations with third-party vendors. Providing the financial resources initially will reduce the cost barriers small businesses will face to obtain certification. Because certifications will then be valid for three years, contractors will have time to prepare and adjust for future certification requirements. “The [NDIA] has [also] issued a report that emphasizes the important role that insurance companies can play in helping smaller businesses get certified” and avoiding “potential supply shortages.” The NDIA announced in the report that “[d]etailed guidance is provided to help small and mid-sized businesses identify value for them in coverage.”

B. Achieving CMMC Maturity: A More Gradual Implementation Will Reduce the Competition and Supply Chain Challenges and Protect Small Businesses

Although it is true that most contractors should already be enforcing some sort of cybersecurity regime, the truth of the matter is they are not. More specifically, of the 300,000 companies that make up the Pentagon’s supply chain, “about 290,000 of those have no cybersecurity requirements whatsoever.” Given that most contractors are not prepared, rushing the CMMC implementation could ironically result in cyber infrastructure that is more vulnerable, since contractor personnel will not be adequately trained or informed on how to comply with the CMMC requirements. Rushing implementation will defeat the goals of a unified standard and a streamlined certification process, so the DoD should slow it down and move to a more gradual implementation through a formal rule that ensures effective understanding and enforcement.

According to Arrington, the full CMMC framework will not debut until 2025. Still, the DoD “plans to tighten its policies as digital warfare becomes more prevalent.” Likewise, the DoD has also expressed a desire to continuously revise the model to rapidly address new and evolving threats. This means that any contractors that are still trying to catch up with compliance and associated costs based on the recent interim rule will already be disadvantaged and “have a difficult time staying ahead of the curve,” especially “as the model continues to evolve.” This strategy seems inefficient, and achieving a unified standard seems unlikely if the model continues to change before contractors even have time to plan and adjust to the evolving CMMC requirements.

Moreover, the DoD should fix the inconsistencies in the definitions of CUI and other conflicting guidance across the DoD contracts before fully implementing the CMMC because one of the main goals of the CMMC is to establish a unified standard. There are various discrepancies and conflicts between the current regulations that the CMMC has not yet clarified. The NDIA and the AIA have explained that “[t]he ability for government and contractors throughout the supply chain to identify CUI is ‘foundational’ to determining cybersecurity requirements.” While a more exhaustive and uniform definition of CUI is still in development, regulations laying out the requirements for protecting it have been included in contracts since late 2018.

Although the CMMC is intended to streamline and unify cybersecurity requirements in order to create one cohesive standard, “Levels 4 and 5 continue the practice of including multiple controls for certain practices.” Instead of simplifying guidance, this merely “increas[es] the possibility of conflicting guidance.” Moreover, standards that are pulled from NIST SP 800-171 in some cases appear to have been incorporated into the CMMC on a modified or a partial basis. For this reason, even those contractors that have implemented sophisticated cybersecurity controls in line with the standards set forth in NIST publications should closely review these requirements and how they have been defined in the CMMC to ensure that they will be in compliance.

In order to streamline the certification process and achieve a unified standard, the DoD should adopt a more gradual implementation schedule. This will permit industry officials to clearly define and explain what is expected and required of defense contractors. Additionally, this implementation approach will benefit small businesses because it will give them more time to secure the resources required to obtain certification. A more gradual approach to CMMC implementation will also help facilitate increased communication among all industry participants. In turn, this will lead to a more cohesive understanding of the CMMC framework and will allow the DoD to effectively secure the entire supply chain with a truly unified standard.

V. Conclusion

Given the threat of cyber-attacks, it is beyond dispute that cybersecurity should be the fourth evaluation criterion for all new defense contracts. A stricter and more robust cybersecurity regime is long overdue, and it is critical that contractors within the defense industrial base do more to protect CUI. Likewise, the DoD can no longer trade cybersecurity in exchange for other considerations like cost and time. However, the DoD’s commitment to the current plan of CMMC implementation has the potential to significantly reduce many contractors’ ability to participate in defense contracts, namely that of small businesses.

The current implementation of the CMMC is on track to exclude many, if not most, small businesses from defense contract competition. In order to avoid this problem and to preserve competition, the DoD must offer funding solutions and assistance programs to small businesses. In addition, the DoD should adopt a slower, more formal implementation to ensure uniformity across all defense contracts, which is a crucial part to securing each link in the supply chain.

The policy tension the DoD is facing between strengthening our cybersecurity standards and preserving small businesses’ ability to compete can be alleviated through funding solutions and slower implementation. Above all, the DoD must begin working with all contractors, small and large, to prepare the entire supply chain for full implementation of the CMMC.