Small business owners warned members of Congress on Thursday that uncertainty over the costs and timeline of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program could push their enterprises out of the defense industrial base.
In testimony given to a House Committee on Small Business subcommittee, they also raised concerns over the department’s communication strategy for the scheme, saying it has allowed information to trickle out through social media, rather than contacting affected contractors directly.
“There is no consistent method or message from DOD,” said Michael Dunbar, a small business president who testified on behalf of HUBZone Contractors National Council. “A lot of small businesses have been ignored.”
CMMC will require third-party certification that contractors meet a five-tiered range of security controls. Critics say that the cost of meeting those standards could fall unfairly on small businesses because they have fewer resources to deploy on cybersecurity than large defense firms.
Dunbar said during the hearing that much of the communication around the implementation of the scheme had been conducted through LinkedIn and urged the DOD to formalize its communication with industry with official policy documents.
“It’s basically been kept to a very small group of people that are running all of this and then we get told later on what is happening,” he said.
In testimony, the CEO of professional services contractor T47, Tina Wilson, warned that uncertainty over costs and the implementation timeline for the regime had left many small businesses fearful of being shut out of the defense industry.
“The fear could be real,” she told lawmakers. T47 provides policy procedures and analysis services to agencies within the DOD.
Jonathan Williams, a partner at law firm PilieroMazza, warned that the DOD must clarify which of CMMC’s five levels contractors would need to qualify for. He also noted that one potential avenue for reducing the cost of certification to small businesses would be to make prime contractors largely responsible for ensuring that their subcontractors adhere to cybersecurity requirements.
“If we can keep as many small businesses as possible at level one, that will strike the right balance,” Williams told the committee.
The attorney also said that the DOD must explain how it intends to meet its self-imposed 2026 deadline to make CMMC a requirement in all contracts.
In response to the concerns, subcommittee Chair Rep. Dan Meuser, R-Penn., called for the creation of a platform through which the DOD can hear concerns over the implementation of the scheme.
“I think we can conclude that these measures are overly harsh and we do need to create a forum to have this discussion with DOD,” he said.
The hearing on Thursday came after electronics manufacturer trade group IPC earlier this week published a study that found 24% of industry respondents anticipate being pushed out of the defense industry due to the costs and burdens of CMMC.
A separate report published by the Alliance for Digital Innovation on Tuesday also warned about the risks of implementing “expensive but emerging requirements that are not ‘fully baked’” in the federal acquisition space.
“A clear example is the rush to impose the emerging standards of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) requirements into civilian agency procurements,” the study said.