Department of Defense to address small business concerns as part of CMMC program review

A DOD spokesperson says the agency will also launch a public media campaign to improve program communications.

The Department of Defense (DOD) has said it will address concerns that the Cybersecurity Maturity Model Certification (CMMC) will impose additional costs on small businesses, as part of an ongoing internal review.

A spokesperson on Monday told FedScoop that the agency will “look for avenues” to reduce the cost of the accreditation scheme for small enterprises, while retaining the program’s focus on reducing supply chain risk.

“The CMMC Program Office greatly appreciates the perspectives presented at the hearing and has taken this information seriously.

“CMMC does recognize and understand the concerns of small businesses and fully anticipates the majority of these companies to only require CMMC Level 1, which are the requirements that have been laid out under FAR 52.204-21, released in 2016.”

“During our internal review the program will look for avenues in which to reduce the costs to small businesses while keeping the integrity of the cybersecurity requirements,” the DOD spokesperson said.

Critics of CMMC say it represents an unfair burden for smaller enterprises because they have less money available to spend on compliance costs than larger federal contractors.

The response comes after a House Committee on Small Business subcommittee last Thursday heard from companies that said they are struggling to understand the new compliance regime and worry the costs will run them out of the federal market.

CMMC requires third-party verification of contractors’ compliance with a set of cybersecurity standards organized into five tiers. Level one is the lowest tier of controls, requiring basic cybersecurity hygiene, and level five mandates expensive systems to protect against nation-state-backed attacks.

The Department of Defense is also working to provide more official information about its new contractor cybersecurity compliance program, in response to additional complaints from small businesses about a lack of information and clear communication about the scheme.

In comments to FedScoop, the DOD spokesperson said one component of the review would be to develop a public media campaign to disseminate information about the program.

An internal review of the CMMC accreditation program was ordered by the deputy secretary of defense in March. DOD previously said the review is a policy review typical after changes of administration, and that it will focus on finding ways to improve DOD policies for small business.

The Government Accountability Office is also reviewing the program with an eye toward DOD’s communication with industry and small business impact. That review is expected to last until the fall.
