Small businesses are lobbying Congress for a more lenient process to meet the Defense Department's unified cybersecurity standard for contractors, called the Cybersecurity Maturity Model Certification (CMMC) program.
Jonathan Williams, a partner at the Washington, D.C.-based law firm PilieroMazza, told lawmakers that many of small businesses' concerns could be assuaged if DOD and prime contractors shoulder the burden.
The key to keeping costs and concern down is for DOD to stay true to its word that most defense industrial base companies need only meet CMMC Level 1, Williams told lawmakers during a House Small Business Committee hearing on CMMC's implementation on June 24.
"That's not guaranteed but if we can keep as many small businesses as possible at Level 1 that will strike the right balance between ensuring that these small businesses have at least the basic cybersecurity protections in place but allow them to avoid...the significant additional cost when you go from a Level 1 to a Level 3," Williams testified.
"Many small businesses will be unable to compete if more than a Level 1 is required."
DOD officials have described Level 1 as covering basic cyber hygiene practices, such as using multi-factor authentication. Organizations that achieve Level 1 would be permitted to handle, store or transmit federal contract information, which isn't for public release, according to DOD's assessment guide.
Those at Level 3 can handle controlled unclassified, or sensitive, information if the contract calls for it and are described as being able to provide "increased assurance to the DOD" and protect sensitive information that may flow "with its subcontractors in a multi-tier supply chain."
The hearing comes as DOD undergoes an internal review on its compliance with the CMMC standards alongside a review on the program itself and . It's been proposed that CMMC eventually expand to federal civilian agencies and departments or even other technology areas if successful with DOD. But questions remain on how much security compliance brings and at what cost.
Williams recommended putting more responsibility on the government and prime contractors, such as making sure DOD contract clauses bar prime contractors from imposing CMMC requirements on subcontractors that are more stringent than the subcontract's scope of work calls for.
CMMC could also add flexible approaches to prevent subcontractors from having to put controlled unclassified information on their networks, he said, as doing so increases the security needs.
But there was also a call for leniency for small businesses and for the organizations that would be assessing their cyber fitness on DOD's behalf.
Williams suggested that CMMC certifying organizations, called C3PAOs, be required to "fast-track" applications from small businesses that are in line for a contract award.
But for Scott Singer, the president of CyberNINES, a consulting company based in Madison, Wisc., requirements should be looser for companies and organizations that want to be among the first certified assessors. (Only two companies have been authorized so far.)
"To get more C3PAOs through the process, I recommend there be a relaxation for the initial C3PAOs -- assess candidate C3PAOs to Maturity Level 1 or 2 now and require Level 3 in the future," said Singer, whose company is one of more than 160 companies that have applied to become a C3PAO and is going through the approval process.