December 19, 2024
Author: Alex Bustillos
The Department of Defense (DOD), headquartered in the Pentagon, is preparing to launch its Cybersecurity Maturity Model Certification (CMMC) program.
The CMMC is made up of a set of rules meant to strengthen the cybersecurity of subcontractors working for the DOD. Starting December 16, 2024, companies handling sensitive defense information have been required to meet strict CMMC requirements to qualify for new contracts.
While the program seeks to improve national security, it has sparked concerns across the defense industry, especially among smaller subcontractors who face significant financial and operational hurdles.
Under the new guidelines, contractors must achieve a designated cybersecurity level, ranging from basic practices at Level 1 to more advanced protections at Level 3, based on the sensitivity of the information they handle. These levels will be specified in contract solicitations, and certification will be required before a contract is awarded. Companies must upload proof of compliance into the Supplier Performance Risk System (SPRS), a DOD database, and maintain their certification through regular assessments.
The CMMC rules aim to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) from cyber threats, but the rollout has raised questions about its impact on businesses.
Small businesses are among the most vocal critics of the CMMC program. Many report struggling with the costs of implementing the required cybersecurity measures. These expenses include upgrading systems, hiring experts, and undergoing assessments, which can strain already limited budgets.
The Small Business Administration (SBA) has voiced its concerns, warning that the financial burden could deter small businesses from pursuing defense contracts. While the DOD has introduced measures to ease these challenges, such as aligning requirements with National Institute of Standards and Technology (NIST) guidelines and allowing flexibility in certain assessments, critics argue these efforts fall short.
The new rules also create complexities for joint ventures. For unpopulated joint ventures, where the individual members handle the work, the DOD clarified that each partner managing CUI or FCI must meet the required CMMC level. This could place additional burdens on smaller joint venture members, particularly those in mentor-protégé arrangements under the SBA.
Contractors face potential legal risks if they fail to comply with the CMMC rules. Under the False Claims Act (FCA), companies could face penalties if they falsely certify compliance. Affirming Officials, who are responsible for attesting to a company’s CMMC level, must ensure accuracy in their declarations. Any discrepancies in certifications or assessments could result in hefty fines or even disqualification from future contracts.
The Department of Justice has made it clear that cybersecurity noncompliance will remain a priority under its Civil Cyber-Fraud Initiative. As a result, contractors must exercise diligence when preparing for CMMC certification to avoid legal pitfalls.
The implementation of CMMC is expected to bring a rise in bid protests. Pre-award protests may arise if contractors believe a solicitation’s required CMMC level is misaligned with the scope of the work. For example, a company could challenge a contract requiring Level 3 certification if it feels the project only warrants Level 1.
Post-award protests could also become common if losing bidders suspect that the winning contractor failed to meet the necessary CMMC requirements. These challenges may disrupt procurement processes and delay contract awards.
The CMMC program is also poised to impact mergers and acquisitions. Changes to a contractor’s IT infrastructure resulting from M&A activity could invalidate prior certifications. Companies involved in such deals must reassess their cybersecurity systems and ensure compliance to avoid disruptions in their defense contracts.
The CMMC rollout signals a shift in how the defense industry approaches cybersecurity, but it comes with growing pains. While the DOD has pledged to minimize financial burdens through phased implementation and outreach programs, many contractors remain wary.
For defense subcontractors, particularly small businesses, getting through the CMMC program will require careful planning, investment, and legal oversight.