NDAA amendment seeks clarity over cost of CMMC for small businesses
Jackson Barnett
A new amendment to the fiscal 2022 National Defense Authorization Act would require the Department of Defense to give Congress an estimate of how much new cybersecurity regulations are expected to cost small businesses.
If enacted, it could further increase scrutiny of the Maturity Model Certification (CMMC), which is already under review by the Department of Defense and the Government Accountability Office. The amendment was offered by chairman of the small business Oversight, Investigations, and Regulations Subcommittee, Rep. Dean Phillips, D-MN.
“The need for cybersecurity is unquestionable. It’s vital that companies in the DIB become more resilient and prepared for cyber attacks,” said Phillips said during a June hearing on CMMC’s impacts to small businesses that work with the DOD. “With that said, the CMMC initiative has the potential of driving many small businesses out of the defense industrial base. Therefore, we must get it right.”
Under current proposals, the new regime would require every contractor that works with DOD to pay for a third-party assessment of their networks against a five-tiered model. Small contractors have argued that they will be unfairly penalized by such rules, because larger enterprises are able to absorb the additional compliance costs more easily.
If included in the final law, the amendment would require a report on the costs, how many businesses would be driven from the market and explanations for how DOD will mitigate “negative effects to small business concerns,” according to the bill text.
Industry leaders have expressed concern about the potential costs of the program. In an interview with FedScoop on Thursday, former DOD acquisition chief Ellen Lord played down the concerns, arguing that said cybersecurity remains a key priority for every sector amid the continued rise in cyberattacks.
Gloss