(Adds Defense Department comment in seventh paragraph.)
The defense industry is eagerly awaiting the results of the Biden administration’s internal review of a Trump-era cybersecurity standard, and some small defense companies and industry groups say the new cyber requirements could cost the industry billions of dollars more than the Pentagon’s initial estimates.
The cost of compliance could drive one in four suppliers to stop doing business with the Defense Department, according to one study—potentially a major blow to small defense companies and the Pentagon’s ability to do business with small innovators.
The Cybersecurity Maturity Model Certification, or CMMC, would require every company in the Pentagon supply chain to pass regular security audits or risk losing their eligibility for government contracts. The requirement could affect hundreds of thousands of companies.
The cost of compliance “remains the largest and most prevalent concern across our membership,” Corbin Evans, director of strategic programs at the National Defense Industrial Association, told Bloomberg Government in an interview. The government has pledged to pay back some, but not all, of the costs associated with the audits.
NDIA, a trade group representing defense companies, is one of about 850 companies and organizations that filed an official statement with the Pentagon on the CMMC in late 2020.
The CMMC has been on hold since March, when Deputy Defense Secretary Kathleen Hicks initiated an “internal assessment” of the program. The assessment was initially scheduled to last 30 days, but the defense industry’s wait for guidance has now stretched into August. And with the department still in search of a Senate-confirmed official to run its vast acquisitions complex, the wait will likely continue until late in the year.
“We anticipate the review to be completed in late 2021, at which point the Department will communicate any anticipated changes to the CMMC program to industry and other stakeholders,” Pentagon spokeswoman Jessica Maxwell told Bloomberg Government in an email.
“During our internal review, DOD will look for ways to reduce the costs to small businesses while keeping the integrity of the cybersecurity requirements,” Maxwell told Bloomberg Government in an email.
A Herculean Undertaking
The Pentagon’s proposed cybersecurity requirement is aimed at countering industrial espionage by foreign intelligence services, which Pentagon officials argue erodes the U.S. military’s technological advantage over potential rivals.
“The theft of intellectual property and sensitive information from all U.S. industrial sectors due to malicious cyber activity threatens both economic and national security,” Maxwell said.
The move also comes amid a growing sense that the military’s current approach to securing its supply chain isn’t getting the job done. Defense contractors and their suppliers are nominally required to adhere to a set of minimum cybersecurity requirements. But compliance is expensive, especially for small businesses. It’s also largely on the honor system: suppliers are only required to self-attest that they’re following the rules. Meanwhile the Pentagon lacks the resources to perform nearly enough spot checks to verify that companies stay compliant.
Facing a crowded marketplace and with business priorities competing for scarce internal resources, many defense suppliers face pressures to spend the bare minimum on cybersecurity, leaving them more susceptible to attack.
The Trump administration introduced the CMMC in 2019 under the leadership of Katie Arrington, a senior Pentagon acquisition official. Under the CMMC, every company in the DOD supply chain will need to undergo cybersecurity audits, performed by a certified third party, every three years. Any company that handles sensitive information—estimated at about 30% of suppliers—will need to complete a far more rigorous and expensive audit. Failing to pass could cost companies their eligibility for government contracts.
In September 2020, the Pentagon outlined an ambitious plan to implement the certification by Oct. 1, 2025. On that day, according to the DOD’s interim rule on supply chain security, every new contract solicitation will require CMMC certification.
But with roughly 220,000 companies in the defense supply chain—roughly three-quarters of them small businesses—the goal of auditing every single supplier by then amounts to a Herculean undertaking.
The DOD will need roughly 8,000 third-party auditors working around the clock to certify enough companies to meet the 2025 deadline, according to Scott Singer, a cybersecurity practitioner who testified before the House Small Business Committee in June. To date, only three have received accreditation from the Pentagon and the CMMC’s independent regulatory body.
‘Much, Much Higher’ Costs
Officials have sought to reassure small suppliers that the majority will need to complete only a basic, Level 1 CMMC assessment, which the department estimates at about $3,000 per company. But that cost balloons to around $118,000 for a Level 3 assessment for any supplier that handles sensitive data, according to the DOD’s estimate.
All told, the Pentagon’s estimates put the total cost of CMMC implementation at roughly $6.5 billion annually, or about $93 billion over the life of the program. The program could cost small businesses alone $23.3 billion over its first 10 years.
The department’s forecasts are unrealistically low, according to Evans.
“We’re seeing costs that do not align with that estimate,” he told Bloomberg Government. “We’re seeing costs much, much higher.”
NDIA members report spending between two and five times more to implement the Pentagon’s interim cybersecurity rule than they anticipated based on DOD guidance, he said.
The DOD announced in June 2019 it would reimburse companies for certain CMMC compliance costs, including consulting and assessment fees, through any contracts requiring the certification. But what the DOD won’t cover are the costs associated with getting up to speed with its minimum security standards—investments companies should have already made, according to the department’s contracting rules.
There is a gap between what suppliers will need to spend to get compliant and what the Pentagon will actually reimburse them for under the interim rule, said Kate Growley, a partner specializing in cybersecurity and compliance with law firm Crowell & Moring, in an interview. This is creating a “disconnect” between government and industry about the expected costs of the program.
On the one hand, established defense contractors with the resources to invest in cybersecurity can seek repayment for upgrades they’ve already made. On the other, the suppliers most in need of assistance—many of them small and mid-sized businesses—can’t be reimbursed for cybersecurity investments they haven’t already made.
“It’s something we’re obviously hoping is addressed in the final rule,” she said.
The Pentagon’s cost estimates also rest on the assumption that only about 30% of suppliers handle what’s known as controlled unclassified information, or CUI. CUI encompasses a potentially broad spectrum of information, from strategy documents, to emails, to financial data—all of which could be targets for cyber spies.
“There remains significant confusion, especially among small businesses, around what information actually qualifies as CUI,” Growley said. It’s a key question, she said, because whether or not a company handles CUI determines the type of assessment needed and the cost of that assessment.
If the true share of companies handling CUI is higher than the 30% estimate, as a June 2021 report suggests is the case, the corresponding demand for more expensive Level 3 assessments will drive up the overall cost of the CMMC program. The report, commissioned by IPC, a trade association representing electronics manufacturers, suggests that even if the DOD’s estimates are accurate, the cost of compliance could force one in four companies to exit the DOD market.
Although the Pentagon has offered to reimburse defense suppliers for CMMC compliance costs, it can’t refund small businesses for their most valuable resource: their time, according to Patrick Carberry, a manager with Amivero, a small technology services company.
“If it’s $118,000 in consulting costs, it’s five or ten times that just in the opportunity cost of needing to have people in the organization spend time on it,” Carberry said in an interview. He didn’t know exactly how much CMMC certification would cost Amivero, but expected it would be in the “tens of the thousands of dollars.”
Amivero is a woman-owned small business based in Reston, Va., with 29 employees. Even though defense contracts make up only a small share of its federal business, Amivero will still need to complete a CMMC audit.
“Obviously making a large investment like that is possible, but it will come at the cost of doing something else,” he said. “This just adds another layer of complexity and consideration to the investments we’re making in the organization.”
To contact the reporter on this story: Chris Cornillie in Washington at email@example.com