CMMC rules present difficulty for small suppliers
“We’ve been involved in some processes where we’re trying to get the government to give people a little bit of leeway, and they’ve been unyielding on it,” Avatara CEO says.
It’s here, it’s real, and it’s not necessarily your friend.
That’s how some smaller suppliers are treating the Department of Defense (DOD) Cybersecurity Maturity Model Certification (CMMC) requirements. Enforcement is now tied to the outcome of third-party cybersecurity audits—prior to the new rule change, companies were expected to self-assess compliance—which has boosted the difficulty of meeting security standards.
According to Rob McCormick, CEO of cloud computing company Avatara, there’s little chance that the federal government will bend on the requirements, making compliance a necessity to win and fulfill government defense contracts.
“We’ve been involved in some processes where we’re trying to get the government to give people a little bit of leeway, and they’ve been unyielding on it,” McCormick said. “They’re taking it seriously.”
What about the little guy? That strictness is translating into real challenges for smaller companies. Reuters reported in February that government contractors are leaning on small suppliers to comply with the rules, which presents hurdles for companies that already find it hard to keep up with additional regulation.
Margaret Boatner, VP of national security policy at the Aerospace Industries Association, told Reuters that the CMMC may have a deleterious effect on the supply chain if there’s no give on the side of the federal government.
“Some of these firms, particularly those that also compete in commercial markets, report that the accumulation of complex and costly regulatory requirements is forcing them to reconsider—if not exit—the defense marketplace altogether,” Boatner said.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
It’s hard for suppliers to line up with the regulatory goals, McCormick said, in part because current solutions don’t fit into a standardized, simple approach. Not every small company can meet sophisticated security standards.
“There are just so many degrees of freedom, so much complexity, even for small companies, and not a lot of control,” McCormick said.
Changing demands. Part of the problem, Huntress CISO Chris Henderson said, is the third-party audits.
“When you look at how CMMC is being implemented, requiring the third-party audit of those controls, that made people have some tough conversations internally about, ‘Is this a sustainable business practice for us, or should we go more private market and let the Department of Defense contracts fall to other organizations?’” Henderson said.
For small businesses, adjusting processes to meet CMMC regulations could become an expensive endeavor. Outsourcing or reconfiguring systems are both time- and cost-prohibitive. The profit might not be enough to justify the expense, which could lead to bigger companies taking a bigger share of DOD contracts.
“I think we’ll see a consolidation of the industry where it may squeeze out the smallest of the players, but hopefully they have exits through those consolidations that don’t land them at a bad spot after that,” Henderson said.
About the author
Eoin Higgins
Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.