Cybersecurity has become an issue of growing political importance over the past several decades. The internet and home computers were once novel; they have since been overtaken and made commonplace by technology like smartphones, cryptocurrency, and AI. In this new digitally-minded age, it has become all the more pertinent that digital information be protected, and thanks to a new certification program, these concerns may soon be assuaged.

Congress and small business advocates are working on a series of fixes for a new Department of Defense cybersecurity certification program they fear will otherwise significantly discourage smaller, nontraditional defense suppliers from bidding on Air Force and other defense contracts. On Capitol Hill, there is currently a draft bill that would create a tax credit to cover part of the cost of compliance for the smallest companies. Some advocates are also suggesting that Small Business Administration loans might be available to help businesses cover the upfront costs. 

The History of the CMMC

The long-delayed Cybersecurity Maturity Model Certification program, or CMMC, was finalized this year. According to Rachel Grey, the director of research and regulatory policy for the National Small Business Association, the requirements will start appearing in defense contracts by the end of next year. Simply put, it is designed to ensure that defense contractors handling unclassified but still sensitive data, known as Controlled Unclassified Information, comply with cybersecurity guidelines from the National Institute of Standards and Technology (NIST). However, advocates are concerned that the comparatively high costs of compliance may discourage smaller, more innovative companies from competing for defense contracts.

“The costs of compliance risk shutting small businesses out of the defense industrial base,” said Grey, noting that investment in CMMC compliance must be made upfront before any contract award. 

The Small Business Cybersecurity Act of 2024, proposed by Representative Scott Fitzgerald (R-Wis.), would allow companies with fewer than 50 employees to deduct 30 percent of their compliance costs, up to a maximum of $50,000, from their annual tax bill.  

Attorney Robert Metzger said Fitzgerald’s office developed the bill after discussions with the Senate Small Business Committee staff and the DOD Chief Information Officer. Metzger has acted as a volunteer liaison on the legislation between Capitol Hill and the Pentagon for almost two years. 

The Plethora of Defense Contracts on the Line

According to DOD figures, over 56,000 small defense contracting businesses will eventually be required to get a third-party assessment of their compliance with the NIST cybersecurity standards, Metzger said. If all of them could claim the maximum allowable credit, the tax revenue lost would amount to $2.83 billion. However, if the credits were only available to the smallest companies, those with fewer than 50 employees, the cost would be reduced to $1.04 billion. 

“The objective here was to start with something that would be significantly helpful to the companies most in need while being … fiscally prudent, administratively responsible and focused solely on new costs” coming directly from CMMC compliance, he said. “You don’t want it to be open to waste, fraud, abuse, or gaming.”

Rewarding the Right People

“I think it’s important to have a limited tax credit measure to help those who need it most and to focus that help upon the new costs that CMMC requires. And I think if it’s done prudently, it should have a fair chance of success. Beyond that, I take a cautious approach to expanding the size of the credit, who may claim the credit, or for what,” he said. 

Metzger added that implementing such a large and ambitious program within the DOD would take continuing leadership attention and called for forming a steering group.

“These things don’t just execute themselves,” he said. “You need leadership. You need management, oversight, administration, process, training, policies, guidance, instructions, and we’re just at the start of all that.”  

Given all the different players, Metzger argued, “It seems to me necessary that, under the leadership of the Deputy Secretary of Defense or even the Secretary, you need a CMMC executive steering group to essentially oversee this and make sure that we don’t just thrust it upon a big industrial base and hope for the best, because hope is not really a great substitute for planning.”