“The Cybersecurity Maturity Model Certification (CMMC) 2.0 aims to improve cybersecurity across the defense industrial base (DIB), but many small to mid-sized businesses (SMBs) struggle to meet the standards, putting them at risk of losing crucial contracts.” In this Cybersecurity Desk column, Joe Coleman, cybersecurity officer at Bluestreak Compliance, a division of Bluestreak | Bright AM™, raises the alarm if small to mid-sized heat treaters neglect compliance standards and guides companies through the minefield of cyber threats facing all SMBs.
Read more Cybersecurity Desk columns in previous issues of Heat Treat Today here.
Despite an increasing cyber threat landscape, many small to mid-sized businesses (SMBs) in the Department of Defense (DoD) supply chain remain unprepared for compliance with NIST SP 800-171 R2 and CMMC 2.0. The Cybersecurity Maturity Model Certification (CMMC) 2.0 aims to improve cybersecurity across the defense industrial base (DIB), but many SMBs struggle to meet the standards, putting them at risk of losing crucial contracts. Surveys suggest that nearly 70% of SMBs are unready for the new requirements, and the real figure could be even higher due to some businesses inaccurately reporting compliance by inflating their assessment scores.
Understanding CMMC 2.0
CMMC 2.0 simplifies the original five-tier framework into three levels:
- Level 1: Basic cyber hygiene for contractors handling Federal Contract Information (FCI).
- Level 2: Advanced practices for those working with Controlled Unclassified Information (CUI).
- Level 3: Stringent requirements for contractors involved in national security projects.
Compliance is mandatory for any contractor bidding on DoD contracts, including those working indirectly for federal contractors and subcontractors. SMBs should anticipate clients inquiring about their compliance, as these standards will soon impact their business relationships. Achieving compliance is a lengthy process, typically taking 12 to 18 months.
Low Readiness and Risks
The lack of readiness among SMBs threatens both business continuity and national security. Many smaller contractors lack the resources and expertise to meet CMMC 2.0’s standards. Given the defense sector’s reliance on a wide variety of contractors, this gap could create widespread repercussions.
Financial Implications of Non-Compliance
Compliance with CMMC 2.0 can be financially burdensome. Implementing measures such as multi-factor authentication, encryption and continuous monitoring can be costly, especially for businesses with limited resources. The lack of in-house cybersecurity expertise compounds this issue, requiring companies to hire or train specialized personnel, further increasing costs.
Failing to comply with CMMC 2.0 could result in losing valuable DoD contracts, which can be a significant portion of SMB revenue. Such losses could lead to layoffs, revenue declines or even business closures.
Challenges to Compliance
Several challenges contribute to the widespread unpreparedness among SMBs:
- Unclear timelines: Uncertainty surrounding DoD’s compliance timelines complicates planning and prioritization for SMBs.
- Complexity of requirements: While CMMC 2.0 simplifies the original framework, its specific requirements remain difficult to interpret for many SMBs, particularly in identifying necessary security measures.
- Resource limitations: The cost of achieving and maintaining compliance strains smaller businesses, which often lack the budgets for the required technology and expertise.
- Lack of cybersecurity expertise: A shortage of qualified personnel poses a significant obstacle, as demand for cybersecurity professionals is high across industries.
Government Support Initiatives
To help SMBs, the DoD has introduced various programs, including training, grants and educational resources. A phased implementation timeline also provides additional preparation time. However, industry experts suggest that further support, such as tax credits or subsidies, could help SMBs offset the costs of compliance. Clearer guidance from the DoD would also be beneficial in helping businesses navigate the certification process.
Path Forward for SMBs
To secure future contracts, SMBs must prioritize cybersecurity. This involves conducting internal risk assessments, identifying vulnerabilities, and creating compliance plans. Partnering with cybersecurity experts or managed service providers can help SMBs develop cost-effective strategies. Additionally, leveraging government resources and adopting critical security measures early will better position SMBs for CMMC 2.0 certification.
Conclusion
The widespread lack of preparedness for CMMC 2.0 poses significant risks to both SMBs and the defense supply chain. As deadlines approach, proactive measures from both businesses and the government are necessary to close the readiness gap and ensure the continued participation of SMBs in the defense sector.
About the Author
Joe Coleman is the cybersecurity officer at Bluestreak Compliance, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity and a career as a machinist, machining manager, and early additive manufacturing (AM) pioneer. Joe presented at the Furnaces North America (FNA 2024) convention on DFARS, NIST 800-171, and CMMC 2.0.
For more information: Contact Joe at joe.coleman@go-throughput.com.