On Feb. 26, ABC joined the U.S. Chamber of Commerce and eight other groups in submitting comments to the U.S. Department of Defense on its Cybersecurity Maturity Model Certification (CMMC) Program proposed rule, which would require federal contractors and subcontractors competing for DOD contracts to demonstrate continued compliance with a range of cybersecurity measures in order to maintain eligibility for performing and winning new federal awards.

The organizations called for more clarity (e.g., definitions), expressed concerns about costs and asked questions regarding capacity and other process and organizational issues.

The comments urged flexible implementation of CMMC program requirements. The comment letter pointed out that, “According to the proposed rule, the defense industrial base, or DIB, consists of 221,286 entities. Of these, the DOD expects that 76,598 will be subject to a Level 2 Certification Assessment, of which 56,789 (74%) are small businesses. The complex CMMC Program would apply to all these entities. Our associations believe that it is essential that DOD builds in flexibility in the administration, application, oversight, and enforcement of the proposed rule. Such flexibility would benefit DOD and the thousands of businesses subject to the CMMC Program. The circumstances of every business differ. The CMMC Program contemplates applying one complex rule, with even more complex accompanying documentation to all these businesses.”

The letter further discussed avoiding harm to small defense contractors. The letter states, “Our associations believe that the proposed rule would discourage many small and disadvantaged businesses from bidding on DOD construction projects. We are concerned about the likely adverse economic impact of the CMMC Program on promoting (sub)contracting between small businesses in the construction industry and DOD.”

In addition, it states, “The decline in small business participation in federal contracting directly correlates with increasing federal regulatory burdens. Surveys of ABC’s membership have found that small business contractors often choose to bid on private sector and state or local government contracts that feature more regulatory clarity and less regulatory burdens, which mitigate expenses related to compliance.”

Background on the Proposed Rule

On Dec. 26, 2023, the DOD published a proposed rule that would require federal contractors and subcontractors competing for DOD contracts to demonstrate continued compliance with a range of cybersecurity measures in order to maintain eligibility for performing and winning new federal awards.

The new requirements would apply to all contractors and subcontractors that process, store or transmit information on contractor servers that meet the standards for Federal Contract Information or Controlled Unclassified Information. Requirements vary from a self-assessment of compliance with cybersecurity measures to triennial assessment and certification of compliance by third-party contractors or the DOD, depending on the data involved in a specific contract. More than 200,000 companies in the DIB could be affected by the rule.

On Jan. 30, 2024, ABC urged the DOD to extend the current 60-day comment period deadline of Feb. 26 in order to provide adequate time for ABC to analyze the substantial proposed rule, solicit member feedback and provide meaningful input on the proposal. ABC argued that a 30-day extension from the current deadline would be vital to ensure that the DOD can receive thorough input from all stakeholders affected by this proposed rule.

On Feb. 8, Inside Cybersecurity reported that the DOD “turned down a request from industry groups to extend the comment period” for 60 days. Thereafter, on Feb. 9, ABC joined a coalition letter urging the DOD to reconsider its publicly reported decision to not extend the comment period and to instead extend it either 30 or 45 days—a middle-ground approach. The DOD did not issue a response.