If you were in Lockheed Martin’s offices in 2009 you may remember seeing a number of unfamiliar, well-dressed people milling about. In hushed tones people would ask what was going on. Only later would we find out the well-dressed people were federal agents. They were there because it was discovered that the Chinese had infiltrated Lockheed Martin’s unclassified networks and had stolen sensitive (but not classified) design data for its new F-35 fighter aircraft. In 2014, the Chinese officially unveiled its J-31 aircraft. The unveiling was shocking in that the airplane looked almost identical to the US F-35.
The US Department of Defense (DoD) could no longer avoid a serious issue. While all Federal Information Systems have to go through a formal process to validate they are secure, systems hosted by defense contractors had no similar arrangement – until now. The Cybersecurity Maturity Model Certification (CMMC) is now a requirement for all 350,000 or so DoD contractors and their subcontractors. CMMC defines a uniform set of security controls and a formal security audit process for all companies that do business with the DoD.
While CMMC has the laudable goal to improve the security of the Defense Industrial Base, it unfortunately creates an economic disparity. To understand the economic issues, we need to review some economic history.
George Stigler was born in 1911 in Seattle, Washington. He earned an MBA from Northwestern University in 1932. While doing his graduate studies there, he developed a deep interest in economics and received a PhD in Economics from the University of Chicago. He later developed his Economic Theory of Regulation, “which says that interest groups and other political participants will use the regulatory and coercive powers of government to shape laws and regulations in a way that is beneficial to them.” It was this body of work that earned him the Nobel Prize in Economics “for his seminal studies of industrial structures, functioning of markets and causes and effects of public regulation.”
In 1968 he developed his definition of “barriers to entry“, which he stated as “A cost of producing that must be borne by a firm which seeks to enter an industry but is not borne by firms already in the industry.” Simply put, a barrier to entry makes is more difficult for companies to enter an industry due to regulatory burdens, costs to enter, or other hurdles.
CMMC creates a significant barrier to entry for companies that are looking to work with the DoD. These barriers are from both regulatory and cost considerations:
Barrier 1: Companies need to be CMMC compliant upon contract award.
The Department took into consideration the timing of the requirement to achieve a CMMC level certification in the development of this rule, weighing the benefits and risks associated with requiring CMMC level certification: (1) At time of proposal or offer submission; (2) at time of award; Start Printed Page 61507or (3) after contract award. The Department ultimately adopted alternative 2 to require certification at the time of award.https://www.federalregister.gov/d/2020-21123/p-25
Some will say, “Yes, but the expenses of implementing CMMC are allowable costs” – that is, they can be billed back to the DoD. This is true, but for new companies that want to break into DoD contracting, they can’t recoup these costs unless and until they win a contract. Therefore, they bear all the risk of becoming compliant. Further, attempting to recoup these costs may make them non-competitive with incumbents from a pricing standpoint.
Barrier 2: There is a significant cost for new entrants to achieve CMMC compliance.
So what are the costs of the new rule? Let’s look at DoD’s own estimates. CMMC Level 1 is the most basic certification standard, meant for companies that do not process Controlled Unclassified Information (CUI). The only sensitive information they process is the information in their DoD contract – that is, Federal Contract Information (FCI). For a CMMC Level 1 entity, DoD says:
Contractors pursuing a Level 1 Certification should have already implemented the 15 existing basic safeguarding requirements under FAR clause 52.204-21. Therefore, there are no estimated nonrecurring or recurring engineering costs associated with CMMC Level 1. DoD estimates that the cost for a small entity to support a CMMC Level 1 Assessment or recertification is $2,999.56.https://www.federalregister.gov/d/2020-21123/p-94
To translate, it is expected that small businesses have already implemented all these required controls. Therefore, they will need to spend $3,000 for what is purely a paperwork exercise.
CMMC Level 3 certification is applicable for companies that process CUI. Without getting into too many details, CUI is a catch-all for dozens of information types. What does DoD say about CMMC Level 3 costs?
Contractors pursuing a Level 3 Certification should have already implemented the 110 existing NIST SP 800-171 security requirements. Therefore, the estimated engineering costs per small entity is associated with implementation 23 new requirements (20 CMMC practices and 3 CMMC processes). The estimated nonrecurring engineering cost per entity per assessment/recertification is $26,214. The estimated recurring engineering cost per entity per year is $41,666.
DoD estimates that the cost for a small entity to support a CMMC Level 3 assessment or recertification is $51,095.60.https://www.federalregister.gov/d/2020-21123/p-101
Again, the DoD is assuming that small businesses already have implemented a large percentage of these required controls, so the $51,000 certification cost is again mostly a paperwork exercise. Unfortunately, the $26,214 estimate for certification is significantly lower than what is being seen in practice, since it does not account for all the policy and program requirements. I have spoken to several colleagues who are performing assessment readiness activities. They estimate costs actually start at a minimum of $50,000.
The good news for incumbent defense contractors and subcontractors is that DoD has confirmed that the costs associated with implementing CMMC requirements, supporting the CMMC assessment, and contracting with the accrediting organization will be considered an allowed cost (i.e., it can be charged back to the government). Unfortunately, new entrants bidding on defense contracts have no guarantee they will be awarded a contract, but will need to be CMMC compliant upon contract award. This means they need to incur the cost to attain an acceptable security posture and then get certified prior to contract award. And of their costs won’t be reimbursed if they don’t win the contract.
CMMC creates a big barrier to entry for companies that want to enter the defense industry, particularly small companies, and gives an enormous advantage to incumbent companies that bear no compliance cost risk. Smaller, more creative companies in hot areas such as AI and analytics will simply choose not to bid on DoD contracts. This will have the effect of reducing competition and stifling innovation in the defense industrial base.
Industry and Defense agencies need to work together to find solutions that enable small businesses to cost-effectively achieve CMMC compliance so the DoD gets the advanced technology it needs.