What Small Business Contractors Need to Know About CMMC


More than 300,000 businesses in the military-industrial base need to implement the Pentagon’s latest cybersecurity policy. The Cybersecurity Maturity Model Certification (CMMC 2.0) does not discriminate between small, mid-sized, and large corporations. The U.S. Department of Defense (DoD) announced it would publish an interim CMMC 2.0 rule in March, with small business contractors seeing it in their agreements soon after. Small business owners may view the federal government’s mandate as overkill. But Robert Metzger, who reportedly inspired CMMC with the startling “Deliver Uncompromised” report, recently explained why small business contractors need to adopt the measure and understand the CMMC Requirements. 

“We know that adversaries will seek the so-called low-hanging fruit and mount attacks against less well-defended companies. The problem is that for smaller businesses, (NIST Special Publication 800-171) can be daunting, intimidating, frustrating, confusing and expensive,” Metzger reportedly said at the Washington Technology CMMC Summit. “But we cannot decide that security is unimportant for small businesses. We cannot give them a waiver. But we must facilitate a means by which small businesses can accomplish security economically.”

With the mandate fast approaching, small businesses would be well-served to take proactive steps in preparation for CMMC 2.0, such as scheduling a cybersecurity gap assessment. A managed IT firm with CMMC 2.0 expertise can provide scalable support. These are things small business contractors need to know about the mandate and why they would be wise to act with a sense of urgency.

How Do CMMC 2.0 Levels Apply to Small Businesses?

There are reportedly more than 300,000 organizations that benefit from lucrative DoD contracts. The bulk of these companies provides materials and services in support of direct military defense contractors that design and build equipment and technologies.

The enemies of democracy finance some of the world’s most notorious hackers to breach systems at every level. Even the most determined advanced persistent threats understand that few cybersecurity gaps persist among corporations that handle top-secret information. That’s why they target small and mid-sized outfits, the “low-hanging fruit,” as Metzger put it, in hopes of uncovering scraps of information that expose the greater national security picture. These are the types of digital information they are trying to steal.

  • FCI: Federal Contract Information is not intended for public disclosure. Although not necessarily a danger itself, FCI can be used as a piece of the national security puzzle. It may provide clues for rogue nations to discover significant policies and initiatives.
  • CUI: Controlled Unclassified Information is created by the government. It may have been linked to the DoD, making it essential to protect. Stolen CUI can be used to learn military activities and potentially place the men and women who serve in harm’s way.

Of the three CMMC 2.0 levels, small businesses must comply based on the type of FCI or CUI the operation stores and transmits. A small technology company with five employees may need to meet the expert cyber hygiene requirements of Level 3. By that same token, a small business of 100 employees could fall under the basic cyber hygiene of Level 1. Business professionals who are unsure about the requirements are advised to contact an accredited CMMC Third Party Assessment Organization (C3PAO) to conduct an audit.

What are CMMC 2.0 Benefits for Small Businesses?

Even when a government mandate is well-intentioned, there’s a tendency to view it as just another expense or, well, a hassle. This holds particularly true of small business leaders who consider their seemingly peripheral contributions inconsequential.

We know that advanced persistent threats do target companies on the outskirts of the military supply chain to infiltrate federal agencies. The SolarWinds software breach of 2020 proved skilled hackers could penetrate thousands of organizations in this fashion, including the U.S. Treasury Department. But to hit a little closer to home, small businesses may want to consider CMMC 2.0 as a way to harden their posture for the following reasons.

  • Forty-six percent of all breaches affect businesses with fewer than 1,000 employees.
  • More than 60 percent of small and mid-sized businesses were targeted in 2021.
  • Upwards of 82 percent of ransomware attacks were leveled against small and mid-sized companies in 2021.
  • More than one-third of ransomware victims employed fewer than 100 people.
  • Small business employees experience social engineering attacks 350 percent more than big corporations.

Verizon’s 2021 Data Breach Investigations Report indicated that even garden variety hackers are targeting small businesses at an increased rate of 61 percent. Symantec’s 2016 Internet Security Threat Report indicated that the number was only 34 percent in 2014 and 18 percent in 2011. It’s easy to see which way the cyberattack trend is heading.

Should your operation get plucked like the “low-hanging fruit,” small business losses typically range from $120,000 to $1.24 million. Needless to say, an organization compromised by hackers will likely lose profitable DoD contract work. And the reputational damage drives companies into bankruptcy.

“The smart move is to protect yourself. Now. Not because you have to comply but because you want your enterprise to stay in business,” Metzger reportedly said. “Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors.”

The good news is that CMMC 2.0 delivers the hardened defense small businesses need to deter low-level hackers and advanced persistent threats alike.

How to Get Started with CMMC 2.0

The first step toward robust cybersecurity calls for a gap assessment. An accredited C3PAO reviews best practices and internal cybersecurity policies and thoroughly vets the small business network for vulnerabilities. Once the data has been analyzed, company leaders receive a report highlighting weaknesses and offering solutions. Not only will you possess a roadmap to CMMC 2.0 compliance, but you can stop being an easy target.

Sedulous Consulting Services is an Approved C3PAO Candidate firm. We perform gap assessments and can help you harden your cybersecurity posture. Contact Sedulous Consulting Services today.