New compliance standards have made safeguarding information from cyber attacks a far more expensive challenge for Alabama’s defense contractors, and many small businesses could be priced out of eligibility for future government projects that bring in about $7 billion annually to Madison County alone.
Small businesses with fewer than 100 workers could pay $100,000 upfront for outside help protecting data and then spend about a third of that amount annually to remain compliant with the Cybersecurity Maturity Model Certification 2.0. Larger firms could be spending hundreds of thousands of dollars for cyber protection annually.
“It’s a paradigm shift. And it’s a big pill to swallow,” said Amy Edwards, sales director for Summit 7, a Huntsville-based cyber security service that has been helping Department of Defense contractors navigate the complicated CMMC that rolled out a few months ago.
Understanding and implementing DoD requirements to protect information is now beyond what a small IT staff can handle, she said, as it will need a team of trained personnel dedicated to CMMC compliance. And it’s clear many small businesses will need financial aid as part of that, she added.
What’s at stake?
Alabama businesses in 2020 were awarded more than 75,000 DoD contracts worth more than $8.2 billion. Madison County, supporting Redstone Arsenal commands, led the way with 8,786 contracts totaling more than $6.6 billion. Since 2000, Alabama has brought in $148 billion in defense work, with Madison County accounting for $103 billion.
The CMMC intends to simplify a previously released set of cyber security directives from the National Institute of Standards and Technology, labeled NIST SP 800-171. Released in 2017, it focused on protecting two sets of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The critical change with CMMC is that previously, DoD contractors could self-assess their systems. Now, if they manage information related to national security, they must get third-party assessments by authorized auditors. Failure to comply will prevent a business from bidding on a future contract or subcontracting through a prime.
Cyber intelligence services warn that the vast majority of DoD contractors, most of which are small businesses, are far from reaching compliance.
In the future, the increased costs of CMMC compliance can be factored in when bidding on defense contracts. But those costs are not applicable to the existing contracts businesses are operating under. Larger businesses may have the ability to absorb losses to pay for compliance now. But smaller ones, particularly those whose DoD work is not the primary revenue stream, are in jeopardy of losing future DoD contracts.
“I definitely have talked to companies, that are really small, that are giving up,” said Chandler Hall, cyber security evangelist for Sentar, a Huntsville-based cyber intelligence company that helps businesses assess security risks and solutions.
Among those struggling the most to justify paying the cost of compliance are contract manufacturers and machine shops, Hall said. Some businesses that initially showed serious interest in Sentar services backed off completely after realizing the costs, he added. Others have scraped together money to apply a “Band-Aid” approach that still leaves questions for the future, Hall said.
The need for tougher cyber security is apparent. An estimated $600 billion in DoD intellectual property is stolen annually through cyber thefts, such as ransomware, malware, social engineering and phishing. The number of incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team rose from 5,503 in 2006 to 67,000 in 2014.
A primary concern of the CMMC is Controlled Unclassified Information (CUI): government-created or government-controlled data that is not classified. While CUI is not marked secret or top secret, the Department of Defense has increased the requirements and controls on how it is handled and stored, and all federal agencies are implementing plans to follow suit. Because CUI traditionally had fewer controls than classified information, it has been an easier target for cyber attackers, resulting in the theft of information on our most advanced weapon systems by foreign adversaries. CMMC compliance is the primary approach to reducing this ongoing risk to national security.
Hall shared one example he encountered of how CUI can be a security risk: An HVAC company in Hawaii sold the Navy basic commercial air conditioning units. That seems fairly routine, but in preparing for the job, the HVAC company also received emails with blueprints of ductwork in Navy buildings, and the Navy wouldn’t want those in the wrong hands.
Shannon Fields, co-owner of NTA, Inc., a Huntsville engineering firm, said he supports improving cyber security and recognizes its urgency, but CMMC is essentially an unfunded mandate, complicated by uncertainty about what the government expects and a lack of clear directions for achieving compliance.
NTA, which has about 175 employees supporting DoD aviation and missile commands, created a new IT position to help manage CMMC’s challenges.
Besides hiring more personnel, Fields said he expects NTA will need to upgrade to more expensive software, such as Microsoft Office 365 GCC High, which he estimates is at least a $50,000 investment. And that’s just one of multiple software applications that come into play, he added. Then there are indirect costs, such as the decreased worker productivity that usually accompanies learning new systems, he added.
“In the short run, we’re going to lose money, a significant amount of money,” Fields said.
Kurt Lessmann, co-owner of Huntsville-based Trideum, agrees with Fields that CMMC is a double-edged challenge in both costs and uncertainty.
“They’re telling us it’s required, but they still haven’t told us exactly what it means,” he said. “But we’ll be tested on it.”
Trideum, which has well over 300 employees supporting the Army in capacities such as test/evaluation, training and rapid prototyping, formed an IT task group to study CMMC and to develop a strategic long-term execution plan. It proposed a budget estimate in the range of “hundreds of thousands of dollars,” and Trideum still has lots of unanswered questions.
The CMMC is intentionally vague, said Summit 7’s Edwards.
“The government does it on purpose,” she said. “They don’t tell you how to build the latest, greatest jet fighter. They tell you this is what we want the jet fighter to do. Well, they’re doing the same thing to defense contractors, saying ‘Hey, we want your IT system to be able to protect data. These are the things it must do, but we’re not going to tell you how to do it.’”
So while the government cannot require contractors to use the most secure level of Microsoft 365, it can require platforms to meet a certain standard, Edwards said.
At this point in the process, there are few choices for high-security software and cloud storage, which means less competition and higher prices. Since there are almost 300,000 defense contractors nationwide, the same shortage and higher prices also apply to services like Sentar and Summit 7 that all those contractors are seeking. Demand has escalated both for trained personnel to assess the gaps or help safeguard against cyber threats and for certified auditors who can assure the DoD that its contractors are CMMC compliant.
Hall said costs for cyber security services ought to decrease as the industry staffs up and more companies earn the required credentials that Sentar has obtained. In 2015, the DoD rolled out the first phase of increased security measures in a Defense Federal Acquisition Regulation Supplement; prices started out higher until more competition became available.
“When DFARS assessments began in 2015, (assessment) cost was $50,000 to $80,000, but those dropped in price every year, ending up around $20,000 to $30,000,” he said, as more security service providers entered the field.
The CMMC released in November is the second version of the directive first released in 2019. Version 2 helps simplify the process and thus reduce costs of beefing up cyber security, Hall said. And those revisions were the result of feedback from the defense industry, he said.
Edwards added that while CMMC 2.0 shows the DoD understands the challenges its contractors face, the government is still faced with growing cyber threats to national security, and therefore it must “assume a high level of cyber security maturity and resources, even if it exceeds current staffing levels.”
Summit 7 can take a client through the entire process of evaluation, licensing, platforming, implementation and ongoing maintenance. Clients can choose parts instead of the whole, but Edwards said she urges clients to opt for the entire package.
Most company computer networks are a patchwork of upgrades from the time of their infancy till now, she said, and that’s not going to hold up as cyber security measures increase each year.
“If you already have latent virus and malware, you just inherit all the existing problems,” Edwards stated. “It’s like patching a roof. You can patch and patch and patch … but you can’t keep repatching forever. Eventually, you have to rip the old roof off and rebuild it.”
The complexity, age and size of existing IT networks determine how long Summit 7’s evaluation and implementation take, but generally it’s six to 12 months to reach compliance levels, she advised.
Depending on the size of the small business, Summit 7 charges $50,000 to $100,000 to assess and configure a system into compliance, another $30,000 to $50,000 to take a client through the entire certification process and then $25,000 to $30,000 annually afterward to maintain the system.
That’s a steep price for a business much smaller than Trideum, Lessmann said, and likely too daunting for prospective firms to warrant the startup risk.
“Just the thought of that barrier to get into the DoD market is huge,” he said, noting he started Trideum 17 years ago with just two partners. “And the irony is it’s right at a time where a lot of our military leaders are saying we need innovation from our small business. Well, guess what. You’re not going to have access to them because they can’t afford to be CMMC compliant as a small startup.”
According to Hall, CMMC costs present perhaps the biggest challenge North Alabama’s economic base has faced in decades. Without some form of government relief, the financial challenge for many small businesses will be too great. However, he said, that’s also an opportunity for Alabama lawmakers to give the state’s DoD contractors a competitive edge over other states by acting now.
States such as Georgia, Virginia, California and Washington already have passed legislation offering matching-fund grants and tax breaks to help contractors afford to remain eligible for DoD work. Alabama has no such proposals in the works, Edwards said, and legislators will need to move quickly to keep billions of dollars from leaving the state.
The CMMC initially gives DoD contractors until October 2025 to achieve compliance. The government is considering incentives to reward those who can complete the process by next fall. Since contractor challenges with CMMC already led to one revision, could the government extend the compliance timeline?
That’s possible, Edwards said, particularly for segments of the defense industry deemed lower risk. But she also expects missile defense to get DoD’s highest priority and thus face pressure for quicker compliance than other military sectors.
To learn more about how CMMC came to be, watch, “The Fascinating History of CMMC as Told by Jacob Horne.” Horne, Summit 7’s Chief Cybersecurity Evangelist, is a leading expert in cybersecurity regulations and federal contract legislation.