Thursday, June 24, 2021

MSGI Congressional Hearing Recap - House Small Business Committee Hearing "CMMC Implementation: What It Means for Small Businesses"

 MSGI Congressional Hearing Recap

Committee: House Small Business Committee, Subcommittee on Oversight, Investigations, and Regulations

Hearing Title: CMMC Implementation: What It Means for Small Businesses

Subcommittee Chair: Representative Dean Phillips (D-MN)

Ranking Member: Representative Beth Van Duyne (R-TX)

Date: June 24, 2021

Witnesses

Mr. Jonathan T. Williams
Partner
PilieroMazza PLLC
Testimony

Mr. Scott Singer
President
CyberNINES
Testimony 

Ms. Tina Wilson
Chief Executive Officer
T47 International, Inc.
Testimony 

Mr. Michael Dunbar
President
Ryzhka International LLC
*Testifying on behalf of the HUBZone Contractors National Council
Testimony 

Main Issues Discussed

Cost of CMMC Implementation

  • Chair Phillips (D-MN) Questions:
    • Mr. Williams, the cost of CMMC can be burdensome, how can we strike a balance with cost and protecting cybersecurity?
      • Response: Keep as many small businesses as possible at Level 1. The businesses will have adequate protections but will avoid the costs of Level 3. We need a controlled approach where small businesses don’t have to take on Level 3 information.
    • Are there funding streams to help small businesses?
      • Response: I am not aware of any, but it is a great idea. Smaller firms cannot afford the investment up front. Existing mentor protégé programs work very well, mentors can help with CMMC.  
    • Ms. Wilson, what is your experience with CMMC?
      • Response: I learned about it when attending an industry day, I understand how it works in a broader perspective. T-47, my business, must secure a specialist because CMMC is very complex.  

Overlapping Requirements

  • Ranking Member Van Duyne (R-TX) Question:
    • Mr. Dunbar, do you believe the CMMC duplicates any standards that are already present?
      • Response: Yes, it is built on an existing standard. The reason behind CMMC is there was no third-party assessment. Why create an existing standard? Why not add on the third-party assessment to an existing standard?
  • Rep. Evans (D-PA) Question:
    • Ms. Wilson, can you mention just a few other certifications you have to comply with?
      • Response: We have invested in the ISO certifications, SBA’s annual 8(a) certification, WOSB certification, defense counterintelligence security certification. The CMMC process has been the most challenging because there is no transparency.

Lack of Transparent Information on CMMC

  • Ranking Member Van Duyne (R-TX) Questions:
    • Mr. Dunbar, where do you get the information on CMMC? How can we make it easier?
      • Response: We get the information from LinkedIn. There is no consistent message or method coming from the Department of Defense (DOD). Even the CMMC FAQ page is not streamlined. 
    • Is there a role for the SBA?
      • Response: There should be a role for the SBA. I think the DOD has sidelined them in the same way that small businesses have been ignored.
    • Mr. Singer, what is the penalty if a business doesn’t comply?
      • Response: You are out of business with the DOD.
    • Can you point to one or two things that would make understanding this easier for small businesses?
      • Response from Mr. Singer: The prime contractors need to step up and play a bigger role, they have the resources and the teams to do so. There needs to be more support for the whole supply chain.
      • Response from Ms. Wilson: To ensure that everyone has the same information there needs to be a concerted effort across all industries. 
      • Response from Mr. Williams: Regarding the flow down of information, the prime contractor has a lot of power. The challenge is that the questions are not being answered on the main issues. 
      • Response from Mr. Dunbar: A lot of small businesses work from home now. Small businesses will be subject to home inspections, the risk of this is incalculable. Small businesses need the ability to protect themselves. 
  • Rep. Evans (D-PA) Question: 
    • Mr. Dunbar, what is your recommendation to businesses just learning about CMMC?
      • Response: I don’t have an answer. We are trying to find the information, which has not been clear.
      • Response from Mr. Singer: It is important for companies to find reputable partners to help them through the process. I think Level 3 businesses, such as small manufacturers, are just now starting to understand this. Businesses that qualify as Level 1's may not understand that CMMC will affect them yet.

Determining Levels for Small Businesses 

  • Rep. Evans (D-PA) Question:
    • Ms. Wilson, what would be the ideal way for small businesses to be taken care of?
      • Response: Offer up costs to pay for Level 1 and Level 2 certifications. This way, DOD has some level of comfort. The other businesses can go out and secure other levels if needed. 
  • Rep. Meuser (R-PA) Questions: 
    • Mr. Dunbar, what is the DOD’s feedback on if Level 1 is satisfactory? What do they say about you, and suppliers like you, regarding Level 1?
      • Response: Part of the problem is that we aren’t hearing a lot. We don’t know if we will need to keep chasing technology as we go along.
    • What is the cost difference from Level 1 to Level 3?
      • Response: 10 to 20-fold cost difference.
    • How much more secure is Level 1 to Level 3?
      • Response: From where I am currently, I am secure. 
  • Rep. Hagedorn (R-MN) Question:
    • Mr. Dunbar, wouldn’t it make more sense if the government imposed reasonable standards?
      • Response: I agree, the key word is the definition of reasonable, DOD believes that these numbers are reasonable. My company has 6 people, this is not reasonable. 
  • Chair Phillips (D-MN) Question:
    • Mr. Singer, how likely is full CMMC implementation by 2026 when there is such a lack of assessors?
      • Response: It will be very difficult to get there with the current progress of 100 provisional assessors and 2 C3PAOs. The timeline is very stretched, we need more than 8,000 assessment team members to make this happen. There needs to be flexibility for the third-party assessors. Not everyone needs to be at Level 3. There needs to be an understanding of risk to the supply chain. 
    • Mr. Williams, how concerned are you that the CMMC initiative will be adopted by civilian agencies and become a baseline?
      • Response: It is certainly a possibility. I would view what is happening at DOD as a trial.  

