Friday, December 3, 2021

HUBZone Contractors National Council - Cybersecurity Maturity Model Certification (CMMC)

Madison Services Group, on behalf of the HUBZone Contractors National Council, is pleased to announce a huge win for small business contractors, the result of months of advocacy. The Department of Defense (DoD) has released the “Cybersecurity Maturity Model Certification (CMMC) 2.0” – the updated version of the Department’s effort to enhance the cybersecurity practices of its federal contractors. Many of the changes made by the DoD come as a result of the Council’s efforts over the past two years to highlight challenges and propose solutions to increase compliance and affordability for small contractors.

Michael Dunbar, President of Ryzhka International, testified on behalf of the Council in a June hearing on CMMC implementation and what it means for small businesses. He highlighted, among other things, the need for cost transparency, streamlined standards and clear communication on CMMC efforts. In response to the hearing, Small Business Committee members introduced a bipartisan amendment, included in the House-passed FY2022 National Defense Authorization Act (NDAA), that exempts contracts awarded to small businesses classified as tier 0 from category management or successor strategies for contract consolidation.

  • Floor #337 – Requires DoD to report the impact of CMMC on small businesses. Requires DoD to submit a report on the impact of the Cybersecurity Maturity Model Certification (CMMC) on small businesses within 120 days. The report must include the estimated cost burden for each CMMC level, the anticipated decrease in the number of small businesses as a result of CMMC, and how the DoD plans to mitigate the negative effects on small businesses resulting from CMMC. [Reps Phillips (D-MN), Van Duyne (R-TX)]

Our efforts to elevate the voice of the defense industrial base resulted in changes in CMMC 2.0, specifically laid out by DoD to “reduce the burden for small businesses by: streamlining requirements at all levels, eliminating CMMC-unique practices and maturity processes; allowing companies associated with the new Level 1 (Foundational) and some Level 2 (Advanced) acquisition programs that do not involve information critical to national security to perform self-assessments rather than third-party assessments; and providing additional flexibility through the allowance of plan of actions and milestones (POA&Ms) and a waiver process.”

Thank you to all of our members and strategic partners who have added their voice to our efforts. We look forward to continuing this important policy work through our new Secure Supply Chain Consortium.
