Feasibility of SMBs in the Defense Industrial Base

Introduction

The feasibility of small to medium-sized businesses (SMBs) within the Defense Industrial Base (DIB) is largely dependent on their ability to achieve Cybersecurity Maturity Model Certification (CMMC) Level 2 by early 2025. This certification is essential for securing and renewing contracts with the Department of Defense (DoD), driven by the need to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from cybersecurity threats. 

By early 2025, many DoD contracts, especially those involving CUI, will mandate CMMC Level 2 certification. This requirement is part of a phased implementation strategy by the DoD, with full enforcement expected by fiscal year 2026. The DoD provided an estimate that about 80,598 entities will be affected by the CMMC Level 2 requirements. Of these, it is anticipated that around 95% (approximately 76,598 entities) will need to obtain certification from a Certified Third-Party Assessor Organization (C3PAO) due to the involvement of Controlled Unclassified Information (CUI) in their contracts, rather than relying on self-assessment alone (Venable LLP; The National Law Review; InterSec). 

Achieving CMMC Level 2 involves meeting the 320 assessment objectives outlined in NIST SP 800-171A, which poses a substantial challenge for SMBs with limited cybersecurity resources. The DoD has estimated that the cost for small defense contractors to achieve this certification is around $104,670 (Prevail), covering third-party assessments and ongoing compliance efforts. However, real-world scenarios suggest that the actual costs may vary significantly (Atlantic Digital, Etactics). The transition to CMMC 2.0, announced in November 2021, simplified the certification process by reducing the levels from five to three, thereby easing some administrative burdens on smaller businesses. Nonetheless, maintaining certification remains a challenge for SMBs. The high demand for certified assessors as the compliance deadline nears further emphasizes the need for early preparation. 

While the path to CMMC Level 2 certification is demanding, it offers an opportunity for SMBs to strengthen their cybersecurity posture and secure a position in the defense contracting landscape. The ability of these businesses to navigate these requirements will be crucial for their continued participation in the DIB and the resilience of the broader defense supply chain. For SMBs unsure whether CMMC Level 2 is necessary, it is essential to check their contracts for DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This clause, enforced since 2016, mandates that contractors implement the security requirements specified in NIST SP 800-171 to protect Covered Defense Information (CDI) and report cyber incidents to the DoD. Additionally, contractors must perform a self-assessment of their cybersecurity posture, resulting in a Supplier Performance Risk System (SPRS) score, which must be submitted to the DoD. Achieving CMMC Level 2 ensures compliance with these rigorous standards, emphasizing foundational and advanced cybersecurity practices crucial for securing sensitive information and supporting national security. 

Operational and Technical Feasibility

Compliance with CMMC Level 2 requires alignment with NIST SP 800-171, which specifies security requirements for nonfederal information systems and is essential for protecting CUI (NIST). Organizations must assess whether their processes, workforce, and systems can support the demands of CMMC Level 2. The Center for Development of Security Excellence (CDSE) highlights the need for a well-prepared workforce and robust processes (CDSE). Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) underscores that a comprehensive approach combining technological solutions with staff training is vital for CMMC Level 2 compliance (CISA). SMBs therefore need to establish the necessary cybersecurity infrastructure, invest in cybersecurity technologies, and fund workforce training and development to meet these standards.

Economic Feasibility

The economic feasibility of achieving CMMC Level 2 certification is a major concern for SMBs in the DIB. Government estimates for certification costs often underestimate the full scope of expenses. A thorough cost-benefit analysis must account for initial assessment costs and recurring expenses for maintaining compliance.

Initial Assessment Costs 

According to the DoD, “a Level 2 certification assessment is projected to cost nearly $105,000 for small entities and approximately $118,000 for larger entities (including the triennial assessment and affirmation and two additional annual affirmations)” (in Defensescoop). However, real-world examples show significant variation in initial assessment costs, from $30,000 to $381,000 (Etactics). For a small organization requiring a basic 4-person, cloud-only setup, Atlantic Digital (ADI) has been quoted $30,000, whereas larger organizations face costs closer to $100,000. These figures cover assessments by a C3PAO but exclude costs for technology upgrades, staff training, and long-term compliance (Atlantic Digital). 

Cost Considerations 

  1. Technology and Infrastructure Upgrades: Essential upgrades can be costly. For instance, engineering costs for CMMC Level 3, which builds on Level 2, range from $490,000 to $21.1 million (Farmhouse, Dewpoint). These figures, while for Level 3, highlight the substantial investments needed even at Level 2. 
  1. Staffing and Outsourcing: Hiring specialized staff or consultants is often necessary. External consultant costs can start at $60,000 annually, rising to $150,000 and beyond for comprehensive support (Atlantic Digital). 
  1. Operational Costs: Ongoing expenses include training programs and upgrades, for example: 
     - KnowBe4 security awareness training: $9,072/year 
     - Endpoint upgrades: $1,000/user 
     - DocuSign: $3,000/year 
     - External Certificate Authority (ECA): $500/user 
     - Privileged User Training: $400/privileged user annually 
     - Password Vault: $96/privileged user annually 
  1. Migration and Implementation Costs: Medium-sized companies have spent over $1 million annually over three years for cloud migrations and an additional $240,000/year for consulting, staff augmentation and compliance maintenance (Atlantic Digital). 
  1. Additional Costs: SMBs with on-premises CUI handling may face extra costs for printing, upgrades, infrastructure improvements, and physical security (Atlantic Digital). 

In short, the financial burden of achieving and maintaining CMMC Level 2 compliance can be significant for SMBs. While federal estimates provide a starting point, actual costs can be much higher. A comprehensive approach, including detailed cost estimations and leveraging cost-effective services, is essential for SMBs to navigate these economic challenges. 

Atlantic Digital has published a blog post detailing the expenses associated with CMMC certification and discussing why the government often underestimates these costs.

Legal Feasibility

Adherence to DoD cybersecurity and data protection regulations is crucial to avoid legal and financial repercussions. The Defense Counterintelligence and Security Agency (DCSA) emphasizes that compliance is essential for continued participation in DoD contracting opportunities (DCSA, InterSec). Non-compliance could result in loss of contracts and financial penalties.

Schedule Feasibility

The March 2025 deadline for CMMC Level 2 presents a significant challenge due to the limited number of Certified Third-Party Assessment Organizations (C3PAOs). As of July 2024, about 56 C3PAOs are available, each capable of handling 1 to 10 assessments per month, resulting in an estimated 504 to 5,040 assessments before the deadline. This assessment capacity may be insufficient to meet the needs of the many small and medium-sized businesses (SMBs) seeking certification, given the rigorous and resource-intensive nature of the CMMC assessment process. The high demand emphasizes the need for timely scheduling and thorough planning (CyberAB, Taft Privacy & Data Security Insights; MxD; CMMC Audit Preparation; PreVeil). 

Typical timelines for achieving CMMC Level 2 certification range from 6 to 12 months, depending on factors like existing cybersecurity posture and resource allocation. Organizations without existing cybersecurity measures may require 18 to 24 months to achieve certification (CMMC Audit Preparation; ECURON; InterSec).

Market Feasibility

The global cybersecurity market is projected to expand from USD 190.4 billion in 2023 to USD 298.5 billion by 2028, with a compound annual growth rate (CAGR) of 9.4% (MarketsandMarkets). This growth is driven by the increasing frequency and complexity of cyberattacks, along with the rising demands placed on businesses, governments, and individuals to enhance their cybersecurity measures. The U.S. Department of Defense (DoD) has allocated approximately $401 billion—nearly 49% of its total $842 billion Fiscal Year 2024 budget—for contract obligations (Defense Comptroller). This budget includes a historic $170 billion for procurement, the largest ever (Federal Budget IQ), aimed at acquiring the weapons, equipment, and services necessary to maintain and improve military operational capabilities. DoD Defense Industrial Base (DIB) contractors are integral to these procurement efforts, underscoring the critical importance of robust cybersecurity measures.  

In that vein, CMMC Level 2 requirements are mandated for all DoD contracts involving FCI or CUI, with exceptions only for contracts that exclusively pertain to commercial off-the-shelf (COTS) items. The DoD anticipates that 220,000 companies (the DIB encompasses roughly 300,000 companies (DoD)) will be affected by CMMC requirements in general, and CMMC Level 2 applies to over 80,000 entities (about 36%) of those contractors (Wiley, Blank Rome). Achieving CMMC Level 2 certification not only aligns with the DoD's significant emphasis on cybersecurity but also presents substantial opportunities for certified businesses within both the broader cybersecurity market and the DoD's defense sector (USFCR).

Financial Impact of Non-Compliance

Failing to achieve the required CMMC certification by the early 2025 deadline could lead to significant financial losses for all contractors. The potential revenue loss includes: 

  1. Immediate Revenue Loss: Government contractors often rely heavily on a few key contracts. The value of these contracts can range widely, but for many small businesses, a single contract can be worth anywhere from $100,000 to several million dollars annually. 
  1. Dependency on DoD Contracts: Many DIB contractors primarily serve the DoD. Failing to get certified could result in losing most or all of their revenue. For example, if a business has $1 million in annual revenue from DoD contracts, failing to certify would mean losing this revenue entirely. 
  1. Future Opportunities: The lack of CMMC Level 2 certification will make businesses ineligible to compete for an estimated over $100 billion of the larger $401 billion budget allocated for DoD contract obligations. 

Benefits of Compliance

Achieving CMMC Level 2 certification provides several key benefits for small and medium-sized businesses (SMBs), including: 

  1. Regulatory Compliance: Ensures adherence to stringent cybersecurity practices required by the DoD, thereby enhancing the credibility and market positioning of SMBs.  
  1. Market Opportunities: Opens doors to new opportunities with other federal agencies and commercial entities, supporting business continuity and growth. 
  1. Competitive Edge: Prevents the loss of DoD contracts and supports long-term resilience by complying with CMMC requirements. 

(USFCR)

Conclusion

In sum, the feasibility of SMBs in the DIB hinges on their ability to meet CMMC Level 2 certification by March 2025. Achieving this certification presents both challenges and opportunities. Financially, SMBs must navigate significant costs, including assessment fees, technology upgrades, and ongoing compliance expenses. Operationally, preparing for certification requires robust cybersecurity infrastructure and staff training. By strategically planning and leveraging cost-effective solutions, SMBs can enhance their chances of achieving certification and securing their place in the defense contracting ecosystem. The benefits of compliance include enhanced market opportunities, competitive advantage, and alignment with national security goals. The upcoming deadline underscores the importance of timely and proactive measures to ensure continued participation in the DIB. 

To support SMBs in this critical endeavor, Atlantic Digital (ADI) offers specialized services to help businesses achieve CMMC Level 2 certification efficiently and cost-effectively. ADI provides expert guidance through initial assessments, gap analyses, and tailored cybersecurity solutions, ensuring that SMBs meet the stringent requirements necessary to maintain or secure DoD contracts. By partnering with Atlantic Digital, SMBs can not only overcome the financial and operational challenges of CMMC certification but also strengthen their cybersecurity posture. This partnership enables SMBs to remain competitive in the DIB and capitalize on the vast market opportunities that come with compliance. For more information on how Atlantic Digital can assist your business in achieving CMMC Level 2 certification, visit Atlantic Digital.

References

  1. Air & Space Forces Magazine. (2024). Pentagon: 2024 Budget is 'First and Foremost' About Procurement. 
  1. Atlantic Digital. (2024). Internal records. 
  1. Blank Rome. (2024). Understanding the Basics of CMMC Level 2. https://www.blankrome.com/publications/understanding-basics-cmmc-level-2 
  1. CDSE. (2024). Center for Development of Security Excellence (CDSE). Cybersecurity (cdse.edu). 
  1. CISA. (2024). CMMC 2.0 Program Overview. 
  1. CMMC Audit Preparation. (2024). CMMC Compliance FAQs: Organizations seeking certification (cmmcaudit.org). 
  1. CyberAB. (2024). CyberAB. 
  1. Compliance Island. (2023). Compliance Island Total Cost Estimator 2023.xlsx. 
  1. Defense Comptroller. (2024). Financial Summary Tables. Under Secretary of Defense (Comptroller) > Budget Materials > Budget 2024. 
  1. Defense.gov. (2024). DOD Harnessing Emerging Tech to Maintain Enduring Advantage. 
  1. Dewpoint. (2024). CMMC in 2024: The Basics, Costs, and Timeline. 
  1. DCSA. (2024). Controlled Unclassified Information (CUI) Protocols. 
  1. Defensescoop. (2024). Pentagon reveals updated cost estimates for CMMC implementation. 
  1. DoD. (2024). Defense Industrial Base Cybersecurity Strategy 2024. 
  1. ECURON. (2024). CMMC Certification Process and Timeline (ecuron.com). 
  1. Etactics. (2024). CMMC 2.0 Certification Cost: An Accurate Assessment. 
  1. Farmhouse Networking. (2024). CMMC Certification: A Comprehensive Cost Guide for Government Contractors. 
  1. Federal Budget IQ. (2023). Biden's FY24 DOD Budget. 
  1. GAO (Government Accountability Office). (2024). 
  1. InterSec. (2024). The Complete CMMC 2.0 Guide (intersecinc.com). 
  1. MarketsandMarkets. (2024). Market Reports. 
  1. MxD. (2024). CMMC 2.0: Why Manufacturers Should Get Started Now (mxdusa.org). 
  1. NIST. (2024). Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. 
  1. PreVeil. (2024). 6 Ways to Save Money on CMMC Certification Costs (preveil.com). 
  1. PreVeil. (2024). What is DFARS 7012 and Why It's Important (preveil.com). 
  1. Pivot Point Security. (2024). CMMC Audit Preparation. 
  1. Taft Privacy & Data Security Insights. (2024). CMMC 2.0 Is Here to Stay: Where Do We Start? 
  1. The National Law Review. (2024). Understanding the Basics of CMMC Level 2. https://natlawreview.com/article/understanding-basics-cmmc-level-2 
  1. USFCR. (2024). 2024 UPDATE: Cybersecurity Maturity Model Certification (CMMC) 2.0 (usfcr.com). 
  1. Venable. (2024). The New CMMC Rule: FAQs for Federal Contractors. https://www.venable.com/insights/publications/2023/12/the-new-cmmc-rule-faqs-for-federal-contractors 
  1. Wiley. (2024). UPDATE: DOD Proposed Rule Solidifies Plans for CMMC 2.0 Program. https://www.wiley.law/alert-UPDATE-DOD-Proposed-Rule-Solidifies-Plans-for-CMMC-2-0-Program-Security-Requirements-Assessments-Affirmations-and-Some-Flow-Down-Details 
