Congress and small business advocates are working on a series of fixes for a new Department of Defense cybersecurity certification program they fear will otherwise be a major disincentive for smaller, nontraditional defense suppliers to bid on Air Force and other defense contracts.
On Capitol Hill, there is a draft bill that would create a tax credit to cover part of the cost of compliance for the smallest companies. And some advocates are also suggesting Small Business Administration loans might be available to help businesses cover the upfront costs.
The long-delayed Cybersecurity Maturity Model Certification program, or CMMC, was finalized this year and the requirements will start to show up in defense contracts by the end of next year, said Rachel Grey, the director of research and regulatory policy for the National Small Business Association.
“We support a congressional fix to help small businesses comply with CMMC,” she told Air & Space Forces Magazine.
The CMMC is designed to ensure that defense contractors handling unclassified but still sensitive data known as Controlled Unclassified Information comply with cybersecurity guidelines from the National Institute for Standards and Technology, or NIST. But advocates are concerned that the comparatively high costs of compliance may discourage smaller, more innovative companies from competing for defense contracts.
“The costs of compliance risks shutting small businesses out of the defense industrial base,” said Grey, noting the investment in CMMC compliance must be made upfront, before any contract award.
The aim of securing the defense industrial base, or DIB, against foreign cyber intruders is widely shared, including by NSBA, said Grey. But “the burden is not sustainable for small businesses,” she said.
Lawmakers addressed the issue in report language accompanying the must-pass National Defense Authorization bill for 2025, stating that “with the finalization of the rules for the Cybersecurity Maturity Model Certification, we believe it is important that the Department of Defense provide additional assistance to small businesses in the defense industrial base navigating this process.”
The Small Business Cybersecurity Act of 2024, proposed by Rep. Scott Fitzgerald (R-Wis.), would allow companies with fewer than 50 employees to deduct 30 percent of their compliance costs, up to a maximum of $50,000, from their annual tax bill.
The bill was developed by Fitzgerald’s office after discussions with staff from the Senate Small Business Committee and the DOD Chief Information Officer, said attorney Robert Metzger, who has acted in a volunteer capacity as a liaison on the legislation between the Hill and the Pentagon for almost two years.
Metzger said it’s unlikely the bill will make it into the NDAA, which is currently being finalized, but there’s a good chance it gets included in a major tax bill due early next year.
According to DOD figures, there are over 56,000 small defense contracting businesses that will eventually be required to get a third-party assessment of their compliance with the NIST cybersecurity standards, Metzger said. If all of them could claim the maximum allowable credit, the tax revenue lost would amount to $2.83 billion. But if the credit was only available to the smallest companies, those with fewer than 50 employees, the cost would be reduced to $1.04 billion.
Moreover, Metzger points out, many companies may not claim the maximum amount which would also reduce the cost. And since the implementation of CMMC contractual requirements is spread over seven years, so will the costs of compliance.
“The objective here was to start with something that would be significantly helpful to the companies most in need, while being … fiscally prudent, administratively responsible and focused solely on new costs” coming directly from CMMC compliance, he said. “You don’t want it to be open to waste, fraud, abuse or gaming.”
“There will be lots of jostling as to the parameters of this legislation” as it moves forward, Metzger added, warning against special interests “exploiting” the measure by expanding it too far, which he said would reduce the chances of it passing.
“I think it’s important to have a limited tax credit measure to help those who need it most, and to focus that help upon the new costs that CMMC requires. And I think if it’s done prudently, it should have a fair chance of success. Beyond that, I take a cautious approach to expanding the size of the credit, who may claim the credit, or for what,” he said.
The Pentagon broadly supports the idea of such a limited tax credit, according to Stacy Bostjanick, DOD’s deputy chief information officer for cybersecurity, who said it was one of a number of ideas being looked at to mitigate possible negative effects of CMMC on small business participation in the DIB.
“There’s a tax incentive that’s going through the Congress now—well, we’re hoping it goes through—and we’re supportive of that,” she said during a recent webcast, “We’re trying to find any means possible to help alleviate some of the pain and struggle for our small businesses.”
But others note that the tax credit, while a positive idea, would only be available to businesses after they had spent the money.
“The costs are incurred in advance of any possible revenue,” explained ML Mackey, chair of the Small Business Division of the National Defense Industrial Association, a trade group for military contractors.
“Small businesses live or die by their cashflow,” she said, “Typically, they don’t tend to have cash reserves sitting around. They use what revenue they have to try to grow and scale.”
Mackey is the cofounder, co-owner, and CEO of Beacon Interactive Systems, a small business which is digitizing Air Force flight lines and first became a military supplier through an SBIR contract.
“From my own and my colleagues’ experience, for the small business owner, those kinds of upfront costs often mean refinancing their home or taking on credit card debt in order to make that leap of faith and do what they need to expand and grow,” she said.
Mackey was clear that businesses needed to meet the costs of compliance, but pointed out it was a national security priority to increase the number of smaller, more innovative, and nontraditional technology suppliers in the DIB.
“How do we help create a runway such that they can effectively get their CMMC certification and be able to execute on contracts and deliver that much needed, critical innovation for national security needs?” she asked.
She said one interesting idea would be to expand the innovative work done in the past two years by a partnership between the DOD’s Office of Strategic Capital and SBA’s Office of Investment and Innovation. Their Small Business Investment Company Critical Technology Initiative leverages existing SBA loan authorities to match private capital investment in critical technology areas.
“We could do the same kind of thing to make that patient capital [loans with a long repayment period and low interest rate] available to companies that are in critical technology sectors and need support to meet CMMC requirements upfront,” she said, “We don’t need new programs, we can use existing loan vehicles that are already in play.”
Metzger added that implementing such a large and ambitious program within the DOD would take continuing leadership attention and called for the formation of a steering group within DOD.
“These things don’t just execute themselves,” he said. “You need leadership. You need management, oversight, administration, process, training, policies, guidance, instructions, and we’re just at the start of all that.”
He pointed out that although CMMC was designed and produced by the the Pentagon’s CIO’s office, it will actually be implemented in contracts written by the department’s acquisition workforce. “There are other parts of DOD that have a say in this, as well,” he said. “Research and engineering [have a view] as to what it does to the innovators; defense intelligence [agencies provide] the threat information that should inform the cyber policy, etc, etc.”
Given all the different players, Metzger argued, “It seems to me necessary that, under the leadership of the Deputy Secretary of Defense or even the Secretary, you need a CMMC executive steering group to essentially oversee this and make sure that we don’t just thrust it upon a big industrial base and hope for the best, because hope is not really a great substitute for planning.”