It is too big a burden for small businesses, especially construction and mechanical subcontractors that work on military bases. There are requirements to bring more non-traditional contractors into the DoD as a % of work content. How do primes meet this requirement when they have to force these small companies into compliance with CMMC?
Bill Greenwalt at the American Enterprise Institute and a former deputy undersecretary of defense for industrial policy makes a compelling argument for DoD and Congress to step in and scrap CMMC 2.0. CMMC compliance will cost $4 billion (!) annually and will unfairly impact small businesses that DoD wants in (or back in) the defense industrial base. Large contractors will mostly pass on their costs through cost plus contracts, but small businesses will have to invest an early (low) estimate of $100,000 or risk being barred from Government contracts. "Companies that fail these audits are punished ... This punitive enforcement through the contracting process will surely dissuade new and innovative companies from doing business with DoD." "Finally, there's the open question of whether the type of information CMMC seeks to protect, controlled unclassified information (CUI), needs stringent safeguards at all... most CUI probably does not need to be controlled and is only designated as such because of an aversion to risk among those marking it." "CMMC 2.0 is not the way to achieve these objectives and it would be best for DoD to cancel the project. If it doesn't, Congress should act before too many resources are wasted on this effort." #defenseindustry #CMMC #cybersecurity https://lnkd.in/ercSR_KH
Great link and comments, JP! I couldn't agree more!
Absolutely! The CMMC situation is only going to get worse before it gets better. Even mid-size companies could have problems with compliance.