The Cybersecurity Maturity Model Certification (CMMC) has been a major talking point in the defense contracting community, with many focusing on the direct impact on prime contractors. However, a less discussed aspect of CMMC is its effect on small business subcontractors, who play a vital role in the defense supply chain. According to a recent survey by the National Defense Industrial Association (NDIA), 71% of small business contractors are concerned about the financial burden of CMMC compliance, per NDIA’s 2024 Small Business Survey.
One of the primary concerns for small business subcontractors is the cost of implementing and maintaining CMMC compliance. With limited resources and budgets, these firms may struggle to absorb the costs associated with compliance, which could range from $10,000 to $50,000 or more per year, depending on the level of certification required, according to a report by the Government Accountability Office (GAO-24-105). This financial strain could lead to a decrease in the number of small businesses participating in the defense supply chain, ultimately affecting the overall diversity and resilience of the chain.
The Subcontractor Dilemma
Small business subcontractors often lack the necessary resources and expertise to navigate the complex CMMC requirements. This can lead to a situation where prime contractors, who are responsible for ensuring the compliance of their subcontractors, may be hesitant to work with smaller firms due to the perceived risk. As a result, small businesses may be inadvertently pushed out of the defense supply chain, despite their importance in providing innovative solutions and specialized services. A former Air Force PEO contracting officer noted, ‘The reality is that small businesses are often the ones driving innovation in the defense industry, but they’re also the ones who are most vulnerable to the financial and administrative burdens of CMMC compliance.’
A recent analysis of FPDS-NG data, queried 2024-08-20, found that small businesses account for approximately 23% of all defense contracting awards, totaling over $34.2M in fiscal year 2023.
The CMMC requirement for subcontractors to achieve certification has sparked concerns about the potential for a ‘certification cascade,’ where the costs and administrative burdens of compliance are passed down from prime contractors to smaller subcontractors. This could lead to a situation where small businesses are forced to choose between investing in CMMC compliance or abandoning their participation in the defense supply chain. As noted by the DoD Comptroller in the R-1 Justification Books for fiscal year 2024, the department is aware of the potential risks and is exploring ways to mitigate the impact of CMMC on small businesses.
The CMMC requirements have the potential to be a ‘death sentence’ for small businesses in the defense industry, unless we find a way to make compliance more accessible and affordable.
To address these concerns, the Department of Defense (DoD) has established the CMMC Small Business Initiative, aimed at providing resources and support to small businesses navigating the CMMC process. However, some critics argue that more needs to be done to ensure the long-term sustainability of small businesses in the defense supply chain. A report by the Congressional Research Service (CRS RL34500) highlights the importance of small businesses in the defense industry and recommends that the DoD take a more proactive approach to supporting these firms in their efforts to achieve CMMC compliance.
Finding a Solution
One potential solution to the challenges faced by small business subcontractors is the development of more flexible and cost-effective compliance options. This could include the creation of shared compliance resources or the establishment of a ‘compliance-as-a-service’ model, where smaller firms can access the necessary expertise and resources to achieve certification without breaking the bank. As noted by the GAO in report GAO-24-105, the DoD is exploring alternative compliance models, including a potential ‘compliance-by-component’ approach, which could help reduce the burden on small businesses.
Ultimately, the success of CMMC will depend on its ability to balance the need for enhanced cybersecurity with the need to support and sustain small businesses in the defense supply chain. By finding ways to make compliance more accessible and affordable, the DoD can help ensure that small businesses continue to play a vital role in the defense industry, driving innovation and providing critical services to the warfighter. As the defense industry continues to evolve, it is essential that the DoD takes a proactive approach to addressing the challenges faced by small business subcontractors and works to create a more inclusive and supportive environment for these firms to thrive.
Conclusion
In conclusion, the impact of CMMC on small business subcontractors is a critical issue that requires attention and action from the DoD and the defense contracting community. By understanding the challenges faced by these firms and working to address them, we can help ensure the long-term sustainability of small businesses in the defense supply chain and maintain the diversity and resilience of the chain. As the defense industry continues to navigate the complexities of CMMC, it is essential that we prioritize the needs of small businesses and work to create a more supportive and inclusive environment for these firms to succeed.

