DoD Public Comment Period for DIB and Our Math For Small Businesses
DoD Announces 30-Day Information Collection Notice for Cybersecurity Maturity Model Certification Program
Jeff Stutzman, CEO of Trusted Internet, shares his comments
on the final CMMC rule close on July 22nd.
Here’s what you need to know.
I’d be shocked to see this go away at this point, and we are recommending that clients be aware, and be prepared. Even if the added audit burden does go away, compliance with NIST 800-171 (regardless of the rev), became law in 2012.
What to know about this notice:
This notice talks about the burden placed on a defense contractor to perform an audit.
For me, this math on the costs for smaller companies, albeit, probably true, is a painful, and very dry swallow.
The Department of Defense (DoD), through the Office of the Chief Information Officer, has issued a public notice about the collection of information about the Cybersecurity Maturity Model Certification (CMMC) Program.[1] This initiative is part of the DoD's ongoing efforts to safeguard unclassified information within its supply chain. The proposed data collection was submitted for clearance by the Office of Management and Budget (OMB) under the Paperwork Reduction Act.
The information collection focuses on the assessment burden on two levels of certification assessments (L2 and L3):
Level 2 Certification Assessments involve 10,942 respondents, with an estimated annual burden of 5,754,999.61 hours.
(Remember, this accounts for record keeping time only –just the estimated time for the assessment, an “Average Burden per Response: 525.955 hours.”)
Level 3 Certification Assessments involve 213 respondents, with a smaller annual burden of 16,829.13 hours.
(Level 3 is incremental, but 213 respondents claimed an “Average Burden per Response: 79.01 hours.”)
This effort is crucial for assessing contractor implementation of cybersecurity requirements and enhancing confidence in contractor protection measures. This is an important number to understand as it moves to finality and is published as law.
Let’s think about this for a moment. This is easy math…
A breakdown of NAICS-registered companies shows that 85% of all NAICS-registered companies have less than 50 employees, and 86% of all NAICS-registered companies earn less than $2.5 mil per year. 
A small business ($2.5 mil in annual revenue and 20 employees) should expect to spend approximately $140,000 annually on cyber security protections.
That small company will also be asked to spend 525.955 consulting hours every three years on an assessment (not including workups and pre-audits). At $150 per hour (I’m probably conservative), this totals $78,893.25 every three years.
The company must also pay for the assessment. In one quote I received for my small business, the auditor wanted to charge me for two audits—one for a pre-audit and one for the final… not completely unreasonable, but they quoted me using pricing quoted by GAO (Government Accountability Office) in their last report!
As the owner of a Managed Security Service Provider (a 24x7 cyber security monitoring and protection shop), this could be very good for my business. I’m a huge fan of the US Government’s desire to buy from companies with strong cyber practices (and can prove it). I like using NIST 800-171 as a benchmark (although I wish it’d stop changing. NIST 800-171 is a moving target). I also like the C3PAO process. This is good for business from the cyber security company's perspective (assuming all these SMB DIB companies remain). However, the continuing changes in NIST 800-171 and the current 575-hour assessment burden (on top of all the prep), assuming companies already have 800-171 Rev 1 installed from 2012 (not likely) will overburden as many as 85% of small companies to the point of extinction.
Suppose we extrapolate NAICS to the DIB, and 85% of our defense industrial base companies employ fewer than 50 people and earn less than 2.5 mil on a 20% margin. How many of those 85% of the DIB can afford an extra $200-$300,000 for yearly compliance? I’m worried yet excited to provide services to those who survive.
DoD Requests Public Comments
The DoD is inviting public comments on this proposed information collection, and I encourage you to do so. Comments can be submitted online at www.reginfo.gov by selecting “Currently under 30-day Review—Open for Public Comments” or using the website's search function. This is an open and public debate that only runs through July 22nd. Please consider submitting comments—pro or con.
We Can Help Small Businesses Navigate CMMC
We’re here if you need us.
Trusted Internet is a Cyber-AB Registered Provider Organization
We’re nearing our own C3PAO audit.
We also offer a $500,000 Breach Warrantee for those on our system.
Contact staysafeonline@trustedinternet.io for a no-cost consult with one of our senior Virtual CISOs™ (who have all run 800-171 projects).
Sources:
[1] https://www.federalregister.gov/documents/2024/06/21/2024-13464/submission-for-omb-review-comment-request