A new bipartisan bill would authorize the Department of Defense to issue grants to help small manufacturers reach compliance with new cybersecurity guidelines like the Cybersecurity Maturity Model Certification (CMMC).
The Pentagon would be authorized to issue funds only to Manufacturing Extension Partnership (MEP) Centers, the public-private partnerships that assist small manufacturers, with the intent of helping those kinds of companies reach compliance. The MEP program is run through the National Institute of Standards and Technology (NIST).
The bill, sponsored by Jimmy Panetta, D-Calif., and Joe Wilson, R-S.C., reflects the general concern Congress has for securing the Department of Defense’s supply chain through the CMMC program and others.
“MEP Centers, public-private partnerships located in all 50 states, are uniquely positioned to assist small businesses with cybersecurity requirements and have worked closely with the Pentagon to bolster defense supply chain resiliency,” Panetta said in a statement.
The funds could be used on a range of cybersecurity-related matters, from hiring experts to help reach compliance to simply increasing cybersecurity awareness. The bill doesn’t specify a dollar figure for the grant program or individual grants.
CMMC is the department’s new five-level system for implementing a third-party verified cybersecurity requirement for all contractors (with one exemption). The department has said that most companies will only need a level one CMMC certification, the most basic level, but so far no cost analysis has been published or provided to Congress on how big an impact compliance will have. There is concern in industry that cyber requirements like CMMC will bring an additional financial burden, even though contractors have been a regular target of successful cyber attacks.
CMMC is set to appear in contracts later this year, and an Accreditation Body was established to train and accredit the third-party assessors and organizations that will verify that contracts are meeting requirements. Without a third-party assessor certifying that a contractor is meeting a set level of cyber controls, that contractor can’t do work with the DOD.
“DOD is increasingly concerned about cyber vulnerabilities in the defense supply chain, specifically among small- and medium-sized manufacturers,” Wilson, the co-sponsor of the bill, said in a statement.