A collection of government contractor trade groups say the lack of information about the new Cybersecurity Maturity Model Certification from the Department of Defense could soon have serious financial implications for the companies they represent.
In a letter sent Wednesday to Deputy Secretary of Defense Kathleen Hicks, three industry groups asked for more communication with industry and support for small businesses trying to comply with the new cyber regime, among other recommendations. The missive was sent jointly by the National Defense Industry Association, the Professional Services Council and the Information Technology Industry Council.
The organizations warn that without action from the department, the cost of doing business with the DOD will increase and ultimately hurt the government’s ability to make purchases as companies are forced out of the market and the costs carried to the government increase.
“Currently, our collective members are facing critical decision points that will impact their budgets, strategic planning, and resource allocation without the benefit of knowing the status of DoD cybersecurity policy implementation,” the groups wrote in the letter. “Further, the continued proliferation of federal cybersecurity requirements at the agency level compounds this uncertainty as it remains unclear how DoD requirements will align with those required by other federal agencies.”
CMMC is DOD’s attempt to increase the cybersecurity of its industrial base. The program hinges on a verification model in which contractors must meet one of five tiers of cybersecurity controls, determined by the sensitivity of information they handle. By fiscal 2026, the department plans to require any contractor to have paid for an assessment of their network that would verify its compliance.
The potential costs of preparing for and getting an assessment could be high, especially for small businesses with tight margins. Some have estimated it could cost more than $100,000, but many business leaders remain uncertain due to a lack of communication from the department and the other groups implementing the program.
Many of the complaints raised in the letter have been aired before, including in congressional testimony. But now companies are facing the dilemma of planning their futures against a regulation many still have questions about. There is also particular concern with an ongoing review of the program that was supposed to be concluded by, but DOD has yet to release any of its findings.
“The lack of clarity during the review process has increased uncertainty throughout the DIB and among commercial vendors seeking to provide covered commercial items,” the letter states.
The letter also brought up a foundational issue for CMMC: defining what exactly constitutes controlled unclassified information (CUI). Policy on CUI is set by the National Archives and Records Administration, but the industry groups are asking DOD to be more specific about what information constitutes CUI and what protections need to be applied to it.
“[T]he Department must still provide detailed guidance regarding the type of information to be protected and should continue to collaborate with contractors and subcontractors that generate DoD CUI,” the letter states.
The groups made six suggestions to DOD:
- Regularly engage with industry
- Standardize and improve the marking practices for DoD CUI requiring protection
- Harmonize CMMC and related contractual clauses with existing and future cybersecurity directives
- Clarify Inter-Governmental Authorities for Implementing CMMC and Related Cybersecurity Requirements
- Provide additional implementation guidance and support for small businesses
- Evaluate and clarify remaining policy and process questions around the implementation of [Defense Federal Acquisition Regulation]