DOD Looking to Minimize CMMC Accreditation Costs for Small Businesses
The Department of Defense said it will work to ensure that small businesses are not burdened by the costs of the Cybersecurity Maturity Model Certification audit.
According to a DOD spokesperson, an internal review is underway to minimize accreditation costs for small enterprises while preserving the integrity of the cybersecurity requirements.
Most small companies will likely only have to comply with CMMC Level 1 requirements, the spokesperson told FedScoop.
CMMC critics have pointed out that imposing CMMC requirements beyond Level 1 on small businesses would be unfair because they have less money to spend on compliance than their larger counterparts.
Jonathan Williams, a partner at law firm PilieroMazza, told members of the House Small Business Committee on June 24 that keeping requirements to a bare minimum would strike the right balance between ensuring that small businesses adhere to basic cybersecurity protections and minimizing costs.
Under CMMC Level 1, organizations would only have to meet the lowest level of security covering access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.
Uncertainties surrounding the CMMC program are causing concerns among small business owners, who fear that they could be pushed out of the defense industrial base.
Michael Dunbar, a small business president, said at a recent House hearing that the DOD has not been communicating properly with small businesses about the CMMC implementation.
“It’s basically been kept to a very small group of people that are running all of this and then we get told later on what is happening,” he said.