Small Businesses Seek More Lenient CMMC Audit

Small businesses are seeking to be excused from complying with higher levels of the Department of Defense’s Cybersecurity Maturity Model Certification program.

Jonathan Williams, a partner at the Washington, D.C.-based law firm PilieroMazza, told members of the House Small Business Committee on June 24 that compliance with CMMC requirements beyond level 1 would burden small businesses.

Williams argued that keeping requirements to a bare minimum ensures that organizations have at least the basic cybersecurity protections in place while avoiding significant costs, FCW reported.

Per Williams’ suggestion, small businesses would only have to meet the lowest level of security controls required for a defense contractor, including implementing multi-factor authentication. Organizations with level 1 certification are authorized to manage federal contract information that is not for public release.

Stringent requirements should be demanded from prime contractors, Williams said. He added that DOD contract clauses should inhibit primes from imposing CMMC requirements beyond the subcontract’s scope of work.

The House hearing also tackled the accreditation of CMMC certified third-party assessment organizations.

Scott Singer, the president of CyberNINES, a consulting company based in Madison, Wisconsin, called for a more lenient assessment of C3PAOs. He recommended that candidate assessors only be evaluated for the first two CMMC levels initially and save Level 3 for later.

The CMMC program reached a critical milestone with the recent authorization of two C3PAOs.

Redspin, a division of CynergisTek, received inaugural C3PAO status on June 9. Kratos received the same designation the following week. Both companies were cleared to audit companies seeking CMMC certification at maturity levels 1 through 3.

Sign Up Now! Potomac Officers Club provides you with Daily Updates and News Briefings about Defense and Intelligence

Join Us Now