At a May 18 Senate Subcommittee on Cybersecurity hearing, senators expressed concern that the Department of Defense (DoD) is not doing enough to help small businesses in the defense industrial base (DIB) implement, or to subsidize, cybersecurity protocols, including the DoD’s Cybersecurity Maturity Model Certificate (CMMC).
It’s an issue Sens. Mike Rounds, R-S.D., and Joe Manchin, D-W.V., ranking member and chairman on the committee, each brought up with witnesses, seeking information about what the DoD is and can be doing to better assist small businesses in protecting DoD data.
“The defense industrial base must help smaller businesses with the protection of DoD data from malicious cyber actors,” Rounds said in his opening statement. “The department cannot simply burden its contractors with increasingly stringent cybersecurity requirements. Doing so without subsidy or assistance is unlikely to particularly improve the cybersecurity of the defense industrial base, and will likely drive the most innovative small businesses away from doing business with the department.”
Sen. Manchin expressed concern about what concrete plans or initiatives DoD is working on that will help small businesses in the DIB shore up their cybersecurity and provide support and guidance in that journey.
It is a concern shared, at least in part, within the DoD. Jesse Salazar, the deputy assistant secretary of Defense for Industrial Policy, said small businesses make up most of the businesses in the third and fourth tiers of the DIB, which makes up approximately 74 percent of the DIB, according to Salazar’s written testimony. In addition, the number of small businesses in the DIB has shrunk substantially in the past decade.
“We’re really focused on managing costs of cybersecurity for small businesses,” Salazar said at the hearing. “In my role, I also oversee the Office of Small Business programs. So I can say with certainty that small businesses are under immense market pressures. The number of [the] DIB’s small businesses has shrunk by more than 40 percent over the last decade. After the pandemic, one-in-seven small businesses within the DIB say that they’re unlikely to return to pre-pandemic profitability.”
Sen. Joni Ernst, R-Iowa, later asked how to strike the right balance between public and private responsibility for cybersecurity, between the government and small businesses. Salazar said that while the DoD is putting programs in place to help small businesses, those businesses are currently being viewed as a weak link in the supply chain.
“Within the defense industrial base, we see small businesses really as the engines of innovation and vitality,” Salazar responded. “We want to make sure as a policy matter that we are doing everything we can to maintain a thriving small business segment. The recent spate of supply chain attacks and disruptions have shown that many adversaries are viewing these small businesses as a weak link.”
Current Initiatives to Help Small Businesses
To help small businesses build better cyber hygiene practices within their organizations and guide them through the process, both the DoD and the U.S. Army have put programs in place.
At DoD, Salazar touted his office’s mentor-protégé program, in which the prime contractor coaches its subcontractors through the rigors of handling DoD materials, as well as DoD’s “Project Spectrum” platform, where primes are sharing information with subcontractors in real time.
“Project Spectrum” is one way DoD has made resources more readily available to small businesses to make them more resilient. Salazar said a concern he has often heard from small businesses is the barrier to entry, and this project is one way DoD is trying to drive down costs.
“We’ve … stood up a website called Project Spectrum, the IO, which actually has been very helpful,” Salazar said. “We’ve had more than 500,000 views [and] 10,000 trainings disseminated on cyber hygiene. Small businesses can go and assess where they currently stand today. These are the kinds of resources that we’re trying to make available so that we can drive down the cost and start protecting these companies today.”
The Army has its own Office of Small Business Programs, which is also working to help small businesses with their cybersecurity practices and with getting CMMC ready. Kimberly Buehler leads that office as its director and said at a May 19 FCW virtual event focused on the CMMC program that her main job is to be an advocate for small businesses.
Buehler has similarly found small businesses that say the cost to achieve the CMMC is prohibitive, but also that they are having issues simply understanding the requirements.
“The cost is really one of the barriers that small businesses have mentioned to me, more often than anything else in terms of their hesitancy to get on board with the CMMC requirements,” Buehler said at the event. “If there’s one takeaway from today, I think it has to be: don’t wait. This is moving forward.”
“The more you can do now, the better off you’re going to be. So, you know, building this into your, your business model is really critical if you’re a small business,” Buehler added.
In discussing the resources the Army has to help with the transition, Buehler also mentioned DoD’s Project Spectrum, as well as the mentor-protégé program.
She also put in a plug for the Army’s Procurement Technical Assistance Centers, run through its Defense Logistics Agency, and the business assistance network America’s Small Business Development Center. The latter has created its own Cybersecurity Maturity Model, separate from the CMMC, and partners with the Small Business Administration to offer most of its services for free.