Small business advocacy office identifies areas for more guidance in CMMC proposed rulemaking

By Sara Friedman / March 13, 2024

The Office of Advocacy at the Small Business Administration has outlined four areas of concern in the Pentagon's proposed rule to implement the Cybersecurity Maturity Model Certification program.

“Advocacy is principally concerned with the ability for small businesses to meet and comply with the standards and timelines set out in the CMMC Program without further clarification and guidance documents from the DOD,” the office writes in comments submitted to the Defense Department on Feb. 26.

DOD issued the first proposed rule on Dec. 26. Nearly 800 comments have been filed on the proposed rule from a broad range of sectors including defense, technology, communications, gas, electric and international bodies.

The Office of Advocacy is an independent office housed within SBA. It plays an important role in reviewing regulations before publication in the Federal Register to make sure they comply with the Regulatory Flexibility Act. The Feb. 26 filing is the office’s public comments on the CMMC proposed rule.

“The current rule does not provide clear guidance on the process to create enclaves, which would allow more small business subcontractors to participate in DOD contracts without meeting the full requirements necessary for the prime contractor,” the filing says.

“Advocacy seeks clarification on the role of Third-Party Assessment Organizations (C3PAO) and the indemnification a C3PAO has if a contractor or subcontractor is out of compliance,” according to the filing. “Additional concerns include the process of how and if more C3PAOs can be certified by the DOD to review the numerous contracts that will be subject to certifications.”

“Advocacy urges the DOD to provide clarification about the enforcement mechanisms for breaches of cybersecurity,” the filing adds.

“Lastly, Advocacy reminds the DOD that this rule will impose a high cost of compliance on small businesses and any means to reduce the burden on small businesses will increase the participation of these impacted businesses,” according to the office.

Advocacy’s filing is based on outreach meetings the office held with “diverse business stakeholders concerning the rule” in person and virtually.

“Creating and implementing enclaves will be most effective when a large prime contractor creates these enclaves to ease the burden on small subcontractors,” the filing says. “The rule mentions the use of enclaves but does not provide guidance on how to implement enclaves within a business.”

The office supports the use of external service providers, calling them a “driving force” for small businesses to comply with CMMC. “The ability of ESPs to create effective and economically feasible software will allow businesses to enclave different operations more easily and avoid unduly costly compliance expenses,” the filing says.

“Advocacy recommends that the DOD create a presumption to reduce the number of small contracts that are subject to CMMC Level 2,” the filing adds. “This can be achieved through varying means, including a positive requirement for prime contractors or the ability for a prime contractor to engage in using enclaves as a positive value marker for their contracts.”

Advocacy says, “Further, the agency contracting officer could be required to engage in mitigating efforts if such CMMC related issues arise between a subcontractor and prime contractor.”

Stakeholders raised questions to Advocacy on how DOD will take “practical steps” when it comes to enforcement actions for breaches.

“Further, stakeholders raised concerns regarding the availability of remediating steps in the instance of failure to meet a CMMC requirement,” the filing adds. “Advocacy recommends the agency create guidance documents for small business contractors to better understand the legal effects of the CMMC.”