Why CyberSecurity Regulations Update is Awesome for Small Businesses

On December 27, 2021, President Biden signed the FY22 National Defense Authorization Act (NDAA) into law, authorizing nearly $800 billion in defense spending.

The national defense total in the 2022 omnibus spending bill is $782 billion, reflecting a 3.9 percent increase over the administration’s request for 2022 and a 5.6 percent increase over the 2021 appropriations. This total includes $13.6 billion for emergency military and humanitarian aid for Ukraine as Russia’s conflict with the country continues.

Impact on Small Businesses

NDAA and CMMC Framework

Good news for small businesses: the NDAA orders the Pentagon to report on the effects of the Cybersecurity Maturity Model Certification (CMMC) framework on small business concerns (Sec. 866), including its impact on defense contract management practices. The report must detail the estimated costs of compliance, expected changes to the number of small businesses in the defense industrial base, and efforts to mitigate negative effects. This provision is a significant win for small businesses, as it compels the Pentagon's procurement organization to consider the impacts on lower-tiered small businesses while revamping the CMMC program.

Upcoming Changes to CMMC

The Department of Defense (DoD) plans to release an Interim Rule on the CMMC framework by May 2023, according to Stacy Bostjanick, director of the CMMC program for the DoD. By July 2023, CMMC requirements will start appearing in DoD contracts. Businesses will have about one year to obtain their CMMC certification to be eligible to bid on defense contracts.

If there are no changes to the rulemaking, Level One will include 17 practices, and companies will be allowed to self-certify. While this is an improvement, it also comes with a warning. In the past, businesses allowed to self-certify often failed to implement proper cybersecurity measures, leading to compromised government information.

New Regulations and Compliance

With the new changes to CMMC, the DOJ has recently announced a new Civil Cyber-Fraud Initiative using the False Claims Act (FCA). Companies that self-certify and experience a security breach will be investigated. If it is determined that they did not properly implement CMMC standards, they will face prosecution. Additionally, there is an initiative to incentivize whistleblowers to report companies that are not implementing or maintaining adequate cybersecurity requirements.

The DoD has also reduced the maximum number of federal contracting practices from 171 to 110 for Levels Two and Three. These levels will require third-party certification. Fewer than 100 businesses will need Level Three certification. Most businesses will only need Level One certification, but if your business handles Controlled Unclassified Information (CUI), you will need Level Two certification.

Next Steps

If you are currently winning contracts or aiming to win contracts with the DoD, now is the time to start the process of completing your CMMC certification.

In the coming years, the majority of federal government agencies will require CMMC certification.

If you have any questions about your next steps, please email us at CMMC@govcontractors.org.

Written by Guy Burns, CSP, CCM, RP, Executive Vice President of Training and Business Development, Government Contractors Association.
