Concern that the Defense Department’s plan to require contractors to have their cybersecurity practices validated by an independent third party will be “overly burdensome” comes predominantly from larger, not smaller, contractors, a new survey shows.
The results of a survey released Tuesday, sponsored by cybersecurity small businesses Apptega and Secure Strux, suggest a majority of smaller contractors share the expectation that the DOD’s Cybersecurity Maturity Model Certification will improve their ability to compete and don’t think it will be overly burdensome. A quarter of smaller organizations indicated that CMMC will create unnecessary burdens and costs, whereas 42% of larger organizations felt that way, according to the survey.
The survey included participation from 130 prime contractors and subcontractors, which it categorized into smaller organizations (those with 100 employees or fewer) and larger organizations (those with more than 100 employees). The surveyors identified the participants by reaching out to a list of contractors published by the DOD and members of the Society of Industrial Security Professionals, which is largely comprised of DOD primes and subs, Apptega Vice President of Marketing Scot McLeod told Nextgov.
The DOD launched the CMMC program after the department concluded the current practice of allowing contractors to self-attest their adherence to standards laid out by the National Institute of Standards and Technology is not reliable. If it were, then it would be less likely for the Chinese to have a plane that looks a lot like the F-35, Katie Arrington, the DOD’s lead official for the program, has suggested.