Navigating the CMMC Journey: Insights From the White House

On March 15, 2024, Brenda Doles, President of HCRS, Inc., had the privilege of attending a gathering at the White House, convened by officials from the Biden-Harris Administration. The focus of the meeting was to delve into policy priorities that concern the economy, small business development, and local engagement. As a business owner who has grappled with the challenges and costs of NIST 800-171 — particularly for contracts with the Department of Defense (DoD) and Veterans Affairs (VA) — Ms. Doles was able to voice the opportunities and hurdles that are often faced by small businesses seeking government contracts.

The Journey to Compliance and the Focus on NIST

Contrary to popular belief, NIST SP 800-171 requirements are not new — they were developed in 2015, and have since undergone several revisions since their inception. While many people have focused on compliance with the Cybersecurity Maturity Model Certification (CMMC) and its recently released second version, the reality is that CMMC enforces NIST, and NIST is already required.

In other words, CMMC 2.0 is the accreditation process for a contractor to confirm that they meet basic practices for cyber hygiene.

During her interaction with Mr. Mark Madrid, an associate administrator with the Office of Entrepreneurial Development, Ms. Doles shared experiences from her company’s difficult CMMC journey, including over $100,000 in costs that were incurred during the past two years. Most of these were due to cloud migration, hardware upgrades, cybersecurity measures, employee training, and infrastructure enhancements. Doles noted how these costs were not merely abstract figures, but represented tangible financial burdens that could significantly impact the operations and bidding options of small businesses.

In spite of this financial strain, Doles also acknolwedged how embracing CMMC’s requirements early on helped her company meet compliance standards that allowed it to secure new contracts and gain a competitive market advantage. Additionally, compliance paved the way for Ms. Doles to be recognized as a Registered Practitioner (RP) and Certified CMMC Professional (CCP) by The Cyber-AB, generating new business opportunities as a result.

“Being invited to share my experiences at the White House was a profound honor,” Doles said. “It provided a platform to address critical issues that are affecting small businesses, and to advocate for measures that promote cybersecurity readiness and resilience.”

Some key strategies that were highlighted during the discussion include:

Creating a sense of urgency among small businesses to meet cyber compliance.
Launching an education campaign to raise awareness about NIST and CMMC.
Emphasizing the importance of due diligence for prospective contractors in navigating the complexities of NIST’s requirements.
Promoting the availability of free resources like Project Spectrum that can assist small businesses in their compliance efforts.
Advocating for workforce development initiatives and on-the-job training programs to enhance cybersecurity skills within small business contractors.

Data indicates that a significant portion of contractors are waiting for CMMC 2.0’s final rulemaking before evaluating changes for compliance. Addressing this knowledge gap that NIST already outlines the requirements they need will take a joint effort from both public and private sectors.

Advocating for Cyber Resilience

The White House meeting laid the groundwork for actionable strategies aimed at addressing the cybersecurity challenges faced by small businesses. By leveraging partnerships and advocating for policies that prioritize cyber resilience, we can empower contractors to navigate the evolving threat landscape and thrive in an increasingly digital economy.