
3 Reasons Why SMBs Struggle With the CMMC Approval Process

Small businesses face numerous hurdles when trying to secure federal contracts, including compliance with NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC). While the CMMC approval process was recently updated to make it more cost-effective for small businesses to compete, there are still areas where SMBs are put at a heavy disadvantage by larger entities in the CMMC ecosystem.

To outline these issues in more detail, I’ll be sharing firsthand experience from my company, Healthcare Resolution Services (HCRS), a consulting firm that has dealt with health information management for 30 years. 

3 Key Issues Facing SMBs

Even though HCRS has held a longstanding partnership with the Department of Defense, the DoD issued a requirement a few years back that stated we must maintain a line of credit from a traditional financial institution — a requirement we were unable to meet at that time due to financial hardships during the COVID-19 pandemic. This disqualified us from our DoD contract, in spite of the fact that we had sufficient funds to complete it. 

Since the pandemic, prime contractors have also started to increase their cybersecurity insurance policies, which have affected smaller subcontractors like HCRS. For example, one prime wanted us to have an insurance policy of $5 million, which was both excessive and unrealistic considering that our annual revenue at that time was $2 million.

Then there’s the matter of contract bundling that all SMBs should be wary of. This practice is the result of the government’s initial attempt to help minority-owned businesses participate in federal contracts by including certifications and standards in them that SMBs can meet. A prime will then attempt to partner with an SMB and “bundle” their work so that they have a better chance of being awarded one of these contracts. However, when they do, the prime suddenly cuts the SMB out.

Why does this happen?

First, the prime contractor is fully aware that it has sufficient resources to complete the work without actually involving the SMB, but it has to include the SMB if it wants to win the contract. Second, there isn’t sufficient government oversight to protect SMBs from falling victim to bundling.

Changes Needed in the CMMC Approval Process

It is imperative for the federal government to monitor and adjust its programs serving minority-owned businesses. It must ensure that requirements are reasonable and do not disproportionately disadvantage smaller enterprises. There needs to be a reassessment of the certifications and requirements being imposed, as many are proving to be excessive and exclusionary.

Moreover, the government must tackle the issue of contract bundling by implementing stricter regulations and oversight. This includes creating checkpoints and guardrails to prevent larger businesses from exploiting smaller ones to win contracts. It is essential to build a truly equitable contract environment where SMBs can compete fairly and thrive.

What Small Businesses Like Yours Can Do

While federal agencies have made strides in supporting small businesses, there is still much work to be done. The increasing demands of the CMMC approval process and other certifications are pushing small businesses out of the competition. If the federal government is committed to fostering an inclusive and fair marketplace, it must take decisive action to address these barriers and support the sustainability of small business subcontractors.

If you work for an SMB, here’s what you can do right now: learn all you can about meeting CMMC requirements for handling sensitive information; establish a strategy to track your CMMC journey; be scrupulous in your agreements with prime contractors; and contact your government representatives who can push for the changes discussed above.

If you have questions about this material and are looking for further guidance, I want to help you. When you’re ready, let’s talk about cybersecurity standards, how to develop a system security plan, how to perform a CMMC self-assessment, and other key steps in the CMMC certification process.



This information is adapted from written testimony by Mrs. Doles to the Senate Committee on Small Business and Entrepreneurship on May 6, 2024. Available in full on the Small Business Majority’s website, it “outlines the importance of targeted federal programs such as the U.S. Small Business Administration’s (SBA) 8(a) Business Development Program and the Minority Business Development Agency (MBDA),” while also addressing ongoing racial discrimination and the factors above that have made CMMC compliance difficult for her organization. 
