Potential Government cybersecurity standards to bring major changes for Huntsville businesses
On 26 December 2023 the federal government released updated proposed cybersecurity requirements for defense contractors and subcontractors who conduct business with the U.S. Department of Defense (DoD).
This set of proposed regulations, known as CMMC (Cybersecurity Maturity Model Certification), was released as a 234-page document, which is published online in the Federal Register.
The Huntsville Business Journal sat down with Scott Edwards, CEO of Summit 7, to discuss the proposal and how it would potentially affect Huntsville businesses working with the DoD.
The type of data that a defense contractor manages will determine which of the three levels of CMMC compliance they will need to meet. Contractors in Level 1 will be required to meet 17 practices, and will be able to self-assess for compliance. Contractors in Levels 2 and 3 will need to meet 110 and 134+ practices, respectively, and will require third-party assessment for compliance.
Scott Edwards explained how to determine which level of compliance Huntsville companies will need to meet.
“You’re going to be assessed at the highest level of the data you handle across all of your contracts,” said Edwards.
Any company that manages Controlled Unclassified Information (CUI) will automatically reach Level 2 and thereby be required to obtain third-party assessment.
The size of a particular government contracting firm does not determine its need for compliance. Whether a firm has 2 employees or 2,000, it will need to meet the level of CMMC integration that is designated by the level of security needed for the documents it handles.
Jacob Horne, Chief Security Evangelist at Summit 7, discussed estimated costs of CMMC assessment in a recent online post. Companies requiring the minimum level of CMMC compliance can expect to spend close to $6,000 on assessment alone, while contractors requiring Level 2 compliance may spend over $100,000 obtaining appropriate CMMC assessment.
These figures do not include the implementation costs that will prepare DoD contractors to be assessed. Implementation expenses, which may include hiring costs and costs of additional hardware and software, are estimated to reach as high as six figures for individual companies.
In addition to significant economic outlays, there will also be intangible costs to workers. In order to meet regulations, there may be changes to the ways in which people work on a day-to-day basis. Multi-factor authentication for log-ins, bans on the use of personal devices for work-related material, and the implementation of virtual desktops are just a few examples of changes that workers may need to adjust to as their company implements CMMC regulations.
Building up approved IT infrastructure is estimated to take anywhere from 9 to 24 months, per individual contracting company.
The ability of local defense contractors to meet CMMC regulations will impact residents of Huntsville and Madison, regardless of whether they are a part of the defense industrial base or not.
“Obviously, Huntsville and North Alabama, as a whole, are very dependent on government contracting. That is what Huntsville does. The whole government contracting community really, really has to pay attention to this, because it is going to impact them. It doesn’t impact them any differently than it impacts other communities, it is just that Huntsville has such concentration [of defense contracting] that it impacts our economy more than it impacts other communities,” explained Edwards.
Although the CMMC process can seem overwhelming at first, there are resources available to prepare for the potential changes.
Summit 7 is hosting a free webinar on CMMC compliance on 10 January 2024 at 10:30 am, Central Time. The webinar is designed to be educational, rather than promotional. Interested parties can register here.
The CMMC proposed regulations can be found online through the Federal Register.
Public comments may be made on this page until February 26, 2024. Edwards estimated that the proposed regulations will go into effect during the first quarter of 2025.