Challenges of MICRO Contractors to the Defense Industry

Cost Challenges to MICRO Contractors to the Defense Industry Series Post 1, Part 1

What Is a Micro-Contractor?

Let’s start with defining what a micro contractor to the defense industry base is. The concept of a micro contractor is NOT related with the concept of a micro transaction, currently defined as any purchase under $10,000 as of Aug 31, 2020. A micro contractor is simply a company under ten employees which has secured a contract from the US government that contains CUI/FCI and other sensitive information.

Typically, in a company of ten people about half of them will manage the controlled or classified federal information. Common examples of micro contractors are machine shops, electro-mechanical assemblers, aerospace defense researchers, equipment calibrators, and facilities managers. The key element is that micro contractors provide specialized services with limited demand. For instance, there could be a particular mechanical modification needed to sustain the life of equipment or a need for research where there are only a handful of experts in the world. These contracts could be worth millions of dollars, but they would still classify as a micro contractor. However, the majority of contracts fall within the $10,000 (micro-purchase threshold) to $250,000 (simplified acquisition threshold) range where the federal government has set-aside goal to exclusively contract small business where possible.

DFARS Interim Rule Cost Estimates & the 2021 DoD Review

In the National Defense Magazine Article dated June 8, 2021 the authors describe the pitfalls for factoring in CMMC security costs. Michael Tomaselli and Charles Battad write “A related cause for concern among contractors is that it is not clear that the Defense Department understands the true costs associated with its cybersecurity requirements.” An ongoing debate exists about what will be allowed as costs to be paid within the scope of a defense contract.

The department of defense assumes that a business has already complied with the 110 NIST SP 800-171 controls, which is a very hefty lift for micro contractors. DFARS 252.204-7012 is the requirement to look for in you DoD contract or subcontract. Estimates of small-micro non-compliance for the 110 NIST SP 800-171 controls, range from 50-90% Non-compliance, depending on how it’s measured. And it may be safe to say that none are 100% compliant currently.

Congressional hearings and the DoD’s own review has recognized the burden for Smalls, and especially Micros. Multiple estimates put the cost of compliance for small or micro contractors at $30,000-$100,000 depending on scope, capability, and technical solutions. In a August 27, 2021 article for Federal News Network, guest authors Ed Bassett and Eric Crusius write:

“DoD should explore opportunities for grants to help small businesses pay for the certification assessment and perhaps other CMMC-related costs. This would help preserve the DIB. Small business contractors who encounter CMMC before their competitors by virtue of a new contract opportunity would be at a competitive disadvantage because they would have to account for the cost of a CMMC certification in their general and administrative (G&A) or overhead cost pools where their competitors will not. Further, in the interim final rule, DoD stated that it expected that a business’ cost to support and obtain a Level 3 certification is $51,095.60. This does not account for the cost to come into compliance with the model and outside vendors (such as cybersecurity consultants and attorneys) or the time leadership will take in ensuring an assessment goes smoothly.”

Are These Costs Reasonable?

For a micro business owner, the answer is definitive No. The DoD seems to have set up competing priorities between CMMC compliance standards and attempting to contract out as many small businesses as possible through direct or subcontracts. It is not realistic for the DoD to assume compliance with the 110 controls of NIST 800-171 when the numbers clearly explain a different story.

Micro businesses are often DoD subcontractors and make certain assumptions of the prime contractor. Even though they handle CUI, the assumption is that the Prime contractor will provide a secure VPN with which to process and transmit CUI. This assumption is false. We are seeing dozens of subcontractors that have DFARS 7012 requirements flowed to them without the benefit of a secure VPN or customer provided enclave. This leaves the cost of compliance to each small or micro.

Help Exist for Micro Contractors

While the government has set up demanding regulations, they have also facilitated pathways for micro contractors to meet that regulation. The NIST Manufacturing Extension Partnership (MEP) provides access to professionals in all fifty states and Puerto Rico. A list of MEP centers can be found on page 49-53 of the 2021 report. Each state has a different supporting organization and slightly different offerings but they all provide micro contractors with resources they need to succeed including expert advisors, free training programs, and connections to affordable solutions.

The maze of technical solutions includes MS GCC and GCC High, but the setup costs can run $30,000-$60,000, way out of range for micro contractors. The CMMC Center of Awesomeness provides great suggestions for technical solutions based on company size. A CPI Systems deep-dive into the Micro-Small business Technology Solutions has provided hope for an affordable array of solutions across each Solution Category (and Domain).

Who are some of CPI Systems favorite solutions for Micro-contractor affordability? Our quest was to find technology solutions in the range of $2500 setup fee and $75/month/user with full mapping to NIST 800-171 controls. These solutions cover most controls/practices and have low set-up costs with reasonable monthly costs:

• Beryllium CUICK Trac virtual enclave
• Cimcor CimTrak file integrity monitoring
• Hoplite AND security platform
• NTP managed detection and response
• CPI Systems continues to grow this list through vendor demos

Micro Costing for IT/Cyber Managed Services that Make Sense

With extensive industry experience, CPI Systems is one of a limited number of CMMC RPO’s to have engineered a set of compliance solutions for micro contractors that makes sense. Get started with DFARS 7012 compliance for as low as $2,500. This includes NIST 800-171 controls Assessment, Score, Gap Analysis and Plan of Action & Milestones (PO&AM) with your initial System Security Plan (SSP). Your SSP includes scoping, CUI data flows, inventory control and accountability.

Then close the gaps and prepare for DFARS 7021 (CMMC Level 3) with customized Policies & Procedures, along with identification and implementation of the Micro technology solution(s) that make sense for your budget and your company.

Finding the most cost effective and appropriate CMMC compliance solution can be daunting. CPI provides a no cost consultation. Visit us at http://cpisystraining.com or contact Jim Goodrich to learn more.

Reference links:
https://fas.org/sgp/crs/misc/R45576.pdf
https://www.federalregister.gov/documents/2020/10/22/2020-22518/federal-acquisition-regulation-application-of-micro-purchase-threshold-to-task-and-delivery-orders
https://fas.org/sgp/crs/misc/R45576.pdf
https://www.nationaldefensemagazine.org/articles/2021/6/8/the-pitfalls-of-factoring-in-security-and-cmmc-costs
https://www.nist.gov/mep/about-nist-mep
https://www.nist.gov/system/files/documents/2021/07/23/2020_mep_annual_report.pdf
https://federalnewsnetwork.com/commentary/2021/08/the-future-of-cmmc-is-here/amp/
https://www.cmmc-coa.com/cmmc-awesomness

For your company Management Reviews are an ideal place for these process discussions. Performance indicators may focus on issues that have already happened. But are you planning for likely scenarios ahead? Do Sales, Operations, and Shipping communicate well. How about your key suppliers? They are also part of your extended enterprise success. Planning for risk within and between these processes is key.