[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                    CMMC IMPLEMENTATION: WHAT IT MEANS FOR 
                            SMALL BUSINESSES

=======================================================================

                                HEARING

                               BEFORE THE

       SUBCOMMITTEE ON OVERSIGHT, INVESTIGATIONS, AND REGULATIONS

                                 OF THE

                      COMMITTEE ON SMALL BUSINESS
                             UNITED STATES
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD
                             JUNE 24, 2021

                               __________


            Small Business Committee Document Number 117-021
             Available via the GPO Website: www.govinfo.gov
             
                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
44-926                      WASHINGTON : 2021                     
          
-----------------------------------------------------------------------------------                
             
             
             
                   HOUSE COMMITTEE ON SMALL BUSINESS

                 NYDIA VELAZQUEZ, New York, Chairwoman
                          JARED GOLDEN, Maine
                          JASON CROW, Colorado
                         SHARICE DAVIDS, Kansas
                         KWEISI MFUME, Maryland
                        DEAN PHILLIPS, Minnesota
                         MARIE NEWMAN, Illinois
                       CAROLYN BOURDEAUX, Georgia
                         TROY CARTER, Louisiana
                          JUDY CHU, California
                       DWIGHT EVANS, Pennsylvania
                       ANTONIO DELGADO, New York
                     CHRISSY HOULAHAN, Pennsylvania
                          ANDY KIM, New Jersey
                         ANGIE CRAIG, Minnesota
              BLAINE LUETKEMEYER, Missouri, Ranking Member
                         ROGER WILLIAMS, Texas
                        JIM HAGEDORN, Minnesota
                        PETE STAUBER, Minnesota
                        DAN MEUSER, Pennsylvania
                        CLAUDIA TENNEY, New York
                       ANDREW GARBARINO, New York
                         YOUNG KIM, California
                         BETH VAN DUYNE, Texas
                         BYRON DONALDS, Florida
                         MARIA SALAZAR, Florida
                      SCOTT FITZGERALD, Wisconsin

                 Melissa Jung, Majority Staff Director
            Ellen Harrington, Majority Deputy Staff Director
                     David Planning, Staff Director
                           
                           
                           C O N T E N T S

                           OPENING STATEMENTS

                                                                   Page
Hon. Dean Phillips...............................................     1
Hon. Beth Van Duyne..............................................     3

                               WITNESSES

Mr. Jonathan T. Williams, Partner, PilieroMazza PLLC, Washington, 
  DC.............................................................     5
Mr. Scott Singer, President, CyberNINES, Madison, WI.............     7
Ms. Tina Wilson, Chief Executive Officer, T47 International, 
  Inc., Upper Marlboro, MD.......................................     8
Mr. Michael Dunbar, President, Ryzhka International LLC, Pompano 
  Beach, FL, testifying on behalf of the HUBZone Contractors 
  National Council...............................................    10

                                APPENDIX

Prepared Statements:
    Mr. Jonathan T. Williams, Partner, PilieroMazza PLLC, 
      Washington, DC.............................................    25
    Mr. Scott Singer, President, CyberNINES, Madison, WI.........    33
    Ms. Tina Wilson, Chief Executive Officer, T47 International, 
      Inc., Upper Marlboro, MD...................................    42
    Mr. Michael Dunbar, President, Ryzhka International LLC, 
      Pompano Beach, FL, testifying on behalf of the HUBZone 
      Contractors National Council...............................    44
Questions for the Record:
    None.
Answers for the Record:
    None.
Additional Material for the Record:
    Ho-Chunk Inc.................................................    51
    IPC Report June 2021.........................................    59
    National Defense Industry Association (NDIA).................    74

 
        CMMC IMPLEMENTATION: WHAT IT MEANS FOR SMALL BUSINESSES

                              ----------                              


                        THURSDAY, JUNE 24, 2021

              House of Representatives,    
               Committee on Small Business,
                         Subcommittee on Oversight,
                           Investigations, and Regulations,
                                                    Washington, DC.
    The Subcommittee met, pursuant to call, at 10:01 a.m., in 
Room 2360, Rayburn House Office Building, Hon. Dean Phillips 
[chairman of the Subcommittee] presiding.
    Present: Representatives Phillips, Davids, Evans, Craig, 
Hagedorn, Meuser, Van Duyne, and Fitzgerald.
    Chairman PHILLIPS. All right. Good morning, everybody. I 
call this meeting to order.
    And without objection, the Chair is authorized to declare a 
recess at any time.
    Let me start by saying that the standing House and 
Committee rules and practice will continue to apply during 
hybrid proceedings. All members are reminded that they are 
expected to adhere to these standing rules, including decorum. 
House regulations require members to be visible through a video 
connection throughout the proceeding, so please keep your 
cameras on. And also, please remember to remain muted until you 
are recognized to minimize background noise. And turn your 
microphone on when you are recognized, of course.
    If you have to participate in another proceeding, please 
exit this one and log in later. In the event a member 
encounters technical issues that prevent them from being 
recognized for their questioning, I will move to the next 
available member of the same party and I will recognize that 
member at the next appropriate time slot, provided that they 
have returned to the proceeding.
    For those members and staff physically present in the 
Committee room today, we will continue to follow the most 
recent OAP guidance. Masks are no longer required in our 
meeting spaces for members and staff who have been fully 
vaccinated. All members and staff who have not been fully 
vaccinated are still required to wear masks and socially 
distance. I do hope that we do all our parts to protect each 
other and our staff.
    With that, I will begin with my opening statement. Cyber 
attacks have the potential to threaten public safety and 
undermine the American economy and national security. The early 
months of 2021 have provided harsh reminders of this very fact. 
Over the past 6 months, hackers and other malicious actors have 
held an oil pipeline for ransom, breached the Nation's largest 
transit network, and attacked private companies to obtain 
sensitive customer data.
    According to the Council of Economic Advisers, malicious 
cyber activity has cost the U.S. economy between 57- and $109 
billion since 2016. With our society's reliance on technology 
and digitization growing, there is no doubt that cyber attacks 
will only become more prevalent moving forward.
    Recognizing the urgency of cyber threats, the Department of 
Defense has taken steps to protect sensitive defense 
information from attacks aimed at over 300,000 companies that 
compose the Defense Industrial Base, the DIB. One of these 
efforts has been the creation of the Cybersecurity Maturity 
Model Certification. The CMMC is a framework that seeks to 
improve the protection of different types of sensitive, 
unclassified information through the implementation of a 
unifying security standard across the DIB.
    The CMMC framework consists of a tiered system with a 
series of processes and practices at each level. The program 
was designed based on numerous cybersecurity standards and 
frameworks. CMMC relies on third-party certification to assess 
the relative cybersecurity maturity of DIB companies; thus, when 
the initiative is finally implemented and all contracts and 
requirements incorporate a specific CMMC level, only those 
contractors who have achieved the required CMMC level through 
the certification process will be eligible for an award.
    The need for cybersecurity is unquestionable. It is vital 
that companies in the DIB become more resilient and prepared 
for cyber attacks. With that said, the CMMC Initiative has the 
potential of driving many small businesses out of the Defense 
Industrial Base, therefore, we must get this right. To that 
end, it is important to pay attention to the numerous red flags 
that small businesses have raised about this initiative.
    For example, many have a concern about the significant cost 
associated with CMMC compliance. Guarding against cyber attacks 
can be cost prohibitive for many small businesses. And firms 
that seek to abide by CMMC must purchase new hardware and 
software, replace outdated technical systems, and pay the costs 
of initial certification and maintenance amongst other 
expenditures.
    Small businesses often run on thin margins as we know, and 
the cost of CMMC has the potential to leave many small firms in 
the sector without a chance to compete for government 
contracts. Many small businesses also don't have the capacity 
to deal with the complexity of the initiative. Employers at 
small enterprises often wear many hats and have limited 
regulatory or compliance resources. This means that independent 
firms will be forced to turn to outside specialists for help to 
navigate the program. For many small contractors, this will not 
be feasible.
    According to Department plans, the DOD will implement the 
CMMC initiative on select contracts between fiscal year 2021 
and 2025. In addition, in March, DOD initiated an internal 
assessment of CMMC partially guided by an effort to manage 
cybersecurity costs for small businesses. This is a very timely 
hearing, as it allows us to take a closer look at the program 
and its implications for small businesses. There is no doubt 
that contractors working with the DOD must have adequate 
systems in place to handle cyber threats. At the same time, we 
cannot allow the program requirements to drive small businesses 
out of the defense procurement space.
    With that, I would like to yield to the Ranking Member, Ms. 
Van Duyne, for her opening statement.
    Ms. VAN DUYNE. Thank you, Mr. Chairman. We should have 
compared notes before we gave our opening statements, because I 
am going to echo many of the sentiments that you just shared.
    Just a few short weeks ago, we saw how a malicious 
ransomware attack perpetuated by foreign actors on the Colonial 
Pipeline can cause chaos across the entire Eastern Seaboard. 
And not long after that, another attack shut down one of the 
leading meat producers in the United States. The potential for 
profit and opportunity to disrupt U.S. critical infrastructure 
has invited a number of cyber criminals to target U.S. network 
vulnerabilities and one of the softest targets to obtain 
valuable Department of Defense information is through our small 
contractors.
    Recognizing the increased vulnerabilities of small 
contractors, the DOD initiated a new cybersecurity assessment 
framework, called the Cybersecurity Maturity Model 
Certification, to assess contractor implementation of 
cybersecurity requirements. While no one disputes the Federal 
Government's need to address the growing cybersecurity risks 
facing our Nation, I am deeply concerned that the CMMC has 
created yet another hurdle to keep small businesses from 
competing in the defense marketplace, exactly what we just 
heard from our Chairman.
    A major concern is the cost of compliance. No matter how 
you look at it, adding stringent cybersecurity requirements 
will be a costly endeavor for small businesses that are already 
recovering from a pandemic. With limited resources compared to 
the competitors in the defense contracting space, small 
businesses are understandably wary of deploying that capital 
without assurance that their investment will return in future 
work.
    The Federal Government has already experienced a 38 percent 
decline in its industrial base for the past decade and measures 
like this will only exasperate this exodus. Simply put, we need 
to ensure a competitive contracting environment for small 
business. This would not only benefit our small employers, but 
would be a net benefit for our national defense.
    I also have major concerns with the rollout of the CMMC for 
a number of reasons. First, the assessments may be inconsistent 
and unfair because the new process is being handled by many 
newly trained assessors. There are also many questions 
outstanding about how subcontractors will be treated under this 
new framework.
    And, finally, I am worried that small contractors will be 
shut out of the conversation entirely, and forced to the end of 
the line.
    The fact is that this new process may threaten the 
livelihood of many small businesses. No assistance, no 
assessment means no certification, and no certification means 
no work. Small businesses rightly fear that they won't be given 
a fair share, left to fend for themselves, as we have too often 
seen when it comes to sweeping government reforms.
    Dealing with cyber threats is an extremely nuanced issue 
that will require continued collaboration, and while the DOD 
may have good intentions with the CMMC initiative, we must 
ensure that the voices of small businesses operating in the 
Defense Industrial Base are heard and have their concerns 
addressed. I look forward to hearing the testimony of the 
witnesses today.
    And I yield back.
    Chairman PHILLIPS. Thank you, Ms. Van Duyne. The gentlelady 
yields back.
    And I will just take a moment to explain how the hearing 
will proceed.
    Each witness will have 5 minutes to provide a statement and 
each Committee member will have 5 minutes for questions. Please 
ensure that your microphone is on when you begin speaking and 
that you return to mute when you are finished.
    With that, I would like to introduce our witnesses.
    Our first witness is Mr. Jonathan T. Williams, partner with 
the law firm of PilieroMazza in Washington, D.C. As Chair of 
their government contracts group, he counsels companies on a 
variety of Federal acquisition regulation compliance issues. 
Mr. Williams is also a member of PilieroMazza's cybersecurity 
and data privacy team. In this role, Jon works with Federal 
contractors, particularly those who contract with the DOD, on 
managing cybersecurity and establishing compliant and effective 
safeguards. We appreciate your expertise on today's topic.
    Our second witness is Mr. Scott Singer, president of 
CyberNINES with offices in both Wisconsin and Minnesota. Mr. 
Singer is a retired U.S. Navy captain bringing over 30 years of 
military experience in both Active Duty and Reserve roles, 
along with 26 years of industry experience. His company, 
CyberNINES, is a service-disabled veteran-owned small business, 
focused on cybersecurity services and a candidate third-party 
assessment organization for CMMC. We appreciate you as well, 
Mr. Singer, for your contributions to today's discussion.
    Our third witness is Ms. Tina Wilson, founder and Chief 
Executive Officer of T47 International, located in Upper 
Marlboro, Maryland. Ms. Wilson is an Air Force veteran, and T47 
International is an 8(a) veteran-owned, and women-owned small 
business, offering a wide range of professional support 
services to the defense community. We thank you also for 
sharing your story today.
    With that, our Ranking Member, Ms. Van Duyne, will 
introduce Mr. Dunbar.
    Ms. VAN DUYNE. Okay. Hold on just a minute. Thank you very 
much.
    I would like to welcome our final witness, Mr. Michael 
Dunbar. Mr. Dunbar is the president of Ryzhka International, a 
service-disabled, veteran-owned small business founded in May 
of 2011, and a HUBZone certified firm as of February of 2014. 
They provide lubricants and fuel oil to government, commercial, 
and maritime clients worldwide, and proudly provide 100 percent 
American-made products. From its initial founding to today, the 
company has grown from one to six employees and successfully 
serves clients ranging from the U.S. Army Corps of Engineers, 
the Department of Veterans Affairs, the U.S. Navy and Coast 
Guard, the National Oceanic and Atmospheric Administration, 
various shipyards, and many in the dredging community.
    Ryzhka International has been the proud recipient of 
several awards. This is the Department of Defense's award for 
support of the Guard and Reserve. And in addition to its 
businesses, the company's secondary mission is to provide 
gainful employment opportunities to qualified individuals from 
disadvantaged segments of society, such as minorities, women, 
people with disabilities, and veterans.
    Chairman PHILLIPS. And we will begin with Mr. Williams--oh, 
I am sorry.
    Ms. VAN DUYNE. Sorry. You are good. You are good. The 
secondary focus is no surprise considering Mr. Dunbar's own 
military service in the U.S. Navy Nuclear Power program and its 
status as a service-disabled veteran. After his military 
service, Mr. Dunbar went on to spend the summer working on the 
solid rocket boosters for National Aeronautics and Space 
Administration's space shuttle.
    Following that summer, he attended the University of Utah, 
went on to have a successful career as an executive in the 
biotech industry, and afterwards, started his own company. Mr. 
Dunbar will be speaking today on behalf of the HUBZone 
Contractors National Council, which is a nonprofit trade 
association advocating for policies bringing opportunities to 
HUBZone certified small businesses and the economically 
disadvantaged communities in which these companies are based.
    Mr. Dunbar, thank you for your participation today. We look 
forward to hearing your testimony.
    I yield back.
    Chairman PHILLIPS. Thank you, Ms. Van Duyne. The gentlelady 
yields back.
    Sorry, Mr. Dunbar. My bio is about one sentence long, so I 
am not accustomed to two pages.
    With that, we are going to recognize Mr. Williams for 5 
minutes for your opening statement. Mr. Williams.

STATEMENTS OF JONATHAN T. WILLIAMS, PARTNER, PILIEROMAZZA PLLC; 
    SCOTT SINGER, PRESIDENT, CYBERNINES; TINA WILSON, CHIEF 
EXECUTIVE OFFICER, T47 INTERNATIONAL, INC.; AND MICHAEL DUNBAR, 
 PRESIDENT, RYZHKA INTERNATIONAL LLC, TESTIFYING ON BEHALF OF 
            THE HUBZONE CONTRACTORS NATIONAL COUNCIL

               STATEMENT OF JONATHAN T. WILLIAMS

    Mr. WILLIAMS. Good morning, Chairman Phillips, and other 
distinguished members of the Subcommittee. My name is Jonathan 
Williams, and I am a partner with the law firm PilieroMazza, 
which represents government contractors. Many of our clients 
are small businesses that work with the Department of Defense 
as prime contractors and subcontractors. It is an honor to 
participate in this hearing on DOD Cybersecurity Maturity Model 
Certification to share my perspective on the CMMC Initiative.
    DOD's focus on cybersecurity has been steadily building for 
many years, with measures ranging from implementation of new 
regulations and contract clauses to the elevation of 
cybersecurity as the fourth pillar of DOD's acquisition 
planning. DOD has left no doubt about the importance it has 
placed on enhancing cybersecurity for the Defense Industrial 
Base, and with good reason, as recent events like the pipeline 
shutdown demonstrate.
    CMMC marks a significant change in DOD's evolving approach 
to cybersecurity. With CMMC, contractors will no longer be 
allowed to use the honor system by self-certifying their 
cybersecurity. Instead, contractors will have to apply for 
certification from a third-party assessor. These so-called 
C3PAOs will evaluate the contractor's cybersecurity against 
established benchmarks and decide whether to certify the 
contractor in one of five levels.
    The lowest level of CMMC is level one, which requires the 
fewest and most basic cybersecurity measures. The level one 
requirements are things all businesses should be doing, like 
spam filters and antivirus software. The cost and complexity of 
the requirements increases significantly at the higher levels 
of CMMC.
    DOD has said it intends to start requiring CMMC on a few 
contracts this fiscal year with that number increasing steadily 
over the next several years until fiscal year 2026, when all 
DOD contractors will be required to have CMMC.
    However, the implementation schedule has slipped a few 
times already and remains in flux. Approximately 2 years into 
the CMMC Initiative, many practical questions that small 
businesses are asking remain unanswered. These are basic 
questions like, when will I need CMMC? How much will it cost? 
What level do I need? And how do I get it?
    Many small businesses will not be able to adequately 
prepare for CMMC until these questions are answered. For 
example, DOD estimates that most small businesses will only 
need level one; however, that is not guaranteed. DOD agencies 
are more likely to require at least level three for many of 
their contracts, and prime contractors may flow down the same 
level to their subcontractors.
    Given the substantial difference in cost and technological 
know-how between level one and level three, many small 
businesses will be unable to compete if more than a level one 
is required. From my discussions with the small businesses we 
represent, I have several suggestions for how to make the CMMC 
Initiative more manageable for small businesses, including: the 
SBA and DOD mentor-protege programs should be utilized to 
ensure that mentors provide small businesses with resources and 
guidance to obtain CMMC.
    Joint ventures, a popular tool for small businesses to 
pursue government work, should not be required to have CMMC 
when the member companies are certified. C3PAOs should be 
required to fast-track CMMC applications when the applicant is 
a small business that is in line for award of a contract.
    DOD contract clauses should prohibit prime contractors from 
imposing a more stringent level of CMMC on a subcontractor than 
is necessary based on the scope of the subcontract.
    And finally, DOD and prime contractors should explore 
alternative ways to give small businesses access to sensitive 
information that will enable more small businesses to 
participate on DOD contracts with a level one certification.
    In closing, I believe the CMMC Initiative appropriately 
aims to improve our Nation's cybersecurity posture. I do not 
think small businesses would debate the importance of 
cybersecurity, or that doing business with the Federal 
Government is a privilege that requires investments in 
compliance and infrastructure.
    At the same time, the worthy goals of the CMMC Initiative 
must be calibrated to avoid creating an unnecessarily high 
barrier to entry for small businesses, which are the engine of 
our economy and critical partners with the Federal Government 
for innovation and provision of many necessary services and 
supplies.
    This concludes my testimony. Thank you, again, for the 
opportunity to appear before you today.
    Chairman PHILLIPS. Thank you, Mr. Williams. A perfect 5 
minutes at that. We appreciate it.
    Now we recognize Mr. Singer for 5 minutes.

                   STATEMENT OF SCOTT SINGER

    Mr. SINGER. Thank you, Representative Phillips, Ranking 
Member Representative Van Duyne, and members of the 
Subcommittee, for inviting me to testify this morning. I look 
forward to providing information that will help ensure we have 
a secure Defense Industrial Base and find cost-effective 
solutions to allow small business to fully comply with CMMC.
    My name is Scott Singer, and I am the owner and president 
of CyberNINES. CyberNINES was founded only in June of 2020; 
however, thanks to the interim final rule released on November 
30, 2020, we have been really busy. And I have done assessments 
in the districts of some of the members of this Subcommittee. 
Small businesses do not have purchasing or IT departments. They 
do not have compliance or regulatory departments. We need to 
make this easier for them. Primes, certified third-party 
assessors, registered provider organizations, all can assist 
these small businesses get compliant and reduce the complexity 
for them.
    Having a program where the primes take a strong guiding 
hand of their supply chain is critical to maintaining these 
small businesses as DOD suppliers. Of the last 33 basic 
assessments CyberNINES has conducted, the average compliance 
score was minus 105. Plus 110 is perfect. We have found that on 
average, they are about only 34 percent of the way toward 
meeting all the risk controls. Cost models put forth by the 
government assume that companies are much further along on this 
journey, and they actually should be by this point.
    Assuming full compliance to NIST, the DOD has put out that 
this will cost $26,000 to complete the 20 additional practices 
followed by an additional $29,000 to be assessed by a C3PAO. As 
discussed above, small businesses that we have assessed are 
only partway there, and we have come up with costs more to the 
tune of about $130,000 for these businesses to be able to be 
compliant.
    Last week, I conducted a basic assessment of a small 
manufacturer in Minnesota. They had only six employees, one 
small manufacturing space with three machines, and they do 
excellent innovative work. I spent a good majority of my time 
doing the assessment actually from the owner's house. This 
year, he expects to make 875K in revenue. My estimate is that 
if he wants to stay a DOD contractor, he will have to spend 10 
percent of his revenue over the next 3 years alone on getting 
compliant.
    Small businesses have been directed to add their allowable 
costs to get compliant to their indirect rates. Most don't do 
cost reimbursement contracting for DOD. Moreover, market 
factors around competition for orders will require them to 
compete and lower prices. Established contractors will be more 
likely to be able to provide a lower bid and win the order from 
the prime. There should be a process separate from the 
competitive marketplace to allow small businesses to get paid 
for the reasonable, necessary, and allowable cyber compliance 
expenses.
    Companies further ahead should not be penalized and be able 
to recoup their past expenses, too. In addition to the 
difficulty small businesses have funding this effort, there are 
bottlenecks for getting enough assessors. In doing the math, I 
just don't see how--and this is my opinion--we can get enough 
C3PAOs and assessors through the process to assess 300,000 DIB 
companies by October 1, 2025. I saw one estimate that we would 
need over 8,000 assessment team members working full-time from 
today on to make this happen.
    To get more C3PAOs through the process, I recommend there 
be a relaxation for the initial C3PAOs. Assess candidate C3PAOs 
to maturity level one or two now, and then require level three 
in the future. The requirement for tier three background 
investigations for assessment and support staff creates another 
bottleneck. I would recommend allowing an interim clearance 
process for that.
    In conclusion, the majority of the 300,000 contractors in 
the DIB are small businesses. Without monetary support and 
clear regulatory guidance, the DOD will lose small businesses 
as they will look to find business in the commercial sector. A 
balance must be struck between risk and cost. Too much cost, we 
lose suppliers; too much risk, and we hurt our national 
security.
    Thank you for allowing me to testify, and I look forward to 
your questions.
    Chairman PHILLIPS. Thank you, Mr. Singer. And now we 
recognize Ms. Wilson for 5 minutes.

                    STATEMENT OF TINA WILSON

    Ms. WILSON. Chairman Phillips, Ranking Member Van Duyne, 
and members of the Subcommittee, thank you for the invitation 
to testify today. I am Tina Wilson, CEO, T47 International, and 
I am honored to have the opportunity to provide some insight 
regarding the implementation of DOD CMMC Initiative.
    As a business owner with over 260 employees located in 28 
States and overseas, T47 provides a variety of staffing 
services from budget and finance, janitorial, inventory 
management, aircraft tools, maintenance to mail room, and 
nonclinical medical and dental case managers. The diversity of 
services offered puts me in a unique position to provide a 
different perspective regarding this subject.
    As CMMC standards continue to be developed and incorporated 
into contract agreements and modifications, it is essential 
that the Small Business Committee be aware of the policy 
impact. If the CMMC standards are not clearly communicated and 
monitored for fraud, the financial ramifications to the over 
300,000 Defense Industrial Base of contractors, and 
specifically to the small business community, could be 
devastating.
    Based on this statement, I will cover three main subject 
areas of concern and offer recommendations.
    Cost to secure CMMC. As of today there is no set cost to 
obtain CMMC. The CMMC accreditation body has stated that the 
marketplace will need to define the cost, which leaves it wide-
open for interpretation what this cost will be. Whether it is a 
tiered cost based on the size of the business, or a set cost 
regardless of the size, there will be initial and sustained 
cost that will impact small businesses' ability to secure the 
certification.
    A similar certification offered by the International 
Organization for Standardization, ISO, is standard 27,000, 
which is information technology and focuses on security for any 
kind of digital information. This certification costs between 
28- to $35,000 to obtain, and takes approximately 6 to 8 months 
to implement. This is a tremendous cost burden to add to a very 
tight budget for most small businesses.
    Cost of not having CMMC. While unknown as of today, what 
has been communicated to the entire Defense Industrial Base is 
that if you don't have CMMC at the basic level, you will not be 
eligible for a Federal contract. Many small businesses may not 
even be aware of this new requirement, and failure to obtain 
certification means ending contract work as a service provider 
to the DOD.
    Additionally, as the prime contractor, it will be our 
responsibility to flow down the requirements to our 
subcontractors. If the subcontractor does not have 
certification, we would be required to end subcontract 
agreements to remain compliant with the DOD CMMC standards.
    Audit imposters. I raise this subject as an awareness to 
inform the Subcommittee. When the DOD presented the CMMC as the 
new way of life for all businesses within the Defense 
Industrial Base in the summer of 2019, many business owners 
asked a lot of questions of why? Who will conduct the 
implementation and audit? How much? When will it happen? 
Implications, or if you do not have it, and many more 
questions.
    Before the CMMC accreditation body was formed in the latter 
part of 2019, audit imposters with no training and not 
accredited started advertising that they will certify your 
company as cyber compliant for thousands of dollars to get a 
company ready. Many small businesses that are just now 
hearing about this standard may, in a moment of panic and fear 
of losing their government contract, fall prey to an audit 
imposter.
    As I close, I recommend that the Subcommittee members 
closely monitor this very important implementation of CMMC 
Initiative. While I know there are so many other issues to 
focus on, CMMC has ramifications that reach far beyond what we 
can realize at this moment.
    It is important that, one, cost is articulated clearly to 
reduce price gouging and to allow the small businesses to plan; 
number two, a balanced cost approach that does not reduce small 
business participation in the Federal marketplace; number 
three, DOD continues to work closely with various advocacy 
groups to ensure that the Defense Industrial Base contractors, 
known at the Office of Small Business, are aware of this 
implication to this new initiative; and four, DOD and the 
Office of Small Business start as soon as possible to put 
various roadblocks in place to reduce the number of audit 
imposters.
    Thank you for your time in addressing this very important 
subject that impacts thousands of small businesses that do 
business with the Department of Defense.
    Chairman PHILLIPS. Thank you, Ms. Wilson.
    And now I recognize Mr. Dunbar for 5 minutes.

                  STATEMENT OF MICHAEL DUNBAR

    Mr. DUNBAR. Chair Phillips, Ranking Member Van Duyne, and 
members of the Subcommittee, thank you for the opportunity to 
testify before you today. My name is Michael Dunbar, and I am 
the president of Ryzhka International, located in Pompano 
Beach, Florida.
    Ryzhka International provides lubricants, fuel oil in bulk 
quantities, package quantities to the Federal Government, 
commercial maritime industries. I am a proud service-disabled, 
veteran-owned small business, as well as a HUBZone certified 
small business.
    I am testifying today on behalf of the HUBZone Contractors 
National Council, a nonprofit trade association providing 
information and support for companies and professionals 
interested in the Small Business Administration's HUBZone 
program. We would like to thank the Committee for its 
commitment to small business and for advancing policies that 
support small businesses doing business with the Federal 
Government.
    In a recent hearing, Deputy Assistant Secretary of Defense 
of Industrial Policy, Jesse Salazar, said it best: The 
Department's approach to cybersecurity must balance the need 
for accountability with the recognition of the challenges 
facing small businesses.
    Small businesses understand the importance of 
cybersecurity, and the very real threats facing their 
companies. We are not looking for a way to opt out or ignore 
this problem. We want to secure our companies. According to the 
DOD's contracting data, 74 percent of the Defense Industrial 
Base are small businesses. These contractors are critical to 
the government, and are not a group that can be ignored.
    The Federal Government has long identified the need to 
safeguard sensitive information and understands that 
cybersecurity is a dynamic issue. Small businesses, however, are 
experts on the goods and services they provide. We do our best 
to focus on supplying a product, making a profit, and retaining 
employees. Most small businesses are not IT professionals. We 
are not cybersecurity specialists either. I am--right here is 
the assessment guide. This is for cybersecurity CMMC model 
level three. It is full of stuff I have no idea and don't 
understand. I have to hire somebody to figure this out.
    The initial cost for me to start my business was less than 
$1,000. The cost to start a new government-focused business 
with this, 10,000, 100,000; we really don't know. Access to 
capital can be a very challenging issue for small businesses, 
and we have to use significant capital now to become CMMC 
certified.
    The segments hurt most are the segments that can least 
afford it. The Federal Government already has challenges 
meeting those goals. If we reduce the number of companies that 
qualify, you also reduce opportunity for people to start up new 
businesses in those sectors.
    The council makes the following recommendations to improve 
the rollout of CMMC, and maintain a strong industrial base. 
Increased cost transparency and put guardrails on rising 
compliance costs for small business. One of the biggest 
frustrations for small business throughout the rollout has been 
cost transparency. Some small businesses have estimated costs 
in excess of $100,000 to prepare for level three certification. 
That doesn't include the assessment costs. I have heard of 
assessment costs already estimated at above $150,000 for a 50-
person company.
    Establish clear communication on CMMC efforts. A lack of 
transparency, clear, consistent communication by the DOD, and 
the rollout of CMMC and its implementation by the CMMC 
accreditation body has been concerning. The council suggests 
putting together a more clear, consistent delivery of 
information through a central government platform or website.
    Streamline new and existing standards for contractors. The 
Federal Government lacks unified cybersecurity standards across 
all agencies. The council encourages the DOD to work closely 
with industry, particularly small businesses, to streamline 
these requirements. Allowing companies to have a plan of action 
and milestones after a CMMC assessment would help with these 
burdens.
    Create a system for oversight and equitable rollout. Many 
small businesses worry that they will be put at the back of the 
line and face massive delays as companies serve the 
subcontractors. An equitable rollout is important to these 
companies as well.
    In conclusion, the Federal Government has a long and 
complex history of governing cybersecurity regulations and 
compliance with its contractors. A streamlined approach needs 
to be taken for contractors to navigate all of these standards 
and systems successfully.
    Thank you for the opportunity to testify today, and I look 
forward to your questions.
    Chairman PHILLIPS. Thank you, Mr. Dunbar, and to all of our 
witnesses for being with us today and we appreciate your 
testimony on the CMMC Initiative.
    I will begin the hearing now by recognizing myself for 5 
minutes. I will start with Mr. Williams.
    I think we all understand the importance of cybersecurity, 
and ensuring that the most vulnerable small businesses in the 
DIB supply chain are protected. However, it is clear that the 
cost of CMMC could be terribly burdensome for small businesses. 
So how should we be looking at this? How can we strike the 
right balance between enhancing cybersecurity, and ensuring 
that small businesses can participate in DOD acquisitions?
    Mr. WILLIAMS. Yes. Excellent question. Thank you. I think 
one of my top suggestions there is to try to make good on DOD's 
estimate that most small businesses will only need level one. 
As I said in my testimony, that is not guaranteed, but if we 
can keep as many small businesses as possible at level one, 
that will strike the right balance between ensuring that these 
small businesses have at least the basic cybersecurity 
protections in place, but will allow them to avoid, as Mr. 
Dunbar said, the significant additional costs when you go from 
a level one to a level three.
    And I think managing the level one versus level three 
distinction is probably one of the most critical ways to keep 
the cost down for small businesses. That could be done through 
flow-down protections. Make sure that primes are not flowing 
down higher than level one if their subcontractors only need 
level one. And I would like to see more flexible approaches 
where the small businesses don't need to take the controlled 
unclassified information into their own network, because that 
is what then causes the jump from level one to level three.
    Let's look at ways that either the DOD and their own 
systems, or the prime contractors and their own systems, can 
maintain this information, and let's maybe be more creative and 
flexible in how we allow small businesses to participate on 
those programs without having to take that information into 
their network, and then cause them to have to go up to a level 
three.
    Chairman PHILLIPS. Appreciate that. Are there any funding 
streams of which you are aware that can help small businesses 
with the costs of CMMC? And if there is anything that Congress, 
DOD, or even SBA could do to help in that regard, no matter how 
significant the expenses might be?
    Mr. WILLIAMS. I am not aware of a specifically targeted 
funding stream at CMMC. I think it would be a fantastic idea if 
there was the wherewithal for a grant program for small 
businesses to help them on their way with the upfront 
investments needed for CMMC.
    The larger small businesses will be able to make that 
investment and get it on the back end when they are paid on 
their contracts with the government, but for the smaller firms, 
even the several thousand dollars of the investment needed for 
a level one might be too difficult to make upfront.
    And I think the existing mentor-protege programs, as I 
mentioned, those are fantastic programs. They work very well in 
many respects at the SBA and DOD for small businesses and large 
businesses. There are a lot of incentives that large business 
mentors get from participating in those programs.
    We could be clearer, more well-defined that mentors, when 
they are permitted to access those programs, have to ensure 
that one of the things they are doing for their proteges is to 
provide financial resources and technical assistance to ensure 
their proteges are ready for CMMC.
    Chairman PHILLIPS. Thank you very much.
    Ms. Wilson, I would love to hear from you about your 
experience. How were you made aware of CMMC? How difficult is 
it for you and T47 to understand, and do you envision having to 
engage a consultant or specialist to help you navigate it?
    Ms. WILSON. Sure. Thank you for the question. I learned 
about CMMC when attending a DISA Industry Day in 2019 up in 
Baltimore. I understand completely how it works and, you know, 
from a broader perspective, but, you know, protecting supply 
chain, intelligence, assets, IT infrastructure and, you know, 
things that matter to protect in our Nation.
    And for T47, the critical part is, we have to secure a 
specialist, which I have already engaged, because it is very 
complex. And for someone that is non-IT like myself--I am a 
business owner. I know how to go get contracts and build a 
company, but to build an IT infrastructure that impacts a lot 
of employees and be able to maintain it and go into other 
secured areas, it is a challenge.
    So to actually have an expert to help us is going to be 
critical, and I have engaged in that process already.
    Chairman PHILLIPS. Thank you very much. My time is expired, 
and now I recognize the Ranking Member, Ms. Van Duyne, for 5 
minutes.
    Ms. VAN DUYNE. Thank you very much. Mr. Dunbar, okay, hold 
that up one more time. You need two hands. That is--I mean, I 
completely understand your frustration right now. Do you 
believe that the CMMC duplicates any of the multiple standards 
in cybersecurity programs that currently exist? Do you find 
that there is a bunch of stuff that is already existing right 
now that is in that book that you are going to have to do more 
of? And is there a way to further streamline these disparate 
processes?
    Mr. DUNBAR. Thank you very much for the question here. From 
what I understand--and I am not a technical expert, so I will 
answer from a layman's perspective--CMMC added, I believe, 20 
additional items to NIST 800-171, which is currently the law of 
the land and what exists today. So what is being projected to 
be our new standard is built on an existing standard, and part 
of me questions why we had to go so much further.
    The reasoning behind putting CMMC in place, part of it was 
because we were doing self-assessments before for companies 
instead of having a third-party assessment. Why could they not 
institute some part of third-party assessment to an existing 
standard? Why create a whole new standard that people have to 
learn and understand to begin with?
    And I didn't have to deal with the first standard because 
most of my business is what they call COTS, which is 
Commercial-Off-The-Shelf products; however, fuel recently, as 
we just saw with Colonial Pipeline, has become a very critical 
item. Is supplying fuel by truck, by whatever method all of a 
sudden going to become a CMMC level four like the 
infrastructure piece of it might potentially need to be? That 
is going to impact a significant number of small businesses 
like mine.
    So by adding these additional items, we ask our question as 
to why, and how do we streamline this? I have in place security 
right now that covers 77 of the NIST items--covers 77 of the 
CMMC items, but covers 90 percent of the risk. So is that 
additional cost-benefit, and we are talking 80 to $100,000 of 
additional cost to get that other 10 percent realistic for 
small business?
    Ms. VAN DUYNE. I am concerned that the critical information 
about CMMC is being conveyed in a conflicting and potentially 
informal manner. Where are small businesses currently going to 
seek information or guidance on CMMC? Where are you going to 
find more information? And then, what would be the ideal method 
or platform of communication from the DOD to the contracting 
community? How can we make it easier?
    Mr. DUNBAR. The main place that we have been receiving 
information tends to be LinkedIn. We have had members of DOD 
communicating directly through LinkedIn, members of the CMMC 
board communicating through LinkedIn. That tends to be the 
largest location or community of folks getting information on 
this program. We get very little from DOD directly. They have 
had some town halls that they call it. You don't really get 
much notice, if any.
    Just the other day was mentioned a project spectrum, I 
believe it is called, that I had never heard of, that was put 
in place, it looks like some time in 2020. Most small 
businesses are unaware of this as well, and this is supposed to 
help us somehow, it is a DOD program, but we are not even aware 
of it.
    Ms. VAN DUYNE. Your being sent to a website is probably not 
going to help you?
    Mr. DUNBAR. Correct. And that is just--there is no 
consistent method or message coming out from DOD on where to 
get things. Even if you go to the CMMC-AB frequently-asked-
questions page, sometimes they say Oh, that is a DOD 
responsibility, and that has been a lot of the kickback is 
pointing fingers between the CMMC-AB and DOD saying, Well, they 
are responsible for X; they are responsible for Y.
    Ms. VAN DUYNE. Specifically for the small business 
community, I didn't mean to cut you off, if you had anything 
else to add.
    Mr. DUNBAR. No, ma'am.
    Ms. VAN DUYNE. Specifically for the small business 
community, and I hate to add another agency in here, but do you 
see a role that SBA could possibly play in helping to be an 
intermediary between the three?
    Mr. DUNBAR. I definitely--there should be a role for the 
SBA in here. I don't feel that the SBA has been able to be 
involved. I feel that the DOD has sidelined them, at least in 
my opinion, in the same manner that I think a lot of small 
businesses have been ignored when we have raised questions or 
raised issues. And that has basically been kept to a very small 
group of people that are running all of this, and then we get 
told later on, Here is what is happening.
    Ms. VAN DUYNE. Thank you very much.
    I yield back.
    Chairman PHILLIPS. The gentlelady's time is expired.
    And now I recognize the gentleman from Pennsylvania, Mr. 
Evans, for 5 minutes.
    Mr. EVANS. Thank you, Mr. Chairman. I would like to ask a 
question to Ms. Wilson. Small businesses are frequently 
targeted by cyber criminals. What would the ideal situation be 
for you in terms of the Department of Defense ensuring that 
cybersecurity is taken care of for its small business base?
    Ms. WILSON. Thank you so much, sir. I think one simple 
solution to offer, and it could be reasonable cost and possibly 
free. It is the offer of maybe cyber tools that are already 
approved by DOD to the small business community as a first line 
of defense. It could be offered up from the CMMC level one up 
to possibly level two. And then, at least this way, DOD has a 
level of comfort to say, Okay, at least we have some tool out 
there now, it is up to the marketplace, the small business 
community to go out and secure additional certification, if 
necessary, to ensure that, you know, at least we are taken care 
of, and that shows an effort that the DOD cares. That is a 
critical part. We just need to know that DOD is here to help 
you.
    Mr. EVANS. I would like to follow up. For many small 
businesses, cybersecurity certification is just one of the many 
requirements of certification they need to comply with as part 
of being a defense contractor. Can you mention just a few of the 
other certifications you have to comply with, and how does the 
cybersecurity certification compare to other certification in 
terms of its levels of burdens?
    Ms. WILSON. Sure, sir. So for T47, we have actually 
invested in securing the ISO certifications, three 
certifications. We are doing that currently. That is a very 
costly investment. We will also have the SBA 8(a) certification 
that is due annually. And because of our size now, we now must 
incur additional cost for audits that are necessary to keep the 
certification.
    We have the woman-owned small business certification, and 
then as a cleared facility, we have the defense 
counterintelligence security certifications as well to keep our 
clearance.
    So, in comparison to all those other certifications was 
just a small list for us. To be perfectly clear and frank with 
you, the CMMC has been the most challenging, because it is just 
a lack of not understanding exactly what is needed, and it is a 
cost that is involved. There is no transparent cost set aside 
for, like, small business mid or large.
    And I know this is a new initiative because any time you 
roll out a new policy, there is always going to be bumps in the 
road, but at the same token, there needs to be more of a clear 
communication from DOD, and those that are managing this 
process on what it is going to take for small businesses, or 
all businesses to have the certifications necessary.
    And that is going to take a concerted effort for everyone 
to understand. CMMC, to be quite honest with you, it is new, 
but it is a challenge. And it must be worked out pretty quick 
because you are going to start rolling these things out into 
contracts, and the fear could be real once it starts happening.
    Mr. EVANS. I thank you.
    And I yield back the balance of my time.
    Thank you, Mr. Chairman.
    Chairman PHILLIPS. The gentleman yields back.
    And now I recognize the Ranking Member of the Subcommittee 
for Underserved, Agricultural, and Rural Business Development, 
Mr. Hagedorn of Minnesota for 5 minutes.
    Mr. HAGEDORN. Mr. Chairman, thank you for that, Ranking 
Member Van Duyne. It is good to be with you today. Thanks to 
the witnesses. This seems to be one of these issues, and even 
the big agencies the Federal Government want to impose a lot of 
things on small businesses that they themselves don't handle 
appropriately.
    It doesn't take--you don't have to think too long and hard 
to realize that the DOD has lost technology outright, giving it 
away in some cases, our Federal Government, to China. Economic 
technology, of course, gets lost a lot by big companies. OPM 
went and took 25 million records of Federal employees. I was 
one of those folks that they stole from during the Obama 
administration, and now they come along and say, Well, if you 
want to do business with us, you have to go through a bunch of 
gyrations, spend a bunch of money, and some of it, it seems, 
could be reasonable.
    You look at recently, we had some issues with, obviously--
and these things are very important. We had a big meat packing 
company that does 25 percent of the beef in the United States; 
have a pork manufacturing plant in Worthington, Minnesota, 
where I represent, they went down and you see how critical 
things can be. We can lose our food supply and everything else 
in the blink of an eye, but Mr. Dunbar, I think--wouldn't it 
make more sense if the Federal Government just imposed some 
reasonable standard and said if you want to do business with 
us, you got to try to do everything possible in order to make 
sure there is security here, and that you protect these digital 
ways that you do business? I mean, rather than have you go 
through all these hoops. I mean, you say it costs up to 
$100,000, it doesn't seem reasonable to me.
    Mr. DUNBAR. Thank you, sir, for the question. Yes, I agree. 
I think the keyword there is the definition of reasonable. I 
believe the DOD believes that their numbers and that their 
requirements are reasonable. Small businesses would probably 
disagree with that when you have a company like mine of six 
people that has to spend $100,000 to comply with something.
    There are, as I mentioned, standards out there currently 
that are being used every day. I mean, right now, a small 
business--you walk into a small business and we hear 
advertisements on TV and such saying, We have got your 
security, Have your internet service through us, we got you 
covered. Well, that is what a small business thinks. Okay. They 
got our security for us. No problem. Then we see something like 
this and say, Well, we really don't have security, do we? We 
need something in between those two items.
    My security that I currently have in place is, as I 
mentioned, covers 77 of the items that are being requested in 
90 percent of the problems, and it is costing me about $15,000 
a year to $20,000 a year to do that. I could get away with a 
little bit less, but I have insurance and other things on it 
that get tossed into there to cover in case I get hacked.
    So there are standards out there that could cover 
reasonably well what we are all looking for, and meet a level, 
I think, that would provide security for anything but the 
greatest items out there. As was mentioned by Mr. Williams, 
having access into a system provided for us for companies that 
don't need to take something or machine it, but actually just 
need that data and that information can go into the government 
system sort of like the National Guard does. They have their 
little walled garden, we call it. A member of the National Guard 
can go in, get their CUI information in there, go out, be it 
their VPN, and now they have all the information that they 
need, and it has been in a secure environment.
    Mr. HAGEDORN. So I worked a little bit in the Treasury 
Department, and I have seen bureaucracies in action and usually 
the bureaucrats come up with lots of ideas in order to make 
sure that if something goes wrong they can, as you say, point 
the finger at somebody else. And I see a lot of that here. I 
see a lot of expense being pushed along to you, and just 
because if something goes wrong, they don't want to be blamed 
for it.
    And I think, you know, it is kind of telling when 
government comes up with these ideas here, we are going to put 
this regulation on you, we are going to make you do all these 
types of things, and oh, it is going to cost some money so, 
well, now let's go find funding streams in order to help you 
pay for that. I mean, we see this all day long.
    I think a reasonable standard would make sense. Most 
businesses, even the big ones, have issues here. They all need 
to do better in compliance and I think that people can figure 
that out. So thanks very much, by the way, for your service to 
the country and you had a very impressive resume. Took our 
Ranking Member an extra shot at it just to get it out.
    Thanks very much.
    Mr. DUNBAR. Thank you, sir.
    Chairman PHILLIPS. The gentleman yields back.
    And now we recognize the Ranking Member of the Subcommittee 
on Economic Growth, Tax, and Capital Access, Mr. Meuser, for 5 
minutes.
    Mr. MEUSER. Well, thank you, Mr. Chairman. Thank the 
Ranking Member very much for holding this hearing. Thank you to 
the witnesses as well. So there are reports--we all know that 
cybersecurity is clearly an issue. Reports are, that I have 
reviewed, that 6 percent of U.S. military and aerospace 
contractors reported data breaches between 2016 and 2018. 
Ransomware attacks are up over 100 percent in 2020. All 
industries, by the way. That is for all industries. So it is a 
concern.
    DOD, however, seems to have created the CMMC mandates that 
are a major concern to all small businesses and contractors 
certainly sitting here, and in my district. In fact, it seems 
that some of the focus on compliance with these mandates is 
even truncating your actual ability to focus on actual 
cybersecurity. And as being in business for a lot of years, I 
understand that. These mandates coming from Washington, in this 
case the Department of Defense, don't take what your business is 
about fully into consideration. How could they possibly, right? 
I mean, it is a one-size-fits-all approach.
    So, I am definitely not happy to hear that the Department 
of Defense is also not offering forums to have this discussion 
with you, right? Perhaps in a hearing maybe we can do that or 
create access so they can better understand your concerns. And, 
again, I have DOD suppliers in my district that have already, 
just in the last couple of years, spent tens of thousands of 
dollars living up to these requirements and trying to achieve 
them. And meanwhile, they don't necessarily even know what 
level they are at, and they are very concerned, even their 
midlevel suppliers of those who are supplying them, being able 
to maintain those costs. Everything that you are discussing 
sharing here.
    So Mr. Dunbar, I will just ask you this: Level one, we are 
talking about level one here, what is--do we have the 
Department of Defense's feedback on if level one is 
satisfactory, and for how long it will be because I know they 
are trying to roll into this with a--in a managed way over the 
next several years, right?
    So what do they say about you and suppliers that you know 
about maintaining level one at this point?
    Mr. DUNBAR. Well, I think you reached part of the problem, 
is we are not really hearing a lot. We have got some estimated 
dollars and some numbers out there tossed around to level one, 
and yet how long is it supposed to last, any of the real detail 
on it? We don't get a lot of that. As you mentioned, the 
technology, is that going to keep up, or are we going to keep 
chasing technology as we go along, and, therefore, chasing more 
regulations and more rules that we have to get reassessed for 
along the way which are just going to continue to increase 
costs?
    Mr. MEUSER. Speaking of cost, what is the cost difference, 
would you estimate, from level one, which many are saying here 
they believe would secure your systems and your companies 
versus say level three? Can you put a number on that?
    Mr. DUNBAR. Easily ten- to twenty-fold.
    Mr. MEUSER. Wow. Okay. And how much more secure would it be 
from level one to level three?
    Mr. DUNBAR. I don't really know specifically from a level 
one to level three how much more secure it would be. I know 
from where I am currently, and what I am paying for the setup I 
have, which is a pretty secure setup, according to--the person 
who handles my security is actually a past director at DCISC 
for the Department of Defense, so he is the one who set mine 
up, and he is the one who said that we have 77 of the 120 
controls and have 90 to 95 percent of the issues.
    So he believes for very small companies that you could be 
looking at, you know, 5 to 10,000 a year maybe for your costs 
instead of, you know, having to reach up to this level and that 
same company could be at a hundred-plus thousand dollars a year.
    Mr. MEUSER. Well, I think we can conclude that these 
measures are overly harsh and we do need to create a forum to 
have this discussion with DOD so we can work this out.
    I yield back, Mr. Chairman.
    Chairman PHILLIPS. The gentleman yields back.
    And that completes our first round of questioning. So, 
therefore, I will recognize myself for another 5 minutes.
    Mr. Singer, while companies like yours in the pipeline 
become accredited C3PAOs, there is a long ways to go until we 
have a substantial amount of them. So how likely is full 
implementation of CMMC by 2026, if there is a lack of 
assessors?
    Mr. Singer?
    Mr. SINGER. I forgot to unmute.
    Thanks for the question, sir.
    I think it is very difficult to get there with the current 
progress we are making. We have a hundred provisional assessors 
at this time, and we have two C3PAOs already through the 
process from doing a DOD assessment. And, by the way, the 
third-party assessors are going through that level three 
assessment, so we have to meet the 130 different practices.
    So I think it is very difficult. The timeline is very 
stretched. As I had said in my testimony, I think we need more 
than 8,000 assessment team members to even make this happen, 
and that would be starting from today. So the math just doesn't 
work. I believe that there does need to be some flexibility in 
how we are rolling this out to the third-party assessors, and 
we need to have some--you know, if we are going to try and meet 
that deadline, there needs to be quite a bit more flexibility 
by the DOD in trying to ramp this up and move this out.
    I also feel pretty strongly that not everybody, as we have 
talked about before, needs to be at level three. If you are a 
part component maker, a small business, and you are doing, you 
know, special processes like coatings, painting, and somebody--
a prime flows down a drawing to you and tells you, Put the 
label plate here on this, you know, equipment, all of a sudden 
you have now had to hit level three.
    So there is some work here that needs to be done on 
understanding the risk truly to the supply chain, and maybe a 
single part maker of a bracket doesn't need to be level three, 
but somebody that is making subassemblies and more complex 
parts does need to be.
    So that would be my answer.
    Chairman PHILLIPS. Thank you, sir.
    And, Mr. Williams, while CMMC is a DOD initiative, we are 
beginning to see it in other solicitations, particularly for 
government-wide contracts like GSA's 8(a) STARS III contract. 
So how concerned should small businesses be of the CMMC 
Initiative being adopted by civilian agencies and becoming a de 
facto baseline for doing business with the Federal Government?
    Mr. WILLIAMS. Yes, I think that is certainly a possibility. 
You know, the rollout with CMMC at DOD has experienced 
challenges, as we have been covering in today's hearing, and I 
think it remains to be seen if they will hit the target of 2026 
as Mr. Singer just said. I would view what is happening at DOD 
as a trial balloon. And if it went well at DOD, which certainly 
is an open question at this point, I wouldn't be surprised at 
all if it is expanded beyond DOD to all of government.
    Chairman PHILLIPS. All right. Thank you, sir.
    And with that, I will now yield to Ms. Van Duyne for 5 
minutes.
    Ms. VAN DUYNE. Thank you very much.
    Mr. Singer, I appreciate your testimony here today. I just 
have a couple of questions.
    What is the penalty or the outcome for a small business 
that can't comply with the requirements?
    Mr. SINGER. Today, the penalty is that you are out of doing 
business with the DOD, period.
    Ms. VAN DUYNE. Okay. I mean, that is--I am seeing Mr. 
Dunbar shake his head as well.
    So I am going to ask actually the whole panel, can you 
point to one or two concrete things that we can do to make 
understanding these flow-down requirements easier for small 
business? Mr. Hagedorn had a great point, well, yes, we could 
just define reasonable and move forward from there. Can we be a 
little bit more specific on what you would need?
    And, Mr. Singer, we will go ahead and start with you.
    Mr. SINGER. Sure. Thanks for the question.
    I think it is really--I think the primes really need to 
step up and play a bigger role here. They have the resources 
and the teams, and they have done a lot of the background work 
on understanding what is required. And instead of just sending 
out a rep and certs or a letter to a small business saying you 
need to post a score in the supplier performance risk system, I 
think there needs to be more support and help for them and more 
of a guiding kind of process program that they implement for 
their whole supply chain to help them get compliant.
    Ms. VAN DUYNE. Ms. Wilson, do you have anything to add?
    Ms. WILSON. Yes, ma'am.
    To ensure that everyone is on the same page and has the 
same information. What we have right now is pockets of 
information going to various individuals, like I just heard 
from Mr. Dunbar, said most of the information is being flowed 
through LinkedIn. Some companies have LinkedIn and some 
companies do not. There needs to be a concerted effort of 
communicating what the standards will be, what the costs will 
be across all industry, and filter down to the small business, 
and maybe a regional approach to be able to help understand 
that CMMC is here to stay, take away the fear, but communicate 
clearly what it really means to have this certification.
    Ms. VAN DUYNE. Awesome. Thank you.
    Mr. Williams?
    Mr. WILLIAMS. Thank you.
    Yes, I would like to make two points. First to address the 
comment about flow down. The interim DFARS clause for CMMC 
which was issued late last year directs prime contractors to 
flow down the CMMC level that is appropriate for the 
information that is being flowed down to the subcontractor. 
That gives a lot of discretion to the prime contractor to 
decide what is appropriate. I would like to see the final DFARS 
clause for CMMC prohibit prime contractors from flowing down a 
higher level than is absolutely necessary based on the 
information that is being provided to the subcontractor.
    And the second point I would like to make about the 
information that is being disseminated to the small business 
community, my experience has been that there have been town 
halls, as Mr. Dunbar mentioned, and I get the LinkedIn messages 
as well. There are other ways that information is being pushed 
out, but I think the problem--the challenge is that that 
messaging is blunted by the fact that we still have no answers 
for many of the critical questions.
    So rather than focusing on creating more forums for 
disseminating information, I think we need to focus on 
providing real hard information about how much this is going to 
cost and when are small businesses going to need it, what level 
are they going to need? Until we can answer those basic 
questions, I think, you know, the forums are going to be 
largely lost on the small business community.
    Ms. VAN DUYNE. Thank you very much, Mr. Williams.
    Mr. Dunbar, did you have anything to add?
    Mr. DUNBAR. Yes. One of the items with small business is a 
lot of small businesses work from, I will say remote locations. 
You may have an office where you have people working from home, 
several people at various homes. One of the big items that was 
brought up recently by one of the board members for the CMMC 
was that we will be subject to home inspections in order to 
pass CMMC.
    So now you have people doing home inspections in your own 
private homes. The risks beyond that on there are just, you 
know, incalculable.
    Another item to me that really piqued my interest there was 
our ability to protect ourselves during an assessment. Right 
now, an answer on the Board FAQ site basically states that an 
RP that helped us go ahead and put together our plan is not to 
be there to defend our plan. So if we get--you know, fail it, 
we are supposed to know this book again. We don't have an 
expert to know it.
    Ms. VAN DUYNE. Excellent. Thank you very much.
    I yield back.
    Chairman PHILLIPS. The gentlelady yields back.
    And now I recognize the gentleman from Pennsylvania, Mr. 
Evans, for 5 minutes.
    Mr. EVANS. Thank you, Mr. Chairman.
    Mr. Dunbar, what would you--what would be your 
recommendations for those businesses that are just learning 
about the Initiative? I would like to ask all of the panel that 
question.
    I will start off with you, Mr. Dunbar.
    Mr. DUNBAR. I honestly don't know that I have an answer for 
that, because trying to find the information, it has not 
been clear enough to everybody where to get it. If I am getting 
it from LinkedIn, I mean, I first heard about it at an Army 
Corps Small Business Conference in 2019. Otherwise, I may not 
even know about it today.
    Mr. EVANS. Does any other panel--any comments or thoughts 
on that, any of the other panelists?
    Mr. SINGER. Sure, sir, I would like to make a comment.
    You know, I think one of the important things is for 
companies to find reputable businesses to help support them 
through this process, and, unfortunately, I think there is too 
much variation in the help that they are getting, as Ms. Wilson 
spoke of earlier also.
    I think also that, especially now, I think a lot of the 
level three companies are aware of this coming down, especially 
small manufacturers that are, you know, just now starting to 
really understand this because the letters are coming out from 
the primes.
    But I think a big gap is the people that are going to have 
to meet level one and they don't know it right now, and I think 
that should be a much more proactive reach-out to those folks. 
I mean, the DOD knows who they are contracting with in these 
areas, and I think they should take a more active role.
    Mr. WILLIAMS. Yes, Representative Evans, if I could just 
back up Mr. Singer's comments there, our primary recommendation 
to our small business clients is to get level one ready. The 
level one requirements really are basic things, like antivirus 
software and spam filters that we think all companies should be 
doing, regardless of whether you work with the Federal 
Government. In this day and age, you should be doing at least 
those basic requirements, and they are already in the FAR. The 
FAR requires these basic safeguards. That has been the 
requirement for a long time.
    So, this really, frankly, shouldn't be surprising, but I 
totally recognize that it is, because small businesses have so 
much to focus on. But these requirements are not new, and they 
are, generally speaking, not difficult to obtain for small 
businesses. So, we would like everyone to really focus on at 
least getting level one ready, because these are things you 
should be doing as a business.
    Ms. WILSON. And I would echo everyone's comment that has 
been made on the panel. I do make a concerted effort to share 
with small business owners to mention CMMC, and I mention it in 
the context of the necessary need for them to actually have it, 
but understand what it means and the implications, because 
right now, we just have black and white implications of saying 
if you don't have it, and your contract comes up for renewal, 
then you run the risk of losing your contract.
    And, so, putting that fear in them early on, maybe prompt 
them to move forward. But also I think from our perspective at 
T47, we have already proactively tried to secure something 
similar, certification. It may not be directly related, but to 
at least get us ready so that way when it comes down for us to 
have an audit, we are in a position to actually pass the 
audit.
    So it is a challenge, and right now, because we don't have 
cohesiveness of information, it makes it a little more 
difficult for small businesses that just now are recognizing 
that they need it, or they know they need it but don't know how 
to secure it.
    Mr. EVANS. I yield back, Mr. Chairman.
    Chairman PHILLIPS. The gentleman yields back.
    And now I recognize the gentleman from Wisconsin, Mr. 
Fitzgerald, for 5 minutes.
    Mr. FITZGERALD. Thank you, Mr. Chair.
    I am going to start, Mr. Singer, as a fellow Wisconsinite, 
I have quite a bit of experience in working with obviously 
anywhere from major corporations down to, you know, one and two 
person Ma & Pa shops. But my question, I was talking a little 
bit to staff about this yesterday. We were kind of kicking 
around the idea that there might be a different level of 
security from State to State throughout the Nation, and I just 
wanted to get maybe your perceptions on, is there much 
interaction with the State of Wisconsin from your perspective? 
And if there are, what are the influences there? Because I 
think it would be valuable for Members of Congress to know kind 
of what is going on at the State level.
    Mr. SINGER. Thank you, sir.
    As a fellow Wisconsinite, it has been kind of fun starting 
a business in Wisconsin, and Minnesota too. But as far as--I 
haven't had a lot of interaction with the State government. I 
counseled them a little bit on CMMC. It has been new to them, 
in helping them to try and understand the issues around this 
for small business.
    One of the organizations that we work very closely with are 
the MEPs, the Manufacturing Extension Partnership programs. 
Every State has one. There is--and Puerto Rico has one. We have 
been working very closely with them to try and help get the 
small manufacturers in Wisconsin and Minnesota through the 
assessment so that they can accept awards from the primes.
    So I think that is really actually a good avenue to help 
small businesses is through the MEPs, especially the 
manufacturers. But I don't know that, you know, the States yet 
have really kind of figured out any good mechanisms to help 
fund or support the small businesses as of yet.
    Mr. FITZGERALD. Very good. Thank you.
    As anybody could probably answer this question, let me just 
direct it to Mr. Dunbar, though. And I apologize if some 
version of this was asked earlier. But cybersecurity, 
obviously, you can be a consultant, quote/unquote 
``consultant,'' and I am wondering if you are seeing, because 
we are starting to hear that there are many different versions 
of this, and obviously many different levels of professionalism 
and knowledge.
    And I am just wondering if you could comment kind of, you 
know what is your take, kind of what is going on out there on 
the street?
    Mr. DUNBAR. Thank you, sir.
    Yes, you are 100 percent correct. There is a large fear in 
the small business community that the ``consultants,'' in 
quotations, are not all equal. I get inundated with emails 
daily from companies trying to convince me that I am not ready, 
I need to be--I am losing my contracts. I mean, blatant lies in 
your inbox constantly from companies. I call it the fear 
marketing.
    I have also seen things from--as one of the other members 
of the committee had mentioned earlier, you know, companies 
that--there are fraudulent companies out there, just that have 
no business. There was one, I think, the College of India was 
creating, We can get you CMMC certified.
    Mr. FITZGERALD. Right.
    Mr. DUNBAR. Like, okay, great. How is the College of India 
getting me CMMC certified? And that is a fear. We don't know 
where to go. We have been told, Oh, well, the only great place, 
the only authorized place is the CMMC-AB, if they are on their 
marketplace, that is the only place to get, that is legal, to 
get your consulting from. That is a whole separate issue, I 
believe.
    Mr. FITZGERALD. Yes. And, you know, to dovetail on that, so 
compliance, too, because it is kind of wide open as to what the 
cost could be associated with that. You know, you hear figures 
thrown around, like, Well, it costs a company $10,000 to 
comply, or it costs them $1 million to comply. That is not 
necessarily a good gauge, I don't think, on, kind of, you know, 
whether or not somebody is a legitimate consultant. But it 
sounds like that is kind of the range that is out there when a 
lot of these small businesses are considering how to become not 
only compliant, but protect ourselves, so----
    Mr. DUNBAR. And I think you raise a good point because 
there are also a lot of companies out there trying to sell one-
stop shopping, like, Oh, we have this program. You buy this 
program, you are CMMC-compliant.
    Mr. FITZGERALD. Right.
    Mr. DUNBAR. And that is not going to happen.
    Mr. FITZGERALD. Yes. Very good. Thank you very much.
    I yield back.
    Chairman PHILLIPS. The gentleman yields back, and that 
completes our questioning.
    So I will move to my closing statement. And I want to thank 
all of our witnesses for a very compelling testimony today and 
for illuminating the very issues that small contracting firms 
are experiencing as they try to bolster their cybersecurity.
    Recent high-profile attacks have made it very clear that 
the threat of malicious cyber actors is growing, and that is 
why we must ensure that companies in the DIB are prepared for 
all cyber threats that might come their way. But it is equally 
vital, equally vital that we do not deprive businesses like 
yours of critical opportunities in that process.
    We have got to work as a committee to increase 
cybersecurity preparedness across the DIB in a way that is not 
cost prohibitive to small firms. By achieving this, the small 
businesses will still have ample access to a lucrative 
marketplace while also protecting themselves against 21st 
century threats.
    I would ask unanimous consent that members have 5 
legislative days to submit statements and supporting materials 
for the record.
    Without objection, so ordered.
    And if there is no further business to come before the 
committee, we are now adjourned.
    Thank you.
    [Whereupon, at 11:17 a.m., the subcommittee was adjourned.]
                            
                            A P P E N D I X

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
