For many established, larger DIB contractors, the NIST 800-171 requirements are currently being enforced and the new CMMC 2.0 rule will simply validate their compliance. But many small business Defense Industry Base (DIB) contractors are facing expensive and time-consuming hurdles when pursuing NIST 800-171 and CMMC compliance.

While NIST 800-171 requirements are enforced for all contractors, the flow-down to subcontractors varies based on contract specifics. This variability might not have been clear to all small business contractors previously. Additionally, new DIB contractors must evaluate cyber requirements and costs when determining their ability to provide support for government contracts. In both scenarios, NIST 800-171 and the new CMMC requirements could be a deciding factor in their ability to pursue future government contracts and work.

To address these crucial challenges, Cybernet has been actively involved in guiding DIB contractors through the complexities of CMMC, aiming to bridge the gap between their current practices and the stringent requirements set forth by future cybersecurity mandates. We’ve engaged with numerous small businesses about CMMC and upcoming FAR/DFAR cyber requirements. Below are the top 5 challenges small businesses face when complying with NIST 800-171 and future CMMC requirements.

1. Categorizing Data and Defining Boundary/Enclave(s)

DoD DIB businesses must correctly identify and categorize the data they handle, especially Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). This can be the biggest area of confusion for small businesses.

A common theme heard among many DIB contractors is ‘What is CUI, I’ve never seen anything labeled CUI!’. Newly created data is often not reevaluated for potential CUI designation, and technical data is not always considered sensitive.

Businesses that opt to create an enclave for specific sensitive and controlled data risk accidental spillage by wrongly categorizing data and allowing access outside of the secure enclave. Additionally, creating a secure enclave with adequate controls in place to prevent accidental spillage can be challenging for small businesses. Alternatively, including all resources and devices within their CMMC Boundary incurs additional costs and disruptions to their day-to-day workflow.

This decision impacts DIB contractors more if they have a significant commercial customer base. The choice between compliance or focusing solely on commercial customers has been a heavily debated topic among DIB Contractors and MSPs that support them.

2. Cloud Provider / MSPs Compliance

The cybersecurity market is crowded with vendors offering CMMC compliance solutions, some of which may provide misleading information or inadequate services. Small businesses, which typically lack in-house cybersecurity expertise, are particularly vulnerable to overpriced or ineffective cybersecurity services that promise more than they can deliver.

Additionally, many small business DIB contractors rely on Managed Service Providers (MSPs) for their IT and compliance services. While MSPs must currently meet certain standards, these are specific to cloud services and might vary based on the type of data handled and the services offered. In many cases, MSPs will need to meet FedRAMP equivalency for hosted environments and services that require 800-171/CMMC compliance. These requirements impose additional overhead costs on MSPs that support DIB contractors. Many MSPs are deciding not to support DIB contractors, which is creating a lack of compliant MSP options for DIB contractors and higher costs for MSPs that offer compliant services.

3. Disrupting Current Workflows

Implementing the stringent cybersecurity practices required by CMMC can disrupt existing workflows and slow productivity. For instance, introducing multi-factor authentication or stricter access controls may change how employees interact with systems and data. Small businesses often find this adjustment challenging because it can slow down operations or require significant changes to how daily tasks are performed.

If an MSP is involved in new implementations, this not only requires additional overhead for productivity disruptions but also additional expenses for MSP support for the implementation and user issues the changes produce.

4. Stakeholder Buy-In and Funding

Achieving CMMC compliance requires both financial investment and a cultural shift within the organization. Securing adequate funding and organizational commitment to invest in necessary cybersecurity measures and maintain them over time is a significant hurdle. For many DIB contractors, the delays in a CMMC final ruling have created a ‘wait and see what happens’ mentality.

In many cases, internal IT admin and Cyber professionals are met with resistance to additional expenses and budget needs to implement compliance. This is exacerbated with insufficient expertise to adequately explain the need for additional tools, solutions, and time to implement and manage compliance.

With many new work-from-home policies being accepted within DIB businesses, providing secure access to sensitive data remotely is a major challenge. If a company relies primarily on cloud services and limited infrastructure, the required secure access, VPNs, etc., become challenging in terms of implementation and costs.

Also, the need for a cultural shift within a business’s internal processes requires open collaboration between internal IT (and/or MSPs), HR, FSOs, and business owners. Efficiently communicating and standardizing internal processes is not something most IT administrators/support are knowledgeable or trained to provide. This creates a situation where internal IT staff is held responsible for compliance but not given adequate funding or stakeholder support to achieve it.

5. Understanding Rule Requirements

The CMMC framework includes various levels of certification, each with its own set of requirements. Small businesses may struggle to understand the specific rules and standards they must meet, particularly as these can be detailed and technical. This complexity makes it difficult for businesses without specialized knowledge to accurately assess their compliance status and understand what improvements are needed. In many cases, policies and processes, in addition to technical controls, are needed to comply with specific control requirements. Without the expertise to adequately enforce technical controls, small businesses are relying on policies and processes to meet compliancy. However, this is not effectively securing their data or meeting compliance requirements. In many cases, technical implementations need to be implemented, and then policies and processes can be written in context to those implementations.