Strengthening Small Business Cyber Defenses and the CMMC Final Rule

From the Desk of Derrick Davis

October is National Cybersecurity Awareness Month, a critical time for businesses of all sizes to reflect on their cybersecurity posture. For small businesses, especially those working with the Department of Defense (DoD), this month is an opportunity to ensure that the right measures are in place to protect both your business and national security.

Cyber threats have become more sophisticated and frequent. Businesses handling sensitive information, such as Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), are prime targets for malicious cyber actors. It is vital that we take proactive steps to defend against these ever-evolving threats.

In line with these efforts, the DoD recently released the Cybersecurity Maturity Model Certification (CMMC) Final Rule. The CMMC program is designed to verify that companies have implemented the security measures necessary to safeguard FCI and CUI, ensuring that sensitive data stays protected within the defense supply chain.

The release of the CMMC Final Rule is part of a broader effort to elevate the security of the Defense Industrial Base (DIB). Cybersecurity is not just a technical challenge—it's a strategic imperative. By securing your systems and data, you are helping protect our nation's defense supply chain, which is critical to mission success. The DoD Chief Information Officer’s website has a number of resources, and our Project Spectrum initiative is a comprehensive platform that provides the tools and training needed to increase cybersecurity awareness and maintain compliance in accordance with DoD contracting requirements.

Take Action: Strengthen Your Cyber Defenses

As we observe National Cybersecurity Awareness Month, here are a few actionable steps you can take:

  • Review your cybersecurity measures: Conduct a thorough assessment of your systems and policies, ensure implementation of strong passwords and multi-factor authentication, and back up your critical data regularly to guard against ransomware and other attacks.
  • Ensure compliance with the CMMC: Familiarize yourself with the CMMC requirements and begin the process of certification if you haven't already.
  • Automate software updates: Stay ahead of potential vulnerabilities by automating critical updates.
  • Train your team: Cybersecurity is a team effort. Ensure that your staff is aware of the latest threats, such as phishing, and knows how to respond.

Looking Ahead

At the DoD Office of Small Business Programs, we are committed to supporting our small business partners with cybersecurity awareness, training, best practices, and compliance. National Cybersecurity Awareness Month serves as a timely reminder to prioritize cybersecurity not just this month, but every day.

Securing your business now will not only protect your operations but also position you to contribute meaningfully to the defense supply chain. I encourage all small business owners working with the DoD to take advantage of this time to bolster their defenses, review the CMMC Final Rule, and commit to stronger cybersecurity.

Together, we can ensure the resilience of our defense industrial base and the security of our nation.

Respectfully,

Derrick Davis

Associate Director, Industrial Cybersecurity

DoD Office of Small Business Programs


DoD CIO Provides Answers to CMMC 2.0 FAQs

The DoD CIO recently released an FAQ document about CMMC 2.0, the Cybersecurity Maturity Model Certification, that covers 40 questions and answers about the updated cybersecurity certification requirement.

Here are a few highlights.

Q. What is CMMC trying to address?

The defense industrial base (DIB) is the target of more frequent and complex cyberattacks. CMMC is a key component of the Department’s expansive DIB cybersecurity improvement effort. The program is designed to help ensure that defense contractors and subcontractors are compliant with existing information protection requirements for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and are protecting that sensitive unclassified information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats.

Q. What resources are available to assist companies in complying with DoD cybersecurity requirements?

The DoD provides various no-cost Cybersecurity-as-a-Service resources to reduce barriers to DIB community compliance and support contract cybersecurity efforts. The DoD CIO DIB Cybersecurity Program has compiled a list of these services that is available at dibnet.dod.mil under DoD DIB Cybersecurity-As-A Service (CSaaS) Services and Support.

Q. Will prime contractors and subcontractors be required to maintain the same CMMC level?

No, a lower CMMC level may apply to the subcontractor if the prime only flows down limited information. Additionally, if a prime contractor requires a CMMC level 3 certification, then a CMMC level 2 certification is the minimum requirement for CUI flowed down to the subcontractor, unless otherwise specified in the contract.

Q. How frequently will assessments be required?

Once CMMC is implemented through the Title 48 CFR rule, Level 1 self-assessments will be required on an annual basis and CMMC Levels 2 and 3 will be required every 3 years. An affirmation of continued compliance is required for all CMMC levels at the time of assessment and annually thereafter.

Q. How much will CMMC certification assessment cost?

The cost of a CMMC Level 2 certification assessment will depend upon several factors, including the complexity of the DIB company’s unclassified network for the certification scope, and market forces. DIBCAC assessments required for CMMC Level 3 certification will be conducted free of charge.


OSBP and Georgia Tech APEX Accelerator at MED Week

The 2024 National Minority Enterprise Development (MED) Week, October 20-26 in Atlanta, Ga., focuses on providing information, tools and resources for minority-owned firms to grow their businesses both domestically and internationally through networking events, workshops and issue forums. OSBP Special Assistant, Melleny Cotton, hosted a roundtable discussion with minority small business owners where she shared tips on how to do business with the DoD and available opportunities and resources. Jennifer White, Counselor at the Georgia Tech APEX Accelerator, participated in that session and shared information about how APEX Accelerators are a local resource for business owners. Special thanks to Eric Morrissette, Deputy Under Secretary of Commerce for Minority Business Development, who stopped by and discussed the Minority Business Development Agency - U.S. Department of Commerce's efforts to support small businesses.

Melleny Cotton, Special Assistant at the DoD Office of Small Business Programs; and Jennifer White, APEX Accelerator Counselor at the Georgia Tech Institute of Technology.

DoD, SBA Approve Funds for Partially Government-Backed Investments in Small Business

DoD and the U.S. Small Business Administration (SBA) announced the first group of Small Business Investment Company (SBIC) Licensees and Green Light Approved investment funds under the Small Business Investment Company Critical Technology (SBICCT) Initiative.

SBIC companies are private investment funds licensed and regulated by the SBA. Like traditional venture capital firms, they provide capital, mentoring, and operational support to small businesses.

The SBIC companies will leverage a combination of private capital and government-backed funds to invest in portfolio companies that might not have access to traditional venture capital but have high growth potential, especially in industries of national importance such as cybersecurity, defense, and technology, which align with the SBICCT's objectives.

The initial cohort collectively plans to invest over $2.8 billion into over 1,000 portfolio companies.

"This first group of SBICCT Initiative funds represents a consequential milestone in demonstrating the power of public-private partnerships to build enduring advantage by growing and modernizing our supply chains, strengthening our economic and national security, and benefiting the development and commercialization of critical technologies that are key drivers of our U.S. industrial base," said Heidi Shyu, Under Secretary of Defense for Research and Engineering.

Over 100 funds have expressed interest in the SBICCT Initiative. Additional applications are expected in future quarterly filing windows.


U.S. Capitol

Congress is in recess and will return on November 12. The House will be in session through November 21, while the Senate will be in session through November 22. They will both be in recess during Thanksgiving week.


SecNav: Diverse Industrial Base 'Crucial' to Success

Secretary of the Navy Carlos Del Toro emphasized the Navy’s commitment to small business during a roundtable discussion earlier this month in San Francisco as part of Navy Fleet Week. "A healthy, diverse industrial base made up of companies of all sizes—founded by American entrepreneurs from all walks of life—is absolutely crucial to the success of our Navy and our Marine Corps," he said. The Secretary added that the Navy has awarded $526 million in contracts to small businesses within 50 miles of San Francisco.


DIA Plans Small Business On-Ramp for SIA Contract

The Defense Intelligence Agency (DIA) plans to launch an on-ramp process for the third iteration of the Solutions for Intelligence Analysis (SIA) contract to allow small businesses to compete for the acquisition vehicle. The contract is to provide intelligence analytical support services for DIA and the defense intelligence enterprise within and outside the continental U.S. DIA intends to issue a request for proposals for the small business on-ramp during this quarter.


ISOA 18th Annual Summit

The International Stability Operations Association (ISOA) will hold its annual summit from November 12-14 in Arlington, Va. The event will delve into opportunities for the private sector to deliver global stability. The conference will host a small business workshop on November 12 with representatives from DoD, USAID, and the U.S. Department of State.


The U.S. Small Business Administration Innovation Ecosystem Summit will be held virtually on November 14-15. The event aims to help small businesses across sectors to learn from one another as we work together to build a thriving national innovation ecosystem that promotes equitable access to capital and resources for innovators nationwide.


Tri-State APEX Accelerator Mega-Matchmaker

The National Center APEX Accelerator, along with APEX Accelerators in New York, Pennsylvania, and Ohio, will host the 5th Annual Virtual Tri-State APEX Accelerator “Mega Matchmaker” event on December 3-4. This free event allows small businesses to meet virtually with federal, state, and local government buyers. Interested attendees can register in advance and pre-schedule appointments with government resources.


Let’s Stay in Touch

We are a network of small business professionals with common values, shared knowledge and regular communication who partner with acquisition professionals seeking small businesses to fulfill DoD procurement requirements and give our Service Members the competitive advantage. Follow us on social media, visit our website, or send us an email. We look forward to staying connected.

LinkedIn | X | Facebook | YouTube | Flickr | DVIDs | Website

Dwayne Thompson

President of Horizon ATM LLC

3 weeks

Very helpful


Great advice!

Kareem A. Sykes, ITIL

Industry Engagement Leader @ Eccalon | Cybersecurity Program Management | Motivational & Keynote Speaker | Master of Ceremony | Youth Mentor | CEO & Managing Partner at FTS Consulting Group | Engineering & Technical Svcs

4 weeks

Excellent!

Thank you for sharing!
