Is CMMC Another Barrier to Entry in the Federal Contracting Market?

Posted on February 28, 2020 by Joseph Goyette

With the release of the new Cybersecurity Maturity Model Certification (CMMC) Model, small businesses are wondering whether this is another barrier to entry into the federal government market.

How is a small business to compete given the current barriers to entry such as the numerous FAR and DFARS clauses?

When CMMC was in the planning stages and the Department of Defense (DoD) invited comments, the issue of the potential adverse impact on small businesses was raised, and it is believed the government seriously considered the issue. In response to comments, the government indicated that the costs of compliance, both implementation of CMMC practices and assessment costs, would be allowable costs for government contractors. This meant these costs could be covered in a cost-type contract or used within labor rate builds.

The government also responded that prime contractors are expected to assist subcontractors with their compliance efforts, as all subcontractors will need to be compliant in order for the prime contractor to be eligible for award.

So does the government’s answer sufficiently address the concerns of the small business?

Let’s analyze it and see. If all contractors must become compliant and there are set costs for compliance, then small businesses will have to bear a disproportionately larger cost per employee to become compliant. This translates into higher labor rates on a T&M contract or higher indirect costs on a Cost Type contract. A small business trying to compete as a government prime contractor will be at a disadvantage from a cost perspective and will have to lower its costs in some other area in order to compete. It sure appears to be an additional barrier to entry. The smaller the business, the disproportionately greater the burden.

Now let’s look at the small business subcontractor making their pitch to a prime contractor in an effort to join the prime’s team. The prime may have small business participation goals and may be looking to add small businesses to the team, but with all other things being equal, the prime will be more likely to partner with a ‘larger’ small business as they will be able to keep their costs down. But isn’t the prime expected to help subcontractors get their CMMC?  Yes.  But that will only happen after they have decided to bring a small business onto the team.  In short, the overall effect will be another barrier to entry.

Is the CMMC model a bad idea?  No, but we must still acknowledge that it is indeed another barrier to entry into federal contracting.  At the same time, it seems to be a necessary requirement to protect national security and interests.  So how can we reconcile these conflicting interests: basic security standards for contractors via CMMC (with the disproportionate costs), and encouraging small business participation in the federal market?

Historically this has resulted in two opposite approaches:
1) the small business proposes unrealistically low wages to compensate for the higher indirect cost (potentially leading to poor contract performance); or
2) the small business brings superior technical capabilities resulting in a higher technical rating during the evaluation process – at least for ‘best value’ type procurements.

Although these are common approaches, neither negates the fact that CMMC is another barrier to entry.  Perhaps this could be addressed by allowing the CMMC-related costs to be removed from a contractor’s cost proposal thereby leveling the playing field for all parties bidding on the proposal.  Then after contract award, the ‘reasonable’ costs of CMMC compliance could be added back into the contract as an additional cost.  Another proposed solution might be to address it the way personal security clearances are handled by the DoD – where the government covers the costs.  And while there is no easy solution to the situation, we should strive to unburden small business as much as possible or at the very least, ease the burden when possible.

Joseph is a Project Manager and Senior Security Engineer for Blue Mantle Technology. He has extensive experience in corporate leadership and management in Cybersecurity, having facilitated successful corporate operations for several businesses over the last two decades. He has a BA from Thomas Aquinas College and an MA and MS from CUA. He holds the following certifications in the cybersecurity industry: CISSP, CISSP-ISSEP, CAP, GCIH, and GCFA. He is also a member of the GIAC Advisory Board.
