I think there are some distinct differences in the way small government contractors are approaching the reality of CMMC, the looming and present deadlines within it, and how this will affect the activity of small business within federal contracting as a whole. The way I see it, CMMC is not just a solution for the long-overdue need for the Department of Defense to have oversight of sharing our country’s national secrets and secured data. It is establishing a dividing line of who will remain in the game because there is a financial aspect that can and may bring about a loss of small business participation in the coming years.
Will CMMC do more for protecting data or eliminating thousands of small businesses from the federal marketplace?
Small business participation
Even though the new administration’s budget and plan included more set asides for small contractors, the actual participation rate among this group is declining. Within government contracting, there is a 90% failure rate for small businesses. That means only 10% of those that get involved in this industry actually make it, achieve certain milestones beyond a 7 year mark, and are competitive and at least mildly profitable within federal contract opportunities. The reason for the lack of success within this industry is the same for the commercial market: lack of access to working capital and cashflow shortfalls that follow them from job to job, project to project. The crippling effect of lack of cash is commonplace for small businesses. So how will added regulation, the cost for implementation and assessment, and a deadline approaching encroach on the further decline of small business participation?
What will this cost you, literally and figuratively?
The more we learn about CMMC, the more the process to be certified up to Level 3 including assessment is looking like it will cost. The price tag will be an issue for most small businesses, especially those who may be holding off implementation because they are not sure how they will finance getting compliant. And with projected cost for assessment ranging from $100k-$300k, this could be the straw that breaks the camel’s back for some in this industry.
Cybersecurity within the DoD is now not just a security necessity but a financial issue. It still is unclear how much will be deemed an allowable cost, thus paid back to the contractor. But the clock is ticking for companies to get in motion with compliance, or the access to opportunity to perform once the deadlines start passing will disappear and so will their ability to bid another day. Options for financing this portion of their operating costs are going to need to be addressed for many or it could eat up any hopes for profit in upcoming projects or eliminate them from the market altogether.
Hurry up and wait
Government contracting is notorious for 11th hour rule changes, added and amended regulations, and many roadblocks like government closure and partisan politics that can hamper the little guy more than the big players. What we know for sure is that CMMC is not going away. There are still some gray areas that will have to be better defined, but that is not stopping this freight train from running its course.
Cost is one of those gray areas still and most likely the reason most contractors are waiting. But the wait will eventually cause a bottleneck effect with supply and demand factors as it pertains to assessment (and that is a whole other topic for another day)! With limited assessors licensed, if you wait too long to get in line, you could miss deadlines because of lack of access.
Stay tuned as we continue to track CMMC progress, changes, and deadlines!