<html>
<title>CMMC IMPLEMENTATION: WHAT IT MEANS FOR SMALL BUSINESSES</title>
<body><pre>[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                    CMMC IMPLEMENTATION: WHAT IT MEANS FOR
                            SMALL BUSINESSES

=======================================================================

                                HEARING

                               BEFORE THE

       SUBCOMMITTEE ON OVERSIGHT, INVESTIGATIONS, AND REGULATIONS

                                 OF THE

                      COMMITTEE ON SMALL BUSINESS
                             UNITED STATES
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD
                             JUNE 24, 2021

                               __________

            Small Business Committee Document Number 117-021
             Available via the GPO Website: www.govinfo.gov

                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
44-926                      WASHINGTON : 2021

-----------------------------------------------------------------------------------


                   HOUSE COMMITTEE ON SMALL BUSINESS

                 NYDIA VELAZQUEZ, New York, Chairwoman
                          JARED GOLDEN, Maine
                          JASON CROW, Colorado
                         SHARICE DAVIDS, Kansas
                         KWEISI MFUME, Maryland
                        DEAN PHILLIPS, Minnesota
                         MARIE NEWMAN, Illinois
                       CAROLYN BOURDEAUX, Georgia
                         TROY CARTER, Louisiana
                          JUDY CHU, California
                       DWIGHT EVANS, Pennsylvania
                       ANTONIO DELGADO, New York
                     CHRISSY HOULAHAN, Pennsylvania
                          ANDY KIM, New Jersey
                         ANGIE CRAIG, Minnesota
              BLAINE LUETKEMEYER, Missouri, Ranking Member
                         ROGER WILLIAMS, Texas
                        JIM HAGEDORN, Minnesota
                        PETE STAUBER, Minnesota
                        DAN MEUSER, Pennsylvania
                        CLAUDIA TENNEY, New York
                       ANDREW GARBARINO, New York
                         YOUNG KIM, California
                         BETH VAN DUYNE, Texas
                         BYRON DONALDS, Florida
                         MARIA SALAZAR, Florida
                      SCOTT FITZGERALD, Wisconsin

                 Melissa Jung, Majority Staff Director
            Ellen Harrington, Majority Deputy Staff Director
                     David Planning, Staff Director


                           C O N T E N T S

                           OPENING STATEMENTS

Hon. Dean Phillips
Hon. Beth Van Duyne

                               WITNESSES

Mr. Jonathan T. Williams, Partner, PilieroMazza PLLC, Washington, DC
Mr. Scott Singer, President, CyberNINES, Madison, WI
Ms. Tina Wilson, Chief Executive Officer, T47 International, Inc.,
  Upper Marlboro, MD
Mr. Michael Dunbar, President, Ryzhka International LLC, Pompano
  Beach, FL, testifying on behalf of the HUBZone Contractors
  National Council

                                APPENDIX

Prepared Statements:
    Mr. Jonathan T. Williams, Partner, PilieroMazza PLLC,
      Washington, DC
    Mr. Scott Singer, President, CyberNINES, Madison, WI
    Ms. Tina Wilson, Chief Executive Officer, T47 International,
      Inc., Upper Marlboro, MD
    Mr. Michael Dunbar, President, Ryzhka International LLC,
      Pompano Beach, FL, testifying on behalf of the HUBZone
      Contractors National Council
Questions for the Record:
    None.
Answers for the Record:
    None.
Additional Material for the Record:
    Ho-Chunk Inc.
    IPC Report June 2021
    National Defense Industry Association (NDIA)


        CMMC IMPLEMENTATION: WHAT IT MEANS FOR SMALL BUSINESSES

                              ----------


                        THURSDAY, JUNE 24, 2021

              House of Representatives,
               Committee on Small Business,
                         Subcommittee on Oversight,
                           Investigations, and Regulations,
                                                    Washington, DC.
    The Subcommittee met, pursuant to call, at 10:01 a.m., in
Room 2360, Rayburn House Office Building, Hon. Dean Phillips
[chairman of the Subcommittee] presiding.
    Present: Representatives Phillips, Davids, Evans, Craig,
Hagedorn, Meuser, Van Duyne, and Fitzgerald.
    Chairman PHILLIPS. All right. Good morning, everybody. I
call this meeting to order.
    And without objection, the Chair is authorized to declare a
recess at any time.
    Let me start by saying that the standing House and
Committee rules and practice will continue to apply during
hybrid proceedings. All members are reminded that they are
expected to adhere to these standing rules, including decorum.
House regulations require members to be visible through a video
connection throughout the proceeding, so please keep your
cameras on. And also, please remember to remain muted until you
are recognized to minimize background noise. And turn your
microphone on when you are recognized, of course.
    If you have to participate in another proceeding, please
exit this one and log in later. In the event a member
encounters technical issues that prevent them from being
recognized for their questioning, I will move to the next
available member of the same party and I will recognize that
member at the next appropriate time slot, provided that they
have returned to the proceeding.
    For those members and staff physically present in the
Committee room today, we will continue to follow the most
recent OAP guidance. Masks are no longer required in our
meeting spaces for members and staff who have been fully
vaccinated. All members and staff who have not been fully
vaccinated are still required to wear masks and socially
distance. I do hope that we do all our parts to protect each
other and our staff.
    With that, I will begin with my opening statement. Cyber
attacks have the potential to threaten public safety and
undermine the American economy and national security. The early
months of 2021 have provided harsh reminders of this very fact.
Over the past 6 months, hackers and other malicious actors have
held an oil pipeline for ransom, breached the Nation's largest
transit network, and attacked private companies to obtain
sensitive customer data.
    According to the Council of Economic Advisers, malicious
cyber activity has cost the U.S. economy between 57- and $109
billion since 2016. With our society's reliance on technology
and digitization growing, there is no doubt that cyber attacks
will only become more prevalent moving forward.
    Recognizing the urgency of cyber threats, the Department of
Defense has taken steps to protect sensitive defense
information from attacks aimed at over 300,000 companies that
compose the Defense Industrial Base, the DIB. One of these
efforts has been the creation of the Cybersecurity Maturity
Model Certification. The CMMC is a framework that seeks to
improve the protection of different types of sensitive,
unclassified information through the implementation of a
unifying security standard across the DIB.
    The CMMC framework consists of a tiered system with a
series of processes and practices at each level. The program
was designed based on numerous cybersecurity standards and
frameworks. CMMC relies on third-party certification to assess
the relative cybersecurity maturity of DIB companies, thus when
the initiative is finally implemented and all contracts and
requirements incorporate a specific CMMC level, only those
contractors who have achieved the required CMMC level through
the certification process will be eligible for an award.
    The need for cybersecurity is unquestionable. It is vital
that companies in the DIB become more resilient and prepared
for cyber attacks. With that said, the CMMC Initiative has the
potential of driving many small businesses out of the Defense
Industrial Base, therefore, we must get this right. To that
end, it is important to pay attention to the numerous red flags
that small businesses have raised about this initiative.
    For example, many have a concern about the significant cost
associated with CMMC compliance. Guarding against cyber attacks
can be cost prohibitive for many small businesses. And firms
that seek to abide by CMMC must purchase new hardware and
software, replace outdated technical systems, and pay the costs
of initial certification and maintenance amongst other
expenditures.
    Small businesses often run on thin margins as we know, and
the cost of CMMC has the potential to leave many small firms in
the sector without a chance to compete for government
contracts. Many small businesses also don't have the capacity
to deal with the complexity of the initiative. Employers at
small enterprises often wear many hats and have limited
regulatory or compliance resources. This means that independent
firms will be forced to turn to outside specialists for help to
navigate the program. For many small contractors, this will not
be feasible.
    According to Department plans, the DOD will implement the
CMMC initiative on select contracts between fiscal year 2021
and 2025. In addition, in March, DOD initiated an internal
assessment of CMMC partially guided by an effort to manage
cybersecurity costs for small businesses. This is a very timely
hearing, as it allows us to take a closer look at the program
and its implications for small businesses. There is no doubt
that contractors working with the DOD must have adequate
systems in place to handle cyber threats. At the same time, we
cannot allow the program requirements to drive small businesses
out of the defense procurement space.
    With that, I would like to yield to the Ranking Member, Ms.
Van Duyne, for her opening statement.
    Ms. VAN DUYNE. Thank you, Mr. Chairman. We should have
compared notes before we gave our opening statements, because I
am going to echo many of the sentiments that you just shared.
    Just a few short weeks ago, we saw how a malicious
ransomware attack perpetuated by foreign actors on the Colonial
Pipeline can cause chaos across the entire Eastern Seaboard.
And not long after that, another attack shut down one of the
leading meat producers in the United States. The potential for
profit and opportunity to disrupt U.S. critical infrastructure
has invited a number of cyber criminals to target U.S. network
vulnerabilities, and one of the softest targets to obtain
valuable Department of Defense information is through our small
contractors.
    Recognizing the increased vulnerabilities of small
contractors, the DOD initiated a new cybersecurity assessment
framework, called the Cybersecurity Maturity Model
Certification, to assess contractor implementation of
cybersecurity requirements. While no one disputes the Federal
Government's need to address the growing cybersecurity risks
facing our Nation, I am deeply concerned that the CMMC has
created yet another hurdle to keep small businesses from
competing in the defense marketplace, exactly what we just
heard from our Chairman.
    A major concern is the cost of compliance. No matter how
you look at it, adding stringent cybersecurity requirements
will be a costly endeavor for small businesses that are already
recovering from a pandemic. With limited resources compared to
the competitors in the defense contracting space, small
businesses are understandably wary of deploying that capital
without assurance that their investment will return in future
work.
    The Federal Government has already experienced a 38 percent
decline in its industrial base for the past decade and measures
like this will only exasperate this exodus. Simply put, we need
to ensure a competitive contracting environment for small
business. This would not only benefit our small employers, but
would be a net benefit for our national defense.
    I also have major concerns with the rollout of the CMMC for
a number of reasons. First, the assessments may be inconsistent
and unfair because the new process is being handled by many
newly trained assessors. There are also many questions
outstanding about how subcontractors will be treated under this
new framework.
    And, finally, I am worried that small contractors will be
shut out of the conversation entirely, and forced to the end of
the line.
    The fact is that this new process may threaten the
livelihood of many small businesses. No assistance, no
assessment means no certification, and no certification means
no work. Small businesses rightly fear that they won't be given
a fair share, left to fend for themselves, as we have too often
seen when it comes to sweeping government reforms.
    Dealing with cyber threats is an extremely nuanced issue
that will require continued collaboration, and while the DOD
may have good intentions with the CMMC initiative, we must
ensure that the voices of small businesses operating in the
Defense Industrial Base are heard and have their concerns
addressed. I look forward to hearing the testimony of the
witnesses today.
    And I yield back.
    Chairman PHILLIPS. Thank you, Ms. Van Duyne. The gentlelady
yields back.
    And I will just take a moment to explain how the hearing
will proceed.
    Each witness will have 5 minutes to provide a statement and
each Committee member will have 5 minutes for questions. Please
ensure that your microphone is on when you begin speaking and
that you return to mute when you are finished.
    With that, I would like to introduce our witnesses.
    Our first witness is Mr. Jonathan T. Williams, partner with
the law firm of PilieroMazza in Washington, D.C. As Chair of
their government contracts group, he counsels companies on a
variety of Federal acquisition regulation compliance issues.
Mr. Williams is also a member of PilieroMazza's cybersecurity
and data privacy team. In this role, Jon works with Federal
contractors, particularly those who contract with the DOD, on
managing cybersecurity and establishing compliant and effective
safeguards. We appreciate your expertise on today's topic.
    Our second witness is Mr. Scott Singer, president of
CyberNINES with offices in both Wisconsin and Minnesota. Mr.
Singer is a retired U.S. Navy captain bringing over 30 years of
military experience in both Active Duty and Reserve roles,
along with 26 years of industry experience. His company,
CyberNINES, is a service-disabled veteran-owned small business,
focused on cybersecurity services and a candidate third-party
assessment organization for CMMC. We appreciate you as well,
Mr. Singer, for your contributions to today's discussion.
    Our third witness is Ms. Tina Wilson, founder and Chief
Executive Officer of T47 International, located in Upper
Marlboro, Maryland. Ms. Wilson is an Air Force veteran, and T47
International is an 8(a) veteran-owned, and women-owned small
business, offering a wide range of professional support
services to the defense community. We thank you also for
sharing your story today.
    With that, our Ranking Member, Ms. Van Duyne, will
introduce Mr. Dunbar.
    Ms. VAN DUYNE. Okay. Hold on just a minute. Thank you very
much.
    I would like to welcome our final witness, Mr. Michael
Dunbar. Mr. Dunbar is the president of Ryzhka International, a
service-disabled, veteran-owned small business founded in May
of 2011, and a HUBZone certified firm as of February of 2014.
They have lubricants and fuel oil to government, commercial,
and maritime clients worldwide, and proudly provide 100 percent
American-made products. From its initial founding to today, the
company has grown from one to six employees and successfully
serves clients ranging from the U.S. Army Corps of Engineers,
the Department of Veterans Affairs, the U.S. Navy and Coast
Guard, the National Oceanic and Atmospheric Administration,
various shipyards in many of the dredging community.
    Ryzhka International has been the proud recipient of
several awards. This is the Department of Defense's award for
support of the Guard and Reserve. And in addition to its
businesses, the company's secondary mission is to provide
gainful employment opportunities to qualified individuals from
disadvantaged segments of society, such as minorities, women,
people with disabilities, and veterans.
    Chairman PHILLIPS. And we will begin with Mr. Williams--oh,
I am sorry.
    Ms. VAN DUYNE. Sorry. You are good. You are good. The
secondary focus is no surprise considering Mr. Dunbar's own
military service in the U.S. Navy Nuclear Power program and his
status as a service-disabled veteran. After his military
service, Mr. Dunbar went on to spend the summer working on the
solid rocket boosters for National Aeronautics and Space
Administration's space shuttle.
    Following that summer, he attended the University of Utah,
went on to have a successful career as an executive in the
biotech industry, and afterwards, started his own company. Mr.
Dunbar will be speaking today on behalf of the HUBZone
Contractors National Council, which is a nonprofit trade
association advocating for policies bringing opportunities to
HUBZone certified small businesses and the economically
disadvantaged communities in which these companies are based.
    Mr. Dunbar, thank you for your participation today. We look
forward to hearing your testimony.
    I yield back.
    Chairman PHILLIPS. Thank you, Ms. Van Duyne. The gentlelady
yields back.
    Sorry, Mr. Dunbar. My bio is about one sentence long, so I
am not accustomed to two pages.
    With that, we are going to recognize Mr. Williams for 5
minutes for your opening statement. Mr. Williams.

STATEMENTS OF JONATHAN T. WILLIAMS, PARTNER, PILIEROMAZZA PLLC;
    SCOTT SINGER, PRESIDENT, CYBERNINES; TINA WILSON, CHIEF
EXECUTIVE OFFICER, T47 INTERNATIONAL, INC.; AND MICHAEL DUNBAR,
 PRESIDENT, RYZHKA INTERNATIONAL LLC, TESTIFYING ON BEHALF OF
            THE HUBZONE CONTRACTORS NATIONAL COUNCIL

               STATEMENT OF JONATHAN T. WILLIAMS

    Mr. WILLIAMS. Good morning, Chairman Phillips, and other
distinguished members of the Subcommittee. My name is Jonathan
Williams, and I am a partner with the law firm PilieroMazza,
which represents government contractors. Many of our clients
are small businesses that work with the Department of Defense
as prime contractors and subcontractors. It is an honor to
participate in this hearing on DOD Cybersecurity Maturity Model
Certification to share my perspective on the CMMC Initiative.
    DOD's focus on cybersecurity has been steadily building for
many years, with measures ranging from implementation of new
regulations and contract clauses to the elevation of
cybersecurity as the fourth pillar of DOD's acquisition
planning. DOD has left no doubt about the importance it has
placed on enhancing cybersecurity for the Defense Industrial
Base, and with good reason, as recent events like the pipeline
shutdown demonstrate.
    CMMC marks a significant change in DOD's evolving approach
to cybersecurity. With CMMC, contractors will no longer be
allowed to use the honor system by self-certifying their
cybersecurity. Instead, contractors will have to apply for
certification from a third-party assessor. These so-called
C3PAOs will evaluate the contractor's cybersecurity against
established benchmarks and decide whether to certify the
contractor in one of five levels.
    The lowest level of CMMC is level one, which requires the
fewest and most basic cybersecurity measures. The level one
requirements are things all businesses should be doing, like
spam filters and antivirus software. The cost and complexity of
the requirements increases significantly at the higher levels
of CMMC.
    DOD has said it intends to start requiring CMMC on a few
contracts this fiscal year with that number increasing steadily
over the next several years until fiscal year 2026, when all
DOD contractors will be required to have CMMC.
    However, the implementation schedule has slipped a few
times already and remains in flux. Approximately 2 years into
the CMMC Initiative, many practical questions that small
businesses are asking remain unanswered. These are basic
questions like, when will I need CMMC? How much will it cost?
What level do I need? And how do I get it?
    Many small businesses will not be able to adequately
prepare for CMMC until these questions are answered. For
example, DOD estimates that most small businesses will only
need level one; however, that is not guaranteed. DOD agencies
are more likely to require at least level three for many of
their contracts, and prime contractors may flow down the same
level to their subcontractors.
    Given the substantial difference in cost and technological
know-how between level one and level three, many small
businesses will be unable to compete if more than a level one
is required. From my discussions with the small businesses we
represent, I have several suggestions for how to make the CMMC
Initiative more manageable for small businesses, including the
SBA and DOD mentor-protege programs should be utilized to
ensure that mentors provide small businesses with resources and
guidance to obtain CMMC.
    Joint ventures, a popular tool for small businesses to
pursue government work, should not be required to have CMMC
when the member companies are certified. C3PAOs should be
required to fast-track CMMC applications when the applicant is
a small business that is in line for award of a contract.
    DOD contract clauses should prohibit prime contractors from
imposing a more stringent level of CMMC on a subcontractor than
is necessary based on the scope of the subcontract.
    And finally, DOD and prime contractors should explore
alternative ways to give small businesses access to sensitive
information that will enable more small businesses to
participate on DOD contracts with a level one certification.
    In closing, I believe the CMMC Initiative appropriately
aims to improve our Nation's cybersecurity posture. I do not
think small businesses would debate the importance of
cybersecurity, or that doing business with the Federal
Government is a privilege that requires investments in
compliance and infrastructure.
    At the same time, the worthy goals of the CMMC Initiative
must be calibrated to avoid creating an unnecessarily high
barrier to entry for small businesses, which are the engine of
our economy and critical partners with the Federal Government
for innovation and provision of many necessary services and
supplies.
    This concludes my testimony. Thank you, again, for the
opportunity to appear before you today.
    Chairman PHILLIPS. Thank you, Mr. Williams. A perfect 5
minutes at that. We appreciate it.
    Now we recognize Mr. Singer for 5 minutes.

                   STATEMENT OF SCOTT SINGER

    Mr. SINGER. Thank you, Representative Phillips, Ranking
Member Representative Van Duyne, and members of the
Subcommittee, for inviting me to testify this morning. I look
forward to providing information that will help ensure we have
a secure Defense Industrial Base and find cost-effective
solutions to allow small business to fully comply with CMMC.
    My name is Scott Singer, and I am the owner and president
of CyberNINES. CyberNINES was founded only in June of 2020;
however, thanks to the interim final rule released on November
30, 2020, we have been really busy. And I have done assessments
in the districts of some of the members of this Subcommittee.
Small businesses do not have purchasing or IT departments. They
do not have compliance or regulatory departments. We need to
make this easier for them. Primes, certified third-party
assessors, registered provider organizations, all can assist
these small businesses to get compliant and reduce the complexity
for them.
    Having a program where the primes take a strong guiding
hand of their supply chain is critical to maintaining these
small businesses as DOD suppliers. Of the last 33 basic
assessments CyberNINES has conducted, the average compliance
score was minus 105. Plus 110 is perfect. We have found that on
average, they are only about 34 percent of the way toward
meeting all the risk controls. Cost models put forth by the
government assume that companies are much further along on this
journey, and they actually should be by this point.
    Assuming full compliance to NIST, the DOD has put out that
this will cost $26,000 to complete the 20 additional practices
followed by an additional $29,000 to be assessed by a C3PAO. As
discussed above, small businesses that we have assessed are
only partway there, and we have come up with costs more to the
tune of about $130,000 for these businesses to be able to be
compliant.
    Last week, I conducted a basic assessment of a small
manufacturer in Minnesota. They had only six employees, one
small manufacturing space with three machines, and they do
excellent innovative work. I spent a good majority of my time
doing the assessment actually from the owner's house. This
year, he expects to make 875K in revenue. My estimate is that
if he wants to stay a DOD contractor, he will have to spend 10
percent of his revenue over the next 3 years alone on getting
compliant.
    Small businesses have been directed to add their allowable
costs to get compliant to their indirect rates. Most don't do
cost reimbursement contracting for DOD. Moreover, market
factors around competition for orders will require them to
compete and lower prices. Established contractors will be more
likely to be able to provide a lower bid and win the order from
the prime. There should be a process separate from the
competitive marketplace to allow small businesses to get paid
for the reasonable, necessary, and allowable cyber compliance
expenses.
    Companies further ahead should not be penalized and be able
to recoup their past expenses, too. In addition to the
difficulty small businesses have funding this effort, there are
bottlenecks for getting enough assessors. In doing the math, I
just don't see how--and this is my opinion--we can get enough
C3PAOs and assessors through the process to assess 300,000 DIB
companies by October 1, 2025. I saw one estimate that we would
need over 8,000 assessment team members working full-time from
today on to make this happen.
    To get more C3PAOs through the process, I recommend there
be a relaxation for the initial C3PAOs. Assess candidate C3PAOs
to maturity level one or two now, and then require level three
in the future. The requirement for tier three background
investigations for assessment and support staff creates another
bottleneck. I would recommend allowing an interim clearance
process for that.
    In conclusion, the majority of the 300,000 contractors in
the DIB are small businesses. Without monetary support and
clear regulatory guidance, the DOD will lose small businesses
as they will look to find business in the commercial sector. A
balance must be struck between risk and cost. Too much cost, we
lose suppliers; too much risk, and we hurt our national
security.
    Thank you for allowing me to testify, and I look forward to
your questions.
    Chairman PHILLIPS. Thank you, Mr. Singer. And now we
recognize Ms. Wilson for 5 minutes.

                    STATEMENT OF TINA WILSON

    Ms. WILSON. Chairman Phillips, Ranking Member Van Duyne,
and members of the Subcommittee, thank you for the invitation
to testify today. I am Tina Wilson, CEO, T47 International, and
I am honored to have the opportunity to provide some insight
regarding the implementation of DOD CMMC Initiative.
    As a business owner with over 260 employees located in 28
States and overseas, T47 provides a variety of staffing
services from budget and finance, janitorial, inventory
management, aircraft tools, maintenance to mail room, and
nonclinical medical and dental case managers. The diversity of
services offered puts me in a unique position to provide a
different perspective regarding this subject.
    As CMMC standards continue to be developed and incorporated
into contract agreements and modifications, it is essential
that the Small Business Committee be aware of the policy
impact. If the CMMC standards are not clearly communicated and
monitored for fraud, the financial ramifications to the over
300,000 Defense Industrial Base of contractors, and
specifically to the small business community, could be
devastating.
    Based on this statement, I will cover three main subject
areas of concern and offer recommendations.
    Cost to secure CMMC. As of today there is no set cost to
obtain CMMC. The CMMC accreditation body has stated that the
marketplace will need to define the cost, which leaves it wide-
open for interpretation what this cost will be. Whether it is a
tiered cost based on the size of the business, or a set cost
regardless of the size, there will be initial and sustained
cost that will impact small businesses' ability to secure the
certification.
    A similar certification offered by the International
Organization for Standardization, ISO, is standard 27,000,
which is information technology and focuses on security for any
kind of digital information. This certification costs between
28- to $35,000 to obtain, and takes approximately 6 to 8 months
to implement. This is a tremendous cost burden to add to a very
tight budget for most small businesses.
    Cost of not having CMMC. While unknown as of today, what
has been communicated to the entire Defense Industrial Base is
that if you don't have CMMC at the basic level, you will not be
eligible for a Federal contract. Many small businesses may not
even be aware of this new requirement, and failure to obtain
certification means ending contract work as a service provider
to the DOD.
    Additionally, as the prime contractor, it will be our
responsibility to flow down the requirements to our
subcontractors. If the subcontractor does not have
certification, we would be required to end subcontract
agreements to remain compliant with the DOD CMMC standards.
    Audit imposters. I raise this subject as an awareness to
inform the Subcommittee. When the DOD presented the CMMC as the
new way of life for all businesses within the Defense
Industrial Base in the summer of 2019, many business owners
asked a lot of questions of why? Who will conduct the
implementation and audit? How much? When will it happen?
Implications, or if you do not have it, and many more
questions.
    Before the CMMC accreditation body was formed in the latter
part of 2019, audit imposters with no training and not
accredited started advertising that they will certify your
company as cyber compliant for thousands of dollars to get a
company ready. Many small businesses that are just now
hearing about this standard may, in a moment of panic and fear
of losing their government contract, fall prey to an audit
imposter.
    As I close, I recommend that the Subcommittee members
closely monitor this very important implementation of CMMC
Initiative. While I know there are so many other issues to
focus on, CMMC has ramifications that reach far beyond what we
can realize at this moment.
    It is important that, one, cost is articulated clearly to
reduce price gauging and to allow the small businesses to plan;
number two, a balanced cost approach that does not reduce small
business participation in the Federal marketplace; number
three, DOD continues to work closely with various advocacy
groups to ensure that the Defense Industrial Base contractors,
known at the Office of Small Business, is aware of this
implication to this new initiative; and four, DOD and the
Office of Small Business start as soon as possible to put
various roadblocks in place to reduce the number of audit
imposters.
    Thank you for your time in addressing this very important
subject that impacts thousands of small businesses that do
business with the Department of Defense.
    Chairman PHILLIPS. Thank you, Ms. Wilson.
    And now I recognize Mr. Dunbar for 5 minutes.

                  STATEMENT OF MICHAEL DUNBAR

    Mr. DUNBAR. Chair Phillips, Ranking Member Van Duyne, and
members of the Subcommittee, thank you for the opportunity to
testify before you today. My name is Michael Dunbar, and I am
the president of Ryzhka International, located in Pompano
Beach, Florida.
    Ryzhka International provides lubricants, fuel oil in bulk
quantities, package quantities to the Federal Government,
commercial maritime industries. I am a proud service-disabled,
veteran-owned small business, as well as a HUBZone certified
small business.
    I am testifying today on behalf of the HUBZone Contractors
National Council, a nonprofit trade association providing
information and support for companies and professionals
interested in the Small Business Administration's HUBZone
program. We would like to thank the Committee for its
commitment to small business and for advancing policies that
support small businesses doing business with the Federal
Government.
    In a recent hearing, Deputy Assistant Secretary of Defense
of Industrial Policy, Jesse Salazar, said it best: The
Department's approach to cybersecurity must balance the need
for accountability with the recognition of the challenges
facing small businesses.
    Small businesses understand the importance of
cybersecurity, and the very real threats facing their
companies. We are not looking for a way to opt out or ignore
this problem. We want to secure our companies. According to the
DOD's contracting data, 74 percent of the Defense Industrial
Base are small businesses. These contractors are critical to
the government, and are not a group that can be ignored.
    The Federal Government has long identified the need to
safeguard sensitive information and understands that
cybersecurity is a dynamic issue. Small businesses, however, are
experts on the goods and services they provide. We do our best
to focus on supplying a product, making a profit, and retaining
employees. Most small businesses are not IT professionals. We
are not cybersecurity specialists either. I am--right here is
the assessment guide.
This is for cybersecurity CMMC model \nlevel three. It is full of stuff I have no idea and don't \nunderstand. I have to hire somebody to figure this out.\n    The initial cost for me to start my business was less than \n$1,000. The cost to start a new government-focused business \nwith this, 10,000, 100,000; we really don't know. Access to \ncapital can be a very challenging issue for small businesses, \nand we have to use significant capital now to become CMMC \ncertified.\n    The segments hurt most are the segments that can least \nafford it. The Federal Government already has challenges \nmeeting those goals. If we reduce the number of companies that \nqualify, you also reduce opportunity for people to start up new \nbusinesses in those sectors.\n    The council makes the following recommendations to improve \nthe rollout of CMMC, and maintain a strong industrial base. \nIncreased cost transparency and put guardrails on rising \ncompliance costs for small business. One of the biggest \nfrustrations for small business throughout the rollout has been \ncost transparency. Some small businesses have estimated costs \nin excess of $100,000 to prepare for level three certification. \nThat doesn't include the assessment costs. I have heard of \nassessment costs already estimated at above $150,000 for a 50-\nperson company.\n    Establish clear communication on CMMC efforts. A lack of \ntransparency, clear, consistent communication by the DOD, and \nthe rollout of CMMC and its implementation by the CMMC \naccreditation body has been concerning. The council suggests \nputting together a more clear, consistent delivery of \ninformation through a central government platform or website.\n    Streamline new and existing standards for contractors. The \nFederal Government lacks unified cybersecurity standards across \nall agencies. 
The council encourages the DOD to work closely \nwith industry, particularly small businesses, to streamline \nthese requirements allowing companies to have a plan of action \nand milestones after a CMMC assessment would help these \nburdens.\n    Create a system for oversight and equitable rollout. Many \nsmall businesses worry that they will be put at the back of the \nline and face massive delays as companies serve the \nsubcontractors, and equitable rollout is important to these \ncompanies as well.\n    In conclusion, the Federal Government has a long and \ncomplex history of governing cybersecurity regulations and \ncompliance with its contractors. A streamlined approach needs \nto be taken for contractors to navigate all of these standards \nand system successfully.\n    Thank you for the opportunity to testify today, and I look \nforward to your questions.\n    Chairman PHILLIPS. Thank you, Mr. Dunbar, and to all of our \nwitnesses for being with us today and we appreciate your \ntestimony on the CMMC Initiative.\n    I will begin the hearing now by recognizing myself for 5 \nminutes. I will start with Mr. Williams.\n    I think we all understand the importance of cybersecurity, \nand ensuring that the most vulnerable small businesses in the \nDIB supply chain are protected. However, it is clear that the \ncost of CMMC could be terribly burdensome for small businesses. \nSo how should we be looking at this? How can we strike the \nright balance between enhancing cybersecurity, and ensuring \nthat small businesses can participate in DOD acquisitions?\n    Mr. WILLIAMS. Yes. Excellent question. Thank you. I think \none of my top suggestions there is to try to make good on DOD's \nestimate that most small businesses will only need level one. 
\nAs I said in my testimony, that is not guaranteed, but if we \ncan keep as many small businesses as possible at level one, \nthat will strike the right balance between ensuring that these \nsmall businesses have at least the basic cybersecurity \nprotections in place, but will allow them to avoid, as Mr. \nDunbar said, the significant additional costs when you go from \na level one to a level three.\n    And I think managing the level one versus level three \ndistinction is probably one of the most critical ways to keep \nthe cost down for small businesses. That could be done through \nflow-down protections. Make sure that primes are not flowing \ndown higher than level one if their subcontractors only need \nlevel one. And I would like to see more flexible approaches \nwhere the small businesses don't need to take the controlled \nunclassified information into their own network, because that \nis what then causes the jump from level one to level three.\n    Let's look at ways that either the DOD and their own \nsystems, or the prime contractors and their own systems, can \nmaintain this information, and let's maybe be more creative and \nflexible in how we allow small businesses to participate on \nthose programs without having to take that information into \ntheir network, and then cause them to have to go up to a level \nthree.\n    Chairman PHILLIPS. Appreciate that. Are there any funding \nstreams of which you are aware that can help small businesses \nwith the costs of CMMC? And if there is anything that Congress, \nDOD, or even SBA could do to help in that regard, no matter how \nsignificant the expenses might be?\n    Mr. WILLIAMS. I am not aware of specifically targeted \nfunding stream at CMMC. 
I think it would be a fantastic idea if \nthere was the wherewithal for a grant program for small \nbusinesses to help them on their way with the upfront \ninvestments needed for CMMC.\n    The larger small businesses will be able to make that \ninvestment and get it on the back end when they are paid on \ntheir contracts with the government, but for the smaller firms, \neven the several thousand dollars of the investment needed for \na level one might be too difficult to make upfront.\n    And I think the existing mentor-protege programs, as I \nmentioned, those are fantastic programs. They work very well in \nmany respects at the SBA and DOD for small businesses and large \nbusinesses. There are a lot of incentives that large business \nmentors get from participating in those programs.\n    We could be clearer, more well-defined that mentors, when \nthey are permitted to access those programs, have to ensure \nthat one of the things they are doing for their proteges is to \nprovide financial resources and technical assistance to ensure \ntheir proteges are ready for CMMC.\n    Chairman PHILLIPS. Thank you very much.\n    Ms. Wilson, I would love to hear from you about your \nexperience. How were you made aware of CMMC? How difficult is \nit for you and T47 to understand, and do you envision having to \nengage a consultant or specialist to help you navigate it?\n    Ms. WILSON. Sure. Thank you for the question. I learned \nabout CMMC when attending a DISA Industry Day in 2019 up in \nBaltimore. I understand completely how it works and, you know, \nfrom a broader perspective, but, you know, protecting supply \nchain, intelligence, assets, IT infrastructure and, you know, \nthings that matter to protect in our Nation.\n    And for T47, the critical part is, we have to secure a \nspecialist, which I have already engaged, because it is very \ncomplex. And for someone that is non-IT like myself--I am a \nbusiness owner. 
I know how to go get contracts and build a \ncompany, but to build an IT infrastructure that impacts a lot \nof employees and be able to maintain it and go into other \nsecured areas, it is a challenge.\n    So to actually have an expert to help us is going to be \ncritical, and I have engaged in that process already.\n    Chairman PHILLIPS. Thank you very much. My time is expired, \nand now I recognize the Ranking Member, Ms. Van Duyne, for 5 \nminutes.\n    Ms. VAN DUYNE. Thank you very much. Mr. Dunbar, okay, hold \nthat up one more time. You need two hands. That is--I mean, I \ncompletely understand your frustration right now. Do you \nbelieve that the CMMC duplicates any of the multiple standards \nin cybersecurity programs that currently exist? Do you find \nthat there is a bunch of stuff that is already existing right \nnow that is in that book that you are going to have to do more \nof? And is there a way to further streamline these disparate \nprocesses?\n    Mr. DUNBAR. Thank you very much for the question here. From \nwhat I understand--and I am not a technical expert, so I will \nanswer from a layman's perspective--CMMC added, I believe, 20 \nadditional items to NIST 800-171, which is currently the law of \nthe land and what exists today. So what is being projected to \nbe our new standard is built on an existing standard, and part \nof me questions why we had to go so much further.\n    The reasoning behind putting CMMC in place, part of it was \nbecause we were doing self-assessments before for companies \ninstead of having a third-party assessment. Why could they not \ninstitute some part of third-party assessment to an existing \nstandard? 
Why create a whole new standard that people have to \nlearn and understand to begin with?\n    And I didn't have to deal with the first standard because \nmost of my business is what they call is called COTS, which is \nCommerical-Off-The-Shelf products; however, fuel recently, as \nwe just saw with Colonial Pipeline, has become a very critical \nitem. Is supplying fuel by truck, by whatever method all of a \nsudden going to become a CMMC level four like the \ninfrastructure piece of it might potentially need to be? That \nis going to impact a significant number of small businesses \nlike mine.\n    So by adding these additional items, we ask our question as \nto why, and how do we streamline this? I have in place security \nright now that covers 77 of the NIST items--covers 77 of the \nCMMC items, but covers 90 percent of the risk. So is that \nadditional cost-benefit, and we are talking 80 to $100,000 of \nadditional cost to get that other 10 percent realistic for \nsmall business?\n    Ms. VAN DUYNE. I am concerned that the critical information \nabout CMMC is being conveyed in a conflicting and potentially \ninformal manner. What are small businesses currently going to \nseek information or guidance on CMMC? Where are you going to \nfind more information? And then, what would be the ideal method \nor platform of communication from the DOD to the contracting \ncommunity? How can we make it easier?\n    Mr. DUNBAR. The main place that we have been receiving \ninformation tends to be LinkedIn. We have had members of DOD \ncommunicating directly through LinkedIn, members of the CMMC \nboard communicating through LinkedIn. That tends to be the \nlargest location or community of folks getting information on \nthis program. We get very little from DOD directly. They have \nhad some town halls that they call it. 
You don't really get \nmuch notice, if any.\n    Just the other day was mentioned a project spectrum, I \nbelieve it is called, that I had never heard of, that was put \nin place, it looks like some time in 2020. Most small \nbusinesses are unaware of this as well, and this is supposed to \nhelp us somehow, it is a DOD program, but we are not even aware \nof it.\n    Ms. VAN DUYNE. Your being sent to a website is probably not \ngoing to help you?\n    Mr. DUNBAR. Correct. And that is just--there is no \nconsistent method or message coming out from DOD on where to \nget things. Even if you go to the CMMC-AB frequently-asked-\nquestions page, sometimes they say Oh, that is a DOD \nresponsibility, and that has been a lot of the kickback is \npointing fingers between the CMMC-AB and DOD saying, Well, they \nare responsible for X; they are responsible for Y.\n    Ms. VAN DUYNE. Specifically for the small business \ncommunity, I didn't mean to cut you off, if you had anything \nelse to add.\n    Mr. DUNBAR. No, ma'am.\n    Ms. VAN DUYNE. Specifically for the small business \ncommunity, and I hate to add another agency in here, but do you \nsee a role that SBA could possibly play in helping to be an \nintermediary between the three?\n    Mr. DUNBAR. I definitely--there should be a role for the \nSBA in here. I don't feel that the SBA has been able to be \ninvolved. I feel that the DOD has sidelined them, at least in \nmy opinion, in the same manner that I think a lot of small \nbusinesses have been ignored when we have raised questions or \nraised issues. And that has basically been kept to a very small \ngroup of people that are running all of this, and then we get \ntold later on, Here is what is happening.\n    Ms. VAN DUYNE. Thank you very much.\n    I yield back.\n    Chairman PHILLIPS. The gentlelady's time is expired.\n    And now I recognize the gentleman from Pennsylvania, Mr. \nEvans, for 5 minutes.\n    Mr. EVANS. Thank you, Mr. Chairman. 
I would like to ask a \nquestion to Ms. Wilson. Small businesses are frequently \ntargeted by cyber criminals. What would the ideal situation be \nfor you in terms of the Department of Defense ensuring that \ncybersecurity taken care of its small business base?\n    Ms. WILSON. Thank you so much, sir. I think one simple \nsolution to offer, and it could be reasonable cost and possibly \nfree. It is the offer of maybe cyber tools that are already \napproved by DOD to the small business community as a first line \nof defense. It could be offered up from the CMMC level one up \nto possibly level two. And then, at least this way, DOD has a \nlevel of comfort to say, Okay, at least we have some tool out \nthere now, it is up to the marketplace, the small business \ncommunity to go out and secure additional certification, if \nnecessary, to ensure that, you know, at least we are taken care \nof, and that shows an effort that the DOD cares. That is a \ncritical part. We just need to know that DOD is here to help \nyou.\n    Mr. EVANS. I would like to follow up. For many small \nbusiness, cybersecurity certification is just one of the many \nrequirements of certification they need to comply with as part \nof being a defense contract. Can you mention just a few of the \nother certifications you have to comply with, and how does the \ncybersecurity certification compare to other certification in \nterms of its levels of burdens?\n    Ms. WILSON. Sure, sir. So for T47, we have actually \ninvested in securing the ISO certifications, three \ncertifications. We are doing that currently. That is a very \ncostly investment. We will also have the SBA 8(a) certification \nthat is due annually. 
And because of our size now, we now must \nincur additional cost for audits that are necessary to keep the \ncertification.\n    We have the woman-owned small business certification, and \nthen as a clear facility, we have the defense \ncounterintelligence security certifications as well to keep our \nclearance.\n    So, in comparison to all those other certifications was \njust a small list for us. To be perfectly clear and frank with \nyou, the CMMC has been the most challenging, because it is just \na lack of not understanding exactly what is needed, and it is a \ncost that is involved. There is no transparent cost set aside \nfor, like, small business mid or large.\n    And I know this is a new initiative because any time you \nroll out a new policy, there is always going to be bumps in the \nroad, but at the same token, there needs to be more of a clear \ncommunication from DOD, and those that are managing this \nprocess on what it is going to take for small businesses, or \nall businesses to have the certifications necessary.\n    And that is going to take a concerted effort for everyone \nto understand. CMMC, to be quite honest with you, it is new, \nbut it is a challenge. And it must be worked out pretty quick \nbecause you are going to start rolling these things out into \ncontracts, and the fear could be real once it starts happening.\n    Mr. EVANS. I thank you.\n    And I yield back the balance of my time.\n    Thank you, Mr. Chairman.\n    Chairman PHILLIPS. The gentleman yields back.\n    And now I recognize the Ranking Member of the Subcommittee \nfor Underserved, Agricultural, and Rural Business Development, \nMr. Hagedorn of Minnesota for 5 minutes.\n    Mr. HAGEDORN. Mr. Chairman, thank you for that, Ranking \nMember Van Duyne. It is good to be with you today. Thanks to \nthe witnesses. 
This seems to be one of these issues, and even \nthe big agencies the Federal Government want to impose a lot of \nthings on small businesses that they themselves don't handle \nappropriately.\n    It doesn't take--you don't have to think too long and hard \nto realize that the DOD has lost technology outright, giving it \naway in some cases, our Federal Government, to China. Economic \ntechnology, of course, gets lost a lot by big companies. OPM \nwent and took 25 million records of Federal employees. I was \none of those folks that they stole from during the Obama \nadministration, and now they come along and say, Well, if you \nwant to do business with us, you have to go through a bunch of \ngyrations, spend a bunch of money, and some of it, it seems, \ncould be reasonable.\n    You look at recently, we had some issues with, obviously--\nand these things are very important. We had a big meat packing \ncompany that does 25 percent of the beef in the United States; \nhave a pork manufacturing plant in Worthington, Minnesota, \nwhere I represent, they went down and you see how critical \nthings can be. We can lose our food supply and everything else \nin the blink of an eye, but Mr. Dunbar, I think--wouldn't it \nmake more sense if the Federal Government just imposed some \nreasonable standard and said if you want to do business with \nus, you got to try to do everything possible in order to make \nsure there is security here, and that you protect these digital \nways that you do business? I mean, rather than have you go \nthrough all these hoops. I mean, you say it costs up to \n$100,000, it doesn't seem reasonable to me.\n    Mr. DUNBAR. Thank you, sir, for the question. Yes, I agree. \nI think the keyword there is the definition of reasonable. I \nbelieve the DOD believes that their numbers and that their \nrequirements are reasonable. 
Small businesses would probably \ndisagree with that when you have a company like mine of six \npeople that has to spend $100,000 to comply with something.\n    There are, as I mentioned, standards out there currently \nthat are being used every day. I mean, right now, a small \nbusiness--you walk into a small business and we hear \nadvertisements on TV and such saying, We have got your \nsecurity, Have your internet service through us, we got you \ncovered. Well, that is what a small business thinks. Okay. They \ngot our security for us. No problem. Then we see something like \nthis and say, Well, we really don't have security, do we? We \nneed something in between those two items.\n    My security that I currently have in place is, as I \nmentioned, covers 77 of the items that are being requested in \n90 percent of the problems, and it is costing me about $15,000 \na year to $20,000 a year to do that. I could get away with a \nlittle bit less, but I have insurance and other things on it \nthat get tossed into there to cover in case I get hacked.\n    So there are standards out there that could cover \nreasonably well what we are all looking for, and meet a level, \nI think, that would provide security for anything but the \ngreatest items out there. As was mentioned by Mr. Williams, \nhaving access into a system provided for us for companies that \ndon't need to take something or machine it, but actually just \nneed that data and that information can go into the government \nsystem sort of like the National Guard does. They have their \nlittle wall garden, we call it. A member of the National Guard \ncan go in, get their CUI information in there, go out, be it \ntheir VPN, and now they have all the information that they \nneed, and it has been in a secure environment.\n    Mr. HAGEDORN. 
So I worked a little bit in the Treasury \nDepartment, and I have seen bureaucracies in action and usually \nthe bureaucrats come up with lots of ideas in order to make \nsure that if something goes wrong they can, as you say, point \nthe finger at somebody else. And I see a lot of that here. I \nsee a lot of expense being pushed along to you, and just \nbecause if something goes wrong, they don't want to be blamed \nfor it.\n    And I think, you know, it is kind of telling when \ngovernment comes up with these ideas here, we are going to put \nthis regulation on you, we are going to make you do all these \ntypes of things, and oh, it is going to cost some money so, \nwell, now let's go find funding streams in order to help you \npay for that. I mean, we see this all day long.\n    I think a reasonable standard would make sense. Most \nbusinesses, even the big ones, have issues here. They all need \nto do better in compliance and I think that people can figure \nthat out. So thanks very much, by the way, for your service to \nthe country and you had a very impressive resume. Took our \nRanking Member an extra shot at it just to get it out.\n    Thanks very much.\n    Mr. DUNBAR. Thank you, sir.\n    Chairman PHILLIPS. The gentleman yields back.\n    And now we recognize the Ranking Member of the Subcommittee \non Economic Growth, Tax, and Capital Access, Mr. Meuser, for 5 \nminutes.\n    Mr. MEUSER. Well, thank you, Mr. Chairman. Thank the \nRanking Member very much for holding this hearing. Thank you to \nthe witnesses as well. So there are reports--we all know that \ncybersecurity is clearly an issue. Reports are, that I have \nreviewed, that 6 percent of U.S. military and aerospace \ncontractors reported data breaches between 2016 and 2018. \nRansomware attacks are up over 100 percent in 2020. All \nindustries, by the way. That is for all industries. 
So it is a \nconcern.\n    DOD, however, seems to have created the CMMC mandates that \nare a major concern to all small businesses and contractors \ncertainly sitting here, and in my district. In fact, it seems \nthat some of the focus on compliance with these mandates is \neven truncating your actual ability to focus on actual \ncybersecurity. And as being in business for a lot of years, I \nunderstand that. These mandates coming from Washington, in this \ncase the Department of Defense, don't take what your business \nabout fully into consideration. How could they possibly, right? \nI mean, it is a one-size-fits-all approach.\n    So, I am definitely not happy to hear that the Department \nof Defense is also not offering forums to have this discussion \nwith you, right? Perhaps in a hearing maybe we can do that or \ncreate access so they can better understand your concerns. And, \nagain, I have DOD suppliers in my district that have already, \njust in the last couple of years, spent tens of thousands of \ndollars living up to these requirements and trying to achieve \nthem. And meanwhile, they don't necessarily even know what \nlevel they are at, and they are very concerned, even their \nmidlevel suppliers of those who are supplying them, being able \nto maintain those costs. Everything that you are discussing \nsharing here.\n    So Mr. Dunbar, I will just ask you this: Level one, we are \ntalking about level one here, what is--do we have the \nDepartment of Defense's feedback on if level one is \nsatisfactory, and for how long it will be because I know they \nare trying to roll into this with a--in a managed way over the \nnext several years, right?\n    So what do they say about you and suppliers that you know \nabout maintaining level one at this point?\n    Mr. DUNBAR. Well, I think you reached part of the problem, \nis we are not really hearing a lot. 
We have got some estimated \ndollars and some numbers out there tossed around to level one, \nand yet how long is it supposed to last, any of the real detail \non it? We don't get a lot of that. As you mentioned, the \ntechnology, is that going to keep up, or are we going to keep \nchasing technology as we go along, and, therefore, chasing more \nregulations and more rules that we have to get reassessed for \nalong the way which are just going to continue to increase \ncosts?\n    Mr. MEUSER. Speaking of cost, what is the cost difference, \nwould you estimate, from level one, which many are saying here \nthey believe would secure your systems and your companies \nversus say level three? Can you put a number on that?\n    Mr. DUNBAR. Easily ten- to twenty-fold.\n    Mr. MEUSER. Wow. Okay. And how much more secure would it be \nfrom level one to level three?\n    Mr. DUNBAR. I don't really know specifically from a level \none to level three how much more secure it would be. I know \nfrom where I am currently, and what I am paying for the setup I \nhave, which is a pretty secure setup, according to--the person \nwho handles my security is actually a past director at DCISC \nfor the Department of Defense, so he is the one who set mine \nup, and he is the one who said that we have 77 of the 120 \ncontrols and have 90 to 95 percent of the issues.\n    So he believes for very small companies that you could be \nlooking at, you know, 5 to 10,000 a year maybe for your costs \ninstead of, you know, having to reach up to this level and that \nsame company could be at hundred-plus thousand dollars a year.\n    Mr. MEUSER. Well, I think we can conclude that these \nmeasures are overly harsh and we do need to create a forum to \nhave this discussion with DOD so we can work this out.\n    I yield back, Mr. Chairman.\n    Chairman PHILLIPS. The gentleman yields back.\n    And that completes our first round of questioning. 
So, \ntherefore, I will recognize myself for another 5 minutes.\n    Mr. Singer, while companies like yours in the pipeline \nbecome accredited C3PAOs, there is a long ways to go until we \nhave a substantial amount of them. So how likely is full \nimplementation of CMMC by 2026, if there is a lack of \nassessors?\n    Mr. Singer?\n    Mr. SINGER. I forgot to unmute.\n    Thanks for the question, sir.\n    I think it is very difficult to get there with the current \nprogress we are making. We have a hundred provisional assessors \nat this time, and we have two C3PAOs already through the \nprocess from doing a DOD assessment. And, by the way, the \nthird-party assessors are going through that level three \nassessment, so we have to meet the 130 different practices.\n    So I think it is very difficult. The timeline is very \nstretched. As I had said in my testimony, I think we need more \nthan 8,000 assessment team members to even make this happen, \nand that would be starting from today. So the math just doesn't \nwork. I believe that there does need to be some flexibility in \nhow we are rolling this out to the third-party assessors, and \nwe need to have some--you know, if we are going to try and meet \nthat deadline, there needs to be quite a bit more flexibility \nby the DOD in trying to ramp this up and move this out.\n    I also feel pretty strongly that not everybody, as we have \ntalked about before, needs to be at level three. 
If you are a \npart component maker, a small business, and you are doing, you \nknow, special processes like coatings, painting, and somebody--\na prime flows down a drawing to you and tells you, Put the \nlabel plate here on this, you know, equipment, all of a sudden \nyou have now had to hit level three.\n    So there is some work here that needs to be done on \nunderstanding the risk truly to the supply chain, and maybe a \nsingle part maker of a bracket doesn't need to be level three, \nbut somebody that is making sub assemblies and more complex \nparts does need to be.\n    So that would be my answer.\n    Chairman PHILLIPS. Thank you, sir.\n    And, Mr. Williams, while CMMC is a DOD initiative, we are \nbeginning to see it in other solicitations, particularly for \ngovernment-wide contracts like GSA's 8(a) STARS III contract. \nSo how concerned should small businesses be of the CMMC \nInitiative being adopted by civilian agencies and becoming a de \nfacto baseline for doing business with the Federal Government?\n    Mr. WILLIAMS. Yes, I think that is certainly a possibility. \nYou know, the rollout with CMMC at DOD has experienced \nchallenges, as we have been covering in today's hearing, and I \nthink it remains to be seen if they will hit the target of 2026 \nas Mr. Singer just said. I would view what is happening at DOD \nas a trial balloon. And if it went well at DOD, which certainly \nis an open question at this point, I wouldn't be surprised at \nall if it is expanded beyond DOD to all of government.\n    Chairman PHILLIPS. All right. Thank you, sir.\n    And with that, I will now yield to Ms. Van Duyne for 5 \nminutes.\n    Ms. VAN DUYNE. Thank you very much.\n    Mr. Singer, I appreciate your testimony here today. I just \nhave a couple of questions.\n    What is the penalty or the outcome for a small business \nthat can't comply with the requirements?\n    Mr. SINGER. 
Today, the penalty is that you are out of doing
business with the DOD, period.
    Ms. VAN DUYNE. Okay. I mean, that is--I am seeing Mr.
Dunbar shake his head as well.
    So I am going to ask actually the whole panel, can you
point to one or two concrete things that we can do to make
understanding these flow-down requirements easier for small
business? Mr. Hagedorn had a great point, well, yes, we could
just define reasonable and move forward from there. Can we be a
little bit more specific on what you would need?
    And, Mr. Singer, we will go ahead and start with you.
    Mr. SINGER. Sure. Thanks for the question.
    I think it is really--I think the primes really need to
step up and play a bigger role here. They have the resources
and the teams, and they have done a lot of the background work
on understanding what is required. And instead of just sending
out a rep and certs or a letter to a small business saying you
need to post a score in the supplier performance risk system, I
think there needs to be more support and help for them and more
of a guiding kind of process program that they implement for
their whole supply chain to help them get compliant.
    Ms. VAN DUYNE. Ms. Wilson, do you have anything to add?
    Ms. WILSON. Yes, ma'am.
    To ensure that everyone is on the same page and have the
same information. What we have right now is pockets of
information going to various individuals, like I just heard
from Mr. Dunbar, said most of the information is being flowed
through LinkedIn. Some companies have LinkedIn and some
companies do not. There needs to be concerted effort of
communicating what the standards will be, what the costs will
be across all industry, and filter down to the small business,
and maybe a regional approach to be able to help understand
that CMMC is here to stay, take away the fear, but communicate
clearly what it really means to have this certification.
    Ms. VAN DUYNE.
Awesome. Thank you.
    Mr. Williams?
    Mr. WILLIAMS. Thank you.
    Yes, I would like to make two points. First to address the
comment about flow down. The interim DFARS clause for CMMC
which was issued late last year directs prime contractors to
flow down the CMMC level that is appropriate for the
information that is being flowed down to the subcontractor.
That gives a lot of discretion to the prime contractor to
decide what is appropriate. I would like to see the final DFARS
clause for CMMC prohibit prime contractors from flowing down a
higher level than is absolutely necessary based on the
information that is being provided to the subcontractor.
    And the second point I would like to make about the
information that is being disseminated to the small business
community, my experience has been that there have been town
halls, as Mr. Dunbar mentioned, and I get the LinkedIn messages
as well. There are other ways that information is being pushed
out, but I think the problem--the challenge is that that
messaging is blunted by the fact that we still have no answers
for many of the critical questions.
    So rather than focusing on creating more forums for
disseminating information, I think we need to focus on
providing real hard information about how much this is going to
cost and when are small businesses going to need it, what level
are they going to need? Until we can answer those basic
questions, I think, you know, the forums are going to be
largely lost on the small business community.
    Ms. VAN DUYNE. Thank you very much, Mr. Williams.
    Mr. Dunbar, did you have anything to add?
    Mr. DUNBAR. Yes. One of the items with small business is a
lot of small businesses work from, I will say remote locations.
You may have an office where you have people working from home,
several people at various homes.
One of the big items that was
brought up recently by one of the board members for the CMMC
was that we will be subject to home inspections in order to
pass CMMC.
    So now you have people doing home inspections in your own
private homes. The risks beyond that on there are just, you
know, incalculable.
    Another item to me that really piqued my interest there was
our ability to protect ourselves during an assessment. Right
now, an answer on the Board FAQ site basically states that an
RP that helped us go ahead and put together our plan is not to
be there to defend our plan. So if we get--you know, fail it,
we are supposed to know this book again. We don't have an
expert to know it.
    Ms. VAN DUYNE. Excellent. Thank you very much.
    I yield back.
    Chairman PHILLIPS. The gentlelady yields back.
    And now I recognize the gentleman from Pennsylvania, Mr.
Evans, for 5 minutes.
    Mr. EVANS. Thank you, Mr. Chairman.
    Mr. Dunbar, what would you--what would be your
recommendations for those businesses that are just learning
about the Initiative? I would like to ask all of the panel that
question.
    I will start off with you, Mr. Dunbar.
    Mr. DUNBAR. I honestly don't know that I have an answer for
that, because trying to know find the information, it has not
been clear enough to everybody where to get it. If I am getting
it from LinkedIn, I mean, I first heard about it at an Army
Corps Small Business Conference in 2019. Otherwise, I may not
even know about it today.
    Mr. EVANS. Does any other panel--any comments or thoughts
on that, any of the other panelists?
    Mr. SINGER. Sure, sir, I would like to make a comment.
    You know, I think one of the important things is for
companies to find reputable businesses to help support them
through this process, and, unfortunately, I think there is too
much variation in the help that they are getting, as Ms.
Wilson
spoke of earlier also.
    I think also that, especially now, I think a lot of the
level three companies are aware of this coming down, especially
small manufacturers that are, you know, just now starting to
really understand this because the letters are coming out from
the primes.
    But I think a big gap is the people that are going to have
to meet level one and they don't know it right now, and I think
that should be a much more proactive reach-out to those folks.
I mean, the DOD knows who they are contracting with in these
areas, and I think they should take a more active role.
    Mr. WILLIAMS. Yes, Representative Evans, if I could just
back up Mr. Singer's comments there, our primary recommendation
to our small business clients is to get level one ready. The
level one requirements really are basic things, like antivirus
software and spam filters that we think all companies should be
doing, regardless of whether you work with the Federal
Government. In this day and age, you should be doing at least
those basic requirements, and they are already in the FAR. The
FAR requires these basic safeguards. That has been the
requirement for a long time.
    So, this really, frankly, shouldn't be surprising, but I
totally recognize that it is, because small businesses have so
much to focus on. But these requirements are not new, and they
are, generally speaking, not difficult to obtain for small
businesses. So, we would like everyone to really focus on at
least getting level one ready, because these are things you
should be doing as a business.
    Ms. WILSON. And I would echo everyone's comment that has
been made on the panel.
I do make a concerted effort to share
with small business owners to mention CMMC, and I mention it in
the context of the necessary need for them to actually have it,
but understand what it means and the implications, because
right now, we just have black and white implications of saying
if you don't have it, and your contract comes up for renewal,
then you run the risk of losing your contract.
    And, so, putting that fear in them early on, maybe prompt
them to move forward. But also I think from our perspective at
T47, we have already proactively tried to secure something
similar, certification. It may not be directly related, but to
at least get us ready so that way when it comes down for us to
have an audit, we are in a position to actually, pass the
audit.
    So it is a challenge, and right now, because we don't have
cohesiveness of information, it makes it a little more
difficult for small businesses that just now are recognizing
that they need it, or they know they need it but don't know how
to secure it.
    Mr. EVANS. I yield back, Mr. Chairman.
    Chairman PHILLIPS. The gentleman yields back.
    And now I recognize the gentleman from Wisconsin, Mr.
Fitzgerald, for 5 minutes.
    Mr. FITZGERALD. Thank you, Mr. Chair.
    I am going to start, Mr. Singer, as a fellow Wisconsinite,
I have quite a bit of experience in working with obviously
anywhere from major corporations down to, you know, one and two
person Ma & Pa shops. But my question, I was talking a little
bit to staff about this yesterday. We were kind of kicking
around the idea that there might be a different level of
security from State to State throughout the Nation, and I just
wanted to get maybe your perceptions on, is there much
interaction with the State of Wisconsin from your perspective?
And if there are, what are the influences there?
Because I
think it would be valuable for Members of Congress to know kind
of what is going on at the State level.
    Mr. SINGER. Thank you, sir.
    As a fellow Wisconsinite, it has been kind of fun starting
a business in Wisconsin, and Minnesota too. But as far as--I
haven't had a lot of interaction with the State government. I
counseled them a little bit on CMMC. It has been new to them,
in helping them to try and understand the issues around this
for small business.
    One of the organizations that we work very closely with are
the MEPs, the Manufacturing Extension Partnership programs.
Every State has one. There is--and Puerto Rico has one. We have
been working very closely with them to try and help get the
small manufacturers in Wisconsin and Minnesota through the
assessment so that they can accept awards from the primes.
    So I think that is really actually a good avenue to help
small businesses is through the MEPs, especially the
manufacturers. But I don't know that, you know, the States yet
have really kind of figured out any good mechanisms to help
fund or support the small businesses as of yet.
    Mr. FITZGERALD. Very good. Thank you.
    As anybody could probably answer this question, let me just
direct it to Mr. Dunbar, though. And I apologize if some
version of this was asked earlier. But cybersecurity,
obviously, you can be a consultant, quote/unquote
``consultant,'' and I am wondering if you are seeing, because
we are starting to hear that there are many different versions
of this, and obviously many different levels of professionalism
and knowledge.
    And I am just wondering if you could comment kind of, you
know what is your take, kind of what is going on out there on
the street?
    Mr. DUNBAR. Thank you, sir.
    Yes, you are 100 percent correct. There is a large fear in
the small business community that the ``consultants,'' in
quotations, are not all equal.
I get inundated with emails
daily from companies trying to convince me that I am not ready,
I need to be--I am losing my contracts. I mean, blatant lies in
your inbox constantly from companies. I call it the fear
marketing.
    I have also seen things from--as one of the other members
of the committee had mentioned earlier, you know, companies
that--there are fraudulent companies out there, just that have
no business. There was one, I think, the College of India was
creating, We can get you CMMC certified.
    Mr. FITZGERALD. Right.
    Mr. DUNBAR. Like, okay, great. How is the College of India
getting me CMMC certified? And that is a fear. We don't know
where to go. We have been told, Oh, well, the only great place,
the only authorized place is the CMMC-AB, if they are on their
marketplace, that is the only place to get, that is legal, to
get your consulting from. That is a whole separate issue, I
believe.
    Mr. FITZGERALD. Yes. And, you know, to dovetail on that, so
compliance, too, because it is kind of wide open as to what the
cost could be associated with that. You know, you hear figures
thrown around, like, Well, it costs a company $10,000 to
comply, or it costs them $1 million to comply. That is not
necessarily a good gauge, I don't think, on, kind of, you know,
whether or not somebody is a legitimate consultant. But it
sounds like that is kind of the range that is out there when a
lot of these small businesses are considering how to become not
only compliant, but protect ourselves, so----
    Mr. DUNBAR. And I think you raise a good point because
there is also a lot of companies out there trying to sell one-
stop shopping, like, Oh, we have this program. You buy this
program, you are CMMC-compliant.
    Mr. FITZGERALD. Right.
    Mr. DUNBAR. And that is not going to happen.
    Mr. FITZGERALD. Yes. Very good. Thank you very much.
    I yield back.
    Chairman PHILLIPS.
The gentleman yields back, and that
completes our questioning.
    So I will move to my closing statement. And I want to thank
all of our witnesses for a very compelling testimony today and
for illuminating the very issues that small contracting firms
are experiencing as they try to bolster their cybersecurity.
    Recent high-profile attacks have made it very clear that
the threat of malicious cyber actors is growing, and that is
why we must ensure that companies in the DIB are prepared for
all cyber threats that might come their way. But it is equally
vital, equally vital that we do not deprive businesses like
yours of critical opportunities in that process.
    We have got to work as a committee to increase
cybersecurity preparedness across the DIB in a way that is not
cost prohibitive to small firms. By achieving this, the small
businesses will still have ample access to a lucrative
marketplace while also protecting themselves against 21st
century threats.
    I would ask unanimous consent that members have 5
legislative days to submit statements and supporting materials
for the record.
    Without objection, so ordered.
    And if there is no further business to come before the
committee, we are now adjourned.
    Thank you.
    [Whereupon, at 11:17 a.m., the subcommittee was adjourned.]

                            A P P E N D I X

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
</pre></body></html>