Members warn CMMC costs may squeeze small defense contractors; DOD review underway

Several members told the subcommittee that the Cybersecurity Maturity Model Certification (CMMC) implementation is imposing high costs on small contractors and may discourage participation in the defense industrial base.

Representative Crank recounted meeting a small business owner who, he said, is being told by the department to meet CMMC level‑2 high requirements despite the contract appearing to call for level‑1 self‑attestation; the member said that one employee’s compliance requirement could cost "over a $100,000" for that contractor. (Representative Crank.)

Davies said she has ordered and is conducting a review of the CMMC ecosystem and that her lens is to reduce regulatory burden and open access for new entrants. "The review is still underway, but I'm happy to share with you some early observations," she said, adding that the department is looking at oversight of third‑party assessors and streamlining where possible.

Members also asked whether grants or low‑interest loans should be used to help small suppliers upgrade systems. Davies said DOD already offers capabilities through NSA/DC3 and other programs and that a combination of support, guidance and partnerships is likely to be necessary.

The exchange closed with Davies committing continued oversight and streamlining work but offering no immediate new grant program in open session.