
Concerned About CMMC Costs? Contact Your Reps!

One of the most common concerns regarding the Cybersecurity Maturity Model Certification (CMMC) program is the cost of implementation. Per the recently proposed FAR CUI Rule, the initial cost of compliance with NIST Special Publication 800-171r2 exceeds $175,000 for small businesses, coupled with an annual estimated cost of maintenance of over $100,000. This creates a substantial burden on their budgets. Fortunately, Congress has begun considering CMMC cost alleviation measures for small businesses.

Mona-Lisa Saperstein politely requesting an investment in her entrepreneurial pursuits

CMMC Cost Alleviation Opportunity for Small Businesses

There has been discussion in Congress on how to reduce the cost burden on small businesses as they invest in protecting America’s national security interests. Representative Scott Fitzgerald of Wisconsin drafted the Small Business Cybersecurity Act of 2024, which would provide a $50,000 tax credit for small business expenditures related to the CMMC program. While this draft bill has not been brought to the House floor, stakeholders within the Defense Industrial Base (DIB) have the opportunity to call on their representatives to support their constituents by backing this proposed investment in small businesses.

How Small Businesses Can Take Action

With budget negotiations imminent in the first quarter of 2025, small business owners and stakeholders should consider encouraging their elected officials to support this proposed legislation. While there is no guarantee the legislation will be adopted, showing support for this investment in enhancing small businesses’ cybersecurity posture is a material action individuals can take to let their representatives know it is a priority for their constituents.

If you don’t already have your representative’s information handy, head to Congress.gov and use the Find Your Member tool to learn how to contact them. Feel free to use the template below to draft your communication and encourage your elected officials to support small businesses in the DIB!

In the Meantime

Even if the Small Business Cybersecurity Act is adopted in the 2025 federal budget, the rebate will not be distributed until organizations file their 2025 tax returns next year (at the earliest). In the meantime, businesses need to take steps towards CMMC compliance to remain eligible for DoD contracts.

Triumvirate Cybersecurity is a CyberAB Registered Practitioner Organization (RPO) which specializes in addressing the unique challenges faced by small and mid-sized businesses as they develop and implement their information security and compliance programs. Check out our services page to see how we can help your organization prepare without breaking the bank!




[Senator/Representative LastName],


In light of the need for businesses to enhance their cybersecurity posture, particularly in relation to the provision of products and services to the U.S. Armed Forces through Department of Defense contracts, I am writing on behalf of the many small businesses in your district which provide products and services in support of U.S. national security interests.


With the imminent requirements facing Department of Defense contractors under the Cybersecurity Maturity Model Certification (CMMC) program per 32 CFR 170 and draft 48 CFR 204.75, which is designed to secure America's national security interests through enhanced cybersecurity standards for the DoD's commercial partners handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), an area of great concern for small businesses is the cost of implementation to comply with these requirements.


Per the public draft of the FAR CUI Rule (FAR Case 2017-016, document number 2024-30437), the cost of achieving compliance with NIST Special Publication 800-171r2 for small businesses is estimated at over $175,000 for initial implementation plus another $100,000 per year for maintenance. For small businesses in your district, these costs present a substantial burden for continuing to provide products and services in support of U.S. national security interests.


As such, I request that you please consider supporting the Small Business Cybersecurity Act of 2024 originally drafted by Representative Fitzgerald of Wisconsin. This proposed legislation would reduce the cost burden of implementing adequate cybersecurity practices to protect Department of Defense information for small businesses by providing a tax credit to offset the cost of cybersecurity expenditures.


Furthermore, please consider the future impact of the proposed FAR CUI Rule on small businesses providing products and services to the U.S. Federal Government via agencies other than the Department of Defense. Further action on your part in support of small businesses in your district would be much appreciated as the cybersecurity requirements associated with NIST SP 800-171r2 extend to all federal contractors upon finalization of the FAR CUI Rule.


Thank you for your consideration,


[Salutation]


31 S. Main Street, Suite 390, Dayton, OH 45402

(937) 203-8443    CAGE: 9ZW92

© Triumvirate Cybersecurity 2025
