When Did Small Businesses Become the Enemy of Cybersecurity?
When did growth become evil in America?
When did we start believing the Government can handle complex and quickly shifting problem spaces with an agility the private sector cannot match? When did we start rooting against cottage industries?
When did the entrepreneur become the enemy?
According to critics of the Cybersecurity Maturity Model Certification program, small businesses became a threat when the Defense Department tried to set up a system to upskill small manufacturers through third-party assessments.
CMMC 2.0 and Fear of Cottage Industries
I lament the number of people who have cheered the Department of Defense shutting down what may have led to the largest cybersecurity training in our Nation’s history (still pales in comparison to the investment China makes in their workforce).
You read blog post after blog post cheering the “shuttering of the CMMC cottage industry,” or snickering at C3PAOs who expected a market of between 100-300,000 companies and instead watched hundreds of thousands of dollars in investment shrivel on the vine of time we call federal rulemaking.
We, as a nation, through the efforts to scale CMMC could have addressed critical pipeline issues in IT, cybersecurity, machine learning, and artificial intelligence.
Little ole me, nothing but a former middle school teacher with a blog, could even use CMMC 1.0 to build a massive network. I have four universities, Southern Connecticut State University, Capitol Technology University, Emory University, and Metropolitan State University of Denver, delivering LTP curriculum. My university, SCSU, has even proposed a 171/CMMC pathway into our Cybersecurity Master’s program, which is working its way through Shared Governance.
The support DoD decided to give in creating a CMMC vertical for 171 assessments would have also helped us address diversity, equity, and inclusion. Many of the schools involved offered free CMMC class tuition to their students. At my school, and many in the network, People of Color make up most of the student body. The opposite is true in the cyber industry.
We were even working with high schools and states, specifically CT and SC, on a 2x2x2 apprenticeship program. Students would earn IT and networking certs starting their junior year of high school, do internships, and graduate with a CCP. They would then enroll for two years in a community college, get paid internships while earning other certs and a CCA1, then transfer to a four-year institution for two years to get a degree in cyber, have more paid apprenticeships, and leave with a CCA3.
Community groups about CMMC sprouted up across the country. I helped to found the CT CMMC Coalition, soon the Northeast CMMC Coalition, which we will incorporate as a member-owned co-op. We have released hundreds of openly licensed pages of content that LPPs use for free in their training. The CMMC Info Institute provides another great example of a non-profit in this space. Their webinars have taught hundreds.
All of this can go away if the naysayers win. CMMC 2.0 rolled the clock back to 2017 and drastically reduced the need for third-party assessors. It feels like we decided to fit the mission to the weapons we have rather than get our hands dirty and build the weapons the mission needs.
Cottage industries do not represent a threat to National Security. They provide a Mannerheim Line against a modern battle space. I fear with CMMC 2.0 the DoD has decided to comfortably wait things out behind the Maginot line of self-assessment.
DoD Should Support Cyber Businesses
I hear from the cottage industry critics that supporting small businesses detracts from DoD’s mission and that they don’t do economic development. Then why does Farooq Mitha direct the Defense Department’s Office of Small Business Programs? Why do we have Procurement Technical Assistance Centers? Why does every branch of the military give out billions annually in small business grants through SBIR/STTR?
CMMC 1.0, in two years, accomplished more growth in the GovCon cyber sector than all past efforts combined. The Defense Department did this while spending next to nothing and issuing a no-cost contract to the CMMC-AB.
Growth in the sector will take more than Project Spectrum, and small business efforts in the Defense Department need to transition from just supporting kinetic efforts and start investing in our cyber workforce.
Headcount Issues Threaten Our Nation
You think finding headcount is difficult now? Just wait until the Portman/Peters FISMA reauthorization passes and every federal department must conduct ongoing pen testing. Trust me, I help fill the seats, and cleared pentesters do not grow on trees. Have you counted the amount of funding CISA will get from the infrastructure bill and the pending cyber bill? Hundreds of billions. Where will we find the people?
CMMC 1.0 could have provided the pipeline if the market could have gotten established.
Instead, folks found it more American to cheer against small businesses. They jeered at the Department of Defense’s desire to support small assessment companies in a nascent cottage industry. Critics demanded we roll back the clocks to 2017 and erase CMMC 1.0. Naysayers want the government, and not private industry, to help secure and assess cyber and IT in our manufacturing base.
I disagree, and to all those who dream of starting a cottage industry, I salute you.
Image credit: “Engineering Shed” by Tim Sheerman-Chase, flickr.com/photos/ti…, is licensed under CC BY.