CMMC Level of Effort for Small Business [6/25/2025 10:00am]
The US Federal government recognizes the risk of theft of its sensitive information–such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)–from its supply chains’ information systems. Therefore, all Federal contractors have certain basic cybersecurity requirements they must implement in their own internal information technology (IT) systems that process Federal contract-related data. Additionally, contractors that process information related to Department of Defense contracts are beholden to DFARS clauses 252.204-7012/7019/7020, and the forthcoming 7021 CMMC clause, that require significant cybersecurity safeguards, and which are a challenge for any organization of any size to implement.
Mr. Adam Austin, Cybersecurity Lead at TotemTech, a small veteran-owned prime USAF contractor, will describe some of the challenges small businesses face when implementing these requirements and pursuing certification, with a focus on expected costs, timelines, level of effort, and where small businesses should start.