John Mitchell, president and CEO of IPC, a global electronics manufacturing association, released the following statement in advance of the U.S. House Small Business Subcommittee on Oversight, Investigations, and Regulations hearing on the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC):
“Cybersecurity is a must for U.S. national security, but the CMMC is an insurmountable hurdle for many small and medium-sized electronics manufacturers that do business with the Department of Defense. A recent IPC survey found CMMC may weaken the U.S. defense electronics industrial base even as it seeks to bolster the security of those that remain in it. The high costs and compliance burdens will push many companies out of the defense market unless DoD takes steps to support the industry’s assessment and compliance. Even more worrisome, the risk to industrial base resiliency may be greater than currently realized as most companies are not fully aware of the heavy costs associated with CMMC compliance.
“IPC thanks Chairman Dean Phillips and Ranking Member Beth Van Duyne for carefully evaluating the impacts of CMMC on the small business community. We urge the DoD to continue its ongoing efforts to provide the DoD supply chain greater clarity, support, and opportunity to leverage existing standards to help reduce the costs and burdens of CMMC compliance.”
On June 8, IPC released an industry survey and report, which found that one-quarter (24 percent) of electronic manufacturers say the costs and burdens of compliance with CMMC may force them out of the DoD supply chain. The survey also found that 33 percent of respondents said the CMMC would weaken the U.S. defense electronics industrial base, while 18 percent were unsure, highlighting the uncertainties involved. And 41 percent believe applying the CMMC clause to their suppliers will create other problems in the supply chain.
Most suppliers expect and are willing to spend upwards of $50,000 on CMMC readiness, and nearly one-third (32 percent) report that it will take them one to two years to prepare to undergo CMMC assessment. However, more than half of the suppliers say implementation costs of more than $100,000 would make CMMC readiness too expensive. DoD’s own cost analysis estimated the cost of a CMMC Maturity Level 3 (ML3) certification to be more than $118,000 in the first year. This means DoD’s own estimate of CMMC compliance costs is too high for 77 percent of the IPC survey respondents.