“FEDERAL NEWS NETWORK” By Justin Doubleday
“The legislation is aimed at addressing longstanding concerns that CMMC compliance costs will force smaller companies to exit the defense business.”
_______________________________________________________________________________
“The draft bill, the “Small Business Cybersecurity Act of 2024,” would allow companies with 50 or less employees to claim a tax credit of up to $50,000 for CMMC costs. Rep. Scott Fitzgerald (R-Wis.) is the sponsor on the legislation.
The credit would help cover the costs of getting a CMMC assessment, as well as for resolving any cybersecurity gaps stemming from those assessments as part of so-called “Plans of Actions and Milestones.”
The bill is unlikely to make its way into the fiscal 2025 defense authorization bill, which lawmakers are working to finalize before the end of this year.
But a person familiar with the bill said the CMMC tax credit could feature in discussions around a tax cut extension Republicans are expected to take up next year. The Ways and Means Committee has jurisdiction over tax policy in the House.
The source cautioned, however, that the outlook for the CMMC credit in the tax bill is uncertain, as DoD has yet to begin implementing the certification program.
“It’s still not without some question marks regarding the implementation and the roll out of CMMC,” the person said. “Because the rule is still in its infancy, folks on both sides of the aisle are still trying to figure out what the true impact will be on small businesses.”
CMMC small business concerns
CMMC is years in the making, but DoD plans to start including requirements in contracts next year. The program aims to verify defense contractor compliance with existing cybersecurity requirements.
Concerns about the costs of complying with CMMC, especially for smaller businesses, have dogged the program for years. Those concerns nearly derailed the program before the Pentagon overhauled CMMC to simplify and streamline many of the requirements.
Still, small business advocates have continued to warn that CMMC could be costly for many companies. Those concerns come as the number of small businesses in the defense industrial base has declined by 40% over the past decade.
Stacy Bostjanick, DoD’s chief of defense industrial base cybersecurity and deputy chief information officer for cybersecurity, said DoD backs the idea for a tax incentive. She cast it as one of several options DoD is looking at to help smaller companies meet the costs of CMMC.
“There’s a tax incentive that’s going through the Congress now – well, we’re hoping it goes through – and we’re supportive of that,” Bostjanick said during Federal News Network’s Risk and Compliance Exchange on Monday. “We’re trying to find any means possible to help alleviate some of the pain and struggle for our small businesses.”
In its final CMMC program rule issued in October, DoD estimates it will cost a small business approximately $101,000 to support a level two CMMC certification. That includes planning, preparing for and conducting the certification assessment, including paying the outside third-party CMMC assessment organization (C3PAO).
The person familiar with tthe ax credit bill said the $50,000 number is based on the idea that the government could help address a portion, but not all, of the certification costs.
“There still needs to be buy-in from the small business,” the source said.
The draft bill’s focus on companies with less than 50 employees — referred to by some as “very small businesses” — is intended to balance the cost concerns of especially small businesses without extending an overly broad tax credit.
Bob Metzger, head of the Washington office for law firm Rogers Joseph O’Donnell, has helped DoD and staff on Capitol Hill develop the CMMC tax incentive bill.
“The way in which the bill was framed reflects decisions intended to give help to the smallest of companies who would most likely need help the most given their size,” Metzger told Federal News Network. “It’s also taken into account the importance of respecting the fiscal limits on how much revenue Congress might be willing to forgo.”
Companies with less than 50 employees are numerous in the defense industry, especially among those further down the supply chain. In 2020, National Defense Magazine surveyed 450 small businesses and found 70% have fewer than 50 employees and 55% had less than $5 million in annual revenue.”
ABOUT THE AUTHOR:
Justin Doubleday covers cybersecurity, homeland security and the intelligence community for Federal News Network. Follow @jdoubledayWFEDSign up for breaking news.
Comments