Bussiness
Army announces effort to help small business meet cybersecurity requirements
WASHINGTON — The Defense Department is actively working on plans to build cybersecurity requirements for the defense industrial base into defense contracts as part of its Cybersecurity Maturity Model Certification program, or CMMC. The first contracts with those requirements built in are expected sometime in 2025.
But for small businesses who might not have the resources to meet stringent cybersecurity requirements on their own, the Army is planning to launch a pilot program called the Next-Generation Commercial Operations in Defended Enclaves, or NCODE, said Undersecretary of the Army Gabe Camarillo, during a discussion Tuesday at the 2024 Association of the United States Army Annual Meeting and Exposition in Washington.
“This essentially provides a cyber-secure enclave in a secure environment for small businesses to participate in where they can collaborate, share information, [and] most importantly, do their own work that they need to that would otherwise present a threat vector for actors that we know are very active in the cybersecurity space,” Camarillo said. “What’s great about it is [that] it is compliant with CMMC, so all of the department’s requirements would be met by operating in this environment.”
Camarillo said many of the small businesses the Army worked with last year were at least partially at risk to cybersecurity threat vectors.
“Depending on how they’re capitalized and how many resources they have, their ability to overcome [those risks], despite our efforts across the department, can be very, very challenging,” he said. “So, we knew we had to do something.”
The Army is setting aside about $26 million in both fiscal year 2025 and fiscal year 2026 for the pilot NCODE program, Camarillo said.
“[It] will be an initial foray in creating kind of a secure classified enclave where there will be collaboration tools, there’ll be a workspace where these companies can kind of do what they need to do, and also kind of begin to do some software development efforts for those that are in that type of business,” he said.
How small businesses can apply to participate in NCODE and how many will be able to participate are details still being worked out within the office of the Assistant Secretary of the Army for Acquisition, Logistics and Technology, Camarillo said.
“I think we will learn a lot in terms of its utilization and how effective it is with the initial kind of tranche of small businesses that we bring into it,” he said. “And I think the goal is to learn from that and continue to evolve the program to make it even better.”
DOD Programs
Helping small businesses find success in working with the Defense Department is one of the roles of the DOD Office of Small Business Programs, and the department has had success in that effort, said program director Farooq Mitha.
One example of that is the DOD’s APEX Accelerator program, which aims to teach small businesses what’s needed for them to do business with the government.
“Our APEX Accelerator Program, which used to be with [Defense Logistics Agency,] and we took it over about two years ago now, [includes] our 97 centers across the country that help companies learn how to do business with DOD,” Mitha said.
APEX Accelerators, Mitha said, are now focused on helping small businesses comply with things like CMMC and also helping them find more information on the programs and opportunities that exist within the DOD.
The DOD’s Mentor-Protege Program has been strengthened in recent years, Mitha said. The program is the oldest continuously operating federal mentor-protege program in existence. Under the program, small businesses are partnered with other companies to help them learn to expand their footprint within the defense industrial base.
On the Mentor-Protege Program, he said, DOD has worked to get funding for the program back into the president’s budget and has also worked with Congress in fiscal year 2023 to make the program permanent. There are also changes to the program to improve its performance, he said. For instance, the revenue requirement for companies who want to serve as mentors changed from $100 million to $25 million.
“We believe strongly that sometimes, or often, small and medium-sized businesses can mentor small businesses better than a large company,” he said.
While firms who serve as mentors within the Mentor-Protege Program were already eligible to receive cost reimbursement for their role, a new pilot program, Mitha said, provides up to 25% reimbursement to protege firms for engineering, software development or manufacturing customization.
Mitha also said as part of the Mentor-Protege Program, the timeline for developing partnership contracts has been sped up.
“Contracting timelines used to take 12 to 18 months,” he said. “We’ve now set up a new centralized contracting mechanism where we are now awarding better mentor/protege agreements in 60 days or less.”