EXCLUSIVE — Small Business Administration Administrator Kelly Loeffler defended her decision to support the suspension of third-party cybersecurity assessment and audit requirements for small defense contractors, despite the cybersecurity risks posed by artificial intelligence.
In an interview with the Washington Examiner at K-Form, a small defense contractor in Sterling, Virginia, Loeffler said suspending Cybersecurity Maturity Model Certification phase II requirements to provide time for a 60-day review strikes the correct balance between protecting the firms and sensitive government information from cybersecurity risks in reducing compliance burdens as the country seeks to strengthen the national security supply chain, particularly during the Iran war.
Recommended Stories
Officials at the War Department, which leads the implementation of the CMMC self-assessment and certification programs, said that the deregulation could save the more than 38,000 small defense contractors with current contracts almost $6 billion annually, costs that officials stipulate have been driving some firms out of the supply chain at the cost of innovation.
Loeffler pointed out that the National Institute of Standards and Technology’s gold-standard cybersecurity guidelines remain in place, regardless of the suspension of CMMC phase II requirements before a November transition deadline, which means third-party assessors and auditors are no longer mandatory.
“The Level 1 and Level 2 CMMC standards still apply,” she said of the accompanying self-assessment program. “The piece that’s changing is the certification piece, which ended up costing a multiple of what the original cost estimate was and didn’t achieve the original aims.”
Loeffler hopes contractors can achieve “continuous compliance” with cybersecurity risk assessments.
“How do we get there?” she asked. “That’s what the 60-day working group is going to talk through.”
Loeffler said the task force is considering how to “modernize compliance” to stay ahead of threats and determining “the ongoing scalable standard that doesn’t cost a small business half a million dollars to comply” against a background of the NIST and Defense Federal Acquisition Regulation Supplement guidelines.
Loeffler argued that “one of the best kept secrets in the country” is that “98% of America’s manufacturers are small businesses.”
“The supply chain is robust, but it also has many vulnerabilities when you look at the regulatory complexity of burdensome compliance costs,” she said. “Walking this floor, factory floor, with a third-generation business owner is a story that I see repeated time and again, and it underscores the importance of our nation being a nation of builders again, and it underscores the importance of the Trump administration’s policies that President Trump has made very clearly: deregulation, tax cuts, fair trade, and energy dominance.”
MAMDANI OFFERS SOCIALIST CHALLENGE TO TRUMP’S VISION OF AMERICA WITH JULY FOURTH SPEECH
During an earlier press conference at K-Form, representatives of which attended President Donald Trump‘s military industrial base event this week in Pennsylvania, Loeffler made the same case alongside Kirsten Davies, the War Department’s chief information officer, and Michael Cadenazzi, the assistant war secretary for industrial base policy.
“In plain terms, this suspension does not eliminate day-to-day contractual and regulatory obligations to safeguard federal information,” Davies said. “If you handle federal data, you are still required to protect it, and you must make sure your subcontractors do as well. This action also does not change the department’s ability to step in and double-check your security setups, as well as the accuracy of your self-assessments.”
