TITLE VIII--ACQUISITION POLICY, ACQUISITION MANAGEMENT, AND RELATED MATTERS

Subtitle G—Small Business Matters

P. L. 117-81

Joint Explanatory Statement

SEC. 866. REPORT ON CYBERSECURITY MATURITY MODEL CERTIFICATION EFFECTS ON SMALL BUSINESS.

Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall submit to the congressional defense committees, the Committee on Small Business and Entrepreneurship of the Senate, and the Committee on Small Business of the House of Representatives a report on the effects of the Cybersecurity Maturity Model Certification framework of the Department of Defense on small business concerns (as defined under section 3 of the Small Business Act (15 U.S.C. 632)), including--

(1) the estimated costs of complying with each level of the framework based on verified representative samples of actual costs of compliance small business concerns and an explanation of how these costs will be recoverable by such small business concerns;

(2) the estimated change in the number of small business concerns that are part of the defense industrial base resulting from the implementation and use of the framework;

(3) explanations of how the Department of Defense will--

(A) mitigate negative effects to such small business concerns resulting from the implementation and use of the framework;

(B) ensure small business concerns are trained on the requirements for passing a third-party assessment, self-assessment, or Government-assessment, as applicable, for compliance with the relevant level of the framework; and

(C) work with small business concerns and nontraditional defense contractors (as defined under section 2302 of title 10, United States Code) to enable such concerns and contractors to bid on and win contracts with the Department without first having to risk funds on costly security certifications; and

(4) the plan of the Department for conducting oversight of third parties conducting assessments of compliance with the applicable protocols under the framework.

Report on Cybersecurity Maturity Model Certification effects on small business (sec. 866)

The House bill contained a provision (sec. 848) that would require the Secretary of Defense to, not later than 120 days after the date of the enactment of this Act, provide a report to certain congressional committees on the effects of implementation of the Cybersecurity Maturity Model Certification framework on small businesses.

The Senate amendment contained no similar provision.

The agreement includes the House provision with an amendment that would modify elements of the report. The amendment would also expand the reporting requirements to include information on training for small businesses on assessment compliance, efforts to work with non-traditional companies, and a plan for oversight of third-party assessors.


H. R. 4350--House Report 117-118


N/A