Compliance Management

Hawaii looks to fill DoD cyber standards gap

A growing number of small and medium-sized businesses are finding it difficult to meet the Department of Defense's new cybersecurity requirements for contractors, the Cybersecurity Maturity Model Certification (CMMC). But a partnership of non-profit groups hopes to bring SMBs in Hawaii up to snuff, and if that succeeds, export the program nationwide.

Smaller companies make up a critical component of a very complex defense industrial supply chain. Lack of CMMC certification will not only affect their bottom lines, but all the companies they supply and, ultimately, the end purchaser of the goods: the military itself.

Yet a BlueVoyant study of small businesses found that nearly three in ten small businesses would not be able to meet the requirements for even the lowest tier of the multi-tier CMMC.

"These companies' whole business operation is based on digital infrastructure, and now they're being told that there are all these threats, there's this thing called ransomware, and they're being attacked because they're part of supply chain," said Kiersten Todt, managing director of the SMB-focused security advocacy group the Cyber Readiness Institute. "It's almost like learning a new language."

CRI offers a number of web-based resources for companies looking to up their security, including its own certification program. But it found that companies it assists nationally still faced considerable difficulty in the face of the new CMMC standard. So CRI, in conjunction with the non-profit CyberHawaii, is launching a cohort-based support system for Hawaiian companies.

The resulting program, Cyber Ready Hawaii, is being funded by the State of Hawaii Department of Business Economic Development and Tourism through a Department of Defense grant.

It will match small groups ("squads") of companies looking to work together in figuring out CMMC requirements, give them the existing resources of CRI and a mentor from either the CyberHawaii or CRI stable of experts.

"My hope would be that this type of program could be a model and a template for other regions, other sectors to help small businesses get to a place where they can achieve the goals for something like CMMC," said Todt.

The program launched as a pilot with a limited number of companies in tow. It hopes to help 250 companies in total before July 2022.

For Hawaiian firms, CyberHawaii believes, this program comes just in time.

“Many of Hawaii’s small and medium-sized enterprises are extremely busy with their day-to-day operations," said Jill Tokuda, co-director of CyberHawaii, in a statement. "Unfortunately, they don’t have the time, resources, or internal expertise to focus on cybersecurity until they experience a breach. CyberHawaii believes that our local entities can be ready to both prevent and respond to cyber-attacks.”

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.