The U.S. Army is building a secure cloud environment that small businesses can use to meet increasingly stringent military cybersecurity requirements and better compete for Defense Department (DoD) contracts.

The military branch is planning to launch a pilot program called the Next-Generation Commercial Operations in Defended Enclaves (N-CODE) that will create a cloud environment that includes all the security controls needed to meet Army requirements for processing, storing, and communicating sensitive data.

Access to N-CODE, which will include commercial cloud technology and enhanced security features, will be available to smaller businesses through low- to no-cost participation options.

“This essentially provides a cyber-secure enclave in a secure environment for small businesses to participate in where they can collaborate, share information, [and] most importantly, do their own work that they need to that would otherwise present a threat vector for actors that we know are very active in the cybersecurity space,” Undersecretary of the Army Gabe Camarillo said at the 2024 Association of the United States Army Annual Meeting and Exposition in Washington DC this week, according to the DoD. “What’s great about it is [that] it is compliant with CMMC, so all of the department’s requirements would be met by operating in this environment.”

CMMC is the department’s Cybersecurity Maturity Model Certification program, which is used to ensure that private sector companies that do business with the DoD can comply with cybersecurity requirements for the defense industrial base (DIB) outlined in the Federal Acquisition Regulation and set forth by the National Institute of Standards and Technology (NIST).

Streamlining the Process

The DoD has been working to simplify the CMMC rule to make is easier for private sector companies of all sizes to comply with cybersecurity requirements that need to be met before they can bid on defense contracts. Those contacts can add up to a lot of money. In its fiscal year 2022, the DoD doled out $415 billion in defense contracts to private companies.

The year before, the department awarded more than $154 billion in prime contracts to small businesses.

The DoD this week released for public inspection the final CMMC program rule. Among the changes was reducing the compliance assessment levels from five to three. The compliance levels include a self-assessment by the potential contractor of its ability to provide basic protection of federal data.

The highest level requires the company to show it can protect higher levels of controlled unclassified information, with certification being complete with the DoD’s Defense Industrial Base Cybersecurity Assessment Center making its own assessment.

The DoD had been developing the CMMC for more than five years but found that implementing the original plans were cumbersome, which concerned the DIB, particularly SMBs the lacked the resources of larger defense contractors, according to the department. That helped fuel the drive to streamline the CMMC to make it simpler and less expensive while still addressing national security.

N-CODE in the Cloud

N-CODE was one of the results of that process. According to Camarillo, many of the small businesses the Army worked with last year were at least partially at risk to cybersecurity threats.

“Depending on how they’re capitalized and how many resources they have, their ability to overcome [those risks], despite our efforts across the department, can be very, very challenging,” he said. “We knew we had to do something.”

The Army plans to spend about $26 million in 2025 and 2026 on the N-CODE pilot program, with Camarillo saying that it “will be an initial foray in creating kind of a secure classified enclave where there will be collaboration tools, there’ll be a workspace where these companies can kind of do what they need to do, and also kind of begin to do some software development efforts for those that are in that type of business.”

Details about how SMBSs can apply to use N-CODE and how many will be allowed to participate in the pilot are stick being worked out by the office of the Assistant Secretary of the Army for Acquisition, Logistics and Technology.

SMBs are Part of the Solution

DoD officials have for years talked about the threats that state-sponsored cybercrimes groups from China, Russia, Iran, and other countries pose to the Defense Department and other U.S. government agencies. The private sector is a key part of the DoD’s cyber-defense strategy, with the DIB comprising more than 200,000 contractors and subcontractors, though a 2022 DoD report said it was contracting, a worrisome trend.

SMBs are a key part of the DIB and the DoD, through its Office of Small Business Programs, is trying to support them with such initiatives as its APEX Accelerator program, which teaches small businesses what they need to do business with the government. Through its Mentor-Protege Program, SMBs are hooked up with other companies to learn how grow in the DIB.