Chances are, you’ve been closely monitoring news about the coronavirus (COVID-19). In addition to concerns about how its spread will affect the health and livelihood of you and your loved ones, you may be wondering how it will impact the Department of Defense’s (DoD) long-planned rollout of the Cybersecurity Maturity Model Certification (CMMC).
While on the surface that question may seem trivial compared to matters of health, it is one you should be asking, and for very good reason. The effect that COVID-19 has on CMMC could directly impact the livelihood of every DoD contractor.
Because CMMC certification will be mandatory for every DoD contract starting in January 2021, and because audits are set to commence in July, the next few months will be critical.
Adding a layer of complexity to all of this is the sudden shift from on-premises to remote work that’s underway with most businesses. If you’re at one of those companies making the shift, how will it affect your ability to satisfy core CMMC requirements needed for certification?
Following a CMMC event in McLean, Va. on March 13, Katie Arrington, Chief Information Security Officer for DoD Acquisition, stated that it was unclear if the virus would impact scheduled CMMC assessor training, which was set to begin in mid-April.
“Everything was on schedule. I have no idea how this is going to impact things. I don’t know if it will, I don’t know if it won’t,” Arrington said, noting that in many cases training was supposed to be done online.
The use of virtual training could mitigate the impact COVID-19 has on the CMMC timeline. According to Arrington, the DoD wants to make every effort to maintain its schedule while still addressing possible health concerns. One possible solution is to expand the use of online training through webinars and live streams.
While Arrington didn’t address any other dates on the CMMC timeline, it’s clear that the DoD hopes to avoid any delays. While that could change as the situation unfolds, contractors should continue to plan as if they will need to be certified by January 2021.
Assuming that the CMMC timeline remains intact, or doesn’t significantly change, there’s still the matter of all those contractors that have shifted to remote environments. What impact will working from home have on their ability to satisfy CMMC or the current security and compliance requirements?
In truth, it could be a benefit. Should companies take this opportunity to fully embrace remote work environments through secure, government-approved platforms, they will also advance their CMMC efforts. Platforms such as Office 365, Microsoft Teams, and Cisco Webex account for many of the controls required for both NIST SP 800-171 and CMMC.
In many cases, these controls are ones your team would have to manually address in an on-premises IT infrastructure. That would increase the time and resources needed from your team, and increase the chances of human error. A cloud platform satisfies these compliance requirements automatically.
While working remotely will not benefit your CMMC aspirations on its own (accessing CUI through an unsecured laptop or connection won’t win you any points), the right cloud environment can. While that may require some guidance, it could ultimately prove to be a worthwhile move.
As with almost everything these days, how COVID-19 impacts CMMC bears watching. This is a fluid situation that will likely change as the weeks, and possibly months, go by. Even if the timeline remains largely the same, tweaks might be made to the certification process to account for our new reality. We’ll continue to post up-to-date information as we get it.
These are difficult and unpredictable times, but we have the ability and technology to solve most problems (except maybe the toilet paper shortage).
If you would like to learn more about Cybersecurity Maturity Model Certification, be sure to check out our guide. It includes everything you need to know about CMMC in order to get ahead and stay ahead of your competition.