Get Support
Book Discovery Session

COVID-19 Raises Big Questions About the CMMC Timeline

Brian Seeling
March 19, 2020

Chances are, you’ve been closely monitoring news about the coronavirus (COVID-19). In addition to concerns about how its spread will affect the health and livelihood of you and your loved ones, you may be wondering how it will impact the Department of Defense’s (DoD) long-planned rollout of the Cybersecurity Maturity Model Certification (CMMC).

While on the surface that question may seem trivial compared to matters of health, it is one you should be asking, and for very good reason. The impact that COVID-19 has on CMMC could directly impact the livelihood of every DoD contractor.

Because CMMC certification will be mandatory for every DoD contract starting in January 2021, and because audits are set to commence in July, the next few months will be critical.

Adding a layer of complexity to all of this is the sudden shift from on-premises to remote work that’s underway with most businesses. If you’re at one of those companies making the shift, how will it affect your ability to satisfy core CMMC requirements needed for certification?

How the Coronavirus Might Affect the CMMC Timeline

Following a CMMC event in McLean, Va. on March 13, Katie Arrington, Chief Information Security Officer for DOD Acquisition, stated that it was unclear if the virus would impact scheduled CMMC assessor training, which was set to begin in mid-April.

“Everything was on schedule. I have no idea how this is going to impact things. I don’t know if it will, I don’t know if it won’t,” Arrington said, noting that in many cases training was supposed to be done online.

The use of virtual training could mitigate the impact COVID-19 has on the CMMC timeline. According to Arrington, the DOD wants to make every effort to maintain its schedule while still addressing possible health concerns. One possible solution is to expand the use of online training through webinars and live streams.

While Arrington didn’t address any other dates on the CMMC timeline, it’s clear that the DoD hopes to avoid any delays. While that could change as the situation unfolds, contractors should continue to plan as if they will need to be certified by January 2021.

The Impact of Remote Work Environments

Assuming that the CMMC timeline remains intact, or doesn’t significantly change, there’s still the matter of all those contractors that have shifted to remote environments. What impact will working from home have on their ability to satisfy CMMC or the current security and compliance requirements?

In truth, it could be a benefit. Should companies take this opportunity to fully embrace remote work environments through secure, government-approved platforms, they will also advance their CMMC efforts. Platforms such as Office 365, Microsoft Teams, and Cisco Webex account for many of the controls required for both NIST SP 800-171 and CMMC.

In many cases, these controls are ones your team would have to manually address in an on-premises IT infrastructure. That would increase the time and resources needed from your team, and increase the chances of human error. Cloud satisfies these compliance requirements automatically.

While working remotely will not benefit your CMMC aspirations on its own (accessing CUI through an unsecured laptop or connection won’t win you any points), the right cloud environment can. While that may require some guidance, it could ultimately prove to be a worthwhile move.

This Is a Fluid Situation

As with almost everything these days, how COVID-19 impacts CMMC bears watching. This is a fluid citation that will likely change as the weeks, and possibly months, go by. Even if the timeline remains largely the same, tweaks might be made to the certification process to account for our new reality. We’ll continue to post up-to-date information as we get it.

These are difficult and unpredictable times, but we have the ability and technology to solve most problems (except maybe the toilet paper shortage).

For now, here some things to keep in mind:

  1. Only 5% to 10% of DoD contractors work in actual DoD facilities, which means that for the most part, the work DoD contractors do is remote.

  2. While the CMMC program may see delays, it still will be a requirement for DoD contractors.

  3. The CMMC requirements are outlined, so contractors can (and should) get started preparing now.

  4. We’re advising our clients to get ahead of the game and start preparing to be ready to go through an assessment by July.

  5. In most cases, what can be done in the office can be done at home with today’s technology.

  6. We can help DoD contractors maintain compliance and meet all regulatory requirements, no matter where the work is getting done.

  7. The most significant difference between businesses that get ahead and lag will be the partners they work with to get their environments ready.

New call-to-action


If you would like to learn more about Cybersecurity Maturity Model Certification, be sure to check out our guide. It includes everything you need to know about CMMC in order to get ahead and stay ahead of your competition.

The Complete Guide to Cybersecurity Maturity Model Certification

You May Also Like

These Stories on Compliance

Subscribe by Email

Comments (2)