How Has COVID-19 Affected the Rollout of the CMMC?


The initial plans for the rollout of the DoD’s new CMMC model for cybersecurity included a phased approach throughout 2020. Those phases included developing assessment and certification controls, providing training to auditors and other CMMC professionals, auditing a select group of DoD contractors, and implementing the new model over the course of a few years.

But how has the COVID-19 pandemic changed these plans? The year 2020 has been no walk in the park for any organization. However, perhaps surprisingly, the DoD has stayed relatively on track with their 2020 plans.

The DoD Is Still on Track for CMMC Implementation

As the DoD began implementing the CMMC in March by creating the CMMC Accreditation Body and developing training materials, news of COVID-19 hit. The DoD made it clear when the pandemic hit that they wanted to avoid delaying the CMMC rollout. And to that end, they have been reasonably successful.

The CMMC-AB, which governs the CMMC operations and requirements, indicated that COVID-19 has, in fact, not delayed training for certified third-party assessment organizations, C3PAOs. These official bodies have developed training resources that can be used online as well as outlined safe ways to begin their first round of CMMC audits. 

What DoD Contractors Should Be Doing to Prepare

With news that the pandemic hasn’t slowed down the rollout of the CMMC, it’s critical that DoD contractors continue preparing for audits as first rounds of audits have begun. Otherwise, companies will be prohibited from working on government contracts. 

Since the audits for CMMC are already in progress, the DoD stresses the importance of not only becoming compliant with the basic controls outlined in the CMMC model, but also working with an experienced CMMC consultant company that can give you an assessment of how ready you really are for an official audit.

The DoD also notes that contractors should focus on meeting the Level 1 or Level 3 controls, depending on the type of information your organization holds, rather than trying to excel to Level 5 from the get-go. The new cybersecurity regulations are designed to be a long-lasting way to protect against advanced cyber threats, so by taking the time to get prepared on the more basic levels first, you will be more successful in your transition to becoming Level 5-certified, if needed.

Another thing the DoD makes clear is that while the CMMC was created due to a lack of compliance with the NIST 800-171 across the DoD, it is meant to be a more comprehensive model that evolves as security threats do. The CMMC is built upon controls that can be adapted and strengthened as needed, with core components that apply to any contracted organization.

Overall, the CMMC isn’t just designed to replace NIST 800-171—rather, it is designed to help contractors avoid siloed data and other common challenges that could make them more susceptible to a cyber attack. It is meant to be a living, breathing model that adapts with changing security needs to help organizations even outside of government contractors move beyond typical ad hoc cybersecurity and push forward into a more sustainable and consistent cybersecurity process.