On January 31st, 2020, the DoD released CMMC Model version 1.0 to the public. The CMMC or Cybersecurity Maturity Model Certification is the DoD’s new cybersecurity program that aims to ensure that Controlled Unclassified Information (or “CUI”) used and stored by DoD contractors is adequately protected. They may further protect themselves by taking out a DBA Insurance policy.
The DoD initially aimed for third party CMMC assessors to be trained during mid-April in order to accredit any DoD contractors planning to work on DoD projects. However, given the current circumstances surrounding the COVID-19 outbreak, there may be delays in training.
Key DoD officials have stated that, while the impact of the pandemic on CMMC accreditation and implementation is so far uncertain, they plan to stick as closely to their initial schedule as possible. This means that despite potential delays in training (although online resources are still allowing training for many third-party assessors), DoD contractors should still be preparing for Cyber Maturity Model Certification.
One important reason to continue preparing for audits is that although training for CMMC auditors could be delayed, they will be trained eventually and possibly within the same initial predicted timeline due to online training resources. DoD contractors who are unprepared when audits occur because they expected delays may find themselves in a predicament, rushing to make their systems compliant so they can continue government-contracted work.
Additionally, the CMMC Accreditation Body has signed a Memorandum of Understanding (MOU) with DoD in regards to the implementation of CMMC, but has stated that the material of CMMC is unlikely to be materially changed. If you fail to receive accreditation and are found to be working on a project that requires CMMC, you can face disqualification from bidding on contracts altogether.
Further, while CMMC rollout could be delayed, cybersecurity concerns are at an all-time high, especially for businesses who hold highly sensitive information. This includes healthcare facilities and organizations, and, of course, business partners contracted by the US government.
The difference between healthcare facilities and DoD contractors is that many government businesses have had to make some or all operations and staff remote, while healthcare organizations are considered essential businesses. This means that DoD contractors are a number one target for hackers looking to exploit new weaknesses in your systems due to infrastructure and network changes as they have switched to remote workforces.
Preparing now for CMMC audits through CMMC implementation services is critical for this reason. The quicker DoD contractors get their systems compliant with these new advanced cybersecurity regulations, the harder it will be for hackers to exploit vulnerabilities. Getting the proper support, assessments, and preparation services—even remotely—can make a huge difference for government business partners.
Make sure you don’t fall prey to fake third-party CMMC assessors advertising CMMC accreditation now, however. At the moment, no official accreditors or assessors have been officially sanctioned by the DoD, so nobody can provide you with an official CMMC.
As Stacy Bostjanick (the director of the CMMC policy office) has stated: “If anyone tells you they can get you certified, they are lying. The test isn’t done yet. We are pressed right now and we have a small team working to get this done so there isn’t a lot of time to stop and go after the fake companies. The accreditation body is getting ready to take that on more than we are. We are aware of it and want to make sure companies know not to go to someone who is engaging in false advertising.”
In terms of what to expect going forward, no certain answers can be provided in this time of, frankly, sheer uncertainty on a global scale. In the meantime, until official accreditors have been fully trained, the best steps DoD contractors can take is to prepare for accreditation right now.
The rollout remains a matter of when CMMC will be fully rolled out, not whether CMMC will be rolled out. You need to be proactive in attaining CMMC accreditation if you intend to carry out work for the DoD in the future.