How the COVID-19 Outbreak May Impact CMMC Implementation

With the world facing a global pandemic, many government contracted businesses have found themselves needing to make changes to their business operations. COVID-19 is impacting almost every aspect of normal workplace functions, so DoD contractors are faced with decisions for how to continue operating.

For many contractors, workforces have had to transition to remote work setups. For others, operations are considered essential, so your workplace operations may be similar to what they are normally. That said, there are still a number of factors related to government contracting being impacted by COVID-19 that all contractors should be aware of.

One of those factors being affected is the upcoming rollout of the Defence Department’s unified cyber security system, the Cybersecurity Maturity Model Certification (CMMC). Implementation of the new regulations is currently on hold, although DoD contractors are still strongly urged to continue preparing for audits.

When was the CMMC released and what does it do?

The CMMC is a new cybersecurity program that the DOD is in the process of rolling out to help make cybersecurity among DoD contractors more effective. The guidelines that must be met to pass a CMMC audit are designed to better protect controlled unclassified information—also known as CUI—that many DOD contractors use and store. The original version of the CMMC was released in January of this year. 

In light of the new CMMC regulations, all companies working on DoD contracts are now required to have adequate cybersecurity protection in place to pass this audit and continue working on contracts. If a company is found to be working on a DoD contract without a valid CMMC certification, they can be disqualified from completing future work. In order to gain the correct certification, contractors and companies need to undertake the accreditation organized by the CMMC Accreditation Body. 

How has the new CMMC impacted DOD contractors and those preparing for CMMC audits?

Katie Arrington, the chief information security officer for DOD acquisition has said regarding the CMMC delays: “Everything was on schedule; I have no idea how this is going to impact things. I don’t know if it will, I don’t know if it won’t because we were doing online training in some cases.”

But while changes that may be caused by future developments in the pandemic are uncertain, Arrington and other key players within the DoD have also stated that they are keen to stay as close to their initial schedule as possible while respecting COVID-19 health issues. To this end, they may choose to offer more remote training via webinars and livestreams. Because a large portion of the training for auditors was already being done online, the impacts may not be very significant.

When were audits planned on being completed? 

Any audits that were planned on being completed at the current time will have to be put on hold, as without a valid CMMC certificate, companies are unable to work on any DOD work. 

COVID-19 and social distancing measures have meant that a number of businesses that should already have their CMMC in place, have been unable to do so. No one is capable of issuing CMMC certificates at this time. 

Unfortunately, Ellen Lord, the DoD’s head of acquisition, said that some third-party entities are falsely advertising CMMC certifications that will qualify DoD contractors to continue working on government projects. As the requirements for becoming a DoD-recognized CMMC auditor have not yet been finalized, this false certification is misleading to many businesses.

How DoD Contractors Should Respond to Possible Delays

Rather than fall prey to these false advertisements, it’s important to instead work with a reliable IT partner who offers CMMC preparation services. A CMMC-focused IT provider will be able to help your business continue preparing for CMMC audits by accredited assessment organizations once they have been approved by the DoD. Your provider can help you find solutions to meet the CMMC cybersecurity regulations, even while your workforce is either partially or fully remote.

DoD contractors should still be prioritizing the security changes outlined in the CMMC despite possible delays in auditing, especially given increased cybercrime data. Because businesses are more vulnerable after having to restructure workplace operations, hackers are taking advantage of these weaknesses and exploiting highly sensitive government data. Preparing to meet the CMMC regulations serves as a useful tool for fighting the battle against cyber crime. 

While contractors, companies, and subcontractors are not currently able to obtain CMMC certification, they can still continue to prepare for audits as scheduled for later in the year. Many aspects of DoD contracted work have been affected by the spread of COVID-19, but working with a reliable IT partner can help your business protect its data and be ready for audits when they occur.