CMMC Timeline: What to Expect As the DoD Rolls Out CMMC

Back in January of this year, the Department of Defense released CMMC Model version 1.0 as the department’s latest cybersecurity verification program. Since then, the unprecedented rise and spread of coronavirus during the last few months has left many questioning whether the DoD’s plan to train third-party CMMC assessors during mid-April and begin conducting audits in July would hold. Many anticipated huge delays and questioned whether CMMC training would be taking place at all.

The DoD, however, has been moving aggressively in spite of the pandemic and intends to maintain a schedule similar to the one it had put in place beforehand. This means that you shouldn’t anticipate huge delays on CMMC training, and you should still be preparing thoroughly to meet CMMC regulations and pass an audit.

Here’s the current expected timeline for the rollout of the CMMC from start to finish:

CMMC Timeline

January 2020: On January 31st of this year, the DoD formed a CMMC accreditation body and released CMMC version 1.0.

February 2020: During the second month of the year, the DoD began to focus on what resources they would require in order to achieve each level of cybersecurity that has been outlined in the most current version of CMMC. 

As the coronavirus pandemic began to unfold, plans for the CMMC rollout appeared to be in jeopardy, but as Katie Arrington (the DoD’s CISO for Acquisition) noted, “We are continuing to roll out CMMC, we are not slowing down. Covid-19 is a horrible event for the globe. But the sun will rise, and we have to continue to march forward.”

February–July 2020: Training for third-party assessors began in February and has been ongoing up to now. While the agency had to adapt to using more remote and online training resources once the pandemic hit, they are currently adhering to social distancing guidelines and are continuing training.

July 2020: In July of this year, the DoD intends to put groups of industry-based companies through CMMC assessment to begin the accreditation process and make improvements as necessary. By the time this process begins, all DoD contractors and suppliers should be fully compliant with the applicable level of CMMC hygiene.

January 2021: As the year begins to draw to a close, the DoD plans to begin fully auditing DoD contractors, incorporating CMMC into DFARS as the new cybersecurity standard. They also plan on possibly extending these regulations to non-defense federal contractors.

How DoD Contractors Should Respond

Given that the original plans for CMMC rollout have not been greatly impacted by the COVID-19 pandemic, it’s important for DoD contractors to continue getting ready for an audit. Delaying compliance will make it more difficult for DoD contractors to pass an initial audit, especially because most have had to face many hurdles of their own during the current pandemic. 

Here are the steps the DoD recommends taking to respond to the CMMC rollout timeline: 

1. Research CMMC guidelines for your applicable level of cybersecurity hygiene.

The DoD recommends researching and studying the CMMC guidelines to prepare for an IT assessment. Focus on the guidelines that are particular to your required level of CMMC hygiene. For example, DoD suppliers that want to achieve CMMC Level 3 will need to implement all the controls of NIST 800-171, plus some additional controls. For more information on CMMC levels and requirements, please see our Guide to CMMC.

2. Conduct a preparatory CMMC Assessment. 

The DoD also suggests getting a CMMC assessment service from a cybersecurity professional, like SysArc, that will assess how well you are meeting the guidelines required to pass an audit. An IT provider that offers CMMC preparation services can provide feedback on areas of your IT that need to be remediated before you will be considered compliant. 

3. Communicate with subcontractors to meet CMMC compliance requirements.

A final step you can take is making sure that you communicate with any subcontractors or suppliers regarding the new CMMC guidelines to ensure that they’re also following the new guidelines and adhering to best practice policies. The DoD requires that all its partners and any third-party businesses handling government contracts or working with CUI be compliant with these new regulations. 

While there could still be delays in the rollout of the CMMC program, they are not likely, and it is still in DoD contractors’ best interest to prepare now as thoroughly as possible to become compliant with CMMC standards.

This is especially important now with off-site work taking hold and remote network setups becoming more common. Threat actors are seeking to take advantage of new weaknesses that can be exploited in businesses’ networks that store sensitive information. If DoD contractors delay cybersecurity preparations, they could face major security incidents that are costly and time-consuming to repair, as well as face loss of contracts and penalties from the Department of Defense.

As CMMC implementation becomes the new reality for DoD contractors, the best step contractors and suppliers can take is to prepare adequately now. Doing so will ensure that you are ready when official audits occur, you can maintain critical contracts, and you can prevent data loss or damage that could severely impact your business.