DoD Contractors Faced with Possible CMMC Delays

Photo of author

( — April 30, 2020) — As the spread of COVID-19 results in radical changes to industries across the globe, a question remains for one specific sector—how will DoD contractors be impacted by possible CMMC implementation delays?

The official CMMC, or the Cybersecurity Maturity Model Certification, was released in January of this year and is a new cybersecurity program being rolled out by the Department of Defense. It is designed to ensure that CUI (or “controlled unclassified information”) used and stored by any DIB (or “defense industrial base”) systems and networks is protected from access by unauthorized users. Overall, the CMMC aims to guarantee that good levels of cyber hygiene are being practiced. 

With more and more people forced to work remotely and businesses thus facing a higher risk of falling prey to hacking attempts, the CMMC regulations are more important than ever. The issue is that it’s uncertain whether the COVID-19 pandemic will impact auditing schedules, third-party assessment training by the DoD, or CMMC implementation in general.

Here’s are some answers to questions DoD contractors may have concerning CMMC implementation, potential delays, and next steps:

Why is CMMC so critical for DoD contractors, and how do they become certified?

As the new CMMC becomes a standardized program for government partners, any organization working on DoD contracts will be required to have cybersecurity maturity model certification. This makes achieving CMMC essential. Any organization found to be working on a project that requires CMMC without holding this certification can face disqualification from participating further.

To become certified, DoD contractors will have to undergo an accreditation from the CMMC Accreditation Body —a body of third-party assessors trained by the DoD. 

How has the outbreak of Covid-19 impacted new CMMC accreditation?

The difficulty facing the DoD currently is that assessors are still in the midst of being trained as certified auditors for CMMC accreditation. With possible delays threatening to impede these trainings, it’s not certain whether audits will continue as scheduled.

Katie Arrington, the chief information security officer for DOD acquisition has said regarding the CMMC delays: “Everything was on schedule; I have no idea how this is going to impact things. I don’t know if it will, I don’t know if it won’t because we were doing online training in some cases.” 

The training of new third-party CMMC assessors was supposed to take place in mid-April 2020, but coronavirus protection measures could have an impact on this process. The DoD is aiming to stay as close to schedule as possible and is looking into more online training for assessors according to Arrington and other DoD officials; however, some delays should be expected.

What next steps should DoD contractors be taking to prepare for CMMC implementation?

While delays in CMMC accreditation are possible, it’s still absolutely essential that DoD contractors get prepared now for CMMC audits.

It’s highly recommended therefore that DoD contractors work with an IT partner who can provide CMMC preparation services to sufficiently prepare them for a CMMC audit—even if it doesn’t have a set date yet. This will help to keep you as up-to-date as possible with current regulations and also help you to swerve serious data breaches in the meantime. 

Cybersecurity is becoming an increasing concern for businesses who are now operating on a remote basis, and hackers are taking advantage of vulnerable companies whose IT systems have been restructured in the process. Now is an easier time than ever for threat actors to exploit weaknesses and steal sensitive information. 

In addition, because much of the DoD’s accreditation training for third-party auditors is already being completed online with even more remote tools being researched, it’s also very possible that audits will occur on schedule. 

DoD contractors who aren’t prepping for CMMC audits now could face a rude awakening when they have to rush to update procedures and develop cybersecurity strategies to meet CMMC regulations in the future. The last thing DoD contractors want is to be stuck in a position where they are unprepared to pass an audit and therefore unable to bid on new government contracts.

As you work with a trustworthy IT provider to get prepared for CMMC audits and stay updated on the impacts of COVID-19 on CMMC implementation, your DoD contracted business can still continue to thrive. While these are uncertain times, you can still take steps now to protect your data and meet CMMC regulations to prevent costly data breaches and other negative side effects in the future.