Earlier this spring, the U.S. Department of Defense revealed that defense contractors should expect new Cybersecurity Maturity Model Certification (CMMC) requirements in government requests for proposals starting in November. That marks a delay in the original timeline. Regardless, the DoD is still on track to roll out requirements this year, despite the pandemic.
While it remains unclear what the full impact of COVID-19 will be on the CMMC process, one thing is known for sure: defense contractors have no time to waste in preparing for this new, toothy certification.
Implementation challenges amid COVID
Even without the added factor of the COVID-19 pandemic, companies preparing for the CMMC could expect challenges and surprises. For example, companies that have self-certified against security standards such as NIST’s 800-171 could still easily fail an external CMMC audit, which tracks to that standard, but also heaps added requirements on applicants. These companies will need to act quickly to self-assess and take corrective actions before beginning their CMMC audit.
The DoD and auditors themselves should anticipate impediments as they work to implement the new CMMC standards. Getting the CMMC auditing process in place quickly enough to meet the surge of companies and contractors looking to get certified will be tricky. The CMMC accreditation body has estimated that up to 6,000 companies will need CMMC certifications in the federal fiscal year 2021.
Given that volume, bottlenecks may appear as companies push to get certified as quickly as possible. It will undoubtedly be challenging for auditors to meet this rush of demand as quickly as companies may expect. Because of this, an organization looking to become certified should be absolutely sure it is ready to pass the audit the first time around, otherwise, due to the magnitude of certifications, auditors will be handling, it may face serious delays the second time through.
The COVID-19 pandemic will also, no doubt, impact the certification process. The virus will dish out new and unexpected obstacles for companies and the DoD. For example, companies may find that their security controls are no longer sufficient given the sudden surge of remote work — especially those companies who are dealing with classified information. There have already been reports of an increase in activity from bad actors trying to exploit companies in the defense industrial base. This will increase as long as defense industrial base firms struggle to properly secure all remote work.
Why you should prepare now
With companies and contractors set to face all these challenges, it is vital they don’t procrastinate and start preparing for CMMC now. With companies jostling to get certified first and the DoD rushing to perform audits for thousands of companies at once, it is critical that companies ensure they are prepared for their audit as early as possible.
Additionally, it is still unknown which DoD contracts will require CMMC certification in fiscal year 2021. Companies have to assume that any contract that is new or up for re-compete is a candidate for CMMC. Therefore, it is essential that any company even considering making a bid for a DoD contract prepare now for the CMMC requirements.
Companies and contractors should be taking these requirements seriously. Leaders from the Office of the Under Secretary of Defense for Acquisition and Sustainment have been consistent in saying that they will not be delaying the certifications and companies should prepare for it now.
As a first step, companies should move quickly to conduct a pre-assessment of their readiness to pass the CMMC audit. That should start with assembling all the materials needed to complete an audit. Depending on the outcome of the pre-assessment, firms can seek outside assistance to determine their readiness.
The sooner companies start their preparations, the better chance they have of passing the audit the first time and working towards winning government contracts.
Bill Solms is general manager and president of government solutions at QOMPLX.