The coronavirus pandemic has unexpectedly affected all aspects of life, including businesses, schools, events, and even social factors. In line with government directives for less travel, social distancing, and stay at home, companies have encouraged their workers to telework to reduce the spread of COVID-19. Compellingly, governments will reorder budgeting to fund the healthcare sector adequately. In effect, the unforeseen measures will have implications on CMMC implementation efforts.
What is CMMC
CMMC is a combination of an array of cybersecurity standards and best practices mapped across multiple maturity levels ranging from cyber hygiene to advanced. In this case, each CMMC level comprises of processes and controls that enable organizations to minimize risk against a set of cyber threats. With different levels, it becomes affordable and straightforward for small businesses to implement CMMC. On the other hand, third-parties leverage the model to conduct audits and inform risk in organizations.
The CMMC effort is built upon existing DFARS 252.201-7012 based on trust by adding a verification aspect for cybersecurity requirements. Stakeholders integrate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and apply it as part of stipulations in the procurement process and contract award. The DoD specifies the required CMMC level in requests for information (RFIs) and requests for proposals (RFPs).
COVID-19 May Affect CMMC Implementation
DoD, accreditation body, third-party assessors, and contractors need to prepare for the implementation of the CMMC certification. However, the current coronavirus pandemic will adversely impact such efforts in the following ways:
1. Cancellation of CMMC Training Events
As the Department of Defense strives to stay as close to schedule as possible while implementing CMMC, the current circumstance will affect CMMC training events. In particular, the concerned parties will cancel, postpone, or virtualize training to reduce physical contacts to prevent the spread of COVID-19.
Katie Arrington, the Chief Information Security Officer for DoD acquisition, stated that the department had slated training of third-party assessors for the CMMC program. Fortunately, the original intent of DoD was to have a fraction of the training online using germane technologies.
2. Reduced In-Person Visits by Third-Party Assessors
DoD CMMC certification is a requirement for thousands of DoD contractors who will work with third-party assessors to verification of implemented security practices. The process, in some measure, involves an in-person visit from the assessors to examine the cybersecurity posture and establish that firms seeking certification are authentic companies with real employees.
However, unless the current situation improves, people will continue experiencing restricted movement as countries gain time to implement effective preparedness measures rapidly. In theory, never leaving home during the coronavirus pandemic is an effective means of prevention that reduces the change of infection. COVID-19 will adversely affect the in-person visits necessary for the CMMC audit process since assessors will not be eager to travel to handle the work at in-scope locations.
3. Scarcity of Resources
COVID-19 pandemic will certainly cause DoD’s budget to shrink as the disease compels the government to shift the focus to the healthcare sector. The furiously spreading coronavirus will ultimately trigger a realignment of the U.S. national priorities, which will impact on the DoD’s efforts to implement CMMC certification.
4. Disintegrated Work from Home Strategies
CMMC certification process requires covered entities to inventory all systems that collect, store, and process FCI CUI. Secondly, the implementation involves conducting a gap assessment of current cybersecurity controls relative to the model to determine remediation activities and improvements to achieve the desired certification level. Besides, a covered entity should document cybersecurity policies, formalize security controls in procedural documentation, and assemble all documents in preparation for the certification.
Today, COVID-19 has increased the number of employees working from home. This practice complicates CMMC preparedness, including readiness and documentation. It is challenging to inventory all devices collecting and storing CUI and FCI. Additionally, it is difficult for organizations to document and assemble all cybersecurity documentation while handling in-office and remote teams.
In a Nutshell
CMMC remains a priority to DoD. The government continues to collaborate with industry partners and the accreditation body to meet the certification timelines, despite the current pandemic’s impacts. Nevertheless, the CMMC implementation progress will face canceled, postponed, and virtualized training events as well as reduced in-person visits by assessors, constrained resources, and work from home strategies. CMMC implementation process might take place behind schedule as stakeholders will miss valuable interim training and third-party assessors’ identification processes.