How DoD Contractors Can Still Prepare for CMMC Audits, Even During COVID-19

Companies and contractors who work with the Department of Defense will soon have to pass a CMMC audit in order to continue their working relationship and bid on contracts. The new CMMC program stands for “Cybersecurity Maturity Model Certification” and is being rolled out as the standard for correct cyber hygiene for contractors and suppliers working with CUI (or “controlled unclassified information”).

But when CMMC version 1 was officially released on January 31 of this year, few could predict the global impact that would soon come as a result of the coronavirus spread. Unsurprisingly, many DoD contractors now question whether social distancing guidelines and shelter in place policies will impact the DoD’s anticipated timeline for the rollout of CMMC and CMMC audits. 

Luckily, the answer is fairly straightforward—the CMMC rollout hasn’t been severely impacted by the spread of COVID-19, and the DoD anticipates implementation to continue as scheduled. While there may be slight delays to the roll out of audits (as the DoD has had to adapt online training resources for third-party assessors), it’s now clear that major delays are very unlikely, and the DoD fully intends to implement CMMC standards as originally planned.

On March 13th, as COVID-19 was quickly establishing itself, Katie Arrington, the chief information security officer for DoD acquisition, told reporters that, “Everything was on schedule; I have no idea how this is going to impact things. I don’t know if it will, I don’t know if it won’t because we were doing online training in some cases.” 

However, more recently, Arrington has shown more confidence in sticking to schedule, noting that DoD officials “are continuing to roll out CMMC, we are not slowing down. . . . COVID-19 is a horrible event for the globe. But the sun will rise, and we have to continue to march forward. And gratefully and thankfully, the teams have been working virtually on this.” Auditors are currently being trained online, using online resources to complete the necessary requirements to become third-party assessors.

As you can imagine, this means that it’s extremely important for anyone expecting a DoD CMMC audit to start preparing. It’s anticipated that the DoD will begin to fully audit contractors for CMMC in fall of this year (following a preparatory audit conducted on select contractors in July) and, seeing as we’re already in the month of May, there’s not too long to go before you’ll be facing your official audit. 

DoD officials are therefore stressing the critical nature of preparing to become CMMC compliant as soon as possible, despite possible obstacles that your own business may be facing during the COVID-19 crisis. After all, if you fail your audit, you may be suspended from or prohibited from working on DoD contracts and may find that your bids are futile. It’s absolutely essential if you intend to continue operating in the field and making profits from your current business.

Even if there are any eventual delays in CMMC implementation, the wisest move for DoD contractors across the board is to prepare immediately. Not only is it critical for you to pass your audit, but it will help you keep sensitive data safe. Cybersecurity is becoming an increasing concern for any business right now, especially those that are currently having to operate remotely on several tasks. Hackers are well aware of the changes businesses have had to implement in their switch to remote working and will be looking to exploit and take advantage of businesses that haven’t updated their cybersecurity.

If you’re wondering how to prepare for your audit, don’t fret. The easiest and most effective way to prepare for a CMMC audit is to work with a cybersecurity professional who offers CMMC preparation services and is well versed in compliance regulations for DoD contractors. It’s good to note that these kinds of services can often be provided remotely, so you can still prepare  for a CMMC audit without breaching social distancing or shelter-in-place guidelines. 

While audits may not happen until fall, or later if there happen to be any eventual delays, preparing for your CMMC audit is of the utmost importance right now. Not only will it prepare you and get you into the swing of new practices well in advance of your actual audit, but it will also ensure your business is operating with the highest levels of cyber hygiene possible, staving off hackers and other threats.