What the DoD Says About Prepping for CMMC Audits in the Midst of Coronavirus

Unsurprisingly, COVID-19 has had an impact on many organizations; however, some have been faring better than others, one of them being the US Department of Defense.

The official CMMC model was released by the DoD in January of this year as the new cybersecurity model for DoD contractors. It is designed to ensure all federal controlled information (FCI) and controlled unclassified information (CUI) is adequately protected against increasing cyber threats.

With the phased implementation of their new Cybersecurity Maturity Model Certification (CMMC) planned for 2020, the DoD made it clear when the pandemic hit that they wanted to avoid delaying CMMC rollout. And to that end, they have so far been successful.

Is the DoD Still Doing CMMC Audits?

As coronavirus hit, the Department of Defense made plans to move forward with the intended rollout schedule with certain adaptations, meaning audits will continue as scheduled.

Many of the training resources for auditing officials were provided online, and the CMMC-AB has worked diligently to ensure that CMMC professionals become certified in time for their first phase of testing audits, which is now beginning.

Since the first round of audits is already underway, all DoD contractors should ensure that they are adequately prepared for an official CMMC audit when the time comes, despite the pandemic. Contractors have been preparing for months for the rollout, but if your organization hasn’t yet undergone an assessment to see whether you’re ready for an official audit, now’s the time.

How Can My Company Prepare for a CMMC Audit?

While companies should have already been preparing for CMMC audits for some time now, the DoD has recently stressed the importance of working with a reliable consultant who offers a CMMC assessment service to see if your business is ready for an audit.

To be clear, this assessment would not provide certification as an official CMMC audit—only CMMC-AB-trained auditors may conduct official audits. However, the DoD noted that having a partner who is experienced with DFARS and CMMC guidelines can be critical in ensuring your data isn’t siloed or unprotected, preparing you better for an official audit.

There are 5 CMMC certification levels, which reflect the maturity and reliability of a business’s cybersecurity infrastructure.

  • Level One: The organization must perform basic cyber hygiene practices to protect FCI (federal controlled information).

  • Level Two: The organization must document intermediate cyber hygiene practices to begin protecting any controlled unclassified information (CUI). This includes NIST security requirements.

  • Level Three: The organization must have institutionalized management plans in place for protecting all CUI.

  • Level Four: The company must have implemented processes for reviewing and measuring the effectiveness of its practices. Not only that, but it should have enhanced methods to detect and respond to changing tactics.

  • Level Five: The company must have standardized and optimized processes in place that run across the entire business, as well as sophisticated capabilities to detect and respond to APTs.

Once the list of C3PAOs is available, businesses should contact a C3PAO to begin the certification process (which will be conducted safely according to pandemic guidelines). There is one notable exception to the CMMC requirements: suppliers furnishing only commercial off-the-shelf (COTS) items. These will be exempt from the new standards and will not have to achieve any CMMC certification level.

CMMC certification will generally last three years; however, if a company has a cybersecurity incident within those three years, they will likely need to have an early reassessment.

The CMMC-AB has previously disclosed that it will roll out the first wave of auditors after the testing phase in time for the first RFPs that require CMMC certification in November.

As you prepare your government-contracted organization to comply with the CMMC, it’s important to keep in mind that the pandemic has not greatly affected the rollout of the CMMC. That means the more preparation you do now, the more likely you are to pass the official audit that is shortly forthcoming.