Many organizations are struggling with prioritizing strategic initiatives in light of the COVID-19 pandemic and its impact on the workforce. One initiative that needs to be at the top of the list for those that work with the Department of Defense (DoD) is compliance with the Cybersecurity Maturity Model Certification (CMMC). The DoD has made it very clear they are moving forward with efforts to ensure their contractors and supply chain meet stringent cybersecurity requirements, beginning on July 1st, 2020. Currently, organizations do not have the ability to be certified against the CMMC standard because the DoD has not released the process to become an authorized CMMC audit certifier. Due to this process not being in place, many organizations have decided to take no action in regard to preparing for CMMC certification. This is a mistake.

While the actual certification process has not been defined by the DoD, the steps to become compliant are outlined in Version 1.02 of the standard that was released at the end of March. Elliott Davis can perform a gap assessment for organizations to determine where they stand against the CMMC framework. Most organizations that have not worked to align with previous NIST frameworks, such as NIST 800-171, will find they have significant gaps in the areas of documented policies and procedures as well as tools and technology. Now is the appropriate time to begin addressing these gaps so that an audit against the new CMMC standard is more of a verification of existing controls. Many of the items organizations need to remediate will take weeks to implement and can require funding that may not be available without proper planning. This is why it’s imperative to determine what level of CMMC compliance (levels 1-5) will be required for your organization to begin work immediately.

With an estimated 300,000 contractors that will need to be certified in order to continue bidding on DoD work, you can expect a mad scramble for compliance in July and August. It is entirely possible that many organizations will take six months to a year to become certified against the CMMC framework if they do not plan properly. This will present a competitive advantage to those who proactively work to close their security compliance gaps in advance of the July 1st requirement.

We can help

Elliott Davis has advisors who can help walk through the Cybersecurity Maturity Model Certification process. Contact the team to see how we can assist you.

The information provided in this communication is of a general nature and should not be considered professional advice.  You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.