CMMC Regulations incoming
The CMMC Certification, which is a new framework to make sure that all suppliers in the supply chain is protecting sensitive defense information, is now a reality.
By 2026, all Pentagon contracts will require CMMC certification, according to officials Connie Lee - National DEFENSE, July 2020
The CMMC Certification has already been an ongoing topic discussed by many in the defense industry during the last couple of years. With the COVID-19 occurring, a lot of people thought that maybe the US Department of Defense would have postponed the decision of performing the CMMC certification - but that is not the case.
Safety is paramount
CMMC stands for Cybersecurity Maturity Model Certification, and according to Kate Arrington, the chief information security officer at the office of the undersecretary of defense for acquisition and sustainment, the Pentagon will begin rolling version 1.0 this year. Being CMMC certified means that your organisation is certified by a third-party auditor, whose role is to make sure that your organisation meets up with certain standards. Your organisation can basically be ranked on five different levels; 1 being the lightest, whereas 5 is the most stringent.
This new CMMC certification is the Defense Department's "push" to protect industrial base networks and controlled unclassified information from cyberattacks.
When should we all be CMMC certified?
As Connie Lee describes it in her article "CMMC Regulations on the Way Despite Pandemedic" in the National DEFENSE Magazine the CMMC regulations will be a reality for all organisations that want to import to the US market - and as the quote argues: "[..] by 2026." However, in the light of the COVID-19, some procedures may be delayed, even though Arrington is saying that defense contractors will expect to see new CMMC requirements in requests for proposals issued in November 2020 already.
COVID-19 creates challenges
As written earlier, we can not get around the fact that COVID-19 is still a big influence in our lives - and may unfortunately be that for the next long period of time. The biggest challenge, regarding the CMMC certification, is figuring out how to execute third-party audits of organisations' cybersecurity readiness. Why? Because auditors are required to make the visits onsite to evaluate the organisation, which obviously may be a problem. With that being said, the CMMC is still one of the highest priorities, according to Corbin Evans, director of regulatory policy at NDIA.
A big cultural shift
Furthermore, The Small Business Administration and other government agencies discuss right now, how the smaller organisations are going to adapt these regulations since they are already hurting economically from COVID-19. It is up for discussion if financial assistance would be appropriate regarding the certification, says Evans. Additionally, Arrington elaborates on how big of a cultural shift the CMMC certification is going to be, which is why the "implementation part" is something they have in mind when making the CMMC strategy for organisations. For example, contractors bidding on a program may not need to have their CMMC certifications until the time of contract award - this can be helpful in the organisations' adaption of CMMC.
Get the latest news
Follow CMMC Certification with focus on the European region on LinkedIn or the official CMMC account on LinkedIn to get the latest news.