Pandemic Offers Opportunity to Prepare to Meet CMMC Requirements
The need to telecommute, meet virtually and collaborate via workspaces shouldn’t stand in the way of corporate to lay certification groundwork.
The coronavirus is not stopping the U.S. Defense Department from proceeding with work on the Cybersecurity Maturity Model Certification (CMMC), and it shouldn’t slow down industry in doing the same. Although some of the public hearings that should have taken place by now have been delayed because of the pandemic, the CMMC team continues to train and get the word out about rules changes.
Katie Arrington, chief information security officer, office of the undersecretary of defense for acquisition, U.S. Defense Department, joined Ty Schieber, board chairman, CMMC Accreditation Body, and Mark Fox, senior manager defense mission programs, Amazon Web Services (AWS), for a webinar about preparing for the CMMC requirements during the pandemic. Billington Cybersecurity sponsored the event.
The three agreed that the need for cybersecurity is more important now than ever. While much of the United States is experiencing a work slowdown, the country’s adversaries aren’t sitting back and waiting for the coronavirus (COVID-19) to wane, Arrington points out. To the contrary, they are using this time to attack companies, in particular small business. In one case, ransomware cost a small business $200,000 to acquire the decryption key.
On an even larger scale, Arrington points out, the need for cybersecurity standards is important to prevent U.S. adversaries from stealing state secrets. “There are weapons systems out there today, and I point to China specifically, that have the exact same kinds of flaw as ours,” This indicates that U.S weapons designs are being stolen, she explains. “We need to get ahead of that curve,” she explains.
Concerning the CMMC implementation, Fox says most companies currently contacting AWS are looking for information. “They want clarity of the rules. They are anxious to get moving,” he states.
To quench this thirst for information, AWS has a CMMC website that it will update as the Defense Department adds details about the certification. The company also will be introducing new products for supply chain firms to help them get to the CMMC levels faster, Fox shares.
Because 80 percent of the firms the Defense Department depends on are small businesses, the department must be sure that companies of all sizes—and on all contracts—meet appropriate CMMC levels. She predicts most companies will need to meet the requirements for levels 1, 2 or 3, and levels 4 and 5 are likely to be called for in rare instances.
Arrington contends the pandemic has and will to continue to considerably affect industry in ways that will be revealed over time and will have the kind of revolutionary changes of other extraordinary past events, she points out. For example, World War II changed the way the U.S. built products with standards created by the International Organization for Standardization. The terrorist attacks of 9/11 changed the way people travel with stricter security rules. COVID-19, she proposes, has already changed the way people interact and will likely continue to alter the work environment. The need for technologies that support secure videoconferencing, virtual events and multimember online meetings will increase and must meet acceptable standards, Arrington offers.
Schieber emphasizes the importance of implementing the CMMC. “We must make this happen. Whatever we were doing before wasn’t working. Our objective is to implement a standard that’s understandable, affordable and effective,” he says.
While staff continues to be trained to evaluate organizations’ CMMC levels, Schieber admits his team hasn’t determined how the training is likely to continue as the pandemic continues. He relates they are watching closely how to deliver training content via the virtual environments. It is an iterative process, and the team is working with industry and the Defense Contract Management Agency to determine future training, Schieber says, and he expects a provisional model will be available in the late-June/early-July timeframe. In the long term, the CMMC Accreditation Body will maintain relationships with licensed training providers who can deliver CMMC training.
Overall, to assist small businesses to prepare to meet CMMC requirements, Arrington’s office, supported by the Defense Department’s Office of Small Business Programs, developed Project Spectrum, which features informative insights for business owners, training and ways to check readiness for certification evaluations.
Additional information about Cybersecurity Maturity Model Certification is available from the AFCEA CMMC Symposium at the on-demand event website.