The COVID-19 outbreak could snag CMMC implementation
- By Lauren C. Williams
- Mar 18, 2020
It's unclear whether government and commercial precautions to stop the spread of coronavirus will affect the Defense Department's roll out of its unified cybersecurity standard. But mitigation efforts will likely rely on teleconferencing for training.
Katie Arrington, the chief information security officer for DOD acquisition, told reporters March 13 that training of third party assessors for the Cybersecurity Maturity Model Certification program was slated to start in mid-April, but the impact coronavirus protection measures may have on scheduling is unknown.
"Everything was on schedule; I have no idea how this is going to impact things. I don't know if it will, I don't know if it won't because we were doing online training in some cases," Arrington told reporters following a CMMC event in McLean, Va. hosted by Washington Technology, a sibling publication of Defense Systems. DOD previously said training would take place from January to June, when the first 10 requests for information would be released.
Arrington said DOD wants to stay as close to on schedule as possible while respecting health concerns and to do that, may turn to do more remote training via webinars and livestreams.
"But the original intent of the training that we have, was to have a good portion online. We have to use technology to our advantage," she said.
The first version of CMMC was released in January with its independently-assembled accreditation body selecting a chair and standing up soon after. The CMMC Accrediting Body is now developing the curriculum for third party assessors and structuring itself to tackle issues surrounding the cyber standards governance and implementation.
Ellen Lord, DOD's head of acquisition, also released a statement March 13 warning businesses of people claiming to be CMMC assessors, which have not been finalized.
"Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DOD," Lord said in the statements. "The requirements for becoming a CMMC third-party assessment organization have not yet been finalized, so it is disappointing that some are trying to mislead our valued business partners."
Lord stressed that no one is capable of issuing CMMC certification at this time.
"Moving forward I am confident we will soon sign a Memorandum of Understanding with the Cybersecurity Maturity Model Certification Accreditation Body on the accreditation, certification and approval processes relating to the Defense Supply Chain. When that happens we will make an announcement."
That date could be soon, according to Arrington who told reporters that deliberation had concluded and the memo is "in queue to be signed" by Lord.
This article first appeared on FCW, a partner site of Defense Systems.
Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.
Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.
Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.
Click here for previous articles by Wiliams.