CMMC Update: April 2
CMMC timeline and COVID-19
While the COVID-19 pandemic has most of us working from home and pushing deadlines back, the OUSD and CMMC AB assure us that they are still very much pushing forward.
“We’re doing our absolute best to stay on track because even though we are in horrible times, we have to have continuity of care, the mission is important,” Arrington said of keeping on track.
She went on to say, “From where I sit right now, it’s important that we save lives first and foremost. Bottom line is you can replace anything but a human life, but understand that our adversaries, at the same time, will take advantage…so we need to be as aggressive as possible.”
CMMC Accreditation Body signs MOU with DoD
And the proof is in the pudding. The CMMC Accreditation Body signed an MOU (memorandum of understanding) with DoD in late March. This means that DoD officially recognized the non-profit organization as the CMMC Accreditation Body. The CMMC AB stated that they could start training auditors as early as May as they move forward.
Their newsletter comments that they have “created committees and established initial functional and conceptual baselines for defining and implementing an adaptable and scalable ecosystem that supports the CMMC standard. This ecosystem is currently projected to begin issuing DoD-recognized CMMC certifications no later than Q4 2020.”
CMMC v1.02 has been Released
When asked in an interview on govmatters.tv if the standards will evolve over time, Katie Arrington responded:
“The standard should evolve. We’re in the process of a DFARS rule change on the CMMC.”
She later said:
“As the threats evolve, as the way the adversary comes at us changes, as technology evolves, we will modify how that [standard] works.”
We have already seen proof of this statement with the release of CMMC v1.02. The changes from v1.0 consist mostly of grammatical revisions. The release of a minor revision this soon after v1.0 indicates we’ll likely continue to see updates to the standard in the weeks and months ahead.
What to do Now
While the DoD has made it clear recently that there are currently no Third-Party Organizations that can grant a CMMC certification, it is still important to prepare for an audit. You can do this by working toward compliance with NIST 800-171. These controls will get you in good shape for CMMC Level 3. From there, you can begin to identify any gaps you might have and work toward mitigating them. It’s true that no company can certify you at any level of CMMC right now; however, there are plenty of companies that are capable of preparing you for certification. It’s critical to find a service provider with experience in NIST 800-171 assessments to prepare for the upcoming CMMC audits.
For more news and updates on CMMC, keep an eye on our blog.