CMMC Regulations on the Way Despite Pandemic.

Author: Lee, Connie

The Defense Department's new high-profile cybersecurity regulations are on schedule for implementation this year despite potential setbacks from the COVID-19 pandemic.

Katie Arrington, chief information security officer at the office of the undersecretary of defense for acquisition and sustainment, said the Pentagon will begin rolling out the Cybersecurity Maturity Model Certification version 1.0 rules this year.

The requirements are part of the Defense Department's push to protect industrial base networks and controlled unclassified information from cyberattacks. The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that companies are adhering to certain standards. Organizations will be required to meet different levels of security requirements depending on the type of work they are doing, with level 1 being the lightest and level 5 the most stringent.

Acquisition officials unveiled their roadmap for implementation in January, before the COVID-19 pandemic roiled U.S. society and industry. The plans included releasing solicitations with CMMC requirements baked in for pathfinder programs this year.

"We are on track to do that," Arrington said during a Project Spectrum webinar in May. "We're still on target to release some initial [requests for information] in June. ... Stay tuned, but the work hasn't stopped and we're still doing our absolute best to stay on track." Project Spectrum is intended to help small businesses improve their cybersecurity and is supported by the Defense Department's Office of Small Business Programs.

The biggest challenge presented by COVID-19 is figuring out how to conduct third-party audits of companies' cybersecurity readiness, she noted. Auditors are required to perform onsite visits to assess compliance.

"We're trying to figure out ways around that," Arrington said.

During a webinar hosted by Bloomberg Government, Arrington said auditors may need to "find a new way of doing business" to adjust to COVID-19 safety concerns. This will include wearing personal protective equipment while visiting companies.

"I think that you'll wear a mask, and you'll maintain some social distancing and you'll be able to do the audit," she said. "Just like the cable guy today--they come into your home, or they meet you, they wear a mask and we respect each other's personal space to ensure safety for all."

There could potentially be a two- to three-week delay on carrying out the first...
