COVID-19 NEWS: New Cybersecurity Regulations ‘On Track’ Despite Virus

By Yasmin Tadjdeh

iStock illustration

Work on the Defense Department’s highly anticipated set of new cybersecurity standards — known as the Cybersecurity Maturity Model Certification version 1.0 — is still on track despite the ongoing COVID-19 pandemic, said an official in charge of the effort April 22.

The new rules, which the Defense Department rolled out earlier this year, are meant to force the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. The rules will eventually be baked into contracts, and the Pentagon had targeted including them in requests for information as early as this summer on pathfinder programs.

Under the plan, CMMC third-party assessment organizations, known as C3PAOs, will be trained and approved by a new accreditation body. They will have to certify that a company has met the CMMC standards before it can win contracts. CMMC features different levels, with the level 1 standards being the least demanding and level 5 the most burdensome.

Katie Arrington, chief information security officer at the office of the undersecretary of defense acquisition, said CMMC is still on track despite hurdles created by the ongoing COVID-19 pandemic that has roiled the world.

“We are on track, but we're having to retool some of the training because the actual inspections … [do] have to happen,” she said. “The actual audit has to be done on site.”

The Pentagon is working on ways around that, she said during a webinar called “Protecting Small Business in a COVID-19 Environment” hosted by Project Spectrum, which is part of the Cyber Integrity Initiative and is supported by the Pentagon’s Office of Small Business Programs.

“We're still on track,” she said. “We're still doing the pathfinders. We're working through those. We're still on target to release some initial RFIs in June with the CMMC in it so we can all kind of get a feel for it.”

Additionally, the Pentagon still plans to get the first class of C3PAOs rolling out in late May or early June, she said.

The biggest sticking point will be conducting in person audits, as is required, Arrington said.

“Until we get the directive from the president and from Secretary [of Defense Mark] Esper with the DoD we have our stay-at-home orders,” she said. However, “the work hasn't stopped and we're still doing our absolute best to stay on track.”

Last week, speaking during a Bloomberg Government webinar, Arrington said potential delays of a couple of weeks would be insignificant to the overall program. 
“A two-week push on something is not going to ... have a massive impact to our rollout of this,” she said. “I don't think it's going to be impactful to the schedule. I think maybe we’ll have a two, three week slip on actually doing the first audits, the pathfinders, but nothing of significance.” Auditors may have to wear masks or social distance while conducting their work, she said.

Meanwhile, Arrington noted that businesses should consider implementing the first level of the CMMC requirements now to protect themselves as more employees in the defense industrial base work from home.

“CMMC level one are 17 controls, no cost, that you can implement today that can help you be secure,” she said. “Waiting isn't an option for any of us right now.”
 She also stressed the importance of good cyber hygiene, and recommended that employees frequently change their passwords and be mindful of spearphising attempts. 
“Do your best to be diligent and remember that ... the weakest link is where the adversary will come in,” she said. “Don't be the weakest link.”

Nathan Magniex, a senior cybersecurity expert at Project Spectrum, also noted during the webinar that contractors should be wary of conducting meetings on the popular video platform Zoom.

“I would not use it as a business owner,” Magniex said. “There are certain red flags. There are connections with China that are concerning especially for the defense industrial base.”

Project Spectrum recently released a white paper on potential security risks with Zoom which said, “Zoom's numerous vulnerabilities are not unique to them because every software company and application has them. Zoom's links to China, however, are particularly concerning because those links expose the DIB and its supply chain, thus jeopardizing American innovation, IP and proprietary information.”

Project Spectrum recommended Cisco Webex, Facebook Workplace, Google Hangouts, GoToMeeting and Microsoft Teams as potential alternatives.

Topics: Cyber, Cyber-augmented Operations, Cybersecurity, Defense Contracting

Comments (1)

Re: New Cybersecurity Regulations ‘On Track’ Despite Virus

Despite Ms. Arrington' statements that the CMMC implementation timeline is on-track, no essential information has been published by the government or the CMMC Accreditation Body since the Jan 31, 2020 statement to the press (at which no questions were taken). Ms. Arrington states that the first class of C3 PAOs "will be rolling out in late May or early June" and yet no criteria for becoming a C3PAO have been published by USD AT&L or by the CMMC Accreditation Body ( With 30-45 days until Ms. Arrington projects the first class of C3PAOs to be accredited by the CMMCAB there is no public roadmap for what it takes to become a C3PAO nor is it possible for CMMCAB to conduct face to face meetings withC3PAO candidates even if they did submit an application for accreditation because of the COVID-19 restrictions. The announced "pathfinder" contract solicitations scheduled for June, which is only 38-68 days away depending on whether you count to June 1 or June 30, cannot happen without CMMC certified bidders. No CMMC certifications can be awarded without C3PAOs. No C3PAOs can be accredited until the CMMCAB receives applications from candidate companies. No applications can be submitted until CMMCAB publishes the criteria for C3PAO certification. Under the absolute best circumstances with a fully budgeted program these milestones would be unattainable within 68 days based on the speed of Pentagon policy making. Under COVID-19 restrictions on activity and meeting this appears to be a pure fantasy especially when the cost of the C3PAO assessment must be paid up-front by the companies seeking CMMC certification and they will not receive any reimbursement of this cost until and unless they are awarded a contract by the DoD.

Walt Yates at 7:36 AM
Retype the CAPTCHA code from the image
Change the CAPTCHA codeSpeak the CAPTCHA code
Please enter the text displayed in the image.