The U.S. Department of Defense still has much to finalize within its sweeping new cybersecurity program for defense contractors, and COVID-19-related restrictions mean its timeline for rolling out the new plan may be too ambitious.
“CMMC is not going to be a situation where people can just flip a switch and — bam! — we’re [meeting] CMMC,” said Alex Major, co-chair of McCarter & English LLP’s government contracts group.
Although the DOD has a CMMC “Version 1.02” plan in place and is also releasing additional information over time through webinars, panels and other public forums, the lack of formal final guidance means contractors are effectively “horseshoe and hand-grenading” their efforts to meet CMMC requirements, hoping they are close to the standards they will need to meet, Major said.
“I recognize the litany that the policy folks keep saying about the risk and the threat and the challenge and the need [for cybersecurity] and I think contractors all recognize that, and now they’re just waiting. ‘What would you like us to do about it?’” Major said. “‘We’re trying to meet you, but we don’t want to walk down this path only to find out [we need to go another way].’”