Inside Cybersecurity

March 8, 2021

Daily News

Defense Dept. prepares to release assessment guide for cyber certification program

By Sara Friedman / November 24, 2020

The Defense Department is planning to release its assessment guide for the Cybersecurity Maturity Model Certification program next week, outlining the details for how companies will be evaluated for maturity levels one through three.

“The Assessment guides for level 3 are under internal department review and will be published upon completion on or about 30 November,” a DOD spokeswoman told Inside Cybersecurity Monday.

The original assessment guide was developed by the Pentagon and sent over to the CMMC Accreditation Body for review. Through a working group process, the CMMC AB expanded the guide, according to industry sources, and work needed to be done to reconcile the two guides to make an official guide for use by assessors and their certified third party assessment organizations (C3PAO).

The assessment guide is expected to build on the handbook developed by the National Institute of Standards and Technology for NIST 8001-171. The handbook, published by NIST in 2017, outlines each of the controls in 800-171 and three basic categories for assessment.

“The handbook tells instructors to examine documentation, test systems and interview personnel,” an industry source said.

Assessors are not expected to need to do all three as part of each assessment, sources told Inside Cybersecurity. The expectation is that two of the three will need to be assessed for each control.

A source familiar with the assessment process said individuals conducting the assessments would likely mix up which of the categories would be used for each control.

The assessment guide also needs to provide details on the 20 controls and three practices in CMMC level three that go beyond the 110 controls in NIST 800-171.

"The AB is teaching to the learning standards provided by the Government," the DOD spokeswoman said, adding: "The assessment guides are not finalized yet but will be published as soon as they are complete." 

Publishing the assessment guide on Nov. 30 would align with when the interim rule implementing CMMC will go into effect.

The Pentagon intends to put out 15 contracts from the different services, Missile Defense Agency, Transportation Command, Defense Logistics Agency and Cyber Command during fiscal 2021 with CMMC language. DOD wants to get 1,500 companies certified over the next year to compete for the contracts.

CMMC will be rolled out over a five-year period. Starting on Dec. 1, all contractors who handle controlled unclassified information will need to submit a self-assessment on their compliance with NIST 800-171 through DOD’s Supplier Performance Risk System, when they submit a bid for a new contract.

“Right now, everyone wants to see what is in the assessment guide,” the assessment source said. Provisional assessors who have completed training are getting updates on the guide from the CMMC AB, but they still don’t have access to the official guide, according to the source.

Details in the assessment guide could determine which auditing companies decide to participate in the CMMC program as a C3PAO.

“As a professional audit firm, we want to understand the audit standard DOD wants to apply to the CMMC program because any company that publishes or issues a CMMC audit is putting their name behind it,” Jeff Lucy, cyber lead for Deloitte’s consultancy business for the aerospace and defense industry, told Inside Cybersecurity in October. “If we don’t think the level of procedures or testing is adequate for us to put our name to it, we would decline to participate.”

DOD and the CMMC AB are in negotiations on a new contract that will replace the memorandum of understanding that was signed on March 23 by Defense Department acquisition chief Ellen Lord and Ty Schieber, the accreditation body’s first chairman who resigned in September.

“We are still working to solidify our agreement,” the spokeswoman said. When asked about timing, she said the contract will be signed “imminently.”

Industry is also waiting for details on the C3PAOs who will be able to authorized to conduct first assessments on behalf of the CMMC AB. The announcement would likely come after the new contract between the DOD and CMMC AB is finalized, according to a source. -- Sara Friedman (sfriedman@iwpnews.com)