Inside Cybersecurity

June 14, 2021


Pentagon’s contract with the CMMC accreditation body outlines spinoff unit for assessor training, performance objectives

By Sara Friedman / February 1, 2021

The independent accreditation body behind the Pentagon’s cyber certification program will be required to separate its assessor and training programs into business units, one of the many conditions in a no-cost contract signed by the Defense Department and the new non-profit reviewed by Inside Cybersecurity.

“The Department of Defense (DoD) will use the Cybersecurity Maturity Model Certification Accreditation Body, Inc. (CMMC-AB), a non-profit organization, as the authoritative source to accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO),” the contract says in a statement of work obtained via a Freedom of Information Act request.

The new agreement replaces a memorandum of understanding between the Pentagon and CMMC-AB signed in March and establishes a more formal relationship between both parties. The contract was announced shortly before the interim rule implementing DOD’s Cybersecurity Maturity Model Certification program went into effect on Nov. 30.

The statement of work says, “The DoD will retain oversight of the CMMC program and will be responsible for establishing CMMC assessment and training requirements as well as developing, updating, maintaining, and publishing the CMMC Model, all CMMC Assessment Guides, and policies for the DoD implementation of the CMMC framework.”

Over the past five months, CMMC Accreditation Body board members have trained and certified provisional assessors who will conduct audits for the first year of the CMMC program. At a “Town Hall” for stakeholders in December, CMMC-AB officials said they expect their training and certification framework to be fully implemented, or operational, in September 2021.

The CMMC-AB is required to “achieve compliance with the current ISO/IEC 17011 standard no later than 31 October 2022,” the contract says. In the interim, the accreditation body needs to follow the standard through an “appropriate peer review process” that includes developing and updating “a comprehensive plan and schedule to comply with all ISO/IEC 17011 requirements.”

The accreditation body will:

  • Develop, maintain, and provide provisional training, including curricula and testing, for instructors and individual assessors.
  • Ensure the quality control of all training products, instruction, and testing to include reviews with respect to cybersecurity technical accuracy and alignment with the CMMC Model, CMMC Assessment Guides, and DoD cybersecurity requirements and policies.
  • Develop, maintain, and manage database(s) to track the status of all authorized and accredited C3PAOs, provisional assessors, trainers, and instructors. All data shall be replicated and backed up daily to CMMC eMASS or an alternative DoD system.
  • The CMMC-AB shall provide documentation showing the CMMC-AB’s current ecosystem, which includes but is not limited to C3PAOs, the CAICO, Assessors, Registered Provider Organizations, Registered Practitioners, Licensed Instructors, Licensed Partner Publisher, and Licensed Training Providers. These shall be in strict compliance with the specified DoD requirements referred to in Section III(6) below. The CMMC-AB shall provide the OUSD(A&S)/OCISO(A&S) CMMC Office with all plans and/or changes related to CMMC-AB activities and the CMMC ecosystem to review prior to implementation and publication.

In terms of revenue, the contract gives the Defense Department’s CMMC program management office access to “all [CMMC AB] plans that are related to potential sources of revenue to include but not limited to fees, licensing, membership, and/or partnerships.”

“The OUSD(A&S)/OCISO(A&S) CMMC Office has the responsibility to establish the requirements for CMMC assessment and training certifications and the accreditation requirements for C3PAOs and the CAICO,” the contract says. “OUSD(A&S)/OCISO(A&S) CMMC Office will also develop, update, maintain, and publish the CMMC Model and all CMMC Assessment Guides.”

The CMMC-AB has the authority to authorize C3PAOs for two years, which started on Oct. 30, 2020. All of the C3PAOs need to be accredited to CMMC level three before they can conduct assessments.

The contract also establishes a requirement for all authorized C3PAOs to “be subjected to quality assurance reviews to include but not limited to observations of their conduct and management of CMMC assessment processes.” The CMMC-AB will be accrediting C3PAOs under “ISO/IEC 17020 and DoD requirement” and the contract requires the assessment organizations to “achieve and maintain the ISO/IEC 17020 accreditation requirements within 27 months of registration.”

To resolve disputes over assessment results, the contract says, C3PAOs will need to “establish a formal process to address DIB contractor complaints and appeals, in accordance with ISO/IEC 17020, and submit investigation and decisions, to include dispute resolution results, to OUSD(A&S)/OCISO(A&S) CMMC Office via CMMC eMASS.”

The CAICO component of the CMMC-AB, tasked with training CMMC assessors and instructors, will need to obtain an ISO/IEC 17024 certification “within 25 months after registration,” the contract says.

The contract establishes requirements for assessors to complete “a favorably adjudicated” Tier 1 or Tier 3 “suitability determination that results in no security clearance.” The tier depends on the CMMC maturity levels that assessors want to be able to audit.

The Defense Department’s responsibilities in the contract include:

  1. Retain oversight of the CMMC program to include the CMMC-AB.
  2. Develop, update, maintain, and publish the CMMC Model, all CMMC Assessment Guides, and policies for the DoD implementation of CMMC framework.
  3. Establish specified DoD requirements in addition to ISO/IEC 17020 for the authorization and accreditation of C3PAOs.
  4. Establish specified DoD requirements in addition to ISO/IEC 17024 for the authorization and accreditation of the CAICO.
  5. Establish specified DoD requirements for CMMC assessors, lead assessors, assessment team members, assessment team size and composition, trainers, and instructors.
  6. Coordinate and synchronize all CMMC model version releases with the CMMC-AB and the DIB SCC, to provide sufficient time for CMMC-AB to inform C3PAOs and the CAICO.
  7. Coordinate and synchronize all CMMC Assessment Guides version releases with the CMMC-AB and the DIB SCC to provide sufficient time for CMMC-AB to inform the C3PAOs and the CAICO.
  8. Establish reciprocity and/or standard acceptance agreements with other entities for other cybersecurity standards (e.g. ISO 27001, GSA, FedRAMP, DoD Standard Assessment Methodology, etc.). Collaborate with and seek input from the CMMC-AB and the DIB SCC in the process of establishing reciprocity and/or standard acceptance agreements.
  9. Provide factual information to the CMMC-AB in connection with the CMMC-AB's application to the Internal Revenue Service for a tax exemption determination that CMMC-AB is an organization described in Internal Revenue Code Section 501(c)(3).

By the end of March, the CMMC-AB needs to submit its “ISO/IEC 17011 Compliance Roadmap and Plan,” the contract says. A “Comprehensive Conflict of Interest (COI) and Ethics Plan: inclusive of CMMC-AB, C3PAOs, individual assessors, trainers, and others for DoD review and comment” from the accreditation body is also due at the end of that month.

To aid in making changes to CMMC “training and testing content,” the accreditation body needs to establish “Change Control Procedures” that include providing details for review on “the impact, schedule, and risk analysis within 2 weeks of a Government’s change request submission to the CMMC-AB,” the contract says.

The Defense Department has assigned thresholds for training assessors with 360 individuals required by the end of the current fiscal year and 1,500 in fiscal 2022.

The contract also requires the CMMC-AB to “provide a transition out plan within 30 calendar days, for transfer of operations to another body in the event this contract is terminated.” -- Sara Friedman (sfriedman@iwpnews.com)