Inside Cybersecurity

March 25, 2023

Daily News

CMMC accreditation body plans to release updated guidance in July, setting up start of contractor cyber audits

By Sara Friedman / June 29, 2021

The Cybersecurity Maturity Model Certification Accreditation Body is preparing the final documentation necessary for the first authorized certified third party assessment organizations to start conducting audits by the end of July, while taking steps to address training materials developed by organizations without the CMMC-AB’s approval.

The documentation includes a “scoping appendix” from the Pentagon that updates to their CMMC assessment guides for levels one and three put out in December, according to CMMC-AB CEO Matthew Travis.

The CMMC-AB Accreditation Body has prepared a non-technical “assessment process” guide with DOD that outlines the “different phases” and responsibilities for the C3PAO and organization seeking certification, and is preparing to publish it in July, Travis said.

One of the items discussed in the publication is “recommended guidance on the size of an Assessment team, depending on the particular CMMC Level,” Travis said, making it clear that “a specific size will not be mandated” for each assessment.

Travis spoke with Inside Cybersecurity about the final stages of getting the documentation and operationalized system needed for the first C3PAO assessments and next steps to stand up the accreditation body’s formal training program.

The accreditation body is working to set up a system where authorized C3PAOs can submit their assessments to the Defense Department through the Enterprise Mission Assurance Support Service (eMASS), a portal maintained by the Defense Department. Travis said the CMMC-AB is “preparing a Seminar 101” for C3PAOs on how to use the portal and working on providing necessary “certificates” to allow access.

At tonight’s CMMC-AB “Town Hall” meeting, the agenda includes Melanie Kyle Gingrich, vice president of training and development, providing an update on her training portfolio work at the accreditation body, and CynergisTek CEO Caleb Barlow talking about lessons learned going through the process of getting his government division, Redspin, approved as the first authorized C3PAO. Members from the CMMC-AB’s Industry Advisory Council are also scheduled to speak.

The CMMC-AB released a “Notice to the CMMC Ecosystem” today informing stakeholders of their policy for unauthorized training courses and materials.

The organization said, “The CMMC Accreditation Body (CMMC-AB) is alerting all current and prospective members of the Cybersecurity Maturity Model Certification (CMMC) Ecosystem about companies and organizations misrepresenting their ability to train individuals in preparation for the CMMC assessor and CMMC instructor certification exams developed by the CMMC-AB in support of the Department of Defense’s (DoD) CMMC initiative.”

“The CMMC-AB is the sole, authorized entity charged by DoD to license, certify, and manage the CMMC Ecosystem, which includes the training and certification for assessors and instructors at all levels,” the body said.

The policy provides details on the exams for assessors and spells out the roles for CMMC Licensed Partner Publisher and CMMC Licensed Training Provider. The CMMC-AB also provides an update on where things stand with getting the formal training program set up.

Travis told Inside Cybersecurity he is looking to get the training “up and running as soon as the final course objectives are determined and finalized by DOD. Once that happens, we go away from the provisional assessors to the CMMC Certified Assessor, or the CCA, classes as well as the instructors who will then teach classes. The AB and DOD are working to finalize course objectives, which is really DOD’s decision, then we will be able to move forward with the formal training program.”

“Back on the C3PAOs, we will continue to work with the candidate C3PAOs as they apply and prepare for the DIBCAC assessment. Once they go through it, we will pick it back up and get them processed as quickly as we can,” Travis said.

Redspin and Kratos are the only two fully authorized C3PAOs. There is a third C3PAO that has passed its CMMC level three assessment by the DIBCAC and the company needs to go through the final review process to be added to the accreditation body’s marketplace.

The CMMC-AB is working to fulfill requirements in its no-cost contract with the Defense Department to become a registered non-profit organization and achieve international standards ISO 27011 and ISO 27024.

Travis said his organization has filed with the IRS to become a nonprofit and submitted a “accreditation roadmap” to the Pentagon outlining how he plans to meet ISO standards.

“Addressing our standards of conduct and ethics reviews” will be discussed at their July “Town Hall,” Travis said, adding “We’ve enlisted some third party assistants to review our policies, that process is finishing up for the board’s consideration.”

Travis said he is “encouraging” the board and CMMC-AB professional staff to be “fully aware and understanding of the standards to which we will hold ourselves and to ensure the processes are in place that when there is a potential activity outside those standards that we have a process to address that in a timely manner."

The new policy will address participation on LinkedIn, Travis said. Board members, DOD officials and industry stakeholders have actively engaged on the social media platform over the past year to share perspectives and news about the CMMC program.

Travis is in the process of hiring professional staff who will assume roles and responsibilities of board members. Travis said there are currently five employees at the CMMC-AB and he is working on hiring a “Director of Security and Compliance.”

“The Director of Security and Compliance position combines the traditional duties of a Facility Security Officer (FSO) and Ethics and Compliance Officer into one role,” CMMC-AB said in a job post on LinkedIn. “This individual will supervise and direct all security measures within the CMMC-AB and serve as the primary security liaison with the DoD CMMC Program Management Office (PMO).”

Other hires in the pipeline include a chief financial officer and accreditation director. Travis said he hopes to have 10 to 12 employees “by the fall.” -- Sara Friedman (