The first official CMMC assessment starts Aug. 22 under the Pentagon’s “joint surveillance voluntary program,” where a certified third party assessment organization will conduct the examination and report results to the Defense Contract Management Agency for final approval.
The joint program allows voluntary assessments to start and then be converted into a three-year CMMC certification when the rulemaking goes into effect. The Pentagon’s Cybersecurity Maturity Model Certification program is overseen by the Office of the DOD CIO and supported by DCMA’s Defense Industrial Base Cybersecurity Assessment Center when it comes to the actual assessments.
The DIBCAC was “given the authority and responsibility to do assessments” based on the 2020 interim final rule that established the CMMC program and inserted the 7019 and 7020 clauses in the Defense Acquisition Regulation Supplement, according to CMMC director Stacy Bostjanick. She spoke with Inside Cybersecurity on the sidelines of a CMMC conference on Wednesday.
Bostjanick said, “Under that capability, they are allowed to do joint surveillance which gives them the ability to do more companies. That means they can bring C3PAOs in and accept their body of evidence from a company to be able to provide a DIBCAC High assessment.” Bostjanick confirmed that the DCMA has released a memorandum giving the DIBCAC authority to conduct CMMC assessments for contractors in collaboration with the C3PAOs.
The CMMC conference was hosted by Summit 7 Systems and featured presentations from the DIBCAC’s Nick DelRosso, NIST’s Victoria Pillitteri, contracting attorney Robert Metzger and Microsoft CMMC leader Richard Wakeman.
Regarding the first assessment, Bostjanick said at the summit, “keep your eyes peeled” for when it is completed. She said, “When that culminates we are going to make a big fat hairy deal about it.”
Bostjanick and her team are currently in “rulemaking hell” to finish the CMMC rulemaking, she told conference attendees. “My team is all about the implementation of the validation aspect of NIST 800-171,” she said. “It’s my team’s responsibility to make sure that you are compliant.”
Under CMMC 2.0, DOD consolidated the number of maturity levels from five to three and took out the additional 20 controls in the new level two that go beyond NIST 800-171. It also allows for self assessment at level one which concerns federal contracting information.
When CMMC 2.0 was announced, DOD said the plan is to do a “bifurcation” where only some DOD contracts would require a third party assessment based on type of controlled unclassified information covered under the contract.
Determining the bifurcation is still a work in progress, Bostjanick said, explaining, “We are in the process right now of working through with our leadership where this line of possible bifurcation/demarcation will be with CUI. There’s one category that is historical archeological information that could be considered CUI. We might put that under self assess.”
The DIBCAC assessments over the past three years informed changes to the program made in CMMC 2.0 and DOD is continuing to get feedback based on the C3PAO assessments for level two that started this year.
Bostjanick said DIBCAC leaders have been “working shoulder to shoulder with us the whole time making sure what we put in place falls in line what they have actually seen in practice and we are not going to do something that is going to kill people” when it comes to the rulemaking.
The Cyber Accreditation Body on Tuesday released the first “pre-decisional draft” of the CMMC assessment process guide, known as “the CAP.” Bostjanick said DOD received the latest draft on Tuesday and “we are working very hard to get it nailed down and approved as soon as possible.”
There is a 30-day public comment period to allow stakeholders to review the CAP. Bostjanick said, “If you want some light reading one evening make sure you read through it and comment on it if you have any questions and concerns.”
The CAP contains a list of templates in the phase one section that are intended to be appendices for assessors.
“The templates are only going to be available to the C3PAOs” and not publicly released, Cyber AB CEO Matthew Travis told Inside Cybersecurity, adding: “We are not finished developing the actual templates but ultimately I don’t believe we are going to make those available.”
When asked about making them public, Bostjanick said, “It depends on your perspective. Releasing it can provide some problems because you can have people fictitiously replicate them, but then sometimes it may be easier for companies to see the template before they have the interaction with the C3PAO. We have to think through the different vulnerabilities.” -- Sara Friedman (sfriedman@iwpnews.com)