By Kathryn Daily, CISSP, CAP, RDRP
CMMC is still a hot conversation topic in the DoD world. The model, as well as the process surrounding it, continues to develop and has largely stuck to the initial schedule set out by Katie Arrington at the onset of this project, no minor feat with so many moving parts! Even amid the COVID-19 outbreak, she has indicated that work has continued and will not be impacted by much of the workforce working remotely.
In January 2020, the CMMC Accreditation Board (CMMCAB) was formed and the MOU was signed between the CMMCAB and the DoD on March 25. The CMMCAB will establish and implement CMMC assessment, certification, training and accreditation processes. The CMMC standard itself is owned and managed by the Department of Defense (DoD). The CMMCAB has set up a website (www.cmmcab.org) as an authoritative site for updated information regarding the development of the process as it happens.
Ellen Lord, Undersecretary of Defense, has put out a statement on the CMMCAB website alerting the DIB to unscrupulous third-party companies that have claimed they can get companies certified, which is wholly inaccurate. The process to train assessors has not even been developed yet. I’ve even seen a press release from a company claiming to have achieved CMMC Level 5 status (it was later updated to indicate that they had done an internal assessment and determined that they had met the control set for CMMC Level 5). The moral here is to make sure you are using the CMMCAB website to keep up with the current status of the effort, because companies are actively trying, and will keep trying, to take advantage of the DIB.
The CMMCAB is made up of members from industry, and they want more input from industry. To that end, they have created working groups to gather more insight into what we want to see in the CMMC process. Some working groups are short-term and exist to solve a specific issue. Others are more long-term opportunities to provide input. One such working group is the Standards Management Group. The goal for this working group is to determine thresholds for compliance with specific controls. The Accreditation and Credentialing Committee will build and control the process for validating assessment results, and issue and track credentials for training material, training organizations, trainers, C3PAOs, assessors and marketplace listings. The CMMCAB website gives the duration of each working group, when the work begins, how often the group meets, and the maximum number of contributors needed for that group. Applications for a group can be submitted from the CMMCAB website. If you feel like your knowledge and experience can be helpful, check out the groups that are available. If you don’t see something that would be a good fit, keep checking back, as more working groups are being added as needed.
That’s all for this update but we’ll be sure to continue this conversation in the next issue to make sure you’re up to speed on all of the future developments as this is a constantly evolving process.