Keeping you up to date with the latest news from the DoD on any new movements and updates in CMMC accreditation.
What is the CMMC?
Many articles have already explained the nuts and bolts of the CMMC, but a brief reminder is always helpful. CMMC, or the Cybersecurity Maturity Model Certification, was released by the Department of Defense (DoD) to put cybersecurity controls and processes in place. These controls and processes protect the controlled unclassified information (CUI) on DoD contractor systems.
Organizations that wish to work with the DoD must meet the requirements imposed by the CMMC. Each of the five levels has a minimum number of cybersecurity practices that must be met to qualify for the CMMC. The level your organization must meet will depend on the information you have access to. All organizations that deal with CUI must meet at least a Level 3 CMMC qualification.
CMMC Accreditation Body
The CMMC Accreditation Body (CMMC-AB) holds the latest news and information regarding the CMMC and its ecosystem. They are a private corporation with a contract with the DoD “responsible for accrediting, certifying, and managing the CMMC Ecosystem.”
Recent Updates on the CMMC
31 August 2021 – CMMC-AB Town Hall Meeting #4
The CMMC-AB August 2021 Town Hall Meeting gave the general CMMC-AB update, introduced new staff, reviewed the C3PAO lessons, updated the status of the Industry Advisory Council (IAC), and discussed the application transparency within the CMMC ecosystem.
Kate Ehrle, Brian Pratt, and Stacy High-Brinkley – executives of Cask Government Services, the third authorized C3PAO – described what they did to prepare their organization for the C3PAO assessment. They emphasized the importance of managing and tracking the use of their resources to minimize the total cost. They also recommended continually monitoring your organization’s security on a daily basis to ensure the safety of your network.
Brian Thompson, the representative of IAC for this meeting, explained what the IAC was working on. They were working on their challenges and set up their email address to be open to feedback on what they can do to improve the CMMC-AB and IAC’s process. Currently, their focus while working with the CMMC-AB is to emphasize how to incorporate the CMMC with small businesses.
Finally, Matthew Travis along with two other representatives of the CMMC-AB – Jon Hanny and Kyle Gingrich – explained the transparency and process of the CMMC-AB assessments. Hanny took a deep dive into the three phases of the C3PAO assessment – Applicant, Candidate, and Authorized. They also showed new updates on how to check your organization’s status as a C3PAO authorized entity. Lastly, Gingrich discussed how organizations involved in the provisional program of the C3PAO assessments will qualify for the official C3PAO assessments.
For more details, watch the August 2021 Town Hall Meeting here: https://vimeo.com/595976132
27 July 2021 – CMMC-AB Town Hall Meeting #3
The CMMC Certified Professional (CCP) Track’s beta test period will start in November, and the official exam is expected to be launched in February 2022. The other two CMMC-AB exams (CCA1 and CCA3) are currently still a work-in-progress.
In this meeting, two representatives from Kratos Defense & Security Solutions, Inc., one of the authorized C3PAOs, explained what they and their team learned during the Level 3 assessment process. They explained how the preparation took several months, and they recommended that any company that wishes to become a C3PAO should start its process as soon as possible.
The meeting continued to discuss the ethics and processes of the C3PAO assessment along with the other CMMC-related assessments. For more details, watch their video here: https://vimeo.com/580373403
30 June 2021 – First Certified Third-Party Assessment Organization
The CMMC-AB revealed the authorization of the first Certified Third-Party Assessment Organization (C3PAO) in the CMMC ecosystem. The company successfully passed the assessment for the CMMC Maturity Level 3 (ML3) performed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and met the C3PAO administrative and personnel requirements.
The C3PAOs are the authorized organizations that will conduct the maturity level assessments for companies that wish to obtain a CMMC certification. With the authorization of the C3PAOs, these organizations will now be allowed to schedule assessments with organizations that seek CMMC certification.
29 June 2021 – Unauthorized CMMC Training Providers
Organizations have misrepresented their ability to train individuals to prepare for the CMMC-AB’s CMMC assessor and CMMC instructor certification exams. The CMMC-AB is the only authorized organization, approved by the DoD, to license, certify, and manage the CMMC ecosystem. This includes the training and certification for CMMC-related assessors and instructors at all levels.
Professional CMMC assessors and instructors must:
- Use educational content from a CMMC Licensed Partner Publisher (LPP).
- Participate in a training service by a CMMC Licensed Training Provider (LTP) as a prerequisite.
  - LTPs must use educational content from LPPs.
  - LTPs must have CMMC-AB certified instructors.
- Obtain training from an LTP to receive a CMMC-AB Professional Number (CPN).
The CMMC-AB is working with the DoD to finalize the course objectives of the CMMC assessor and CMMC instructor curricula. As such, the CMMC-AB has not authorized any CMMC training content publication by LPPs. Therefore, there are no LTPs authorized to conduct an official CMMC training for the CMMC-AB certification exams.
The CMMC-AB certification exams are for CMMC assessors and instructors. This advisory does not apply to CMMC Registered Practitioners (RPs) and Registered Provider Organizations (RPOs) who advise, consult, or assist Defense Industrial Base (DIB) companies and individuals in preparing for their CMMC framework certification.
28 June 2021 – CMMC-AB Town Hall Meeting #2
In the CMMC-AB June 2021 Town Hall Meeting, the accreditation body presented the CMMC-AB general update, a perspective from an authorized C3PAO, and a CMMC training update, discussed the CMMC Industry Advisory Council (IAC), and answered general questions related to the CMMC ecosystem.
Caleb Barlow, the CEO of CynergisTek (Redspin), explained what it was like for his company to go through the authorization process. He mentioned that his organization was already following all the requirements imposed by the process, but they were able to make some of their actions sharper and improve their process.
To fully implement and internalize the CMMC process, Barlow mentioned that organizational culture was necessary to improve cybersecurity. Organizational culture will also help employees understand the cybersecurity documents within the business. As such, they needed to compile lessons on ensuring the security process documents were understood and not just written down.
Melanie Kyle Gingrich reviewed the AB ecosystem training and certification requirements. The AB has not passed the Phase Gate training development. However, Gingrich estimated that the milestones and content release would be available for testing in four to eight weeks.
The Industry Advisory Council is the entity that will serve as a “check-and-balance” for the AB’s practices and costs. Finally, Matthew Travis opened the stage for questions. He then ended the meeting after explaining that further updates will be provided on the Town Hall forum.
Watch the CMMC-AB’s June 2021 Town Hall Meeting: https://vimeo.com/569939630
27 April 2021 – CMMC-AB Town Hall Meeting #1
In the first town hall meeting, the CMMC-AB’s recently appointed CEO, Matthew Travis, gave a general update on the CMMC-AB. After the update on the CMMC-AB’s status, Daren King, director of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), discussed how they were approaching assessments for small businesses that wished to become a C3PAO. The meeting then answered questions regarding the CMMC, Department of Defense CMMC Program Management Office (PMO), DIBCAC, and CMMC-AB.
Travis started off the meeting by reviewing the status of applications for different roles within the CMMC ecosystem. Travis emphasized that having a strong data foundation and legal/policy framework is necessary for the AB to produce results for the CMMC/DIB ecosystem.
King began by discussing how they were working on ways for small businesses to approach the C3PAO assessments. He reviewed the assessment process and what companies should have ready when they prepare for the C3PAO assessment.
For more information and details, watch the April 2021 Town Hall Meeting here: https://vimeo.com/543227924
What You Need to Know
As security continues to grow, the DoD will soon make it mandatory for all contractors to complete a CMMC assessment. Learn the steps to successfully getting your CMMC certification. To achieve compliance requirements for the CMMC, your organization should plan ahead by at least six months. Prior to your assessment with the DIBCAC, you can use a third-party CMMC readiness assessment to determine if your business is ready to achieve the certification.