The CMMC-AB held its March Town-Hall meeting on March 30, 2021. A link to the recording can be found below. Most of the Town Hall was a review of existing information, but we did catch a few new pieces of information, and there were some great questions and answers. Our summary is below the link to the recording.
The session opened with introductory remarks by Karlton Johnson, Chair of the CMMC-AB Board of Directors, and Stacy Bostjanick, Acting Director of Supply Chain Risk Management for the OUSD(A&S) and OCISO(A&S). Remarks included the announcement of Matthew Travis as the new CEO of the CMMC-AB.
3:30 – Jeff Dalton provided a review/overview of the different CMMC ecosystem roles. There were some slight changes to names and acronyms:
- CCP – Certified CMMC Professional
- CCA – Certified CMMC Assessor – (CCA-1, CCA-3, CCA-5)
- CCI – Certified CMMC Instructor
- CCMI – Certified CMMC Master Instructor
8:58 – Jeff Dalton discussed the Provisional Assessor (PA) program.
100 Provisional Assessors were randomly chosen out of roughly 1200 applicants. They have already been trained. An additional 40 are being trained now. By the end of April there will be 140 PAs. They will focus on the 10 pilot contracts. DoD estimates that about 800-1200 companies will be assessed under those pilot contracts. CMMC-AB believes the 140 Provisional Assessors should be sufficient to meet that demand. However, as discussed later, additional Provisional Assessors will also be coming as a result of the Provisional Instructor program.
11:00 – Jeff Dalton discussed the Registered Practitioner program. No significant new information was discussed.
12:25 – Jeff discussed AB Licensed Organizations, including C3PAOs, LTPs, and LPPs. There were two minor updates:
- Although the acronym C3PAO is staying the same, the name is now CMMC 3rd Party Assessment Organization (instead of Certified 3rd Party Assessment Organization)
- DIBCAC has completed the assessment of the first candidate C3PAO. Other assessments have been started. No word was given on the assessment results or when the first C3PAO(s) will be formally approved by DoD.
19:00 – Jeff discussed the Registered Provider Organizations (RPOs).
Jeff reiterated that an organization seeking certification does not need to hire an RPO or RP to prepare for a CMMC assessment. However, there are benefits to hiring an RPO/RP. One such benefit is that all participants in the RP/RPO program agree to abide by the CMMC-AB Code of Professional Conduct. Organizations and individuals that violate the Code of Professional Conduct can be removed from the program. There have already been issues that were reported to the CMMC-AB and the CMMC-AB has been dealing with them. The CMMC-AB does not have any leverage over organizations that are outside the RP/RPO program.
21:57 – Ben Tchoubineh discussed the current status of the CMMC-AB credentials/designations.
25:20 – Ben Tchoubineh discussed the status of the certification exams
The CMMC-AB’s training working group created a set of learning objectives that every Certified CMMC Professional and Certified CMMC Assessor needs to know. These learning objectives then form the basis for the training curricula created by the Licensed Partner Publishers and the examinations created by the CMMC-AB’s examination partner, Scantron. Scantron is currently developing the examinations for the CCP, CCA-1, and CCA-3 exams. The CCI exam is expected to be finalized in Q1 2022. The CCA-5 exam is not expected to be ready until Q2 2022 or later.
Only PAs can perform assessments until the CCP, CCA-1, and CCA-3 certification exams are finalized. The hope is to finalize them somewhere between late summer and the end of the year. However, there are many dependencies that may cause this to slip.
26:54 – Ben Tchoubineh discussed Licensed Training Providers (LTPs)
Most of the information was a repeat of previous information. The current target is for CCP courses to be available in late summer or early fall 2021.
29:12 – Ben discussed the Provisional Instructor program (PI)
The CMMC-AB will be training Provisional Instructors on a monthly basis. The first class begins the week of April 5, 2021, and there are expected to be approximately 25 instructors per class. The Provisional Instructors will become Provisional Assessors in addition to PIs. The PI candidates must therefore be highly qualified, with 10+ years of assessment experience. The PI candidates must also have at least 2 years of instruction experience. The PIs will need to provide references, and may need to be interviewed. There are currently about 160 applicants.
32:08 – Ben provided an updated timeline for rolling out training
34:43 – Ben discussed the exam bundles that some people purchased last summer, and the plans for issuing examination vouchers when the program is finalized. No new information was presented.
37:00 – Jeff Dalton and Wayne Boline discussed the CMMC-AB’s revised FAQ page. The page has been updated with answers to many of the questions the CMMC-AB frequently receives. The FAQ covers questions regarding ISO certification of the CMMC-AB, the process for becoming a C3PAO, and much more.
40:00 – Q&A
- When it comes to implementing CMMC controls, are work-from-home locations classified as alternate sites or do they need the same physical controls as the primary site? Regan Edens: For Maturity Level 3 organizations, endpoints accessing CUI will have to meet the same requirements as any other controlled environments. That includes a secured, locked door and other requirements for physical offices. The organization’s policies and procedures also need to call out how the organization expects to handle remote access into the workplace. Be prepared for some sampling of the organization’s environment, including home environments, rented facilities, etc.
- The CMMC-AB receives very detailed application of the rules/technical questions. How does DoD recommend that those questions be addressed? DoD PMO: E-mail the questions to Stacy Bostjanick and DoD will respond back. [We note that Ms. Bostjanick did not provide her E-mail address]
- Any updates on overseas? DoD PMO: The PMO staff is working closely with the International Cooperation Office. Many collaborations are in the works, including agreements with different allies. Many allies have also shared their own cyber requirements to see where we can come together. International agreements are still a work in progress.
- Is there any update on how fundamental research by educational organizations will be handled under CMMC? DoD PMO: If an educational organization has a DoD contract that includes -7012 and -7021 clauses, they will be required to meet CMMC. These same requirements will likely apply to grants. Fundamental research is tougher because it is difficult to define. Once a stronger definition is created, DoD will look to give institutions the ability to publish the research. But it is an ongoing discussion.
- Can 100% of CMMC Maturity Level 3 requirements be inherited from a 3rd party? DoD PMO: Unlikely, but submit your plan to the PMO and they can analyze it.
- Will there be guidelines to help primes know what levels the subs will need? DoD PMO: Each contractor must look at the information being transferred to their subcontractors and those subcontractors must be bringing the information into environments certified at the highest level corresponding to the information being sent to them. The contractors are also expected to only give their subcontractors the data they need to do the job. DoD recognizes that more granularity is needed on marking particular pieces of information so that contractors can more easily compartmentalize the information and share only a subset of the information. That subset may be at a lower CMMC level than the set of information as a whole. The CMMC PMO is working closely with PMs to better achieve this goal.
- When is the next version of the model expected to be released? DoD PMO: With rulemaking there is the potential that the comments may impact the model. The most recent expectation is that the next version of the model will be released at the end of the rulemaking process. [no timeline was given for when that might occur] After that, it will be reviewed on an annual basis at a minimum to ensure it meets the threats facing the supply chain.
- Is there an effort for the GI Bill to be used to pay for CMMC education? Ben Tchoubineh: The CMMC-AB needs ISO 17024 certification first, and then ANSI accreditation, which DoD must approve. Once that is in place, DoD should be in a position to allow service members to use the GI Bill to pay for CMMC education. It’s in the plan, but it will take some time.
52:50 – Introduction of Matt Travis and introductory remarks by Mr. Travis