The Cybersecurity Maturity Model Certification Accreditation Body (“CMMC-AB”) held a town hall on April 26, 2021. A recording of the session can be found here: CMMC Town Hall, April 2021 – Town Hall Videos (cmmcab.org)
Matt Travis, the newly-appointed CEO of the CMMC-AB, opened the session with introductory remarks in which he discussed his vision for the CMMC-AB. Mr. Travis described his biggest area of focus as being getting “the machinery of certification moving.” That means ensuring the proper foundations are in place, including legal and policy frameworks. He also emphasized that both the CMMC-AB’s staff and the Board of Directors will be carefully reviewing the ethics policies in place throughout the CMMC Ecosystem, including both internal to the CMMC-AB and with respect to C3PAOs, RPOs, and individuals. Mr. Travis provided his personal E-mail address for those who have specific issues ([email protected]).
Mr. Travis also provided an update on the number of participants in the CMMC Ecosystem. There are currently:
| Type | Position | Acronym | Total Applicants | Total Approved by the CMMC-AB |
|---|---|---|---|---|
| Organization | Registered Provider Organization | RPO | 564 | 526 |
| Organization | Certified 3rd Party Assessment Organization* | C3PAO | 449 | 171 |
| Organization | Licensed Training Provider | LTP | 48 | 36 |
| Organization | Licensed Partner Publisher | LPP | 18 | 16 |
C3PAO Assessment Status Update and new Status Indicators
Mr. Travis reminded the attendees that all organizations wishing to become C3PAOs must meet the CMMC Maturity Level 3 certification requirements as assessed by the Defense Contract Management Agency (“DCMA”) Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) team’s CMMC Assessors. To date, no C3PAOs have been Authorized by the CMMC-AB. To that end, to help clarify each C3PAO’s status in their journey to becoming fully certified by the CMMC-AB, Mr. Travis announced that the CMMC-AB will be using a few new terms to describe the C3PAOs’ status. Those terms are:
| Term | Description | Status | April 2021 Counts |
|---|---|---|---|
| Applicant | C3PAO Application has been submitted to the CMMC-AB. | Pending Application Review | 278 |
| Candidate | C3PAO Application has been reviewed and accepted by the CMMC-AB. C3PAO has not yet successfully completed a DIBCAC CMMC Maturity Level 3 assessment. | Application reviewed and accepted by CMMC-AB | 171 |
| | | Sent to PMO for Review | 154 |
| | | Sent to DIBCAC for assessment scheduling | 20 |
| Authorized | C3PAO has passed DIBCAC assessment. CMMC-AB confirms successful assessment and the affiliation of PAs/CCAs with the C3PAO. | | 0 |
| Certified | Will replace Authorized once CMMC-AB is ISO 17011 accredited. | | 0 |
Assessment of Candidate C3PAOs
At the completion of Mr. Travis’ comments, Darren King, the Director of the Defense Contract Management Agency (“DCMA”) Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”), provided an update on his teams’ efforts to assess C3PAO environments under CMMC. Mr. King’s comments were a summary of the presentation he recently provided during a “brown bag” session with C3PAOs. Our coverage of the information presented during that session, including a copy of Mr. King’s full slide deck, can be found here. During the Town Hall, Mr. King reinforced a few points, including:
CMMC Assessment Duration
- From initial scheduling to completion, DIBCAC’s CMMC assessment process takes approximately six (6) weeks. This includes pre-coordination meetings, documentation reviews, the creation of an assessment plan, the actual assessment, and the post-assessment analysis.
- Two weeks before the planned start, DIBCAC makes a go/no-go decision on whether to launch the assessment. If the Assessment Team is not confident in the Assessment Plan and in the documentation it has been provided, the assessment will not take place.
- The on-site portion of a typical CMMC Maturity Level 3 assessment lasts approximately 6 days, which is roughly consistent with DIBCAC’s NIST SP 800-171 assessments.
- Approximately 90% of the assessment can be conducted virtually, but some controls do require site visits.
Assessment Lessons Learned
Mr. King shared some tips and lessons learned across the DIBCAC teams’ 200+ assessments, including the CMMC C3PAO assessments:
- NIST provides SSP guidance, but remember that you need to explain how you meet each requirement. Your SSP cannot be just a restatement of the requirements.
- Understand the difference between a policy, a procedure, and a plan, and use those terms consistently.
- The Assessment Team really does read your policies, procedures, plans (e.g., SSPs), and other documents.
- During the assessment, the team looks for correlations between what your documents say you are doing (i.e., your procedures) and what is actually in practice. It is often clear that many people haven’t read their policies.
- When you review your documents prior to submitting them to an Assessment Team, ensure that all of the documents are in final form, including those incorporated by reference/linked to. For example, if your IT policy includes a reference to an HR policy, make sure the HR policy is in final form too.
- Ensure your policies are signed by senior executives.
- Do a self-assessment, and be critical. Understand that under CMMC, you must be able to demonstrate that all applicable objectives associated with all practices are being met. No open/unmet objectives or practices are permitted. Have your CISO or other individual responsible for cybersecurity sign your self-assessment, and submit the results as part of the assessment documentation.
- Bring your own device (“BYOD”) creates a lot of complexities for organizations.
  - It is important to note that BYOD includes not only laptops, but also mobile phones and other devices.
  - Make sure your documents, including your SSP, adequately address and accurately reflect your organization’s approach to BYOD.
- Cloud creates a lot of complexities for organizations, especially organizations with “frankenclouds” (i.e., organizations which rely on services from multiple cloud vendors).
  - Be sure to include a cloud responsibility matrix in your documentation so it is clear which obligations/objectives are met by the cloud provider and which are met by your organization. Most larger cloud services providers publish such matrices.
  - Be aware that not all objectives can be met by the cloud services provider alone. For example, organizations are still responsible for the physical security of their own locations.
The Town Hall closed with a question and answer session. The questions mostly focused on topics which have been covered on previous Town Halls. However, one attendee asked about the status of the DoD’s Pilot contracts. Ms. Diane Knight of the DoD CMMC Program Management Office (“PMO”) indicated that readiness of C3PAOs has caused some delay in the process. Some pilot contracts were withdrawn due to lack of time for coordination, preparation, scheduling and assessment for FY21 contracts. The PMO also indicated that there have been a few instances where contract awards are moving to FY22 for various reasons, and that those contracts may be considered as CMMC pilots at the appropriate time.