By: James Goepel, Kyle Lai, Carter Schoenberg, Tony Buenger, and Derek White
The CMMC Ecosystem is heavily dependent upon on Authorized CMMC 3rd Party Assessment Organizations (“C3PAOs”). The C3PAOs facilitate the assessments of, and issue the certifications to, Organizations Seeking Certification (“OSCs”). This process is the core of the CMMC program and is vital to ensuring its success. The C3PAO authorization process, in turn, relies heavily on the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) team from the Defense Contract Management Agency (“DCMA”), an organization that is already bandwidth constrained. The Department of Defense (“DoD”) and the CMMC Accreditation Body (“CMMC-AB”) have identified target numbers for the serviceable available marketspace. At the current pace of approving C3PAOs using existing DIBCAC staffing, these targets will be years behind and thus impact national security interests of the United States.
In this article, we will explore alternative approaches that can expedite the expansion of the CMMC Ecosystem.
To become a C3PAO, an organization must meet requirements set forth by the (“CMMC-AB”), as well as additional requirements mandated by the US Department of Defense (“DoD”). One such requirement is that the C3PAOs must have their own cybersecurity programs assessed against the CMMC requirements, and the environments in which assessment information is stored must be certified, at a minimum, to CMMC Maturity Level 3. That creates a bit of a chicken-and-egg scenario, since the C3PAOs are the only organizations that are authorized to issue certifications, but until recently there weren’t any C3PAOs.
DoD recognized this issue in 2020 and worked with the CMMC-AB to train the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) assessors (part of the Defense Contract Management Agency (“DCMA”)) on the CMMC Model and the CMMC assessment methodology. The DIBCAC team was then granted special dispensation to award CMMC certifications to those candidate C3PAOs who had met the CMMC-AB’s other requirements. Once a C3PAO’s environment is certified at Maturity Level 3 by DIBCAC, the C3PAO must still meet a few additional, DoD-specific requirements. Those requirements are defined and the process for oversight resides with the DoD’s CMMC Program Management Office (CMMC PMO). After those requirements are met, which can take several weeks, the C3PAO is added to the CMMC-AB’s Marketplace as an Authorized C3PAO.
C3PAOs are Being Authorized, but Slowly
As noted in our previous articles, the DIBCAC team began assessing C3PAOs in March of 2021. The first C3PAO to meet the Authorization requirements was announced during the week of June 7, with the second announced the week of June 16. As of the date of this article, there are over 160 candidate C3PAOs in line for their CMMC assessments by the DIBCAC team. If the DIBCAC/CMMC Program Management Office team continues at their current rate of authorizing one C3PAO a week, the backlog of candidate C3PAOs will not be cleared for over three years. This creates significant delays for those C3PAOs awaiting assessment, pushes out the timeline for the CMMC Ecosystem meeting market demand, lengthens the time during which OSCs must wait to obtain a CMMC certification, and could create market advantages for those C3PAOs who are already authorized.
Less Desirable Options
DoD has several options for addressing this self-imposed bottleneck. These options include redirecting the DIBCAC team, hiring additional assessors for the DIBCAC team, and allowing (and even requiring) existing Authorized C3PAOs to assess Candidate C3PAOs.
Redirect DIBCAC Team
While DoD could refocus the DIBCAC teams to assess only Candidate C3PAOs to clear the backlog, doing so would pull the DIBCAC team away from their primary mission, ensuring contractors are meeting their current cybersecurity requirements. This is likely to create scenarios in which DoD’s valuable information, including Controlled Unclassified Information (“CUI”) which is at the core of CMMC, is actually less safe because the DIBCAC team is not assessing current contractors. That makes this option undesirable.
Hire Additional DIBCAC Assessors
DoD could add assessors to the DIBCAC team to meet the C3PAO assessment demand. However, the government hiring process is inherently lengthy, meaning that it will take at least several months before the first new assessors would be added to the team. The government will also have to attract qualified personnel at a time when there are reported to be at least hundreds of thousands of unfilled cybersecurity related positions. That will make it expensive to bring those employees onboard and attracting a significant number of qualified employees in a timely manner is likely to be difficult. Once hired, those employees will also have to be trained in performing CMMC assessments. This training will make them highly valuable in industry, and the government will face significant employee retention issues. If DoD chooses this approach, one option that should be considered to enhance the Department’s ability to attract and retain employees is to maximize the use of the scholarship for service programs defined at CyberCorps®: Scholarship for Service (opm.gov). This enables a tangible pathway and ensures retention for a period of no less than three years.
Even if the government is able to attract and retain a sufficient number of assessors, once the backlog of candidate C3PAOs has been cleared, these assessors will have to be retrained for other duties.
The long hiring process, difficulty attracting and retaining candidates, and long-term career issues associated with this option make it less than optimal.
Rather than rely on the options outlines above, we propose that once five (5) Authorized C3PAOs are available in the marketplace, DoD permit Authorized C3PAOs to conduct assessments of candidate C3PAOs. Candidate C3PAOs should be permitted, at the candidate C3PAO’s option, to wait for an available DIBCAC assessment team or to hire an Authorized C3PAO to perform the assessment. There are already over 100 Provisional Assessors who are able to meet the candidate C3PAO assessment demand, which is over twice as many assessors as are on the entire DIBCAC team.
Benefits of this Approach
There are several benefits of this proposed approach, including:
- Competition – By waiting until candidate C3PAOs can choose from five Authorized C3PAOs, the approach fosters competition among the Authorized C3PAOs and will help reduce the barriers to entry for smaller C3PAOs.
- Competition – By allowing the Authorized C3PAOs to assess candidate C3PAOs, the Authorized C3PAOs will be creating a more competitive assessment environment.
- Increased Pricing Accuracy – Authorized C3PAOs will have a better sense for levels of effort, assessment team sizes, assessment durations, and other critical pricing-related factors so they can more accurately price OSC assessments once that process formally begins.
- Increased “Real World” Feedback – The CMMC Model, CMMC Assessment Guides, and other attributes of the CMMC program are still in flux and may change significantly over the next few months. Allowing the Authorized C3PAOs to perform assessments of candidate C3PAOs will allow the Authorized C3PAOs to learn additional lessons which can be shared with DoD and help further shape the impending CMMC revisions. This would allow DoD to receive feedback not only from internal DoD employees (i.e., the DIBCAC team) but also from those in industry, whose perspectives and experiences may differ from those of the DIBCAC team.
- DIBCAC Workload – Those candidate C3PAOs who elect to hire an Authorized C3PAO to perform their assessment will be removed from the DIBCAC queue, shortening their overall backlog. (See note below regarding DIBCAC auditing of assessment results.)
Additional Implementation Details
DIBCAC has played, and should continue to play, an important role in the CMMC Ecosystem development process. We recommend that DIBCAC audit a random subset (e.g., 20-30%) of the assessment results to ensure the assessments are being conducted in accordance with DIBCAC’s standards and the CMMC Model. This will give DoD the assurances they may need to be confident in this approach. While this will still increase the DIBCAC workload, the time needed to perform the audit is significantly shorter, and number of personnel significantly less, than is needed to perform an assessment. Thus, the DIBCAC team will likely see a significant decrease in their obligations with respect to candidate C3PAOs.
Unlike the current model where DIBCAC assesses the candidate C3PAO’s environment at no cost, the candidate C3PAOs should be expected to compensate the Authorized C3PAOs for the assessment costs. We have attempted to address this, in part, by creating a competitive environment that will keep the costs down. However, we recognize that for some smaller candidate C3PAOs, the costs may still be significant. We therefore also propose that the CMMB-AB discount the “activation fee” paid by those candidate C3PAOs exercising this option by 50% (i.e., to $1000).
An Authorized C3PAO must not conduct any assessments of the Authorized C3PAO that has assessed them or its subsidiaries due to the concern of conflict of interest. Similarly, no member of the Assessment Team that assesses the candidate C3PAO may perform assessments on behalf of the candidate C3PAO, either as an employee or contractor, for a period of at least 2 years.
Any candidate C3PAO who disagrees with the Authorized C3PAO’s findings can appeal the determination to DIBCAC for adjudication.
To be clear, this is not a criticism of the DIBCAC team or their assessments. From all accounts, they are a highly professional and highly experienced group. Nor is it a criticism of DoD’s use of the DIBCAC team to solve the fundamental chicken-and-egg problem. Instead, it is offered as a recognition that, as the number of Authorized C3PAOs increases, allowing market forces to solve the backlog problem seems the most prudent approach.