2023 is shaping up to be a HUGE year for the CMMC program! DoD closed out 2023 by kicking off the “Joint Surveillance Program” (“JSP”) assessments of some DoD contractors, and many more are scheduled for 2023. If you aren’t familiar with the JSP assessments, they are voluntary assessments that are led by DoD’s DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center) team but which include representatives from Cyber AB Authorized C3PAOs as part of the assessment team. These JSP assessments count as “High” assessments under DFARS 252.204-7020, which gives contracting officers a higher degree of confidence in the assessed contractor’s cybersecurity program. They are also expected to result in a fast-track to CMMC certifications for those companies that undergo the voluntary assessments.
Your Country Needs You
Obviously, there are some significant advantages for contractors who participate in the JSP program, and contractors are already lining up for assessments. This means the C3PAOs need assessors! According to the Cyber AB’s Marketplace, there are only 178 Provisional Assessors available nationwide to conduct assessments. Even when we add to that workforce the 54 newly-certified Certified CMMC Professionals (“CCPs”) AND DIBCAC’s own approximately 150 assessors, there are less than 400 people who can conduct CMMC-related assessments. That’s an average of fewer than 8 people per state. Clearly, there is a strong need for additional Certified CMMC Assessors (“CCAs”).
Without an adequate number of CCAs, our nation’s defense supply chain will continue to languish. This will leave us vulnerable to our adversaries’ attacks and, ultimately, threatens our servicemembers’ safety. If you would like to help protect those who protect us and have the proper background, now is a great time to become a Certified CMMC Assessor.
Assessor Demand Set to Increase
As if the JSP program wasn’t enough to help motivate people to want to become Certified CMMC Assessors, DoD is also on track to permit formal CMMC assessments to begin, and CMMC certifications to be issued, toward the middle of 2023. Many contractors have indicated that they are targeting the completion of their CMMC readiness programs by about that same time. So, demand for assessments, and assessors, is expected to continue to ramp up over the coming months.
Adding even more fuel to the fire is DoD’s push to include CMMC certification requirements in contracts starting in mid- to late calendar year 2023. Once CMMC requirements begin to show up in contracts, many of the contractors who have been sitting on the sidelines will be forced to pay attention to CMMC and will need CMMC certification.
All of this activity means we are about to see a huge demand for Certified CMMC Assessors. Estimates from various industry groups have suggested that, to handle the anticipated assessment demand JUST caused by DoD contractors, we will need a pool of 3,000-4,000 assessors. If other federal and state agencies begin adopting CMMC (and several have indicated their intention to), the demand for Certified CMMC Assessors could skyrocket. There is no better time to act than NOW if you want to get ahead of the curve and become a certified CMMC assessor!
Dispelling CCA-Related Myths
I have been working in the CMMC-related training programs since the early CMMC working groups, I am a co-author on Cyber AB authorized CCP and CCA curricula, and I contributed to the CMMC Assessment Process (“CAP”), so I am intimately familiar with many of the assessment and education aspects of CMMC. I also talk to people about CMMC all the time, and I know there is still a lot of confusion about the CCP and CCA courses. Below are some common questions I hear, and my standard answer.
| Question | Answer |
|---|---|
| The CCA courses are expensive. What will my team learn? | The training provides detailed instruction on how to comply with cybersecurity requirements outlined in the Cybersecurity Maturity Model Certification (“CMMC”) framework, enabling businesses to become CMMC certified more quickly and cost-effectively. The training also includes access to highly experienced instructors and assessors. Moreover, the CMMC training teaches companies how to cultivate better internal management processes and procedures in order to manage security risks. With this knowledge in hand, businesses are prepared to handle costly data breaches and malicious attacks with ease. |
| Must I pass the CCP exam before I take the CCA course? | No. In fact, completing (or even starting) the CCP course is not a prerequisite for taking the CCA class. To be clear, you must pass the CCP exam and you must complete the CCA class before you sit for the CCA exam, but you don’t need the CCP certification before you can take the CCA course. |
| I have successfully completed my CMMC Certified Professional (“CCP”) exam, but I was told by our instructor that we MUST participate in 3 assessments in order to become CMMC Certified Assessors; what’s the true guidance? | As some analysts noted, this requirement created a “chicken and egg” problem for meeting the anticipated assessor demand, and it looks like DoD and/or the Cyber AB recently decided to take action. According to the latest CCA Blueprint, published by the Cyber AB on December 14, 2022, the 3-assessment requirement has been, at least temporarily, waived. With more and more Certified CMMC Professionals available to help government contractors meet their CMMC requirements, now is the perfect time to take that next step in your journey so you can lead assessments when the United States Department of Defense gives the green light for them to begin (which is right around the corner!). |
| I want to save costs associated with my CMMC compliance efforts by getting CCA training for my internal team so they can help guide our effort. Is this permissible? | YES! And you have a few different options available. For some organizations, private training may be desirable and some Cyber AB Licensed Training Providers, like Phoenix TS, can provide such training for your organization. For other organizations, having their employees participate in classes with peers from different organizations can be advantageous because the employees get exposure to a broader set of experience and questions. Regardless of which route you take (private or group classes), your employees will gain valuable knowledge and experience that can help to guide your implementation and ensure readiness for your assessment. By attending CCA training, your employees are receiving the same mandatory course currently required for ALL Certified CMMC Assessors. So, not only can they help you implement, they can also provide unparalleled and critical guidance with respect to whether or not various evidence adequately and sufficiently addresses the assessment requirements. |
| I have specific questions related to our organization; will there be an opportunity to discuss my questions with a qualified resource? | YES! The CCA course is structured to include active Q&A sessions that will provide your team and you ample opportunity to discuss your specific needs with a Certified CMMC Assessor and Instructor. |
CCA Training at CIC2023
If you want to save costs associated with your CMMC compliance efforts by providing the SAME training our certified CMMC Assessor’s are REQUIRED to take to YOUR internal team members you are in luck! The VERY FIRST CCA course is being offered in conjunction with the CMMC Information Institute’s CIC2023 conference! For more information, and to registerer for the class and/or the conference, simply click here!