The CMMC-AB held a “town hall” for those in the CMMC Ecosystem (i.e., for Registered Practitioners, Registered Provider Organizations, C3PAOs, Provisional Assessors, and Licensed Publishing Partners). The CMMC-AB provided program updates for approximately 30 minutes, and then took questions for almost an hour. You can view a recording on Vimeo.

Some key take-aways include:

  • Licensed Software Providers (LSPs): The CMMC-AB will be releasing a set of data models, APIs, and other information to streamline the assessment process. The CMMC-AB will be licensing the use of those APIs and data models to software developers. More details on the LSP program will be announced soon.
  • C3PAO Handbook: A handbook that will guide C3PAOs through the assessment process, including describing their responsibilities in the CMMC Ecosystem, data to be sent to the CMMC-AB and DoD, etc., will be published soon.
  • Ecosystem Timing: The CMMC Ecosystem is still very much a work in progress. The program timeline is currently projected as:
    • February 2021: Begin Training Provisional Instructors
    • March/April 2021: First Courses with CATMs Released by LPPs
    • April 2021: First Certified Classes offered by LTPs (Certified Professional, Certified Maturity Level 1 Assessor, Certified Maturity Level 3 Assessor)
    • May/June 2021: Beta versions of the Certification Exams will be available
    • September 2021: Training and Certification Framework fully implemented
  • Applications open for Provisional Instructors: Applications for Provisional Instructors are now open. More information will be forthcoming on the CMMC-AB website. You must have requisite assessment or professional experience, along with teaching experience. Anyone interested in applying to be a Provisional Instructor can E-mail CMM[email protected] and include a copy of their resume to apply.
  • Processing of Registrations and Applications:
    • 469 individuals have been approved as Registered Practitioners, with an additional 511 registrations still needing to be processed
    • 251 Registered Provider Organizations have been approved with an additional 46 registrations still needing to be processed
    • 20 C3PAOs have been tentatively approved but must be assessed by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) team before they can begin assessments, and 369 companies have applied for C3PAO status. The DIBCAC Assessment will be done at no cost to the C3PAOs.
    • 100 Provisional Assessors have been approved (plus an additional 20 DIBCAC team members)
    • 16 Licensed Partner Publishers (LPPs) have been approved and are currently working on training programs (CMMC-AB Approved Training Materials, or CATMs) that will be made available to approved Licensed Training Providers (LTPs) (e.g., colleges, professional training organizations, etc.)
  • Independent Training Review: Under the CMMC-AB’s training program, all LPP training courses must be reviewed and approved by an independent third party to ensure they meet the CMMC-AB’s requirements, including meeting all learning objectives set by the CMMC-AB. Procert has been selected to provide that independent review.
  • Exam Creation and Testing Service: Scantron has been selected to develop and provide the CMMC-AB’s exams based on the CMMC-AB’s learning objectives.
  • Compensating Controls: Those organizations that have already implemented robust cybersecurity programs may identify certain cases where one or more requirements in NIST SP 800-171 are not explicitly met, but instead they have adopted compensating controls that accomplish a similar purpose. DoD and the CMMC-AB have not finalized an approach for how assessment of such compensating controls should be accomplished under CMMC. In the interim, the CMMC-AB recommends reviewing a memorandum entitled “Assessing Contractor Implementation of Cybersecurity Requirements”, available from the DoD’s Procurement Toolbox. The memorandum lays out the DCMA DIBCAC team’s approach to handling compensating controls when conducting NIST SP 800-171 assessments. The memorandum is not directly applicable to the CMMC-AB or CMMC, but it is expected to provide a good foundation for any organizations looking to perform a gap analysis or other assessment preparation efforts. Look for additional, formal guidance from the CMMC-AB and/or DoD in the future.
  • External Service Providers: Your relationship with your external service providers will determine whether they need CMMC certification, too. As a general rule, if they create, receive, process, store, or secure Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on your behalf, they will need CMMC certification. If they are a cloud services provider who will be receiving, processing, storing, or securing CUI, they will be required to meet FedRAMP Moderate requirements as well. Organizations Seeking Certification (OSCs) may need their external service providers to be involved in any assessments unless/until the external service provider has been certified.
  • Reciprocity with other Standards: Reciprocity is still very much a work in progress. Expect more from DoD and/or the CMMC-AB when the DoD scoping guidance is released.
  • Scoping Guidance: Scoping guidance is projected to be available sometime in the first quarter of CY2021.
  • International Implications: DoD is actively working with foreign partners to craft bilateral agreements that will allow CMMC to be more easily rolled out internationally, including addressing reciprocity with other international standards. Many foreign countries are watching the CMMC program very closely with an eye toward adopting it once it is operational.
  • CEO Search: Closes on January 11, 2021. They hope to make a decision by mid-February.
