The CMMC-AB hosted a town hall meeting last night with several members of the DoD CMMC PMO, including Katie Arrington, Stacy Bostjanick, and Diane Knight.

You can watch the video here:

There were some technical issues for some of the presentations and there are breaks in the rest For those who have been closely following CMMC, there weren’t any major surprises. Some of the highlights include:

  • The CMMC-AB elected Karlton Johnson to be the Chair of the Board of Directors, with Jeff Dalton serving as Vice-chair.
  • Katie Arrington gave a brief introduction and mentioned that there is “no hint that CMMC isn’t moving forward” in the new administration.
  • Diane Knight gave a thorough overview of the status of the CMMC program that included:
    • Updates to the Interim Rule are not likely to happen until sometime in the April to July timeframe
    • CMMC will not be applicable to micropurchases
    • “Pathfinder” CMMC contracts are almost done.
      • Pathfinder participants were assessed by DIBCAC team against the CMMC Model
      • Assessments were non-attributional, non-punitive, and not for “score”/certification
    • Work on the “Pilot” solicitations with CMMC requirements will begin soon
      • Baseline for the pilots is that CMMC Maturity Level 3 will be implicated (i.e., the Prime contractor will receive or create CUI)
      • Pilot participants will be assessed by CMMC-AB accredited C3PAOs
      • 7 pilot solicitations already identified (up to 15 will be done this year)
      • All solicitations with CMMC requirements must be approved by OUSD(A&S)/OCIO(A&S)
      • The US Navy’s F/A-18E/F Full Mod of SBAR and Shut-off Valve solicitation will likely be the first to work through CMMC process
      • The OUSD(A&S) is not funding the CMMC-related aspects of the Pilot programs
    • Within the solicitations:
      • Section C will make it clear that prime contractors and their subcontractors must have their CMMC certifications by the time the contract is awarded
        • Government will have the right to conduct a forensic analysis in the event of a breach or warning (goes beyond just what is required in DFARS 252.204-7012)
      • Section L will require Contractors to provide their plan for how information will flow between the prime contractor and any subcontractors, how it will be monitored, and how it will be managed
      • Section M will state contractors without appropriate CMMC level will not be considered in the final competitive range for contract award
      • There are some other suggestions coming out of the Pathfinders as to how the contracts will be handled. More details will be forthcoming.
  • Jeff Dalton gave an update on the status of the CMMC Ecosystem
    • Registrations
      • 53 C3PAOs have been approved
      • 100 Provisional Assessors have been trained
      • 339 RPOs have been registered
      • 1060 RPs have taken the training and are now registered
    • Assessments
      • Although the CMMC-AB has approved C3PAOs, they cannot begin assessments yet. DIBCAC must certify their cybersecurity programs against CMMC Maturity Level 3 before the C3PAOs can begin assessments. Stacy Bostjanic mentioned later that the assessment of C3PAOs is expected to begin in March. She also mentioned that C3PAOs will likely need at least a portion of their Certified Assessors to be full-time employees (i.e., they cannot all be 1099 employees).
  • Ben Tchoubineh gave an update on the status of the training program
    • Formal training will not begin until late spring or early summer
    • Formal certification examinations are not expected until September
  • The team discussed that the CMMC-AB will become an ISO Accreditation Body able to accredit the C3PAOs as certification agencies. That process is expected to take approximately 24 months. C3PAOs should hold off on pursuing separate ISO 17020 certification at this time until more details are known.
  • The CMMC-AB will likely be reorganizing at some point in the next 1-2 years to create a separate organization that will coordinate the training programs.
  • The Q&A session covered many topics, including:
    • Guidance on how to evaluate the scope of an assessment (i.e., which part of a contractor’s environment are subject to assessment and included in the certification) was identified by DoD as a missing piece in the CMMC Assessment Guide. This is critical as organizations begin their assessment preparations, and many people voted to make that the top question asked. DoD acknowledged that it was needed, but would not commit to a particular date for the release of the information. They said it was coming “in the very near future”.
    • Another highly-ranked question was whether DoD could provide insight into how long a process needed to be demonstrably in use before it would count as “mature”. No timeline was given.
    • Still another highly-ranked question/issue concerned marking of Controlled Unclassified Information. The DoD representatives recognized that this is an area where DoD needs to make improvements, and they are requiring all relevant staff to undergo training. This is the same training available to contractors here. They are also reworking some of their internal practices to help ensure information is properly marked before it is released to the contractors.

Click to rate this post!
[Total: 0 Average: 0]
This entry was posted in and tagged . Bookmark the .