Dear Prospective Volunteers:
Thank you for wanting to help to create a stronger CMMC Ecosystem! We want to start off by being clear: The CMMC Information Institute (“CMMC Info” or the “Institute”) is not affiliated with or endorsed by the US Department of Defense (“DoD”) or the Cybersecurity Maturity Model Certification Accreditation Body (“CMMC-AB”). The Institute was created by industry for industry. Our goal is to help all organizations, but especially small and medium businesses, improve their cybersecurity, data privacy, and enterprise risk management programs. We are beginning that process by focusing on helping businesses secure the DoD supply chain by achieving their CMMC certification. The CMMC Information Institute is a nonprofit corporation registered in the state of Pennsylvania. Our 501(c)(3) application is pending with the IRS.
This is a long message, and we apologize in advance. We want to be transparent with you so you know what the vision is and how we plan to get there. So, let’s get a few things out of the way first:
Your Contributions
By participating in the CMMC Info Working Groups and the CMMC Info Communities (the “Communities”), you will be creating tools, information, and other content (the “Content”) that will be used by the Institute. That Content will, in most cases, be combined with content we create internally and content from others to create the Institute’s materials (the “Materials”). You hereby agree to grant, and do grant, the CMMC Information Institute a nonexclusive, unlimited, worldwide, royalty-free, sublicensable, irrevocable right to make, use, sell, offer for sale, import, maintain, modify, create derivative works of, and otherwise enjoy the use of that Content without limitation anywhere in the universe. To be clear, we are not asking for ownership of your Content. You own your Content, but you are agreeing that you can’t stop us or anyone who uses our Materials from using any of your Content that might be in the Materials.
The CMMC Information Institute will make most of our Materials available to anyone on an open-source basis. We have selected the Creative Commons CC-BY-ND license for most of our copyrighted works, and most tools will be released under the MIT license or a slightly revised version of it. This means that any Content you contribute to the CMMC Information Institute is likely to be made available to the general public and can be used by anyone for both internal business and commercial purposes. The one caveat to this is that, under the CC-BY-ND license, the people using the Materials cannot distribute derivative works of our materials. That is, they cannot modify the Materials and then distribute the modified versions to anyone.
We license the Materials in this way because we don’t want them removing the Institute’s logo and disclaimers from our Materials and redistributing them as their own work product. We also don’t want them modifying the Institute’s Materials in a way that we don’t approve, such as by removing the liability disclaimers that help protect you and the Institute or by adding incorrect information and passing it off as the Institute’s information. Instead, we encourage everyone to bring enhancements/improvements back to the Institute so those enhancements/improvements can be incorporated into new versions of the Materials so the entire CMMC Ecosystem can benefit from them.
We appreciate your efforts and want you to be proud of your contributions to the CMMC Ecosystem. To that end, we will try to recognize your contributions where possible. However, due to the nature of certain Materials, we cannot guarantee that every contributor will receive recognition or that you will receive equal recognition as other contributors.
How we expect to make money
You probably noticed above that we mentioned that most of our content will be publicly available and released under the CC-BY-ND and MIT licenses. Some content will be reserved for use by CMMC Info Communities members and/or under other licenses. That is, in part, to encourage people to become CMMC Info Communities members since that is one of our revenue sources. The CMMC Information Institute expects to generate its revenues from six primary sources:
- Communities memberships
- Jobs listings
- Non-CMMC-AB Certified Training Programs
- Credentials and Badges
- Sponsorships
- Conferences and webinars
Communities Memberships
We recognized that industry needs a trusted source for CMMC-related information, and we created the Communities as a way for different organizations to come together, share experiences and insight, and build consistency in the CMMC Ecosystem. Most of the Communities content is viewable by anyone (that is, the world has read-only permissions for most of the Communities). Participation in the Communities, including asking questions of other Communities members, requires membership. We offer basic monthly individual memberships for $18 per month. We also offer annual individual memberships and corporate memberships. Corporate memberships are bundles of annual individual memberships. Annual and Corporate members will also receive additional benefits, including early access to some content, tools, etc. That early-access content will be released under more restrictive licenses until it becomes more widely available. Additional details about the Communities memberships are available on our website.
Jobs Listings
We know that finding qualified talent can be difficult, especially in cybersecurity. We have a job board on which all corporate members can post new job opportunities. Our current standard fee for a job listing is $100 per month.
Non-certified Training Programs
The Institute is not currently, and is not pursuing becoming, a CMMC-AB Licensed Partner Publisher (LPP). We also are not, nor do we currently expect to become, a CMMC-AB Licensed Training Partner (LTP). However, we recognize that the broader market needs better CMMC-related training. We are developing training courses aimed at helping those in non-technical roles, such as boards of directors and other senior leadership, better understand supply chain risks, the CMMC program, and their contractual and ethical obligations when it comes to cybersecurity and data privacy. The course curriculum will be available under the CC-BY-ND license, and can be taught by anyone and/or incorporated into larger training programs. We will also offer recorded versions of the course for free on our website so organizations can watch and learn from the content at their convenience. Those videos can also be used by third parties for free, including embedding in their own tools and websites.
The Institute will offer, for a fee, in-person and virtual training based on our curricula to those organizations wanting to hire us as a vendor-neutral educator.
Credentials and Badges
The Institute expects to offer certifications around at least some of the training courses we will provide. The credentialing process will involve the users demonstrating their knowledge through one or more quizzes, tests, hands-on demonstration of knowledge, or the like. We will charge fees as part of that certification process. The fees will vary depending on the nature of the credentials (e.g., we will likely charge very low rates for highly targeted “micro credentials”).
Sponsorships
The CMMC Information Institute is already generating significant traffic every day and as participation in the Communities increases, we expect the traffic to increase as well. Sponsorships allow organizations to highlight their commitment to building a strong CMMC Ecosystem and improving our nation’s supply chain security, even beyond just participating in the Communities or the Institute’s other initiatives. Sponsors are listed prominently on the CMMC Info website and gain other benefits, including participating with us in webinars.
Conferences and Webinars
CMMC Info will be hosting a series of webinars offering information around cybersecurity, data privacy, and related topics. Some webinars will be available to everyone without charge, while other webinars may include fees to attend and/or co-present with us. We are also planning a CMMC World Congress for later in Calendar Year 2021. The 2021 event will be all-virtual, and will include a wide range of sessions, including sessions aimed at those in different roles in the CMMC Ecosystem (e.g., business owners, IT/security, government, etc.). We will receive proceeds from revenues generated by this event.
Overview of The CMMC Information Institute
With that out of the way, below is an overview of the vision for the CMMC Information Institute. As you may have picked up on in the preceding conversation, the Institute has four main components:
- Tools and resources
- Communities
- Articles and news
- Training
We want each of those components to be driven by the community, and we welcome your volunteer participation in any/all.
Volunteer Roles
We are looking for volunteers to help with various aspects of the Institute. Below are some ideas, but, as mentioned above, the Institute is intended to be “by industry, for industry;” if you have suggestions for other initiatives, please reach out!
Tools and Resources
We have created basic FAQs and a glossary, as well as a self-assessment scoring template, a Systems and Information inventory template, Maturity Level 1 Gap Analysis worksheet, and other tools. We would appreciate assistance with:
- Creating a discussion guide
  - Useful for speaking with state/local government leaders and others about CMMC
- Creating additional FAQ entries
  - We have been collecting questions and can use assistance in both writing answers and in adding still more questions
- Creating a glossary
  - Greg McVerry has done a great job of collecting some of this information, and we’d like to create a glossary on the site using information he created and information from others
- Enhancing the Systems and Information inventory template
  - Are there fields that should be added?
  - Is there any automation, color coding, etc. that can be added to make the template more valuable?
- Enhancing the Maturity Level 1 Gap Analysis worksheet
  - Are there fields that should be added? (e.g., current status of each of the examine, interview, and test Objective Evidence creation/collection efforts)
  - Should additional information be added to the drop-down fields?
  - Is there any automation, color coding, etc. that can be added to make the template more valuable?
- Creating a Maturity Level 3 Gap Analysis worksheet
  - Import in the practices and objectives;
  - Can a basic SSP template be created and the spreadsheet automated based on the SSP?
  - Enhance POA&M piece and other aspects
  - Add automation, color coding, etc. to make the template more valuable
- Building a Hackathon around creating Maturity Level 1 and Maturity Level 3 Sample Environments
  - Companies need help creating ML1 and ML3 environments. Most companies don’t want to (and shouldn’t) broadcast their network architectures, etc. to the world. So, we’ve decided to define 3 fictitious companies, and to host a Hackathon in which teams create sample environments supporting those companies. We need help with:
    - Adding more details about the sample companies
    - Creating the Hackathon rules
      - Weighting for implementation costs, passing simulated assessment, other factors (e.g., self-assessment scoring using DoD self-assessment scoring system)
      - Describe the outputs expected (e.g., working sample environment vs paper based, objective evidence, scoping analysis, etc.)
    - Creating training for Hackathon participants
      - They will most likely not be that familiar with CMMC, so we’ll need to create some basic training for them
    - Identifying judges
- Creating Maturity Level 3 Sample Environments
  - Same as above for the Level 1 Sample Environments, and include not only the CMMC-specific requirements but also Section 889, DFARS 252.204-7012 (cyber reporting and other requirements beyond NIST SP 800-171), etc.
- Creating sample processes, policies, and procedures to help organizations meet the Maturity Level 2 and Maturity Level 3 requirements, including illustrations of how the processes, policies, and procedures will vary depending on the nature of the organization and the environments.
Training
We will be creating training curricula aimed at people in different, non-certified/registered roles in the ecosystem. We need volunteers to proofread the curricula to ensure it is accurate and easy to understand (within reason, given the audience and complexity of the subject matter). If you enjoy video editing and animation, creation of intro/outro animated clips or other features for the video aspects of the training would also be appreciated.
Communities
We need help testing the Communities and other aspects of the site before we open them up to a wider audience. For now, memberships must be approved by a CMMC Info administrator before anyone can participate. Some minor expenses (less than $10 per person) may be involved in this process.
We will need moderators to help ensure the conversations in the Communities stay within appropriate bounds. We know it can be painful sometimes, but we are open to constructive criticism of the Institute, the CMMC program and documentation, and the CMMC-AB. What we don’t want are people coming in and instigating trouble or creating a hostile environment, including openly and repeatedly bashing a specific individual or organization. We all, service providers, vendors, DoD, the CMMC-AB, OSCs, and especially the Institute, will make mistakes. But we need to be moving forward and trying to make things better, not simply tearing the system or each other apart. Moderating forums can be a tough challenge. If you’re up for it, we’d like to hear from you.
Articles and News
The training will provide overviews of CMMC, its objectives, and other aspects of the CMMC program. Communities can help people get individual assistance with issues, from interpreting requirements to configuring systems and everywhere in between. There is a big gap in between the role of the Communities and the training, though, and that’s where the articles come in. We need help building out a robust set of articles that walk people through different practices and processes, talk about experiences and lessons learned during assessment preparation/assessments, etc. We are also looking for forward-thinking, academic articles that address enhancements to CMMC, supply chain security, cybersecurity, data privacy, enterprise risk management, and related topics. If you have an idea for an article, please reach out to us.
Our goal is to have all articles peer reviewed before they go live to ensure the accuracy of the articles. As noted above with respect to the Communities, the reviews are not intended to stifle conversations about ways to improve CMMC, etc. Our goal instead is to ensure that any articles are based on an accurate understanding of CMMC, cybersecurity, etc. For example, we will not publish an article whose premise is that the CMMC-AB shouldn’t be conducting assessments because it would be more efficient for industry to do it, since the CMMC-AB will not be conducting assessments. By contrast, we would welcome an article that constructively analyzed the advantages and disadvantages of the CMMC-AB’s proposed certification program versus the ISO 17019/17020 standards or other approaches. If you are interested in reviewing articles before they are published to ensure they are accurate, please reach out to us.
Usability and Appearance
The Institute uses WordPress to power much of its functionality. This is great for content management, but some user interfaces and other aspects are a bit clunky still. If you have experience writing PHP code, CSS, or other relevant functionality, we’d like to chat about ways we can make the site easier to use.
What’s in it for you?
We’re asking for a lot of help. As mentioned above, we will attempt to recognize your contributions in various ways on our site and in our Materials as appropriate. We will also extend a limited number of free memberships to those helping us in these early stages as we continue to build out the site and its content. These members will also receive a special CMMC Information Institute Founding Contributor badge and special recognition on our site. In the future, we will likely offer discounted memberships to those acting as moderators and helping in other capacities.
Conclusion
Again, we know this is a lot to ask. We are grateful for your interest in helping us create a strong CMMC community. If you are willing to help, we look forward to your participation! Please visit https://mailchi.mp/cmmcinfo.org/volunteers and fill out the form.
Sincerely,
James Goepel and Paul Flanagan
Co-Founders, CMMC Information Institute Inc.