The private organization tasked with administering the Pentagon’s new Cybersecurity Maturity Model Certification (CMMC) program began accepting its first tranche of applications this week, one of the most significant steps to date toward DoD’s ambitions of redefining its approach to cybersecurity in its supply base.
On Monday, the CMMC Accreditation Body (CMMC-AB) opened the process to five types of organizations and individuals, including the would-be certified third-party assessment organizations (C3PAOs), the umbrella organizations that will one day hire and manage individual cybersecurity assessors, and “certified professionals,” the experts who will actually perform the cyber assessments DoD will eventually demand for each of its vendors.
“This is an important milestone for the CMMC program,” Ty Schieber, the accreditation body’s chairman, said during a conference call with reporters Tuesday. “It’s a result of months of incredible teamwork and sacrifice by thousands of individuals across the stakeholder base who have volunteered their time and good thinking in shared commitment to the mission.”
The CMMC-AB also announced some of the initial fees it will charge to take part in the CMMC “ecosystem.” Prospective third-party assessment organizations will pay a $1,000 application fee, plus another $2,000 per year if they’re accepted into the program. In addition, they’ll pay fees ranging from $300 to $750 each time one of their assessors actually performs a cyber assessment for a company.
Meanwhile, individuals hoping to become certified assessors will pay application fees of $200 before they move on to more steps in the process, including background checks and a training and testing curriculum that the AB is still developing.
Schieber said that during the “soft launch” on the first day of the application period, 34 organizations applied to be C3PAOs and 87 people registered to be certified professionals, but the board expected a much larger wave of applications to flow in after it notified the more than 5,000 people who’ve expressed interest in CMMC.
Aside from the groups who will be directly involved in the CMMC accreditation process, the AB has also started taking applications from companies and individuals who want to advise companies on how to get ready to undergo a CMMC inspection.
The Pentagon warned the contracting community in February that there were numerous outfits offering advisory services that falsely claimed they could get a company certified under CMMC – well before the AB published the final guidelines.
“The RPOs and the registered practitioners are an opportunity for those who want to be consultants or coaches in the field to not only get training and get some qualifications in CMMC, but also be associated with the CMMC ecosystem, through a listing in our marketplace and our logo,” said Jeff Dalton, the chairman of the accreditation body’s credentialing committee. “It also gives the AB an opportunity to understand who’s doing what out in the field. You obviously don’t have to have that designation to do work in this space, but we’re trying to build an ecosystem of people that all work together.”
By 2026, the Pentagon plans to require all of its contractors to earn a CMMC certification before they’re eligible for new awards. The type of work they’re bidding on will determine which of the five levels of CMMC accreditation they’ll need.
The department has said it plans to test the process in an initial set of 10-to-15 “pathfinder” contracts beginning this year, and has not yet announced which procurements it plans to use in the dry run.
But the accreditation body said C3PAOs and assessors who want to take part in certifying companies for those pathfinder contracts will need to earn an earlier, separate, “provisional” certification, even if they’ve already submitted applications for the CMMC “baseline” process that opened this week. Officials said they plan to open the application process for the provisional program by July 6.
“Those who will go through [the provisional program] will help us perfect CMMC and improve it, and they’ll work with us and DoD closely to look at pilot projects, and we’ll learn from it,” said Ben Tchoubineh, the chairman of the accreditation body’s training committee. “When the formal educational program begins, which is going to be in either late 2020 or early 2021, we’re going to start to educate people in earnest, and then people can become assessors. So what we’re doing right now is selling vouchers for those exams ahead of time so people can reserve their spots. And those provisional assessors that are going to help us perfect the program will still have to go through the formal program to become certified assessors.”