Even for the government, the Defense Department’s Cybersecurity Maturity Model Certification program is a complicated apparatus. Its goal is ultimately to ensure that DoD agencies can be reasonably sure their data held by contractors and subcontractors is secure. Central to CMMC is a group known as the Accreditation Body. Here was an update from the Chairman of the Accreditation Body Board of Directors, retired Air Force Col. Karlton Johnson on Federal Drive with Tom Temin.
Insight by Carahsoft: Learn about the major efforts going on across government to not only secure the technology supply chain, but have a long-lasting impact on all users of technology by downloading this exclusive e-book.
Tom Temin: Col. Johnson, good to have you on.
Karlton Johnson: Thank you, I’m looking forward to having a great conversation.
Tom Temin: And if you would just review the moving parts, the major moving parts of the CMMC, because you’ve got the agencies, you’ve got the creditors, you’ve got the accreditation body, you’ve got a lot of people making sure this all happens – a lot of groups.
Karlton Johnson: Yeah, absolutely. And it’s kind of interesting to watch how this has unfolded. If you don’t mind, I’ll just talk a little bit about what the ecosystem looks like, and how the parts and pieces play together at a big level. So of course, it starts with the federal government and their requirement. And they have this information called controlled unclassified information that will – or maybe in certain contracts. And if you aggregate this – CUI is what it’s called – you need to protect it in a way that you’re helping to protect sensitive information. So to do that, what we were asked to do and what we have done is established an ecosystem that allows people who received this to have certain levels of standards to protect it. It starts with the CMMC Accreditation Body. We’re set to be volunteers, I’d like to say professionals, who have answered a nation’s call. And we’ve come together to build an ecosystem that includes certified third-party assessors, or C3PAOs. Those are the entities that will be charged working with companies like Lockheed or Boeing or others. And those entities are called organization seeking certification, or OSCs. They work with those entities and let’s say Lockheed or whoever says ‘I’d like to be certified.’ The C3PAO then reaches out to assessors in the field. And those assessors me either work for the C3PAOs or come from independent locations. And they descend upon the OSC, they perform the assessment. And then once the assessment is done, that information is bundled up to and through the C3PAO to the Accreditation Body. And together we make sure that the Ts are crossed, the Is are dotted. And then if all that works out, the C3PAO issues out the certification. So we’ve built that portion of the ecosystem. In addition to that, we have started to – and field it – licensed training partners, licensed posts and partners, and those are parts of the ecosystem that will help create content to help people understand what CMMC is about, and also create instructors so that this becomes a scalable effort. So holistically, you have the C3PAOs, the assessors, you have the organizations seeking assessment – OSCs – and then you have the training end. In addition to that, because we knew that people wanted to get an early start, we identified what we call registered practitioners, RPs, and registered provider organizations, RPOs. Those are people who are not certified, but they do have a level of IT expertise, and we give them CMMC training. And essentially, they go out and work with businesses to help consult, if you will, and they advise. The key behind the RPs, RPOs – just so you know – an RP and RPO cannot certify you, but they can help you get ready for CMMC.
Tom Temin: Yes, you answered my next question so that you keep all the parts separate so that there’s no conflicts of interest that could creep into the system otherwise?
Karlton Johnson: Absolutely. And that’s an excellent point. I’m glad you brought that up. There is a clear separation of the various parts of the ecosystem to exactly do that. For example, if you’re an assessor, and you have worked for the company that you would assess, you can’t assess them. So we built into the ecosystem, different levels of conflict mitigation, and remediation.
Tom Temin: Sure. And I guess the main question for this time in history, are there enough assessors to go around to get everybody assessed, because my understanding of this is there’s 300,000 potential companies that need to have that assessment?
Karlton Johnson: And here’s how I’m gonna answer that: This is not supposed to be a – we descend and do 300,000 assessments today. It was never envisioned to be that. As the government has articulated, this is a crawl-walk-run program. And so the initial tranche that we’ve been asked to provide, which is approximately I think the number’s about 150 assessors we have already trained, those were for the initial pilots and programs that were established within this fiscal year. Keep in mind that we’re building all of this in 2020 COVID land. And so despite COVID we have been able to field the initial 150. Once the license and training partners and publishing partners, get the instructors going, now we’ll be able to see scale that up further. And as the government and industry identifies the requirements, expectations, we’re going to scale to that demand.
Tom Temin: We’re speaking with Karlton Johnson, he’s board chairman of the CMMC Accreditation Body. And does the body oversee the [C3PAOs] and the assessors only? Or do you also oversee the registered practitioners, the RPOs, that end of things also?
Karlton Johnson: That’s a great question. And so I guess I’ll answer that this way: We manage and created the entire ecosystem. We provide oversight and governance for those constituent parts of the ecosystem. So we do work with the C3PAOs, and the assessors work through the C3PAOs. The RPs and RPOs, essentially what we do is given that initial training, as I mentioned, and then they’re off to do what they need to do. Now that said, Here’s why the RPO and RP program’s important – we provide them not only with the CMMC training, but we also require them to sign ethics documents, and ensure at least identify that they are going to follow those standards. So when you come to our marketplace that we’ve been asked to create by the government, you have choices, you can go out and find somebody on your own to do work with you. But just like any event, you pay for what you get. At least by coming to our marketplace, you have people who have gone through a level of checks – by the way … a background check, I didn’t mentioned that – and they do have a certain level of training, so you’re getting a certain level of quality by going with them. But that’s the extent of what we do with the RPs and RPOs. Everything else falls under our umbrella at this time.
Tom Temin: And you mentioned the board members are volunteers. And I want to get back to that. But let me ask you this – is the expectation of this program that someone who becomes an assessor can make a living at it? And if that’s the case, how do the assessors get connected with the organizations seeking certification? Is that an open marketplace? Or is there some kind of match up system?
Karlton Johnson: It’s an open marketplace. And what we do is we establish that marketplace. So let’s say that, again, you’re a company wanting to get certified. You come to our marketplace, we’ll have the C3PAOs identified, and then you would connect with that C3PAO. That C3PAO would then go out into the marketplace and get assessors. And those assessments will come from the system that we have created to get assessors certified and approved. Those assessors may already work for a C3PAO. But they would have gone through the exact same certification process. And that is pretty rigid. That’s a strict process to ensure the credibility and viability of the program. So can an assessor make a living of that? Well, 300,000 companies out there looking for CMMC. And we’re hearing other government sectors want to start adopting this. And we’re hearing also from international people. So I suspect that assessors will have a lot of ability to do well in this market. But the other piece I’ll tell you is that the adversary is remaining agile. So as long as there’s somebody who’s looking to get into the systems and networks, and steal IP and so forth, this is going to be a market for assessors.
Tom Temin: You bet and the assessors, what types of skills do they need to have?
Karlton Johnson: If you go to our website, we list specifically what each assessor needs to have. I’ll just kind of talk high level. Of course, they have to have a certain level of IT background. Certain number of years being in the marketplace and demonstrated that they have that level of skill. They go through extensive CMMC training, and they have to take tests. They also have to sign documents regarding ethics, and so forth. And once they’ve been vetted through that entire background checks, and so forth, they’re approved through our system.
Tom Temin: All right, and let’s get back to the board. They’re volunteers. And are you a volunteer? Or do you have a day job in addition to this? Because it sounds like it’s probably something that would take up most of your time?
Karlton Johnson: I’m kind of smiling here because, yes, I am a volunteer. No, I don’t get paid for this. Not a single member of the board gets paid for this. And yes, it’s a lot of work. I personally have been on this program – I think it’s like 18 months. And the question I typically get from people is, yeah, “Do you have a day job? And why are you doing this?” And the answer is, absolutely. I do have a day job. I have several things I do, in addition to CMMC. That said, one of the things that struck me about this program, being a cyber guy and having actually defended my nation,\ against those who want to do us harm, I recognize how important cyber hygiene is in cyber readiness. So I’m willing to devote the time and energy to do this. And as with anything you find the right balance in your day to do what’s important to you. This is probably one of the most important things I’ve done in my I live next to serving my country in the military, and also trying to raise my family and everything else to do the right thing. And everybody who’s on the board has volunteered to do this. So this is a passion for me and a labor of love. Will I do it forever? No, at some point, I need to move on, and let the next team come up and take the reins. But I’m in this to defend my country against all enemies, foreign and domestic.
Tom Temin: And of course, volunteer boards can be terrific, but you also need to sustain them. What’s your vision for how the board will operate, and how to maintain it so that it’s attractive for the volunteers to be on the board?
Karlton Johnson: So as we came together, as this group of professionals, who stepped up to the plate to do this, we needed to be all hands on deck, but I’d like to call director doers. Now that we have Matt Travis on board, our CEO, a gentleman who was very well accomplished in the industry, very well respected, and the right man to do this – now with a CEO, we’re going to start bringing on professional staff. And as the professional staff comes on, we will baton handoff the functions that the directors have been doing. And over the next few months, my expectation is that you will see the board transition from a board of director doers to a governing board focusing on the strategic aspects of the system. And then Matt Travis and his team will do the operational and tactical as well as some of the strategic. And we’ll actually run this as it’s been envisioned to be – a full-fledged company with all professional staff who are paid to do that.
Tom Temin: And zooming back out to the CMMC program as a whole, how would you describe where it is now in history? Have any companies, for example, been assessed and have paid the assessment and now can hang a shingle that says, “We’re okay with CMMC, at least for now”? Where does it all stand?
Karlton Johnson: Well, we just had a town hall last night where we talked about the assessments that are going on with the C3PAOs. There’s an organization called DIBCAC [Defense Industrial Base Cybersecurity Assessment Center] that works for [Defense Contract Management Agency] that will check the C3PAOs for a CMMC level three, and once they are approved, then we’ll identify them as approved to be in the marketplace and go live. That process is going on right now. And no one has been completed yet. But we’re close to doing that. As soon as that happens, you guys will know, everybody will know that we have the first tranche of C3PAOs out there, we’ll post them on the marketplace. And we’ll move forward from there. So to be clear, I have seen different parts of the marketplace. And when I say the marketplace, let’s just say on the net, companies that are seeing their CMMC level X ready to go. That’s incorrect. No one has been checked yet. When in doubt, ask the CMMC-AB it will let you know groundtruth.
Tom Temin: Got it. And the Biden administration and its military team has come in and indicated they want to take a look at the program. Have you gotten any advice, any program direction any expectations or wish lists from them yet?
Karlton Johnson: We’ve had our initial conversations, I can’t go into detail about that. What I will say is this: When it comes to cybersecurity, my belief, and this is my belief, cyber and the adversaries in this case are agnostic of the politics. So this is a bipartisan issue. And as a result, I would expect any new organization, any new administration to comment, ask questions about what’s going on with an important program like this, get the sense of where things are, and then use that information to make better decisions on what to do during the term of that team. This is [a] normal part of the operation. And so what I intend to do is we’ll continue to be transparent with the questions we’re asked, we’ll continue to talk about the great things we’re doing, we’ll remain open to listening to how we can do things better. Now, at the end of the day, we want a partner for success with the ecosystem, and with the administration and the government writ large to make this a success.
Tom Temin: And a final question: What is your personal metric for success of this program, say, two, three years down the line?
Karlton Johnson: Wow, see, you’re making me think today,. I guess I need to get my triple espresso. So all right. Three years down the road, this is what I would expect – I’d expect to have a full team on board on that privacy side. We would have by then cycled through an initial group of directors and brought on some additional high profile people in industry who want to bring in senior executive leadership expertise to help Matt and his team move this forward. I would expect to see several assessments not only done as tickets awarded, but getting better insight into how things can be better. And that’s where I’d say year three, I would like to see CMMC being adopted across different industry lines, not just in the defense sector, and then opening the door up more with our international partners where possible, so that we’re leveling the playing field, and cyber hygiene is status quo. And a CMMC level one for everybody – for X percent of the marketplace CMMC level three. And then as the adversary gets agile, we calibrate that up. And we’re able to do that with agility, with speed, and on occasion, a little audacity, so we can respond back to those adversaries and push the class back to that.
Tom Temin: And what about the civilian side of government? Can you see a CMMC universal?
Karlton Johnson: You know? And that’s a good question, too. I personally believe Yes, here’s how I would answer this in a different way: If I’m a company – small, medium, or large – and if I don’t do basic cyber hygiene, it’s not really an issue for, say government, per se, it’s more of an issue for me to protect my IP. So I want to have some level of cyber readiness. So the civilian sector definitely can benefit from this. And if you want to go to that next level of excellence to say CMMC level two or three, it’s just the right thing to do. And from a civilian perspective, it gives you, I believe, an opportunity to go to the other table and say, “Not only do I offer a significant amount of capabilities that you really want to know about, I’m also cyber ready. And I’m going to protect your data, at the same level that the government protects theirs.” That is a terrific business case. And I’d rather partner with somebody who thinks about this, and wants to protect my data, as well as they want to protect theirs. It’s great.
Tom Temin: Karlton Johnson is board chairman of the CMMC Accreditation Body. Thanks so much for joining me.
Karlton Johnson: Thank you. And thanks for what you’re doing on this. The fact that you’re communicating this story is big, and it’s very helpful to all the people on the net. I just want to thank you for the ongoing support to the program. And I look forward to great things in this year in the years to come.