CMMC Accreditation Body looks ahead to voluntary assessments, growing ‘ecosystem’

The CMMC AB is gearing up for voluntary assessments and is also looking to recruit more cybersecurity assessors, but the timeline for CMMC remains as unclear as...

The Cybersecurity Maturity Model Certification is at least months away from showing up as a requirement in defense contracts, but the CMMC Accreditation Body is gearing up for voluntary assessments and is also looking to recruit more cybersecurity assessors.

The voluntary program could start this spring, according to Matthew Travis, chief executive of the CMMC Accreditation Body. The AB has a contract with DoD to train and accredit assessors who will carry out the certification of defense companies.

“We’re still pushing to get to the interim voluntary period,” Travis said during a Feb. 22 town hall hosted by the AB. “I hope certainly by the next quarter, and we’ll keep you informed on where we stand on those issues.”

One of the key issues has been finalizing the new CMMC Assessment Process Guide, or the CAP, detailing how assessments will be carried out. Travis said the AB recently received feedback on the document from the Defense Department’s program management office.

The AB is hoping the CAP will be finalized and posted in “two to three weeks,” he said.

“We like to think we’re on the final lap around the track with the review team and the PMO,” Travis said. “We had to make all the CMMC 2.0 changes, but also, the original draft that was first penned well over a year ago or so, as the model has evolved a bit, we want to make sure that there’s not inconsistencies in the document.”

CMMC was conceived nearly three years ago to audit defense contractor compliance with cybersecurity requirements for protecting controlled unclassified information, but the program has yet to yield any certifications.

The Pentagon had been moving toward initiating CMMC pilots last year, but that plan was scrapped amid a months-long review of the program that led to a major overhaul announced in November. The review was driven by concerns that the requirements would push many companies out of the defense industrial base, especially small- and medium-sized businesses.

The “CMMC 2.0” changes mean most of the 220,000 companies in the industrial base won’t have to obtain CMMC certification from a third-party assessment organization (C3PAO) accredited by the CMMC AB.

Still, DoD recently signaled up to 80,000 defense contractors may one day require a third-party assessment. Travis said the AB is continuing to grow the “CMMC ecosystem” of accredited trainers, consultants and assessors to meet the future demand.

He said the number of “licensed training providers,” who train CMMC assessors, grew by 126% over the last year to 77 providers.

Travis said the number of “registered practitioners” grew by 83% to more than 3,200 over the past year. Registered practitioners provide “advice, consulting, and recommendations to their clients,” according to the AB website.

Meanwhile, the number of trained assessors has grown from 111 to 759 over the past year, according to Travis, including both “Certified CMMC Professionals” and “Certified CMMC Assessors.” He described the former position as an “entry-level” assessor, as they are able to assist with assessments, but can’t lead them like a full-fledged assessor can.

Travis said the assessors are the most important position for growing the CMMC ecosystem to one day meet the demand for assessments from defense contractors.

“We’re encouraged by these numbers, but we’ve got to do more,” Travis said. “You’re going to be seeing promotional campaigns from us here this spring, to really encourage Americans to think about becoming assessors. It’s a great way to enter the cybersecurity field.”

CMMC timeline unclear

The timeline for putting CMMC requirements into contracts remains unclear. After taking over the program earlier this month, DoD Chief Information Officer John Sherman said his office would move quickly to initiate the rulemaking for CMMC.

But officials have previously estimated the rulemaking process could take anywhere between nine months and two years.

Late last year, a Pentagon official also said DoD was considering “incentives” for getting contractors to achieve CMMC certification or a similar cybersecurity standard before the rulemaking takes effect. But DoD has yet to offer any additional details on those plans.

Travis noted even before the CMMC 2.0 changes, the Pentagon wasn’t planning to fully implement the requirements across all contracts until fiscal year 2026.

“I think that’s a fact that a lot of people just kind of lose sight of and so we certainly have a sense of urgency, but it’s also good to know what the runway is supposed to look like,” Travis said.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
