CMMC set for trial run, but criticism abounds for highly anticipated ‘CAP’ document

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Pentagon’s contractor cybersecurity certification program took a major step forward this week with confirmation that voluntary third-party assessments will kick off next month, while at the same time a newly released process document is causing consternation in industry.

The Cybersecurity Maturity Model Certification program is in the early stages of rulemaking after undergoing a major revision late last year, but voluntary CMMC assessments are scheduled to begin Aug. 22 and continue for several weeks, officials confirmed.

“I’m really excited that we are at the point now that voluntary assessments have actually been scheduled,” Cyber Accreditation Body Chief Executive Officer Matt Travis said during a Tuesday town hall meeting.

The voluntary assessments will be conducted under the Defense Department’s “Joint Surveillance Program.” Travis said four companies have signed up to be evaluated. CMMC Third-Party Assessment Organizations (C3PAOs) will conduct the evaluations, overseen by DoD’s Defense Industrial Base Cybersecurity Assessment Center.

Travis said DoD has communicated that companies who pass assessments during the voluntary phase will be receive CMMC Level Two accreditation once the requirements becomes effective. DoD still needs to go through a lengthy rulemaking process for that to happen.

The Cyber Accreditation Body also released a “pre-decisional draft” of the CMMC Assessment Process, or the “CAP.” The document is critical to the certification program, as it lays out how CMMC Third Party Assessment Organizations (C3PAOs) will prepare for and conduct assessments of defense contractors.

The draft CAP is expected to help guide C3PAOs as they conduct the initial voluntary assessments starting next month. The assessors will be overseen by the Defense Contract Management Agency pas part of what officials are calling a “joint surveillance voluntary assessment.”

Stacy Bostjanick, who leads CMMC implementation for the office of the DoD chief information officer, said there was a “huge push” to release the CAP. The Pentagon wants contractors to be “early adopters” of the CMMC standards.

“Because that’s what’s going to get the C3PAO started and able to start moving,” Bostjanick said in reference to the CAP during a Wednesday event hosted by Summit 7 Systems. “And we are working very hard to make sure that we get that nailed down and approved as soon as possible.”

The document been kept under tight wraps for the past year as the Cyber Accreditation Body developed the document in conjunction with DoD.

But following Tuesday’s release of the document, there have been numerous rumblings on LinkedIn and other forums, where commenters have pointed to missing information and a lack of quality control in the draft CAP.

“There are many, many stunning and bewildering issues with the CAP,” Jacob Horne, chief security evangelist at Summit 7 Systems, wrote on LinkedIn.

Several commenters have pointed to missing appendices for crucial information, including for issues like Plans of Actions and Milestones and for resolving disputes over how a control is assessed.

During Tuesday’s town hall, Travis acknowledged the CAP may have typos and other missing information. He said the current version is an “80 percent solution, if not more.” The board is currently accepting comments on the CAP through Aug. 25.

“We don’t think we have a monopoly on good ideas,” Travis said. “We put a lot of effort into trying to architect a sensible procedure for how assessments should be conducted. . .  I think we’ve got enough to be good conversation starter.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.