A few weeks ago, details of the assessment and certification processes under the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program leaked or somehow was mistakenly-made public. While it would be easy to focus on the details of the requirements or the hundreds or thousands of dollars it could cost to become a trainer or certifier, what the information really did was shed some bright light on the accreditation body’s (AB) thinking. It’s important not to focus on the prices or some of the other obviously pre-decisional information.
What’s important to focus on about the details that the CMMC let slip out are the continued questions of whether this effort remains too big to succeed?
“The two questions that came to my mind when I looked at where we are: Why are they rushing? Are they making this too complex?” said Bill Solms, the general manager and president for government solutions at QOMPLX, which is partnering with Dunn & Bradstreet to help companies prepare for the CMMC audit, in an interview with Federal News Network. “DoD knows this is critical and our key intellectual property gives us the edge over potential adversaries and we know it has been harvested aggressively for the last several years. So, something needed to be done quickly to stop that and you can’t blame DoD for wanting to roll this out fast. On the other hand, you have industry saying this is coming fast and there is uncertainty. It’s not clear there will be time to iron out the wrinkles.”
The uncertainty and complexity Solms talked about is exacerbated when there are mixed messages from DoD around how many “pathfinders” will test out the CMMC approach and when the initial training and requests for information will roll out.
“DoD and the AB deserve a lot of credit for the mission they are taking on. I’m interested to see how it shakes out,” said Brian Haugli, the managing partner and co-founder of SideChannel, a cybersecurity consulting company and who posted the leaked or mistakenly-made public CMMC information on LinkedIn. “I hope they aren’t creating something that will favor one company over another. The CMMC assessor and certification process has to be fair and equitable for whomever wants to be involved in it. There is a lot of work in front of everyone as it’s no small undertaking to get CMMC going.”
The good news for many companies is the CMMC accreditation body expects to issue final details on the certification and assessment plan on or about June 1.
In final preparations
Mark Berman, the chairman of the communications committee for the body, said in an interview that a lot of the details and processes will become clearer in early June.
“Over the last 3-or-4 months we have been working to build out a system by taking the best of what has been done before, but not just copying it because then we wouldn’t exist if the perfect system had been created,” Berman said. “We are in final preparations that will provide details about how the third-party assessment organizations who house the certified assessors will work, including a framework and roadmap. We have not fixed prices yet, but we are at a point where we are settling in areas. We have been revising our plans and have been talking and mostly listening to stakeholders in and out of government to make sure it’s affordable, consistent and clear to the entire industry.”
Berman said on or about June 1, industry will be able to see the prerequisites, the application, the fees and training requirements for assessors and third-party organizations (C3PAOs).
He said the C3PAOs will be organizations and individual assessors will either work for them or be independent contractors.
The contractor will engage the C3PAO to become CMMC certified. The third-party assessment organization is accountable to the accreditation body.
The information released through LinkedIn said the initial program would include 70 assessors and 60 C3PAOs.
While Berman wouldn’t confirm those exact numbers, he said there will be a limited number of assessors in the initial effort.
“We are in a learning mode with the provisional assessments, and there are multiple ways we will learn,” he said. “That is one reason we will have a limited number of assessors at first. The number of C3PAOs may or may not be limited as that is something we are still figuring out. We do need a number of assessors to have learning experiences so they can tell us how it goes, what the process is like, how to improve it. With each provisional exercise, we will learn and apply those lessons so when we get to full field of assessors, we will have incrementally improved the system from first to last one.”
ISO certification required
Jeff Dalton, the chairman of the body’s accreditation and credentialing committee, said on a recent video that the C3PAOs eventually will have to be ISO 17020 certified to conduct assessments at level 3 or higher. He said the initial set may not have time to meet that requirement as there will be some sort of grace period to earn the accreditation.
3PAOs under the Federal Risk Authorization and Management Program (FedRAMP) also have to be ISO 17020 certified.
“In the next couple of weeks, we will release a new site specific to companies applying to become C3PAOs,” Dalton said. “The credentialing committee is defining the data and the requirements that will be part of the application process. Each application will be evaluated by the accreditation body.”
Katie Arrington, DoD’s chief information security officer for acquisition, said in an email to Federal News Network that the “requirement for ISO 17020 is in line with recognized assessment standards and provides strong guidelines with regard to conflict of interest. If C3PAOs handle controlled unclassified information (CUI) they must be compliant with current DoD guidelines.”
The AB will have a group of third-party assessment companies who are ready to go because of the FedRAMP requirement. Mike Hettinger, president and founding principal of Hettinger Strategy Group, said there are about 40 3PAOs under FedRAMP, though only about half have actually done assessments.
SideChannel’s Haugli added the ISO 17020 requirement brings CMMC a little closer to having reciprocity with FedRAMP. A group of industry associations called on DoD and the accreditation body to bring those to programs closer together.
Dalton said the AB is expecting DoD to have 15 pathfinders for CMMC this summer and into the fall.
“Don’t know how many companies will be part of those 15 pathfinder contracts. Some say it could be 800 or some say it could be as many as 1,200. We just don’t know the number,” he said. “We do need a set of assessors to participate in the initial effort and to be part of our retrospectives and after action reviews to help us improve assessment method.”
Dalton added that the goal is to get through the first 15 contracts with that limited number of assessors and then open up the market to others.
While the accreditation body finalizes its plans for training, Dalton said it looks as though the requirements are:
Certified professional—A pre-assessor role that assures the person is well versed in the CMMC model. That will require 24-to-28 hours of training.
Certified assessor—This will require the person receiving the training to be a certified professional and then go through another 16-to-24 hours of training that is specific around the assessment methodology, how to formalize, plan, execute and report on an appraisal.
Certified instructor—This person can teach the professional or assessor track and must be assessors at the level they are teaching so a level 3 assessor can teach up to the level 3 class.
Master instructor—This person teaches the instructors, and will likely be someone who works for the accreditation body at first, but eventually will be an independent contractor.
Certified quality auditor—This person is on the AB’s side to ensure the assessments have been executed in accordance with methodology and meets the standards so the body can stand behind the accreditation decision.
“We are working on the adjudication process if a company needs the AB to weigh in if an assessor and a company disagree,” Dalton said. “Assessments are human events while an audit is a ‘yes or no’ answer. CMMC has a human component starting in level 2 with processes and institutional actions, and you can’t do that with tools. You have talk to people to understand policies or procedures. So the assessments will be a combination of of tools, templates, checklists and things like that.”