Dale Carnegie once remarked that it takes almost 10 years of higher education in order to get a license to pull a tooth. If a lucrative dental profession doesn’t appeal, though, consider becoming a cybersecurity assessor under the Defense Department’s Cybersecurity Maturity Model Certification program. Compared to what it costs to become a dentist, it’s a bargain — only $1,000 for four days of instruction.
The course is the first from the CMMC Accreditation Body, a non-profit part of the CMMC ecosystem. The first class of graduates will fan out into the industry and start to figure out how the assessments will work in practice. This interview with attorney Rob Metzger ‘splains the whole system.
Assessors who can examine a contractor’s cybersecurity posture will form a linchpin in the complicated apparatus DoD has devised to, in theory at least, guarantee the safety of its supply chain. Given that some level of security maturity will become a requirement for doing business with any component of DoD, the third party assessors — be they sole practitioner consultants or working in larger organizations — will have a captive and willing set of potential clients.
Third party certification is central to the program. Relative to self attestation, it provides more assurance to DoD that contractors have basic cybersecurity in place.
Obtaining certification as an assessor isn’t quite as simple as going to a four-day class and forking over a G-note. Read further down the CMMC Accreditation Body’s web page and you’ll see you also need at least 10 years experience “conducting evidence-based assessments in cyber” or “proven experience” in cybersecurity for at least 20 years.
Qualifying for a medical doctor's degree probably costs, say, $500,000 in undergraduate and medical school tuition. Plus residency.
True, the payoff can be big if you become a sought-after specialist. I don’t know what a cyber assessor will be able to earn, but the initial class of them will number only 72. They’ll have a head start. Training starts August 31st, so you had better get going. Note that you’ll only be a provisional assessor. Later on, you’ll need to take another class and exam to become fully certified.
If you believe the CMMC program will take flight, think then of the market it presents. At a recent Bloomberg Government webinar, the CMMC program manager, Katie Arrington, said 300,000 companies will have to undergo certification. Dozens of companies are already promoting their services in prepping other companies to become CMMC ready.
Like any good sales opportunity, the CMMC program brings repeat business. Companies in the defense industrial base, or DIB, will have to undergo re-certification every three years. Not even all of the cosmetic surgeons in L.A. combined have that big an opportunity.
One big missing piece of the CMMC machinery is the regulation, as Metzger put it, “by which contracts will include clauses that require a CMMC certification.” There’s nothing even out for comment yet. But that won’t hold up the training, testing, and issuing of credentials for the first 72 provisional assessors.
A bridge exists between CMMC and another DIB cybersecurity effort, namely, the ban on telecommunications equipment from certain Chinese suppliers. The ban takes effect Thursday, and in theory contractors can’t obtain DoD business unless they certify they don’t have that equipment in place. The rules are both voluminous and vague — and I’ll be writing more about that. But CMMC certification above the most basic level will require contractors to have visibility into their own network infrastructure, which is the same visibility they need to know whether any of the banned equipment is present.