Understanding Cybersecurity Maturity Model Certification (CMMC)
UPDATE ON CMMC-AB: CEO SHARES WHAT’S BEEN LEARNED AND IMMEDIATE GOALS
The Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) held its latest virtual Town Hall meeting last week to update stakeholders on the progress of the CMMC model, accreditation process for certified third-party assessment organizations (C3PAOs), and goals for the CMMC-AB.
The virtual event was held on Tuesday, April 27, 2021, and started with a brief introduction of Matt Travis, the new chief executive officer (CEO) for the CMMC-AB, by CMMC-AB Chairman Karlton Johnson. Travis, who took over as CEO just four weeks prior to the meeting, said he hit the ground running in his new role, holding an in-person meeting in his first week with the Deputy Assistant Secretary of Defense for Industrial Policy, Jesse Salazar.
Thoughts from the New CEO
Travis discussed his background in the Navy, as a defense contractor, and as a small business owner involved with the defense industrial base (DIB). He explained his understanding of the cost concerns associated with achieving CMMC certification in order to conduct contract work for the U.S. Department of Defense (DoD).
“I am acutely aware of, in some cases, the financial fragility of firms in this sector and that anything the CMMC does needs to be very cognizant of that business balance of needs and prioritization every company in the DIB has to weigh,” said Travis during the town hall.
During his time working with the government and as a government employee, Travis said he had learned that the government isn't always able to move at the speed everyone would like to see, but that people need to appreciate how ambitious the CMMC program is and the coordination it requires between various departments. He also said the threat posed by cyber actors is very real.
“I saw it,” Travis said, underscoring the need for CMMC. “It was very clear those adversaries, nation states such as Russia, China, Iran, and North Korea and the global bad actors who affiliate with them, are putting full effort toward undermining our security, our economy, and our defense through digital attack. We’re really talking about some activity of consequence which can affect our national security and frankly why this role for me was so attractive.”
CMMC-AB Goals and Objectives
Travis went on to talk about how the CMMC-AB is the connection between the DoD and industry. As such, he said he wants to make communications and accreditation as smooth as possible for everyone involved. He outlined his more immediate goals and objectives for the CMMC-AB.
Getting the CMMC Ecosystem Producing Results - Ensuring individuals and organizations are getting their certifications, which involves getting the data, policies, and legal framework done.
Professionalize the Staff - The CMMC-AB is shifting from volunteers to hiring a professional staff to achieve organizational goals and transitioning the volunteers to their roles as a board of directors. A full-time professional staff is expected to be in place by the end of 2021.
Achieving CMMC Certification - Ensuring the CMMC-AB itself becomes CMMC certified, so individuals and businesses have confidence in working with an accreditation body that has been through the process itself.
Implementing Cost Effectiveness - Making sure the work the CMMC-AB does is less costly and more affordable for those in industry.
Ensuring the Process Works - Individuals and businesses seeking CMMC accreditation need to know the process will be worth their investment of time, money, and intellectual effort.
Be Accessible - Expect that the CMMC-AB is accessible and will listen to stakeholders.
Ethics - The CMMC-AB will be more transparent and held to a high ethical standard by communicating where lines of conflict of interest lie, how those conflicts can be mitigated, and how they will be adjudicated.
As part of his pledge of accessibility, Travis shared his email address at firstname.lastname@example.org. He said this is a great place to contact him with questions and points of “criticism, not cynicism.”
Assessments and the DIBCAC
Darren King, director of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), said his organization has been working with the DoD to conduct preliminary CMMC assessments for the last two years. The DIBCAC has worked with more than 200 companies in that time and has learned many lessons through its initial CMMC assessments.
King said there are several things companies need to get straight if they intend to go through the CMMC accreditation process. The items that stood out most as points for attention include:
Documents - The System Security Plan (SSP), policies, and procedures need to be ready for assessment and not in "draft" form.
Self-Assessments - Complete self-assessments in advance using the CMMC Assessment Guide.
Plans of Action - Ensure nothing is left open.
Procedures - These need to be repeatable (know your procedures) and adequate to implement each practice and ensure the practice objectives have been met.
Cloud - Examine the Cloud Customer Responsibility Matrix (an inheritance matrix clearly related to your SSP, policies, and procedures) and know what your company's responsibilities are versus your cloud provider's responsibilities.
Bring Your Own Device (BYOD) - Your SSP should explain BYOD usage, with documented diagrams and documentation of how the technical controls are being met.
CMMC .997, .998, and .999 - All of these require documentation of how your organization is meeting these specific requirements.
King encouraged organizations to ensure their readiness for assessment ahead of time since his team’s time and resources are limited. He said every organization should look at the certification assessment readiness review (CA-RR) before scheduling their accreditation assessment.
The C3PAO Accreditation Process
Another portion of the town hall focused on the accreditation process for C3PAOs. For C3PAOs, the DIBCAC will conduct a CMMC Level 3 assessment over a period of six weeks. King said that at the end of the six-week assessment process, the DIBCAC provides an outbrief within 10 business days. That post-assessment outbrief will report either a finding of "Not Met" or a completed full assessment.
If a candidate C3PAO comes close to meeting its Level goal but falls short on a few practices, it will have an opportunity to request a "remediation assessment," according to King. He said the DIBCAC will review requests from candidate C3PAOs for a "remediation assessment" (also known as a "delta assessment"), and those requests will be approved or denied.
If approved, the candidate C3PAO will be reassessed on the missed practices within 90 days of the outbrief, and those practices must demonstrate persistent use. The assessment team will review the requested practice areas, including updated objective evidence, verify and determine whether the requirements have been met or not met, and report the results to the Office of the Under Secretary of Defense (OUSD) within 10 business days of the "delta assessment" completion.
If the candidate C3PAO does not pass the majority of Level 3, a “remediation” appraisal will not be granted.
King said he is the DIBCAC point of contact and invited anyone with questions or concerns to contact him via email at email@example.com.
Another point of interest touched upon in the meeting was a brief update on the CMMC pilot program. The program has had to make adjustments this year, most often to contract timelines, because many organizations that applied for pilot contracts were not able to coordinate CMMC assessments with C3PAOs in time to complete their contract obligations. With that in mind, many fiscal year 2021 contracts have been pushed to FY 2022.