Once bracing for a spike in demand, CMMC AB now worries about a shortage

The Department of Defense’s recent dramatic paring down of its contractor cyber requirements could collapse the market of cybersecurity assessors, the CEO of the accreditation body tasked with setting up that market told FedScoop.

David McKeown, the DOD’s chief information security officer, said Wednesday that the number of companies that will need a Cybersecurity Maturity Model Certification (CMMC) assessment could be as few as 40,000 — a small fraction of the initial 300,000 that was projected before the requirements where changed Nov. 4 with the introduction of CMMC 2.0.

Following McKeown’s comments, CMMC Accreditation Body (CMMC-AB) CEO Matthew Travis told FedScoop he thought that estimate would cause a shortage in demand for assessors, which the AB has been racing to accredit to work with what it thought would be 300,000 defense contractors that needed an assessment.

“While I am not familiar with that particular estimate, that number would strike me as too low,” Travis said in a statement.

The AB is the sole organization with authority to accredit the third-party assessors, trainers and consultants that make up the CMMC ecosystem. Ironically, mere weeks ago Travis was working on an “aggressive” recruiting push to get CMMC assessors into the market to meet the expected demand for assessments of 300,000 companies.

Now he is working on the opposite problem: drumming up demand to meet supply.

“We have some concerns about making sure the market space is available to the ecosystem,” Travis told FedScoop in an interview. He added that he remains optimistic and “there’s still plenty of assessments to be had.”

Travis added that he was supportive of the overall changes to CMMC, despite some concerns for demand on assessors.

How many companies will need assessments is yet to be finalized as DOD has yet to release guidance on what sensitivity of the information will necessitate one. Scoping guidance is expected to be created in the forthcoming rule-making process.

CMMC 2.0

The changes to CMMC came after outcry from small businesses that the stringent requirements would pose too high a barrier to entry for companies to work with DOD.

“There is no consistent method or message from DOD,” Michael Dunbar, a small business president who testified before Congress in June on behalf of HUBZone Contractors National Council. “A lot of small businesses have been ignored.”

The new model shifts from five tiers of assessments into three tiers, with level two being the first level to require a third-party assessment for some contractors. Level three assessments would be handled in-house by DOD assessment teams, taking further demand away from AB-accredited assessors. Only about 500 companies are expected to need a level three assessment, McKeown said.

To get companies that were reluctant to make the investment to still get a CMMC certification, Travis said the AB will engage more with industry and push the message that being CMMC-certified is good for business in the long run.

Travis also expects civilian agencies to follow suit and require CMMC certifications from some of its contractors.

“A CMMC certification ultimately is going to be the coin of the realm,” Travis said.

He said the AB will also be remaking its website as part of a rebrand.

Not all companies are worried about the CMMC 2.0 changes. TalaTek, a certified third-party assessment organization that jumped into the CMMC market early, all along expected to largely work with what are now level two companies.

“I feel this will have little to no impact on C3PAOs,” Johann Dettweiler, director of operations at TalaTek, told FedScoop. “Every single potential CMMC client that we’ve spoken to since the release of CMMC has stated that they process, store and/or transmit [controlled unclassified information].”