CMMC assessment requirements could be changing, potentially raising costs for some
The cost of some Cybersecurity Maturity Model Certification assessments could soon increase as the Department of Defense considers introducing new requirements, four people familiar with the matter told FedScoop.
DOD and the CMMC Accreditation Body are working to finalize requirements that could mandate having more experienced — and expensive — assessors conduct the needed tests of contractor networks that transmit controlled unclassified information. In effect, it could raise the price for some assessments as the per-hour cost of provisional assessors is higher than the original plan.
“Anything that is going to drive up the costs … is going to be detrimental to the small business community,” Michael Dunbar, a small business owner who recently testified before Congress on behalf of the small business trade association HUBZone Contractors National Trade Council, said in an interview.
CMMC requires third-party verification that all DOD contractors meet one of five levels of security established under the rule. DOD has maintained the majority of contractors will only need to meet level one, with least number of security controls.
While the proposed requirement is not finalized and would only apply to CMMC level three assessments for companies that handle the department’s controlled unclassified information, it is part of a growing list of ideas that the DOD CMMC Program Management Office is generating that several people familiar with the process worry will negatively impact the program’s cost and timely implementation.
Two people directly familiar with the process described it as DOD throwing out ideas without fully thinking through the effects, adding that the final requirements have not been published because DOD continues to add to them.
Under the changes, for an assessment at level three, Certified Third Party Assessor Organizations (C3PAOs) would need to hire four full-time provisional assessors. It was previously understood that these authorized assessment companies would only need to hire one assessor and three “registered practitioners” — entry-level assessors that do not meet the standards needed to become an assessor — to conduct a level three assessment.
To be eligible to be an assessor for level three assessments, an applicant needs at least four years of cyber or IT experience and to pass through on levels one and two first, according to the CMMC Accreditation Body’s website, which manages the ecosystem.
The proposed change to requiring four assessors has already been communicated to at least one of the first C3PAOs that will be doing level three assessments. Other potential changes include having quality control employees and new standards for the assessors be imposed on organizations.
“It’s my understanding that they are moving away from having the provisional assessors and registered practitioners and just having provisional assessors doing assessments,” Justin Padilla, CMMC lead at Kratos, said in an interview.
Padilla sees it less as an issue around costs or quality but as another reduction in the supply of resources necessary to implement the CMMC program. With 300,000 contractors eventually needing assessments at one of the five levels, and now even fewer people eligible to conduct level three assessments, the possibility of a demand crunch is growing.
“It’s more of a limited resource issue,” Padilla said, adding that Kratos has been lucky to have a few employees be selected to take the provisional training.
The DOD and the CMMC Accreditation Body did not return a request for comment.
