The independent organization that oversees accreditations under the Defense Department’s new Cybersecurity Maturity Model Certification program has given defense contractors the green light to undertake voluntary CMMC assessments as they await a final rule from the DOD.
The Cyber AB — formerly known as the CMMC Accreditation Body — issued a draft document Tuesday detailing the assessment process that third-party organizations will need to follow in certifying that DOD contractors can securely handle the department’s sensitive information, as will soon be required by the CMMC program.
But while that assessment process is in draft form and the Pentagon finalizes its rulemaking for CMMC, contractors in the defense industrial base are now able to undergo voluntary assessments jointly conducted by CMMC-accredited third-party assessment organizations and the DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), Matt Travis, CEO of the Cyber AB, told FedScoop.
Travis announced the draft CMMC Assessment Process and the new voluntary assessments under what he called the “joint surveillance voluntary assessment program” at a regularly held Cyber AB town hall meeting Tuesday.
“Back in November, when the department announced the changes to CMMC, they acknowledge that … there’s been investment from DIB companies [that] have already implemented [National Institute of Standards and Technology Special Publication] 800-171. There’s an ecosystem that’s been built, and they wanted to support voluntary assessments,” Travis told FedScoop.
CMMC is the Pentagon’s ambitious framework to more thoroughly assess and accredit any contractors that handle its controlled unclassified information (CUI) on their systems, ensuring they meet the National Institute of Standards and Technology cybersecurity requirements in Special Publications 800-171 and 800-172. After reforming the program late last year, the Pentagon is working on issuing a final rule that will require contractors that work with the department’s CUI to be CMMC certified, or risk losing the department’s business.
Under the new joint voluntary assessments, “if you’re a DIB company that has implemented 800-171 and you want to go ahead and get assessed voluntarily — because obviously, without the rulemaking, there are no mandatory requirements yet — you could hire one of the 16 authorized [third-party assessment organizations] to conduct that assessment,” with the partnership, oversight and existing authorities of the DIBCAC, until CMMC has a final rule, Travis said.
Travis said as he understands it, the final rule will include reciprocity provisions so that any contractors that are voluntarily assessed and meet DIBCAC High requirements will be transitioned to a CMMC Level 2 certification.
The draft CMMC Assessment Process explains that, once CMMC’s final rule takes effect, it will be the “doctrine providing the overarching procedures and guidance for CMMC Third-Party Assessment Organizations (C3PAOs) conducting official CMMC Assessments of organizations seeking CMMC Certification.”
The released draft version of the assessment process applies only to Level 2 of the CMMC framework. With the introduction of CMMC 2.0 late last year, DOD contractors that handle controlled unclassified information must meet one of three levels of certification, and the majority will fall under Level 1 — which allows a self-assessment — or Level 2, which requires some contractors to pass an assessment conducted by a third party.
“The CAP, developed and maintained by the CMMC Accreditation Body … is an element of official CMMC canon and adherence to its procedures is required by C3PAOs and their Assessors,” the document reads. “While tailored for specific use by C3PAOs, Certified CMMC Assessors (CCAs), and Certified CMMC Professionals (CCPs), it is intended as a resource for the entire CMMC Ecosystem.”
The document goes on to explain the four phases of an assessment, which are meant to ensure accuracy, fidelity and quality, maximize consistency among assessors, and ultimately improve the “cybersecurity defensive posture and the cyber resiliency of the DIB.”
Travis called it “a reference that is going to enable consistent assessments.”
“That’s really what the CAP seeks to achieve, is that whether you’re in California or Rhode Island, as a DIB company, you’re gonna get assessed by a C3PAO, the procedures are going to be uniform. Obviously, the environment and from company to company is going to change, but the way assessments under CMMC are conducted will have repeatability and consistency.”
The Cyber AB is accepting comments on the draft for the next 30 days.
“Nothing is going to be final-final until rulemaking is completed,” Travis said. “But we felt like we had a solid enough draft to go out and put it out there in the ecosystem, take some comments over the course of the next month, and then see where we can improve it where we can add more fidelity, where we can clarify things better.”
DOD officials have said they anticipate an interim final rule for CMMC to be issued by March 2023.