The most critical part of the Department of Defense's new cybersecurity standards requires third-party assessments for every contractor in the industrial base. On Wednesday, an initial group of assessors was selected to start training for the job.
It’s a major step in setting up the ecosystem that will be critical to the success of the new standards, the Cybersecurity Maturity Model Certification. The assessors and all other parts of the CMMC ecosystem will be overseen by the nascent CMMC Accreditation Body, which is currently an all-volunteer board, separate from the DOD, that one day will be a fully staffed organization.
Training for the 73 assessors will begin Aug. 31 and those who pass will be able to participate in assessing companies involved in DOD’s pathfinder contracts — the initial contracts with CMMC language in them that will test the program before it becomes a requirement.
“It’s time to get Assessors into the field and test the process. The Provisional Program is designed to do just that,” CMMC-AB Chairman Ty Schieber said in a news release.
The provisional assessors won’t be giving official thumbs-up or thumbs-down to contractors. Instead, they will be doing mock assessments to give feedback to the AB, the DOD and the participating contractors. Once the AB accredits certified third-party assessment organizations (C3PAOs) and assessors, they will be able to charge companies for assessments, and the first cohort of assessors will be in high demand. All 300,000 companies in the defense industrial base will be required to get a certification for each of their networks, with exceptions for some suppliers of commercial-off-the-shelf goods. All contracts must meet CMMC requirements by 2025, DOD officials have said.
The provisional assessor training includes four days of sessions, including coursework about the model, assessment standards and methodology, according to a LinkedIn post by an AB member. The AB has control over maintaining the CMMC standards and works with DOD on creating the assessment methodology, according to the MOU signed by the two organizations. The nature of the AB’s relationship with the DOD could change, as it continues to work out an arrangement for a new no-cost contract that will solidify the two entities’ relationship. The DOD anticipates completion of the contract by the end of August, a DOD spokeswoman told FedScoop.
A draft of the statement of work that would be in the new no-cost contract shows some changes to the proposed responsibilities of the AB and the DOD. The department would be in charge of establishing reciprocity with other cybersecurity standards like the Federal Risk and Authorization Management Program (FedRAMP) and maintaining a database of CMMC assessment information. The changes do not appear to be final, and it is unclear how they will be phrased in the eventually signed contract. Discussions between the AB and the DOD had grown contentious over the SOW, as some board members saw the new terms as undermining their authority.