There were a lot of unanswered questions during the September 2021 CMMC Accreditation Board (CMMC-AB) Town Hall.

We counted over 90 different individuals asking questions throughout the meeting.

The topics discussed added to the number of questions that the ecosystem had for the CMMC-AB this meeting. Questions ranged from ethics, training and lessons learned from a C3PAO.

The CMMC-AB acknowledged there were more questions during this meeting and a lack of time to answer them all. An interim meeting was held on October 12th to answer some of the questions that had been building over the past several months.

But the CMMC-AB only answered one of the questions that we planned on covering during the Q&A Town Hall. Thus, we’ve created this massive list of questions and answers.

• Takeaway 1: Technical Difficulties

• Takeaway 2: Ethical Dilemmas

• Takeaway 3: Ethical Requirements

• Takeaway 4: Fraud Scheme Update

• Takeaway 5: Prevent Price Gouging

• Takeaway 6: DoD Comments

• Takeaway 7: DoD Approved Materials

• Takeaway 8: LTP Classes

• Takeaway 9: Control Clarification

• Takeaway 10: Acronym Map

• Takeaway 11: Takeaway 11: One Certification

• Takeaway 12: Certs Across Environments

• Takeaway 13: Cost Breakdown

• Takeaway 14: Realistic for Small Business

• I don't see an "answered" bucket. Different zoom interface?

The most liked question at this Q&A Town Hall was where to find the answers tab in the Q&A dialog box.

The Q&A dialog box is different when viewed through the Zoom application vs a web browser.  We had both open during the last Town Hall and we can confirm the CMMC-AB did not provide any answers via the Q&A dialog box this past meeting.

Zoom Q&A Dialog Box using Chrome Browser

The number of likes for each question will determine their order in the dialog box (the CMMC-AB Town Halls usually have this feature enabled). This makes it more difficult to track the questions as they come in since they start at the bottom of the queue before they have any likes.  The total number of questions will be visible at the top of the Q&A dialog box and answered questions will appear on a separate tab within the dialog box.

Zoom Application using a Chrome OS

When viewed through the zoom application, the order of questions doesn't change based on their likes. The number of likes is not shown.  When answered in the zoom application, the answer will appear below the question.  If you were wondering if you were looking at the right place to find the answers, chances are you were.

Before we dive into some of the ethics questions, let's review some of the complaints that Matthew Travis addressed at the onset of the Town Hall.

We traced the origin of most, if not all, of these complaints to a Formal Complaint dated February 12, 2021, and published by Oxebridge Quality Resources International LLC.

Allegation #1

Board member (Ty Schieber) falsely declared tax-exempt status for CMMC-AB on a CAGE code application. We found this aligned with Allegation #1 of the Oxebridge Formal Complaint.

The CMMC-AB found this didn’t violate their Code of Ethics and Conflict-of-Interest Policy since the filing for tax-exempt application was pending.

The Board voted Chairman Ty Schieber off the CMMC-AB in September 2020. 

Allegation #2

Board member (Mark Berman) operated a company that provided a CMMC-related product. We found this aligned with Allegation #2 of the Oxebridge Formal Complaint.

The CMMC-AB found this didn’t violate their Code of Ethics and Conflict-of-Interest Policy since the AB formed from industry and board members were not expected to quit their jobs as they were volunteering for the Board.

The Board also voted Head of Communications Board Member Mark Berman off the CMMC-AB in September 2020.

Allegation #3

Board member (Regan Edens) operates a company that provides products and services marketed to the CMMC Ecosystem.

We found this aligned with Allegation #3 of the Oxebridge Formal Complaint. The CMMC-AB found this did not violate their Code of Ethics and Conflict-of-Interest Policy for the same reason as allegation #2.

Mr. Travis elaborated that ISO 17011 prohibits Board members from consulting in the ecosystem that they accredit and pledged that this is something they will continue to work towards.

Allegation #4

Board member (Regan Edens) used his status as CMMC-AB Board member in marketing materials for their own company.

We found this aligned with Allegation #3 of the Oxebridge Formal Complaint as well. As Mr. Travis explained, this allegation cited a publication that put the Board member’s company’s logo along with an account of his role as an AB Board member.

This publication was also cited in the Oxebridge complaint as an interview published on the website Security Boulevard.

The AB accepted the explanation that the Board member had nothing to do with the publication of his company’s logo in the publication.  

Allegation #5

Board member (Jeff Dalton) improperly granted himself CMMC Provisional Assessor (PA) status. We found this aligned with Allegation #4 of the Oxebridge Formal Complaint.

The CMMC-AB found this didn’t violate their ethics or conflict-of-interest policies.

The cited social media posting was from a Provisional Assessor who mistakenly identified the Board member as the first Provisional Assessor.

Jeff Dalton remains on the CMMC-AB as Vice Chairman.

Allegation #6

Board member (Ben Tchoubineh) promoted his own company while participating in a CMMC webinar as a Board member.

We couldn’t align this allegation to the Oxebridge Formal Complaint.

However, the Oxebridge blogs dated 4/27/21 and 5/15/21, discuss this allegation in more detail.

The CMMC-AB found this did violate their Code of Ethics and Conflict-of-Interest Policy since Board members cannot use their status to promote their own business.

Ben Tchoubineh stepped down from the CMMC-AB in March of 2021.

Allegation #7

Board members (Ben Tchoubineh or Regan Eden or both) publicly endorsed the products of a partner vendor for CMMC compliance purposes.

Mr. Travis introduces this allegation as belonging to the same event as Allegation # 6. We found that this allegation may be referring to the interview referenced in allegation #4 since the transcripts from allegation #6 don’t show Mr. Tchoubineh endorsing any products or services.

The board concluded that this allegation violated the Code of Ethics and that Board members shouldn’t endorse any products or services from any company.

Allegation #8

Board members (Regan Eden) company used his status on CMMC-AB Board in direct marketing materials.

Mr. Travis elaborated that there was an email that cited the Board member’s status.

The board concluded that this allegation violated the Code of Ethics, Conflict-of-Interest Policy, and the Code of Professional Conduct.

We were unable to find any supporting documentation for this allegation other than the CMMC-AB tied this allegation together with Allegation #9 in their summary of findings.

Allegation #9

Board member (Regan Eden) promoted unauthorized CMMC-related “training“ while mischaracterizing his CMMC status.

The board concluded that this allegation violated the Code of Ethics, Conflict-of-Interest Policy, and the Code of Professional Conduct.

We were unable to find any references to allegations 8 or 9 belonging to Regan Eden other than Mr. Travis’ statement that in response to the investigations they asked for and received the resignation of the Board member involved with allegations 8 and 9.

Board member Regan Edens resigned from the AB in June 2021.

• Is there a publicly available copy of the Ethics requirements? If so, where is it?

So Matthew Travis listed several policy documents as guidance for the accreditation board including, most of which are available online:

• CMMC-AB Board Code of Ethics

• CMMC-AB Conflict of Interest Policy

• CMMC-AB Directors Agreement

• CMMC-AB Code of Professional Conduct

• CMMC-AB Memorandum of Understanding with DoD

• ISO/IEC 17011

• What is the status of the one AB-selected C3PAO and then got caught in a huge DoD fraud scheme?

Searching the internet for insight into this question takes us right back to Oxebridge.

If the individual who asked this question in the Town Hall is referring to the same authorized C3PAO discussed by Oxbridge, the timeline is backward.

April 14, 2021, was the date of the original news article and only names the DoD employee who admitted to laundering about $600,000 in bribes from an unidentified government contractor.

The authorization of the C3PAO occurred after the publication of this article.

• As there are only 4 C3PAO's what prevents price gouging? 

Only you can prevent price gouging.

DoD hasn’t issued rulemaking and no assessments have started yet.

We’re getting closer to that point, the first Licensed Partner Publisher’s content has been approved. Thus, paving the way for the first Licensed Training Providers to schedule training to begin certifying professionals (followed by assessors in the not too distant future?).

As an OSC you can begin talking to C3PAOs and receiving quotes but until rule-making occurs the scope of those assessments may change.

The only requirement today is to self-assess and have a NIST 800-171 score uploaded into the SPRS.

That doesn’t mean that you shouldn’t be working towards shrinking your Plan of Action & Milestones and expanding your System Security Plan.

• I know this isn't a chat, but it's highly disappointing that CMMC-AB has not addressed the DoD's comments on changing how certification happens.

We attended the CMMC Summit at Walsh University in North Canton, Ohio and we listened to what Matthew Travis said during his keynote.

The CMMC-AB cannot speak on behalf of DoD.

They can only speak to what they know and what they are doing to prepare the ecosystem for third-party certifications via CMMC.

During his speech at the Summit, he discussed the final documentation component of CMMC.

DoD is still working to provide C3PAOs with access to Enterprise Mission Assurance Support Service (eMASS) as well as the finalization of the assessment process, dispute resolution process and a scoping addendum.

• How can the AB be setting up training when DoD hasn't approved the materials yet? 

The CMMC-AB maintains the Body of Knowledge (BoK). The BoK encompasses the DoD-approved CMMC Model and Appendixes.

The CMMC-AB has created learning objectives from the BoK at the domain and task level.

The LPPs use the learning objectives provided by the CMMC-AB and create content.

The LPP licenses their content to the Licensed Training Partners (LTPs) who use it to create their courses. The CMMC-AB will administer exams to measure understanding of these learning objectives as part of the certification testing.

It’s possible that DoD could change the CMMC Model or add appendices, which in turn would update the BoK but it is unlikely they will make significant changes given the recent approval of the first LPP's training content.

It’s more likely that DoD will provide further guidance on topics such as dispute resolution and scoping.

• My question on LTP is more for those that don't have time to sit in a 4-5 day boot camp training from the get-go. Are LTP classes going to include learning at your pace style training?

In a previous blog, we detailed that several license training partners have advertised forthcoming modalities that would include asynchronous training modules.

As of early October 2021, none of those license training partners have advertised their CCP training as authorized by the CMMC-AB.

Furthermore, during Kyle Gingrich’s presentation in the September Town Hall, she mentioned only those modalities of virtual and in-person when describing the different types of training that will be available.

• Is there a contact within the CMMC that can help current RPO's with questions and clarification on certain controls?

Aside from the basic training by the CMMC-AB during the registered practitioner onboarding, any authorized training will likely come through the LTPs.

RPs and RPOs can register for CCP training or look to outside training providers for advice and clarification on certain controls.

Another source of information helpful to members of the ecosystem has been discord. 

This group is two years old and includes a large group of members with a wide range of experience and specialization.

I would recommend researching advice from non-accredited channels like discord, but you’re likely to find others there who had the same or similar questions related to certain controls.

• Can we get an acronym map specific to CMMC? Tough to follow as a new participant.

• AAC - Acquisition Advisory Council

• AB - Accreditation Board

• C3PAO - Certified 3rd Party Assessor Organizations

• CCA - Certified CMMC Assessor

• CCP - Certified CMMC Professional

• CI - Certified Instructor

• CUI - Controlled Unclassified Information

• CTI - Controlled Technical Information

• DIB - Defense Industrial Base

• DSC - Defense Supply Chain

• FCI - Federal Contract Information

• IAC - Industry Advisory Council

• LPP - Licensed Partner Publisher

• LTP - Licensed Training Provider

• OSC - Organizations Seeking CMMC Certification

• PI - Provisional Instructor

• RP - Registered Practitioner

• RPO - Registered Provider Organization

• SPRS - Supplier Performance Risk System

• Does the CMMC-AB expect prime contractors with many programs to have one enterprise certification or have CMMC on a program-by-program basis?

Most organizations will not need more than one CMMC certification and certifications aren’t specific to a single contract. A certification is an indicator of the kinds of information that an organization can receive.

The more mature the organization, the more sensitive information they can receive.

• Can organizations obtain multiple certifications if they have two separate environments?

Yes, larger organizations can achieve a maturity level 1 certification while smaller enclaves within that organization can achieve maturity level 3 certifications.

• What is the true (ballpark) cost of materials and labor required to meet req's of the DIBCAC assessment?

This was recently discussed at the Ohio CMMC Summit.

We had several contractors walk through the pricing aspects of what tools they have purchased, what in-house and external resources they have allocated.

Before the cost of the actual assessment, the annual self-reported external costs were between $96,000 to $120,000 per year for a Tier 2 defense contractor with about 20 employees handling CUI.

For organizations that need external support to document practices and policies, the estimate was $30,000 to $50,000 as a one-time investment to prepare for the assessment.

Another $30,000 to $50,000 should be set aside for the certification assessment itself.

Amortizing the assessment and preparation costs over three years puts the ballpark cost at $116,000 to $153,333 per year.

• How realistic is it for a small business to get there?

Most small businesses would be better served if they hired a consultant to help with the documentation and implementation of controls.

Businesses will need to determine if DoD-related business will offset this investment. There is also a cost to not implementing these cybersecurity controls.

The average cost of ransomware remediation has doubled in the past year, costing organizations on average $1.85M per attack.