The CMMC-AB held two Town Hall events in October to address a backlog of questions from the ecosystem.

During the October 12th Town Hall, the Body addressed many administrative questions. But, their queue actually grew longer, receiving over 100 new questions during that meeting.

Members of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) participated in the October 26th Town Hall. They provided much-needed insight into the current CMMC assessment process ongoing with C3PAOs.

The CMMC-AB also did a better job during this second Town Hall answering questions as they arose in the Q & A Dialog box.

Since participants may not have seen some of those responses, we'll cover several that we felt were significant. Then, we'll discuss our selected unanswered questions from the October Town Hall meetings.

• Takeaway 1: DoD Ruling Within 2 Weeks?

• Takeaway 2: Assessment Changes Forthcoming

• Takeaway 3: Board Member Guidance

• Takeaway 4: Slow to Certify C3PAO

• Takeaway 5: 150 Provisional Assessors During Pilot Phase

• Takeaway 6: At Least 30 Provisional Assessors Still in Training

• Takeaway 7: CCA-1 Class Without Assessment

• Takeaway 8: It Starts With CCA-1

• Takeaway 9: FAR 52.204-21 is self-attested

• Takeaway 10: Policies Don’t Need to Match 1-to-1

• Takeaway 11: Renewal Fees Differ Based on Level

• Takeaway 12: Certification Cost Recouped in Bids

• Takeaway 13: Delineation Between General Definitions

• Takeaway 14: SSP and CUI Labeling

• Conclusion

• Question: Can you please give an update on the proposed changes to CMMC requirements? What exactly is being changed?

• Answer provided by Jeff Dalton - The DOD has not announced any potential changes yet. But we hope to hear from them within 2 weeks.

This was the first of two written responses that hint the CMMC-AB has reason to believe DoD will be issuing a final ruling on CMMC by mid-November.

Matthew Travis alluded to this during the meeting when discussing the scheduling of the next Town Hall meeting.

November 30, 2021, is the next Town Hall meeting. But, Travis stated that if DoD issues rule-making before the next scheduled Town Hall, the CMMC-AB may schedule another interim Town Hall.

• Are four Certified Assessors still required to conduct an assessment?

• Answer provided by Jeff Dalton - We are awaiting guidance from DoD on this. That was their requirement two months ago, but we expect them to announce any changes to that within a couple of weeks.

Here again, Mr. Dalton indicated that CMMC-AB expects DoD to make some type of announcement regarding changes to the CMMC program by mid-November.

• Can someone clarify the “RETEST” policy for CCP with Scantron? Is there a certain number of attempts within a time period? A cost associated with each retest?

• Answer provided by Kyle Gingrich - The drafting of this policy is underway and publication will be in November.

This response is less indicative of imminent DoD rulemaking. Yet, it does substantiate that a second Board Member also expects further guidance published in November.

• How many teams are performing assessments for C3PAO candidates? It seems that the rate for authorizing C3PAO candidates is <1/month which is not sufficient for CMMC.

• Answer provided by Jeff Dalton - Agree. We're very aware of this risk.

We knew that five C3PAO’s had passed the DIBCAC assessment before the second October Town Hall.

What the DIBCAC was able to inform us during the meeting was that 13 C3PAOs hadn’t made it past the scoping phase and 7 had not made it past their readiness review phase.

Another 7 were under evaluation and one had withdrawn their candidacy after starting the DIBCAC process, giving us a total of 33 candidate C3PAOs referred to them.

The DIBCAC team also outlined their 5-6 week timeframe for the readiness review and assessment process.

If we assume that the first authorized C3PAO (Redspin) was one of the first evaluated by the DIBCAC, then we could say early May 2021 was when they started assessing C3PAOs.

In 5 months, they’ve evaluated, to some degree, 33 C3PAOs. At that rate, it would take 29 months to assess all 192 Candidate C3PAOs currently listed in the marketplace.

The most shocking metric here was that 21 out of 33 C3PAOs didn’t make it through the DIBCAC assessment.

We assume these organizations have more resources and experience in preparing for this certification assessment than an average DIB company. The DIBCAC representatives listed the reasons why C3PAOs had not passed the assessment process:

• How many assessors and C3PAOs will the CMMC-AB need to assess the DIB every 3 years? How many for the first year (pilot programs)?

• Answer provided by Jeff Dalton - We estimate 150 for the pilots (we have 150 Provisional Assessors now). Full implementation will require 2,000+ (as it is currently scoped).

Unfortunately, the part of the question related to C3PAOs still largely remains unanswered.

Mr. Dalton stated that they needed 150 provisional assessors for pilot assessments in the first year, although the marketplace lists only 119 at the time of this publication. We assume some provisional assessors are still working on their authorization.

The shortfall of assessors was recently discussed in a FedScoop article.

In total, there were over 2,000 registered practitioners listed in the CMMC Marketplace at the time of writing this article.

The prerequisites of 4+ years of cyber experience along with the high cost of completing many levels of training and exams will prevent many registered practitioners from becoming Certified CMMC Assessor for Maturity Level 3 (CCA-3). FedScoop quoted Mr. Travis in the article “We need to do a more aggressive or proactive job of recruiting”.

• Why is it you say there are 150 provisional assessors? The CMMC-AB told me that they closed the provisional assessor program?

• Answer provided by Jeff Dalton - Because we have 150. We trained 150 prior to closing the temporary pilot program. It was always a short-term program, and now that the CCP training has started, that path is available to everyone.

Again, with only 119 provisional assessors listed in the Marketplace, we assume that at least 30 provisional assessors are currently undergoing their certification.

For anyone that didn’t make it into the provisional assessor program, they will have to take the certified assessor route as shown on the CMMC-AB site.

• Last time you stated that to take the CCP exams, you have to be at assessments. What if people are doing it for a company for internal expertise?

• Answer provided by Jeff Dalton - Do you mean CMMC certified assessor ML1 (CCA-1) and ML3 (CCA-3)? You can take the CCA-1 class without being on an assessment.

This question comes from the perspective of an OSC looking to learn as much as possible about the assessment process to better prepare their own organization.

Looking at the roadmap for a CMMC certified professional (CCP), there is no need to be part of an assessment to become certified. The roadmap for a CMMC certified assessor (CCA-1) does require observation on an assessment but this is the last step prior to certification.

Jeff’s answer provided a way for an OSC to take the course and exam for a CCA-1 but never achieve certification as an assessor if the intent was only to better prepare their own organization for an assessment.

• How are OSCs supposed to get the information for an ML3 assessment if they can't take the classes?

• Answer provided by Jeff Dalton - The CCP and CCA-1 classes will cover everything you need to know on the assessment. The CCP class is an in-depth survey of the model itself. 

Jeff indicated that an OSC could attend a CCA-1 course and take the exam but if they didn’t want to take part in an assessment, they wouldn’t receive a certification as an assessor.  Since CCA-1 certification is a prerequisite of the CCA-3 course, the individual wouldn’t be able to take a CCA-3 course without CCA-1 certification. There’s a valid concern here from the OSC standpoint given the significant gap in requirements from ML-1 to ML-3.

It’s reasonable for an OSC to want to know to what level of detail assessors check for when evaluating ML-3 practices, processes, procedures, and plans. Based on Mr. Dalton’s answer, if an OSC did want to pursue CCA-3 training, the process would require their staff to first become certified on a CCA-1. This would include performing an assessment observed by an AB Staff member or independent senior assessor contracted by the AB.

So what is the difference between the L1 and L3 classes? We’ll have to move this over to the unanswered questions section because Mr. Dalton didn’t provide an answer.

• Question: We are a small business and we don't store customer data outside of product quotes. Are we required to have an outside review for Level 1?

• Answer: Unanswered

CMMC will require any contractor or subcontractor dealing with Federal Contract Information for the DoD to have a Maturity Level 1 (or higher) certification before the award of any contract containing DFARS clause 252.204-7021. Until this DFARS clause appears into a contract that you take part in, adherence to FAR 52.204-21 is self-attested.

• Question: Question for the DIBCAC... 997 has 9 assessment objectives per domain, 998 has 3, 999 has 7... do you verify every assessment objective for each domain?

• Answer: Unanswered

The DIBCAC representatives at the October Town Hall clarified that the policies don’t need to be a one-to-one match to the seventeen domains.

It’s possible to have more or fewer policies as long as they meet the assessment objectives for each domain and it’s clear to an assessor how the policies govern each required domain.

998 Procedures are the documented processes used to carry out the practices. Each practice (130 for ML3) must have a documented process that meets the three assessment objective requirements (documenting & followed; specify the activities required to carry out the policy; reviewed and updated).

997 are plans that detail the implementation of policies. Since the DIBCAC representatives clarified that policies don’t need to be a one to one match to the seventeen domains, it’s possible to have more or fewer plans, as long as they meet the assessment objectives for each domain and it’s clear to an assessor how the plans govern each required domain.

• Question: Is the renewal the same fee as the initial?

• Answer: Unanswered

The annual renewal fees listed on the CMMC-AB website are as follows:

• Certified CMMC Professional - $150

• Certified CMMC Assessor Level 1 - $250

• Certified CMMC Assessor Level 3 - $500

• Registered Practitioner - $500 (not listed)

• Question: Early publications indicated that the cost of getting certified could be recouped in bids. How will that work?

• Answer: Unanswered

A June 2021 article from National Defense quoted Stacy Bostjanick, Director of CMMC Policy in the Office of the Undersecretary of Defense for Acquisition and Sustainment “You could include up to [CMMC] Level 3 in your indirect rates. So, you don’t get a direct charge to do it, but you do get to recoup the cost over time; you have to spread it across all of your business.” This helps address how prime contractors can pass the cost along but suppliers are still beholden to their contracts and relationships with their primes.

• Question: The definition of CUI seems to be evolving. Some definitions include “contracts” which means that all companies doing business with the federal government resulting in a contract will require CMMC certification. Do you expect the government to refine these very general definitions?

• Answer: Unanswered

There is a delineation between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC will require all companies doing business with the federal government that have FCI to get an ML1 certification (or higher).

They must receive their certification before the award of a contract containing the DFARS 252.204-7021 clause.

We estimate 50,000 companies within the Defense Industrial Base have CUI. CMMC will require all companies doing business with the federal government that have CUI to get an ML3 certification (or higher).

They must receive their certification before the award of a contract containing the DFARS 252.204-7021 clause. 

• Question: Is there guidance about CUI labeling of a System Security Plan (SSP)?

• Answer: Unanswered

There has been considerable discussion about this question and the DoD has yet to provide a clear answer.

The answer may also depend on whether the covered information system manages CUI today or anticipates handling CUI in the future.

We cannot see any scenario in which an OSC would consider their SSP as CUI if they are only seeking an ML1 certification and have no plans on working with CUI in the future.

There’s precedent for considering non-federal SSPs CUI.

For example, the SSP Template available for download from the FedRamp website comes with cover markings for CUI. 

Paragraph H of DFARS 252.24-7012 states “the Government shall protect against the unauthorized use or release of information... derived from information obtained from the contractor under this clause that includes contractor attributional/proprietary information...the Contractor shall identify and mark attributional/proprietary information”.

There were fewer questions and more accolades from the ecosystem in the Q&A Dialog Box compared to the last several Town Hall meetings.

Participation from the DIBCAC eased some of the ecosystem's concerns that the DoD was not invested in CMMC and provided some solid technical guidance. We will stay on top of any future developments forthcoming in November.