The CMMC Accreditation Body (AB) kicked off a new year of Town Hall events on January 25, 2022.

Given the updated DoD guidance for CMMC 2.0, there was a key theme surrounding this town hall. How will their mandate move forward in 2022 with final rulemaking not expect for another 6 to 21 months?

Before the meeting, the AB outlined and provided updates on six actions it’s currently taking to prepare the ecosystem…

• Installation of professional staff to handle day to day operations

• Training Certified CMMC Professionals (CCP)

• Authorizing Certified 3rd Party Assessor Organizations (C3PAO)

• Finalizing and Publishing DoD Approved Documentation

• Working with a marketing agency to promote CMMC 

• Working towards ISO Accreditation

• Professional Staff

• Training Certified CMMC Professionals

• Authorizing Certified Third-Party Assessors (C3PAOs)

• Finalizing and Publishing DoD Approved Documentation

• Working with a Marking Agency to Promote CMMC

• Working Towards ISO IEC 17001 Accreditation

• Conclusion

In December 2021, the board elected then Vice Chairman, Jeff Dalton. He will be the next Chairman of the Board following the departure of Karlton Johnson.

As his first order of business, Jeff announced that effective January 1st, 2022, the volunteer board of directors stepped back. They turned over all responsibilities to the professional paid staff at the CMMC-AB.

In his view, the CMMC-AB should be a predictable, process and policy focused organization that doesn’t have a lot of surprises.

He acknowledged that with all the changes over the last two years, there were a fair number of surprises.

His primary goal as chairman is to stabilize CMMC-AB. More specifically, he’ll remove future surprises by establishing processes, policies and procedures. He intends on receiving outside help. Specifically by including guidance from the National Association of Certified Directors (NACD).

CEO, Matt Travis, acknowledged that one of his top priorities in 2022 was to increase enrollment in Certified CMMC Professional (CCP) classes.

CCP classes started as early as October 2021. But, the introduction of CMMC 2.0 delayed the previously scheduled exam dates. This push back required the Licensed Publishing Partners (LPPs) and Licensed Training Partners (LTPs) to align their curriculum with new blueprint objectives.

The CMMC-AB drafted the new set of objectives for the CCP curriculum and exams. The DoD approved those on January 21.

Four days later, the CMMC-AB reviewed those objectives with their LPPs and LTPs. LPPs will be reviewing the updated objectives and resubmitting their updated CMMC 2.0 content for approval from the CMMC-AB.

All training materials approved by the CMMC-AB will display the CMMC Approved Training Materials (CATM) logo. Since CMMC 2.0 mostly removed content, the CMMC-AB doesn’t believe that it will take very long for LPPs and LTPs to update their content.

The updated CCP exam is still under development. The CMMC-AB expects to publish new exam dates during the next Town Hall at the end of February.

For many, CCP is the first step towards becoming a CMMC Certified Assessor (CCA). DoD has received the updated objectives for CCA and the CMMC-AB expects to receive an approval back within the next couple of weeks. 

The CMMC-AB is encouraging individuals to schedule CCP training now before LPPs and LTPs update the content.

The new training will not include the delta 20 practices or maturity processes. So, students of future training would actually receive less content than is available today. The CMMC-AB has also committed to providing delta training for anyone who receives CCP training. It's distributed through a LTP using the version 1.0 approved training and has a registered CPN on the CMMC-AB website.

During the Q&A session of the meeting, Jon Hanny mentioned that he had a call scheduled to resume C3PAO assessments. During which he'd work with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

With the CCP and CCA training delayed, a lot remained unclear. Specifically with candidate C3PAOs. They need to figure out how to meet the requirements of maintaining an association with at least one CPP, CCA, or Provisional Assessor (PA). A provision for DIBCAC assessments.

Since exams for CCP and CCA aren’t yet available, the only option for candidate C3PAOs at this point is to contract with a PA.

Matt Travis noted that a number of PAs are self-employed and available for hire.

He has also considered exploring options with the DoD to augment the C3PAO assessment teams with a number of PAs that are still waiting on DoD suitability determinations. As long as they don’t have access to controlled unclassified information.

Shortly after the January Town Hall, the CMMC-AB marketplace listed the sixth authorized C3PAO.

DIBCAC currently has 200 candidate C3PAOs in the assessment queue. They likely won’t get through all the queued candidate C3PAOs until rulemaking is complete. This comes based off of the self-reported pace of C3PAO assessments from the DIBCAC in the October Town Hall.

The CMMC-AB acknowledged DoD is still in the process of reviewing several documents that incorporate the CMMC 2.0 provisions.

These documents include:

• CMMC Assessment Process (CAP)

• MSP/CSP FedRAMP Equivalency Policy

• Dispute Resolution Process

The equivalency policy will specify whether assessors will evaluate non-FedRAMP cloud service providers (CSPs) or managed service providers (MSPs) used by organizations seeking certification (OSCs).

Right now, C3PAOs aren’t authorized to make that equivalency determination.

Matt provided an overview of the CAP, which guides the overarching procedures for CMMC Assessments. The purpose of the CAP is to provide consistency. It ensures that each assessment has the highest possible accuracy, quality and fidelity.

The CAP consists of 4 main phases:

• Phase 1: C3PAO and organization seeking certification (OSC) plan the assessment. 

• Phase 2: conducting the assessment (using the assessment guide)

• Phase 3: reporting results into Enterprise Mission Assurance Support Service (eMASS)

• Phase 4: discusses remediation, now that CMMC 2.0 allows some plans of action & milestones (POA&Ms)

Provision assessors received an interim draft of the CAP shortly after the launch of CMMC version 1.0.

CCP training classes provided students with a working draft of the CAP. But, individuals had to sign a non-disclosure agreement to receive their copy.

The current draft, which is about 40 pages long, is currently under review with the DoD. One the review concludes, the CAP will be a publicly available document.

Voluntary assessments cannot start until DoD approves the CAP.

During the Q&A, Matt Travis acknowledged the need to promote CMMC. It needs more exposure in the DIB and amongst cybersecurity professionals.

If the CMMC-AB hopes to start voluntary assessments this year, they’ll need to demonstrate how DIB companies will get a return on the investment of paying for a certification assessment. Next, if they hope to scale their ability to conduct assessments, they’ll need assessors to enter the training pipeline soon.

The heavier lift might be convincing DIB companies to voluntarily take part.

It’s widely believed that many DIB companies would not pass a CMMC level 2 assessment today. The few that have implemented NIST SP 800-171, will likely be looking for a return on their investment to pay for the assessment.

November's Town Hall included several suggested incentives from industry including:

• DoD paying for the assessment

• Offering an extended validity date on the certification and grandfathered for any changes

• Extended time allowance for time-bound POA&Ms

• Offering dual certifications (for example ISO 27001)

In order to scale assessments to the estimated 50,000 DIB companies that will require level 2 certification, the CMMC-AB needs to start adding assessors to their pipeline.

It’s likely that the making training and certification exams removes some recruiting obstacles. Establishing demand for voluntary certifications further reinforces the CMMC assessor career path.

In January, Matt alluded to having retained a marketing agency and during December’s Town Hall, Matt announced plans to update the website in and refresh the brand.

We’ll have to wait and see what the details of their marketing approach will be. But, it would appear they understand the challenges and have started on a plan to address them.

Matt addressed the question about compliance with ISO IEC 17011 in the Q&A session.

The CMMC-AB also acknowledged its lack of accreditation. However, Matt mentioned that it can still authorize C3PAOs under their contract with DoD.

According to the FAQ section of the CMMC-AB website, they have until the end of 2022 to obtain their ISO certification.

ISO accreditation is also required for other components of the ecosystem. C3PAOs must undergo an assessment that complies with ISO/IEC 17020 but they have a 27 month grace period to do so. The CMMC-AB will soon spin off the CMMC Assessors and Instructors Certification Organization (CAICO). They'll need to comply with ISO 17024 requirements.

The long ISO journey continues for both the AB side and the CAICO and they plan on continuing to update the ecosystem on where they stand.

The CMMC-AB has three distinct groups of stakeholders; DoD, DIB, and the ecosystem.

By satisfying the needs of the DIB and the ecosystem, they fulfill their contract with DoD. Much of their focus has been on standing up the ecosystem, it needs to serve the DIB. But, now we see them starting to pivot and at least think about how to approach the DIB directly.

The voluntary assessment period will require them to market the benefits of CMMC using carrots before DoD finalizes the rulemaking stick.