The Cybersecurity Maturity Model Certification (CMMC) Accreditation Body held a Town Hall Apr. 27 to present updates on the progress of the CMMC roll-out and some insight into the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessments.
The CMMC-AB’s recently appointed CEO Matt Travis kicked off the virtual event.
Travis talked about the importance of the DIB to the DoD’s mission and national security, and why CMMC is needed.
“If what you did wasn’t important, we wouldn’t be asking you to take these steps to improve your baseline in cybersecurity,” he said.
He also outlined the AB’s future goals for making the entire ecosystem successful in bringing together the defense industry and government, so that everyone is satisfied with how CMMC is being implemented:
- the overall strategic goal of delivering this ecosystem of CMMC,
- ensuring the AB is doing what it can to get individuals and organizations certified, including building the data foundation, legal factors & policies, etc.,
- onboarding professional staff to build the internal infrastructure and transition the current AB to the “Board of Directors” role it was intended to fill,
- maturing the AB to facilitate its accreditation and certification at ML3, and
- advocating for industry in reducing the cost as much as possible.
Travis stressed that the AB will be accessible and transparent. He encouraged honest feedback and promised to make ethical standards clearer and address potential conflict of interest issues in the future. The AB will continue to run monthly Town Halls and share information about progress as much as possible.
DIBCAC Director Darren King presented information on how the organization is approaching assessments for small businesses interested in becoming Certified 3rd Party Assessor Organizations (C3PAOs). The assessment process from start to certification takes approximately 6 weeks, he said. DIBCAC typically conducts a Certification Assessment Readiness Review (CARR) two weeks ahead of a scheduled assessment to look over documentation and ensure the organization is ready to be assessed. In this process, they’re checking that the SSP, policies, and procedures are not in draft and match up with each other, that the scope of the program is clear, that POAMs are ready, and that assessors can easily determine who to interview and what to test.
The standards used for assessment are the same across all organizations:
- CMMC Version 1.02
- CMMC Level 3 Assessment Guide Version 1.10
- CMMC Glossary and Acronyms
- CMMC Appendices Version 1.02
- CMMC Errata Version 1.10
King strongly recommended organizations conduct a self-assessment to get a clear idea of what they need to add or improve prior to an official assessment.
King also stressed a few important areas that have traditionally been the most challenging for companies:
- Documentation – If your SSP, policies and procedures are clearly and comprehensively documented, it sends the message to the assessors that you know what you’re doing and have your program together. All documentation must be completed, not in draft, and it’s important that your employees are reading and following that documentation.
- POAMs – For CMMC, nothing can be unfinished.
- Cloud/Customer Responsibilities – It’s vital that organizations understand they can’t hand all the responsibility for their program to a cloud provider. There are areas of responsibility that cloud providers won’t cover (e.g., personnel security, training, etc.).
- Bring Your Own Device (BYOD) – If you allow personal devices to connect to in-scope networks, you must explain that in your SSP and have clear policies and procedures for how security controls are being met.
- Process Maturity – The process maturity practices are proving to be one of the biggest challenges assessors have seen. To achieve Level 3 certification, you must document policies and practices for each domain. Additionally, you have to establish, maintain and resource a plan that includes each domain. This is what makes clearly documenting your SSP, policies and procedures so important.
King presented the timeline for progression of the first 10 C3PAO candidates. One of the ten voluntarily withdrew from the process, but King said he expects the nine remaining candidates will be certified by the end of the fiscal year.
He also stated that any company that does not pass its accreditation assessment will have 90 days to remediate any issues found during the assessment. Once those areas are reassessed, the “delta assessment” will be reviewed by the DIBCAC Governance Board.
Due to COVID restrictions, DIBCAC is currently using a hybrid approach, with about 90% of assessments done virtually and onsite assessment only for controls that require viewing physical security features. For onsite, companies should have protective procedures in place that follow CDC guidelines. As vaccination rates increase, this will become less of an issue.
The DIBCAC invites questions, which can be submitted to firstname.lastname@example.org. King said the organization receives about 200 questions per month and strives to answer all of them within two business days.
Other noteworthy items from the Q&A session:
- Readiness of C3PAOs has caused delays in the pilot contracts. Some pilot companies withdrew due to lack of time for coordination, preparation, scheduling and assessment for FY21 contracts. There are a few instances where contract awards are moving to FY22 so those may still be viable. Ms. Diane Knight of the CMMC PMO is starting to coordinate applications for FY22 pilots.
- Prepaid exam vouchers for certification exams remain valid. Certification exams are still being developed. Before they are released, vouchers will be sent out to those who have purchased them and will be good for a year after issue. The clock doesn’t start until the exams are made available.
- The cost of CMMC certification will be incorporated into overhead and recouped through the application of indirect rates for up to Level 3 certification. The PMO is still determining how to address this for Levels 4 and 5.