Version 1 of the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) framework and audit program has been publicly available since January 31, 2020. But when will CMMC requirements start showing up in RFPs? When will auditing start, and what will it look like?
We recently got the latest update on these and many related questions from Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber and the DoD’s point person for the CMMC rollout. We were honored to have Katie as our guest for the opening episode of Pivot Point Security’s new The Virtual CISO Podcast.
According to Katie, because the new CMMC program “will cost money and will impact the US economy,” there will be public comment leading up to a DFARS rule change. This won’t take place before October 2020, so no CMMC requirements can appear in RFPs prior to then. Once the DFARS rule change is in place, the DoD will gradually apply CMMC requirements, most likely starting with a chosen subset of contracts.
When CMMC language starts appearing in DoD contracts, your company will need to be CMMC certified to the specified level to bid on those contracts. All companies doing business with the DoD will eventually need to be CMMC certified at least to Level 1, even if they don’t handle controlled unclassified information (CUI).
Getting CMMC certified means passing an audit at the appropriate CMMC level, conducted by a certified auditor working for an independent, accredited third party. (According to the CMMC website, some high-level assessments may be performed by DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).)
With something like 350,000 suppliers in the Defense Industrial Base (DIB), where are all these auditors going to come from? Katie explains in our podcast that the DoD has supported industry to “self-form” a nonprofit accreditation body, which gave itself the catchy name CMMC Accreditation Body (CMMC-AB). These folks will onboard the hundreds of Certified Third-Party Assessment Organizations (C3PAOs) needed to make this process work. The C3PAOs will, in turn, train and certify the cadres of auditors (Katie refers to them as “a coalition of the willing”).
Katie further explained that as of now, “We know what the program exactly looks like, how audit firms will be accredited and how individual auditors will be accredited. We [the DoD] gave the accreditation body the training materials for the certification process—the curriculum.” The CMMC-AB will “… have a marketplace up soon where you can register for the training classes.”
If you’re interested in becoming an auditor, Katie indicated that classes should be ready to go starting in late April or early May, “… with the intent that as we roll RFIs out in June that we’ll have our first round of certified auditors able to go out and start doing assessments.” Linking auditors with C3PAOs will need to happen in that same timeframe.
Katie also clarified the recertification interval and scope: “The MOU is that recertification is going to be every three years for companies. And we want the certification to be good for the whole of the DoD—the Army, Air Force, Navy and Marine Corps. So we’re buying down the cost, because right now the cyber requirements for the Navy aren’t the same as the Air Force, and companies are having to invest to meet all those.”
In practice, it will be a gradual process spanning several years before all the DoD’s supply chain is CMMC-certified. Clearly there will be some competitive advantage in achieving certification sooner rather than later.
Is your business ready to start dealing with CMMC? Contact Pivot Point Security to talk with an InfoSec expert about your goals and where you are today.