Last Updated on August 3, 2020
US Department of Defense (DoD) subcontractors of all sizes are gearing up for compliance with the new Cybersecurity Maturity Model Certification (CMMC) standard. The mind-boggling scale of the assessment/certification effort dictates a methodical rollout approach by the CMMC Accreditation Body (CMMC-AB).
One element of the CMMC rollout that hasn’t yet received much press is the pilot or provisional program, which will help lay the groundwork for the full-scale program by testing out documentation, methodologies and practices for assessors.
What do these programs look like, when will they be underway and who will participate?
This issue is covered in depth in a recent “insider edition” of The Virtual CISO Podcast. Our special guest was Ben Tchoubineh, Chair of the CMMC-AB’s Training Committee. Ben knows as much as anyone about what’s coming with the CMMC assessments (“Don’t call them audits!”).
“The provisional program is the one where we’re going to use a limited number of assessors, going to train them and work with them directly to learn from them based on what we’ve already developed,” clarifies Ben. “We have processes and methodologies that we’ve developed in draft form that are not publicized yet, a lot of amazing documents … about the support to assessors in terms of all kinds of criteria and methodologies, and so forth.”
“We then need to take these documents and actually put them to use and use them in the real world using these pilot programs. That’s really what this provisional program is about,” adds Ben.
Another provisional effort currently underway within the DoD is the CMMC’s integration into DoD processes and the creation of rules (including DFARS [Defense Federal Acquisition Regulation Supplement] rules) associated with the CMMC. This activity needs to conclude before full-scale assessments for Organizations Seeking Certification (OSCs) can begin.
What will the pilot CMMC assessments look like?
Ben explains: “We’re going to use a select number of assessors that we train. Then, we’ll use pilot programs and pilot contracts that the DoD selects. We would go through these assessments and, hopefully, learn from them.”
What’s the timeframe for the pilot program?
“That will take us through to late this year, early next year timeframe, where we will have a better understanding of our documents and make sure they work in the real world,” Ben shares. “That’s the goal of the provisional program.”
At the same time, the DoD will have completed its rulemaking process and integrated CMMC into the DFARS. “We’ll come out wiser, more experienced and ready for the large-scale program that would ensue,” says Ben.
How many assessors will the CMMC-AB train for this pilot program?
“We’re saying between 60 and 70, depending on how many we decide to use in the program,” Ben notes. “If we see that we need more, we could train more later. That’s a lot of assessors, honestly, when you think about it, for this kind of program.”
To get detailed insider coverage on the CMMC rollout, you’ll want to listen to the show with Ben Tchoubineh all the way through. To access this episode and the others in our continuing podcast series, click here.
If you’d rather not use Apple Podcasts, you can access all our episodes here.