As the Pentagon moves ahead on its Cybersecurity Maturity Model Certification (CMMC) effort, officials leading the program’s accreditation body said the assessment process to certify third-party auditors is likely to begin again by late January.
During a town hall discussion on Monday, accreditation body officials detailed the latest on CMMC 2.0 as the Pentagon aims to begin voluntary cyber security assessments while the federal rulemaking process moves forward.
“The expectation is that everything will be worked out early to mid-January and then the assessments will resume,” Jon Hanny, the CMMC Accreditation Body’s director of operations, said during the discussion. “We are ramping up as much as we can while trying not to completely bury the Defense Industrial Base Cybersecurity Assessment Center (DIB CAC).”
The DIB CAC is responsible for assessing and approving interested CMMC Third Party Assessment Organizations (C3PAO), which will then evaluate companies against the new cyber security contracting standards.
Hanny noted that C3PAO candidates being processed when the original CMMC effort was paused have already had their assessments rescheduled to start by late January.
The Pentagon in November rolled out CMMC 2.0 after a nine-month review process of the original effort, with the new model reducing the number of tiers of compliance from five to three and allowing for more self-assessment opportunities on certain types of programs (Defense Daily, Nov. 4).
While the rulemaking process to implement another interim CMMC policy may take nine to 24 months, the Pentagon said it was looking at providing incentives for contractors to voluntarily obtain a CMMC certification in the interim period.
Matthew Travis, CEO of the CMMC Accreditation Body, noted the first voluntary assessments against the new CMMC 2.0 model will begin in 2022 after C3PAOs can be approved to conduct evaluations.
“At that point, it’s not mandatory but they’re going to be available to [defense industrial base] companies to go ahead and get certified,” Travis said. “This is where that interim voluntary period comes into play, where the department has recognized the investments that [defense industrial base] companies and members of the ecosystem have already made and also recognize that the cyber threat actors who do us harm are not sitting and waiting for rulemaking to finish either.”
Travis noted since CMMC 2.0 was announced in November DoD has released a “Scoping Guidance” for Levels 1 and 2, a Self-Assessment Guide for Level 1, an Assessment Guide for Level 2 and an Artifact Hashing Guide.
“This is very tangible evidence that the department is gearing up to allowing voluntary assessments starting here soon,” Travis said. “Download those [documents], get some eggnog, cuddle up against a fire and spend some holiday time learning more about the particulars of CMMC 2.0.”