The accreditation body shared timelines for working groups that will shape key features of its program.
About 3,500 people have registered for the first in a series of webinars that organizers are planning in order to meet the high demand for knowledge of how the Pentagon’s Cybersecurity Maturity Model Certification program will work.
The CMMC Accreditation Body—newly incorporated as a nonprofit in Maryland—emailed stakeholders Wednesday touting its activity so far in standing up a system to manage audits of defense contractors’ cybersecurity and outlining the next steps.
Implementation of the CMMC will end the current policy of defense contractors self-attesting their adherence to specific security controls, such as those outlined in National Institute of Standards and Technology Special Publication 800-171.
The program has made many in the industry anxious about exactly what auditors will want to see in order to hand over the certifications necessary to do business with the Defense Department and created an ecosystem of independent third parties eager to profit from the system.
Two weeks ago, Ellen Lord, undersecretary of Defense for acquisitions, issued a statement dispelling claims some were making that they could provide the sought-after certifications.
“Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD,” she said. “The requirements for becoming a CMMC third-party assessment organization [C3PAO] have not yet been finalized, so it is disappointing that some are trying to mislead our valued business partners.”
The accreditation body will dive into the details of C3PAOs and other CMMC topics such as the training prospective auditors will need to undergo in a series of webinars starting April 6.
“The CMMC-AB is still building the CMMC ecosystem, so we don't have all of the answers yet. But we are working on them,” reads the group’s email. “As this work continues, we are listening for, and depend upon, your feedback. We encourage you to participate in the National Conversations and our newly-formed Working Groups to help us shape the CMMC ecosystem.”
According to CMMC-AB’s website, work has already begun and will be ongoing within its standards committee to “decide the thresholds for validating that an organization has met the standard for each control.”
The standards committee will rely on a working group of no more than 10 people and “will also look forward beyond today's standard to make recommendations to DoD for future inclusion in the CMMC model,” the website states.
Other working groups include those for committees on credentialing and training.
Deliverables, such as a training and certification framework document for approval by the CMMC-AB Board of Directors, are expected first on April 17, followed by the contours of an exam for assessors on April 24.
By April 30, working groups are expected to have reviewed a provisional CMMC assessment method definition and to have given feedback and suggestions on the methodology used to conduct consistent CMMC certification assessments with a demonstration of its iteration.
Specific exam questions for assessors aren’t anticipated till May 27. The application deadline to participate in the working group that will develop them is April 15.