Pentagon’s Cybersecurity Accreditation Board Seeks First Class of Auditors


The group seeks experienced professionals to help shape an ecosystem of education and training possibilities for aspiring cyber auditors. 

School’s in for summer. The accreditation body responsible for implementing the Defense Department’s Cybersecurity Maturity Model Certification program will soon start accepting applications for the first set of students to fine-tune its assessor training program.

With the finalization of an acquisition rule change this fall, the CMMC will institute a system of independent third-party audits to validate the cybersecurity practices of companies within the defense industrial base. For the most part, defense contractors are currently just pledging their adherence to required security controls. 

DOD will soon finalize a training course prospective auditors will have to pass.

Then, “once we have the training course ready and we’re happy with it, we’re going to go out to industry and recruit what I call the first class of assessors who are going to sit through this course,” said Ben Tchoubineh, chair of the CMMC Accreditation Body’s training committee.

Tchoubineh outlined the body’s planned training program in a recording the group posted today.

The 60 students selected for the first class should actually be highly experienced assessors, whom Tchoubineh said would provide feedback on the training and help them “perfect the system before they really open up to the world.”

Once the accreditation body chooses the 60 individuals from its application pool, training will start in the summer and will be capped by an exam. Assessors will then be able to audit an initial set of companies seeking certification. 

That will be the first phase of rolling out the training program, which should be completed within three to six months, Tchoubineh said, and is meant to enable meeting DOD’s timeline for certifying companies. 

Trainees and companies undergoing the audits will incur costs, but Tchoubineh said the initial group of both can expect discounted rates, yet to be established.

Because of COVID-19, the first phase will also happen entirely remotely, Tchoubineh said. The group is exploring online training options and is “working with organizations within the DOD who have had experience doing remote assessments,” he said, “and we’re looking at the processes thereof.”

In a second phase, the accreditation body will roll out the formal training program by the end of this year or early 2021. The board then will scale up the program by partnering with other organizations, including colleges and universities that have already expressed interest, Tchoubineh said.

Tchoubineh said having multiple content and training partners will promote innovation, quality and flexibility “through competition.”  

To ensure quality and standardization, the CMMC accreditation body will establish a centralized “body of knowledge,” known as the CMMC BOK, he said, which will specify training objectives for various assessor certification levels. 

In addition, there will be Licensed Publishing Partners (LPPs) to create the curriculum based on the training objectives, and Licensed Training Partners (LTPs) which will actually conduct the training.

And finally, Tchoubineh said, the accreditation body will “very soon” issue a request for proposal for an examination delivery partner, which will help with developing and proctoring final tests “throughout the globe.”

The accreditation body and DOD are hoping to make the training program accessible to a diverse set of candidates who could start to see a path toward creating their own entrepreneurial practices.

Tchoubineh said one person could conceivably function as an assessor, an instructor, a certified third-party assessment organization, an LPP and an LTP.

Eligibility for the very first level could come from having “some cybersecurity experience”—as demonstrated by existing certifications, perhaps—having a college degree or having served in the military. 

Tchoubineh said Katie Arrington, the chief information security officer for DOD’s acquisitions office and the CMMC program leader, specifically told the accreditation body that all veterans should be eligible to apply.