Look for trainers working on the Cybersecurity Maturity Model Certification program to realign their efforts to support recent changes to the certification process in 2022.
The Defense Department’s unified cybersecurity program for contractors got a reboot in 2021 that altered and streamlined many program elements. Further changes are still possible, but 2022 is expected to be the year for realignment for the training entities that are charged with providing education needed for the individuals who will eventually assess the cyber fitness of defense contractors.
Kyle Gingrich, vice president for training and development at the Cybersecurity Maturity Model Certification (CMMC) program’s Accreditation Body, told FCW that CMMC 1.0 would have led to a capacity issue when it came to developing and churning out assessors over time. Now, with the new version, the accreditation body is working with its partners to develop new exams and coursework to accommodate the changes, she said.
One key shift is that CMMC switched level 1 certification – designed to cover basic cyber hygiene – to self-attestation, eliminating the need for outside assessments.
The governing body, which originally planned to launch a beta version of its assessor exam last month, is now working on guidance that will then be used by licensed partners and publishers to develop training courses and materials, but it is still waiting on documentation and instruction from the Defense Department on how self-attestations will be managed for CMMC level 1 and, when applicable, CMMC level 2.
“So we are kind of in a holding pattern right now,” Gingrich told FCW in December. “Right now they've only released the scoping documentation and the hash documentation. There are also assessment guides that still need to be released that will speak to level 1 and level 2. We don't know what's in those guides yet. So we don't know what that's going to speak to, we don't know if it will speak to [plans of action and milestones], if it will speak to remediation.”
Those documents from DOD, when paired with the accreditation body’s CMMC assessment process documentation, will help redefine the objectives needed to develop the coursework and provide free online “delta training” that fills in the gaps between CMMC 1.0 and 2.0 training.
Right now, there’s only a draft form of the assessment process documentation available to certified third-party assessment organizations, Matt Travis, the organization’s CEO said Dec. 20 during a town hall meeting. DOD still has to sign off on it, but once finalized it will become publicly available, Travis said, estimating that it could be approved in January.
Gingrich said that while not required under the new model, there is some industry demand for CMMC level 1 assessments in addition to self-attestation, particularly for larger defense companies that use subcontractors.
“We do know that there are primes that are out there that may be looking to have their subcontractors go through some kind of training and verification to ensure that when they hire them they understand the rigor required to be an assessor and how to do it properly, as opposed to just relying on self-attestation,” Gingrich said.
“Now clearly, that's not mandated by the DOD. But that is something that we are hearing in the industry that ... if you're going to represent us as an organization, we want to make sure that you have done the proper due diligence.”
Stacy Bostjanick, the director of CMMC policy for the Defense Department, told FCW via email that “companies who only need to perform a self-assessment their documentation will be verified through their submission in [DOD’s Supplier Performance Risk System] and attestation by a senior company official. We are working on releasing guidance as soon as possible.”
Bostjanick said DOD is also preparing final documentation that needs leadership approval for how companies seeking CMMC certification can work through plans of action and milestones, and that the main goal for the coming months is to “work through rulemaking activities.” No specific date or time frame was given.
“The catalyst will be what the DOD provides us and then what that delta looks like,” Gingrich said, who expects the accreditation body to have “complete clarity” on CMMC objectives and guidance ironing out the differences between versions 1.0 and 2.0, plus new exam dates by the end of the first quarter.
This article was updated Jan. 6, 2022.