Page 34 - FCW, January/February 2020

Defense
Schieber told FCW that the training schedule will be solidified once the relationship is codified via a memorandum of understanding and once DOD and the Accreditation Body “mutually agree upon what we can do and what that means in terms of hitting those guidelines.”
DOD officials are currently drafting that memo to establish rules, roles and responsibilities for the two parties. Lord said the memo will address conflicts of interest such as ensuring auditors do not review their own companies.
Once the Accreditation Body is up and running, companies will be able to apply for certification via a marketplace portal, Arrington said. The CMMC certification will be good for three years and will allow companies to bid on contracts across DOD and the military services.
DOD officials said they would share the guidance as it is being developed, but CyberVista’s Petrella said companies should start figuring out whether they have the right personnel as soon as possible.
“This entire framework is getting fleshed out around everything from your audit logs to your incident response plan,” Petrella said. “Just to be a Level 2, you have to ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.”
Performing that assessment is essential, she added. “If you don’t have the right people with the right competencies to do all those other activities that are required, either you have to outsource it all or you’re not going to be able to meet that minimum threshold.”
In the meantime, DOD is in the initial stages of creating CMMC databases and infrastructure and planned to launch some test projects with a select group of contractors in March, with further beta testing in July.
Arrington said officials have tested each iteration of CMMC to measure how long it takes for someone who’s never seen the model to run through an assessment. “We’ve been doing that the entire process, so we have a pretty good understanding of how long it takes to go forth with a certification,” she added.
CMMC training underway for auditors
The initial round of training of third-party assessors for the Defense Department’s Cybersecurity Maturity Model Certification will be completed by June, after which the first requests for information that incorporate the new standard will be released, according to DOD officials.
Ellen Lord, undersecretary of Defense for acquisition and sustainment, told reporters at a Defense Writers Group event in January that the new CMMC Accreditation Body is developing training and certification requirements for the third-party assessment organizations that will evaluate companies.
Earlier, Ty Schieber, chairman of the Accreditation Body and senior director of executive education at the University of Virginia’s Darden School Foundation, told FCW that the organization has working groups focused on governance, standards, adjudication, organizational structure, change management and budget.
Lord said the Accreditation Body “will incorporate semi-automated processes [and] include a tool that certified third-party assessors will employ for audits and collecting metrics to inform risk.”
[Photo caption: Ellen M. Lord]
Compliance with CMMC will be mandatory for all DOD contractors by 2026, and concerns have been raised about whether small businesses will have the money and expertise to comply.
When asked whether DOD has done an impact study to see how CMMC would affect small businesses, Lord replied that trade organizations, such as the Professional Services Council, were looking into it.
“One of my biggest concerns was really about small and medium businesses because that’s where a large part of innovation comes from, and we need that,” she added. “We want to retain them.”
DOD officials have said they are working with the Accreditation Body, prime contractors and industry organizations to brainstorm ideas for making sure CMMC implementation is cost-effective. However, Lord said, there is no way around complying with CMMC, and waivers were not being considered.
“We have not discussed that because cybersecurity is so critical [that] it becomes a differentiator,” Lord said.
She added that CMMC certification has multiple levels, the lowest of which adheres to basic cyber hygiene practices, and they can be tailored to any system.
“We do understand this is an ecosystem [for supply chain security], and frankly we often forget that,” she said. “When you look at an integrated supply chain, you have six, seven, eight, nine levels down, and it’s that six, seven, eight, nine levels that we are really, really concerned about.”
DOD officials plan to complete the federal rulemaking process for CMMC by the end of the year.
— Lauren C. Williams