The wheels of government turn slowly but grind exceedingly fine. It’s going to be a long road to full roll-out of CMMC – perhaps five years before it is fully implemented on every contract, according to the Department of Defense.
But even so, the initiative is so large that things are constantly changing. Here are the most recent compliance-related developments surrounding the CMMC roll-out, compiled from a variety of published sources.
Update: March 11, 2021
Two members of the body governing the DOD’s Cybersecurity Maturity Model Certification program have resigned, according to Federal Computer Week.
CMMC board member Nicole Dean, the chief information security officer for Accenture, and Ben Tchoubineh, the CMMC accreditation body’s chair for training, have voluntarily resigned.
The resignations come as the volunteer-run CMMC-AB is working to train enough assessors to survey defense contractors’ cybersecurity readiness — a critical component of implementing the program.
This summer is expected to be a crucial turning point for establishing the training ecosystem with organizations that develop course materials and train potential assessors. Tchoubineh previously indicated that training materials and classes should be ready by the summer as DOD prepares to release up to 15 pilot programs that will use CMMC in contract language later this year.
Source: Federal Computer Week
Update: February 8, 2021
According to Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross Blue Shield, CMMC will certainly go outside the DoD framework, but when and how remains to be determined.
“They understand that they’re losing data, that they’re losing capability through cyber breaches in their supply chain, just like DoD is, and they need to do something about it,” he said. “I think you’ll see some kind of coordination step between the major entities in government, sort of whole of government approach, but as to when or how or who, I have no insights into that.”
Theresa Payton, the CEO of Fortalice Solutions and a former White House chief information officer, said the recent SolarWinds attack has made agencies and businesses more aware of the need to protect the supply chain.
Source: Federal News Network
Update: Dec. 16, 2020
The CMMC Accreditation Body (CMMC-AB) held a town hall webinar last night (12/14/2020).
There will be 15 contracts with CMMC requirements spread across the military branches in fiscal year 2021, which ends September 30, 2021. All other new and renewing contracts are covered by the Interim Rule.
There won’t be any certifications until the CMMC-AB is accredited as a certifying body through ISO. Then, the Certified Third Party Assessor Organizations will need to be certified by the CMMC-AB. They are expecting training for assessors to start sometime in April 2021. Here is the timeline presented during the webinar.
Source: Semel Consulting
Update: Oct. 11, 2020
The Information Technology Acquisition Advisory Council (IT-AAC), a public/private partnership serving the public sector, announced the establishment of a new Cybersecurity Maturity Model Certification (CMMC) Center of Excellence (COE) intended to advance the goals and objectives for improving the cyber and supply chain security and resilience of the Department of Defense (DoD) global Defense Industrial Base (DIB) network of contractors, suppliers, and vendors.
The CMMC-COE will focus on bringing together the many disparate cyber and national security communities of interest under one roof to reduce complexity, improve awareness, and accelerate industry effort to become more cyber resilient against the growing threats from nation states and criminal enterprises.
The CMMC-COE partner network will share a wide range of capabilities from member organizations, including cyber standards frameworks, education, solution architectures, cyber mentoring, workforce, and other elements needed to scale to the demands of the entire DIB marketplace in the US and abroad (400,000 contractors).
Source: CMMC COE
Update: Sept. 29, 2020
The Defense Department released an interim rule for its Cybersecurity Maturity Model Certification program that will require contractors to prove they are keeping up with key cybersecurity measures.
The rule, which goes into effect Nov. 30, was published in the Federal Register Sept. 29.
Under this framework, contractors will be required to complete a self-assessment of their compliance with NIST SP 800-171 before they can receive DOD contracts.
Update: Sept. 11, 2020
The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) just announced 11 companies as Licensed Partner Publishers (LPPs) that will develop curricula for the Department of Defense’s (DoD) new cybersecurity standard for its supply chain companies.
“This is just the first wave of organizations that will support the certification process with training curricula,” said Ben Tchoubineh, a member of the CMMC-AB Board of Directors and chair of the training committee, in a prepared press release. “This is exciting for us because we now have partners that are in this with us together and can help us scale to meet demand.”
The companies will take the exam objectives in development by the CMMC-AB and create educational curricula that align with those objectives. The curricula will be used to help assessors and others meet the exam objectives. The CMMC-AB is currently in the process of selecting an exam agency to deliver the exams, according to the release.
Update: Aug. 27, 2020
So far, one Pathfinder contract has been evaluated and another is planned to start evaluation in September. These Pathfinders are “nonpunitive and not for attribution”. See CMMC Pathfinder program
Here’s the description:
This procurement has been identified as a CMMC Pilot activity. This will not be a condition of award, but will be a voluntary opportunity to participate in CMMC assessments of the prime and select members of the supply chain. These assessments will be not for attribution or for certification. These assessments will provide the Government and contractors with awareness of their cyber vulnerabilities. There will be a post award conference held between the Government and contractor to identify the Controlled Unclassified Information (CUI) and map it through the supply chain. Based on this mapping several contractors who would handle CUI would have a CMMC Level 3 assessment performed and those not handling CUI would have a CMMC Level 1 assessment performed, again not for attribution or certification.
Update: July 13, 2020
The acquisitions office has proposed an amendment to DFARS 252.204-7012, which is the contract rule that currently requires a high level of cybersecurity for the majority of Defense Contractors.
The amendment is expected to replace the 110 controls in NIST SP 800-171 with CMMC’s Level 1-5 approach. If and when the amendment is approved, it will signal the official start of the CMMC requirement for Defense Contractors.
Katie Arrington, CISO for acquisition and sustainment in the DOD, gave the following status updates:
Update: June 24, 2020
The private organization tasked with administering the Pentagon’s new Cybersecurity Maturity Model Certification (CMMC) program began accepting its first group of applications this week, one of the most significant steps to date toward DoD’s ambitions of redefining its approach to cybersecurity in its supply base.
On Monday, the CMMC Accreditation Body (CMMC-AB) opened the process to five types of organizations and individuals, including the would-be certified third-party assessment organizations (C3PAOs), the umbrella organizations that will one day hire and manage individual cybersecurity assessors, and “certified professionals,” the experts who will actually perform the cyber assessments DoD will eventually demand for each of its vendors.
“This is an important milestone for the CMMC program,” Ty Schieber, the accreditation body’s chairman said during a conference call with reporters Tuesday. “It’s a result of months of incredible teamwork and sacrifice by thousands of individuals across the stakeholder base who have volunteered their time and good thinking in shared commitment to the mission.”
To give contractors more confidence in companies that deliver truly beneficial advisory services, the board is also offering certifications for what it calls “Registered Provider Organizations” and “Registered Practitioners.”
Update: Mar. 13, 2020
The Department of Defense’s soon-to-be rolled out Cybersecurity Maturity Model Certification (CMMC) won’t require all contractors on a contract to meet the same level of requirements; the required level will depend on the type of information they will be handling, said Katie Arrington, CISO for acquisition and sustainment in the DOD.
CMMC, the department’s new plan to secure the industrial base from cyberattacks, will require all DOD contractors to go through third-party cybersecurity assessments and receive accreditation for the level of sensitive defense information they are certified to handle — from level one, the department’s least sensitive data, to level five, the most sensitive controlled information. All levels will be certified by independent assessors who will conduct in-person checks.
“One size doesn’t fit all for security,” she said, adding that the government is trying to be cognizant not to squeeze out contractors from the defense industry by requiring too many expensive security measures.
Arrington and other officials working on CMMC have previously stated that the vast majority of the more than 300,000 defense contractors will only need level one certification. But big contractors working on highly sensitive material will need level four or five to be able to continue handling sensitive information.
Once assessors have been trained and accredited to become CMMC certifiers, they will need to physically verify every DOD contractor’s cyber-compliance to the CMMC standards. Requirements for certification will start to appear in contracts this year, and continue to roll out over the next five years.
“We are giving business opportunities (and) plenty of runway to get there,” Arrington said.