Summary of the CMMC-AB Framework for Credentialed Professionals and Accredited Organizations

CMMC Accreditation Body

The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) recently posted a video of their credentialing committee chair, Jeff Dalton, discussing their credentialing plans. CMMC is coming. As the Accreditation Body continues to mature its processes, companies should be preparing for their mandated certification in order to bid on and receive DoD contracts in the future.

Across its 17 security domains, the five levels of CMMC certification cover multiple areas of risk that any company should review regularly, especially those supplying goods and services in the interest of national defense.

Consider even just the basic Level 1 certification. It requires limiting access to systems that contain Federal Contract Information (FCI). Katie Arrington, the Chief Information Officer for the Undersecretary of Defense for Acquisitions and Sustainment, has said that most government contractors will only need Level 1 certification. For companies that handle Controlled Unclassified Information (CUI), however, a Level 3 or higher certification will be necessary. Access to systems will need to be role-based and restricted to authorized users and devices. Also, external information systems ranging from mobile phones and personal computers to websites or social media are prohibited from accessing FCI and CUI.

In the video, Jeff Dalton introduces the five certified roles for CMMC assessors, talks about the beta period at the beginning of the certification process and gives more details on the organizational roles companies can perform to support the accreditation process.

Individual Roles

The process of getting certified begins with assessment of your networks, policies and processes by third-party assessors approved by the Accreditation Body. The CMMC-AB is still finalizing what the certified roles are and how they are defined, and there are more roles than you might think. Jeff Dalton discussed the different roles assessors will have.

There are five certified roles – from “Certified Professional (CP)” to “Certified Quality Auditor (CQA).” Being CP certified is a prerequisite for any Assessor or Auditor role. The training requirements, measured in course hours, increase as you progress from CP to CQA.

Individuals are “credentialed.” Organizations are “accredited.” The descriptions below summarize what roles individuals can play in CMMC Assessments once credentialed by the CMMC-AB.

Certified Professional – A gateway certification. This basic designation can be assigned to any individual who wants to be part of an assessment team.

Certified Assessor – An individual authorized to perform assessments from Level 1 to Level 5. *Note – Assessors for Level 5 will require more coursework in order to achieve that level.

Certified Instructor – An individual authorized to train assessors.

Certified Master Instructor – A “Train the Trainer” role ensuring instructors are delivering the proper information.

Certified Quality Auditor – A CMMC-AB individual who puts the final “stamp of approval” on assessments.

These roles will be filled by members of the AB at first, but it would behoove companies that do substantial work with the Federal Government to have individuals who are at least CP certified on staff.

As independent assessors start evaluating CMMC certification requests, an assessment guide will be developed for each level of CMMC certification. Assessors will use these guides to grade certifications against one standard. Tools will also be developed to help QA all of the assessments that take place in the future.

The CMMC-AB is mindful of the impact Covid-19 has had on everyone, including on the development of the CMMC process. There will have to be a rigorous virtual element to assessment. Additional planning will be needed if and when Covid quarantining continues, to accommodate the fact that assessors will not have as much face-to-face interaction as previously expected.

The Beta Period

How will this all work when it starts? Who will get to be certified first? How will the CMMC-AB ensure the efficacy of the processes … particularly when this certification is mandated for bidding on and receiving DoD contracts?

The CMMC-AB plans to use “Provisional Assessors” and “Provisional Assessment Team Members.” These are Beta roles for a short-term Beta period. The AB plans to advertise for these positions soon.

The DoD will pick 15 new contracts (in the post-RFP/pre-award phase) to be assessed, and the provisional assessors will conduct the assessments against these contracts as a means of testing the efficacy of the assessment process. This will help improve the assessment method and instill more QA into the process. This measure could last anywhere from 3 months to 6 months.

**Note – Primes need to understand that all sub-contractors included in their proposals must be CMMC-certified, or their bid will not be considered. The Beta period will help communicate this possible trip-up to big bidders on DoD contracts.

If you are self-assessing and preparing now, the CMMC certification process will be quicker and easier for you. But be careful in how generous you are in your self-assessment. There are different definitions of “goodness.” This model was built to help companies work from one standard.

Organizational Roles

As CMMC advances to full maturity, interested companies can fill roles in support of the CMMC-AB; companies taking on these roles must seek accreditation for them. These are the options and how they are defined:

Certified 3rd Party Assessment Organization (C3PAO) – Companies can be C3PAOs that perform assessments across the Defense Industrial Base. Companies can sign up on the CMMC site as an interested party to fill this role. The formal application process will be published in the coming weeks. Companies will need to be CMMC certified at Level 3 to qualify.

Licensed Training Provider (LTP) – A commercial or academic organization licensed by the CMMC-AB to leverage materials to deliver training for certification.

Licensed Partner Publisher (LPP) – A commercial or academic organization licensed by the CMMC-AB to produce the training curriculum used by LTPs.

Organization Seeking Assessment (OSC) – This is a company looking for an assessment.

Summary

The video with Jeff Dalton is an excellent primer for companies who need CMMC certification and want to “speak the language.” It is another sign of the impending arrival of the CMMC process. In the end, companies need to be planning now and conducting a self-assessment.

Need help with CMMC? Do you want to ensure your networks are safe? Do you want a free planning session to help jumpstart your journey to cyber maturity? We offer that. We will assess your business operations and infrastructure and help you build a plan for achieving the level of maturity you need to continue working with the government.

Additionally, if you decide to implement our recommendations, we’re offering a program for the month of June with payment options that fit your needs as you navigate your business through CMMC, Covid and beyond. Options include:

  • No upfront implementation cost
  • Flexible invoicing
  • Up to a 25% discount for customers who pay in full

We’re here to help. This offer expires June 30. Contact us to schedule your free planning session now at 833-682-8270 or info@ardalyst.com.