The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) will remain the sole accreditor and oversight board implementing the Department of Defense’s new cybersecurity standards for contractors, despite rumors that there could be other organizations in the mix.
The body and the DOD recently signed a no-cost contract containing a new statement of work that defines the relationship between the Pentagon and the third-party organization charged with implementing CMMC.
Discussions to close the deal had been going on for months and at times grew so heated that some members threatened to resign. But on Nov. 25, the two parties officially signed the contract to solidify the AB as the sole accreditation body in the process, sealing its place as the key player in the CMMC ecosystem of trainers and assessors.
CMMC is the new five-tiered cybersecurity standards model that all defense contractors will need to get assessed against. It carries a range of security controls designed to keep controlled unclassified information safe from digital theft. The AB accredits the assessors that will inspect the networks of contractors, making it the key player in getting the program off the ground and sustained with enough assessors to conduct potentially hundreds of thousands of detailed audits. The AB also oversees the training and consulting landscape by licensing teaching organizations and charging consultants for CMMC-specific training.
The stability brought by the new contract paves the way for a professionally staffed AB that can move faster with its work to roll out the program.
“We talked past each other more than we probably should have,” Jeff Dalton, a founding AB board member, said in an interview about the process.
The AB and DOD both consulted with outside experts on issues like international standards, which fueled rumors that DOD wanted to go with a different accreditation body. Officials from the AB and DOD have denied those rumors.
The new statement of work reflects much of what was in the AB’s first memorandum of understanding, Dalton and fellow board member Wayne Boline told FedScoop. Katie Arrington, the lead DOD official overseeing CMMC, has previously said the SOW will be made public.
Having a contract that carries more legal weight than an MOU allows the AB to hire more staff and finalize its search for a CEO. The AB continues to operate as a volunteer board that makes both long-term and day-to-day decisions, a situation many board members are eager to move beyond. The DOD said it will not provide funds to the AB as it works to implement the program.
The contract “relieves a lot of ambiguity in our future,” Boline said. “We are planning on bringing in a CEO in the next few months.”
The AB experienced a turnover of several high-ranking board officers, including its chairman, during the negotiations on the terms of its relationship with DOD. Ty Schieber, along with the AB communications chair, was forced out after the AB launched a controversial scheme that some saw as pay-for-play. Karlton Johnson remains acting chairman.
New members have joined the board, and Dalton and Boline said they greatly helped the AB reach a sound SOW with DOD.
“The new board members are really great experts,” Dalton said.
The new contractual relationship comes as a Defense Federal Acquisition Regulation rule change takes effect on Dec. 1 that allows DOD to finally start putting CMMC requirements into contracts. While the DOD plans to roll out the requirements over the next five years, having CMMC requirements in a contract makes the AB’s work of accrediting CMMC assessors and certifying contractors’ assessments even more important.
“Can’t stop momentum,” Arrington posted on her LinkedIn in reaction to the news.