Cyber

CMMC Accreditation Body must split to meet requirements of new contract

A new contractual mandate is finally public, requiring the AB to spin off its training and testing arm into a new organization.

By Jackson Barnett

February 3, 2021

The Air Force Memorial and the Pentagon in Arlington, Virginia. (REUTERS / Joshua Roberts)

The third-party accreditation body implementing the Department of Defense‘s new cybersecurity standards for contractors will split into two entities to meet international standards mandated through a no-cost contract it signed with the department last fall.

The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) will split off the part of the organization that trains and tests assessors, creating the CMMC Assessors and Instructors Certification Organization (CAICO), according to contract language that mandates the shift. The AB will retain the responsibility of accrediting assessors that will do the cybersecurity audits of defense contractors’ networks.

The mandate was a focal point of the months-long negotiations between the accreditation body and the DOD on the no-cost contract’s statement of work (SOW), which defines the relationship between the two. Those discussions grew contentious at times, especially over control and responsibilities of the CMMC “standard,” sources told FedScoop.

The contract was signed in November, but only became public on Feb. 1 following a Freedom of Information Act request from Inside Cybersecurity. FedScoop filed a separate FOIA in early December that has not been returned.

The AB has said the split will not substantially impact assessors within the ecosystem, adding that the move is necessary to meet international standards that guard against conflicts of interest in assessment organizations.

Some board members have hinted at the AB looking different in the months and years to come while still providing the same services to those seeking to become assessors.

“There is a lot to this; this is not going to happen next month,” Jeff Dalton, the new vice-chair of the AB, said during a recent town hall. “We are going to start moving toward these things over time.”

The split outlined in the SOW is tied to ISO 17011, which does not permit accreditation bodies to control both the training and accreditation process. Housed under one entity, there could a conflict between the quality of the training and the scrutiny of the accreditation.

The split will not impact other parts of the CMMC ecosystem the AB has oversight over, board members have said.

The AB will need to have the organizational split completed by Oct. 31, 2022, according to the contract.

The board is now in a race to accredit enough assessors to begin the long process of certifying the roughly 300,000 contractors in the defense industrial base. CMMC requirements are being rolled out into contracts over a five-year period. Once fully in place, contractors will need to be certified at the appropriate one-to-five cybersecurity maturity level to work on a DOD contract. The scale is based on the sensitivity of the information contractors will be given permission to handle on their networks — level one requires basic security hygiene practices and level five includes elaborate security for networks.

The statement of work replaces a previous memorandum of understanding and gives the DOD considerable oversight over the AB. Now, the board’s financial decisions must be reported to the DOD. The department will also conduct quarterly reviews of the AB to ensure it’s in compliance with DOD policy and “alignment” with the contract.