The Department of Defense’s new cyber standards program is facing a possible shortfall of the assessors who will form the core of its implementation.
The Cybersecurity Maturity Model Certification (CMMC) will require all 300,000 DOD contractors to get a cyber inspection to ensure they meet a range of new controls — but to do that there need to be enough assessors to meet demand. The third-party organization overseeing those assessors, the CMMC Accreditation Body, is now working to recruit enough people to meet eventual demand.
“I think we need to do a more aggressive or proactive job of recruiting,” CMMC AB CEO Matthew Travis said during CyberWeek presented by CyberScoop.
Previous bottlenecks have surfaced around ensuring there would be enough assessment companies cleared through the several required hurdles, including an inspection from DOD’s own cyber assessors. Now, Travis said that making sure there are enough individual assessors within those companies or freelancing is his top concern.
“In terms of a framework we have a pretty strong architecture, the real x-factor is are there enough Americans who are interested in becoming assessors?” he said. “I know it’s a tight labor market, so that’s probably the one thing I worry most about.”
The ecosystem was designed so private companies would be certified as assessment organizations, employing certified assessors who would be contracted by industrial base companies for an inspection that hopefully would lead to a CMMC certification. The current plan is that by fiscal 2026, CMMC certification will become a requirement to win a contract, although the program remains under review.
He said the AB will target assessors who work on other inspection regimes like Capability Maturity Model Integration (CMMI).
“Appraisers can make a pretty good living doing this type of work,” he said.