NIST will help create CMMC standards for third-party assessors

Having CMMC training, assessing and credentialling all housed under the one accreditation board has triggered questions about a potential conflict of interest.
(NIST photo)

The National Institute of Standards and Technology will play a “core” role in setting standards for third-party assessors to participate in the Defense Department‘s new Cybersecurity Maturity Model Certification (CMMC).

While NIST will be critical in creating those standards that organizations will have to meet to become a third-party assessor for the cybersecurity certification process, the governing CMMC accreditation board will have the ability to “modify” them, Katie Arrington, the CISO for the DOD acquisition and sustainment and top CMMC official, said Wednesday.

The board will oversee the greater training and credentialing of the third-party assessors. Once certified, those organizations will be charged with testing defense contractors to ensure they meet one of CMMC’s five levels of standards.

Having training, assessing and credentialing all housed under the one board has triggered questions about a potential conflict of interest. But NIST’s role will help mitigate conflicts, and “the executive board has very stringent ethical rules,” Arrington assured during an FCW webinar.


The DOD doesn’t want to create a “self-licking ice cream cone,” she added. Any member of the CMMC accreditation board who works on standards will not be able to participate in the training or certifying of the assessors, Arrington said.

NIST did not return a request for comment before publication.

The board is comprised of several different committees — including separate training and credentialing committees — and many working groups designed to focus on specific parts of CMMC implementation. Several new working groups were just opened for defense industry members to enroll in, according to the board.

Arrington said the first cohort of assessors to be trained by the board is expected to be comprised of roughly 25 to 30 companies. Training will start by the end of April or early May and take place online due to social-distancing requirements during the coronavirus pandemic, she added.

After the first cohort, the CMMC board will look to scale up training to ensure there will be enough certified assessors to inspect the more than 300,000 contractors that make up the defense industrial base.


CMMC guidelines will start appearing in contract requests for information this summer with requirements being implemented in contract bids by October, Arrington said.

The scheduled rollout of CMMC hasn’t changed, despite the larger disruption across the DOD supply chain caused by the COVID-19 response. “We have to have continuity of care, the mission is important,” Arrington said of keeping on track.

Latest Podcasts