With a new CEO, CMMC AB board will boost focus on strategy, chairman says
It’s a busy time to be in supply chain cybersecurity, especially for the board chairman of the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, Karlton Johnson.
At a time when the federal government is still reeling from the recent widespread SolarWinds hack, Johnson leads the volunteer organization charged with implementing the Department of Defense’s new CMMC standards for all defense contractors that many hope will stop the next pilferer of DOD data.
Now, Johnson’s leadership of the AB board is reaching a pivotal point: He is focused on hiring professional staff and transitioning what was a board of directors intimately involved in the day-to-day operations into one that can strategically guide a scaled organization.
In his first extended interview with FedScoop, Johnson said the board he leads will move from a body of “director do-ers” to become a “governing board.”
That means new faces on the board, new hires at the staff level and new ethics policies.
“I haven’t really seen the work changing significantly; actually I’d say it’s become more laser-focused,” Johnson said. “Especially bringing on the CEO.”
The board recently made one of its most important hires, bringing on Matthew Travis to be CEO of the AB. Johnson spoke highly of Travis, describing him as “sharp” and bringing necessary skillsets to the job. Travis is just the first major hire of many the AB wants to make in the coming weeks and months, filling out staff positions to carry out the massive undertaking before the organization, Johnson said.
“We are pretty excited because it’s a significant milestone,” he said of hiring Travis, who started last week. The most important part of the accreditation body’s developing role “is that professional staff we are bringing on,” Johnson said.
Johnson said Travis will take on some of the roles the chairman and other board directors currently fill, like managing the relationship with the CMMC Program Management Office and leading the daily operations of the organization.
The road ahead
The program the AB is implementing is DOD’s latest attempt in securing its manifold IT supply chain from hackers. The CMMC model has five levels of cybersecurity strictness— with level one being the most basic and level five including hundreds of complex controls — that all contractors will need to be certified against or risk losing access to DOD contracts.
Raising the army of assessors needed to inspect all the networks of the 300,000 defense contractors will be the AB’s responsibility. Beyond just credentialing assessors and assessment companies, the AB will also license training and testing providers, give stamps of approval to consultants willing to pay and generally oversee the quality of the complex CMMC ecosystem.
“I am focused on delivering that capability; I am focused on taking it to the next level,” he said.
To deliver the CMMC “capability,” more work remains for the board and the new staff alike. While consultants abound, contractors still await fully licensed assessors and Certified Third-Party Assessment Organizations (C3PAOs) who will be able to actually certify a company. Although full implementation of CMMC requirements will be phased in slowly through fiscal 2026, there is concern in industry over a demand crunch where assessments take more time than anticipated and there aren’t enough assessors to fan out across the defense industrial base.
Johnson says he is confident in the AB’s ability to meet demand. The AB has trained about 100 provisional assessors and cleared roughly the same number of assessment organizations through its initial application screening. But much remains to be done to turn them into fully credentialed assessors, like DOD completing its own assessment of assessors through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
“We remain on target,” Johnson assured.
Johnson was reluctant to disclose current timelines or estimates the AB is using to determine what that target is, or how it will meet it. But he did commit to engaging with industry and the media more regularly when the AB makes those decisions.
“Today, [based] on what we were asked to do, we are able to meet that demand,” he said.
New faces, same concerns
The daunting task of making CMMC work has come with its share of controversy and consternation from those it will impact. One of the most consistent criticisms has been a lack of communication and questions over conflicts of interest with the volunteer board members.
Johnson partially attributes the latter to “malicious influencers” spreading falsehoods or context-less information about the volunteer board. Regardless, he said the board will continue to increase its public engagements and work directly with industry to answers questions.
He also hinted at adding new ethics policies.
“From day one we have had conflict of interest policies in place. Those policies not only continue to be in place, but we are strengthening those as we go,” he said.