Defense

Pentagon’s CMMC assessor training is coming soon despite hurdles, board says

Training to become a CMMC assessor has taken longer than expected to start, in part due to the pandemic.

April 24, 2020

(DoD photo by Army Sgt. Amber I. Smith)

The Department of Defense‘s new cybersecurity certification program meant to shore up its leaky industrial base will soon have certified third-party assessment organizations to test the systems of all department contractors.

But some hurdles remain before those Cybersecurity Maturity Model Certification (CMMC) assessors will be fully trained, according to the program’s leaders.

The nonprofit accreditation board that will train and certify that army of third-party cybersecurity assessors said it is in the “final stages” of getting its training system worked out. It’s a complicated process that has been impacted by the coronavirus pandemic. But the chairman of the board, Ty Schieber, stressed the body is working to create a pipeline for third-party assessors to be trained and become certified within the next 30 days.

“We are nearing completion,” Schieber said of the process. The CMMC board’s website, however, still tells prospective assessors “there is much work to complete.”

CMMC is a new five-level system through which all contractors that work with the DOD — from big prime contractors to small subcontractors — will need to earn a certification from third-party assessors in order to continue working with the department. Level one will require contractors to conduct minimal cybersecurity controls. On the opposite end, level five will require extensive procedures that less than .06 percent of the industrial base will need to meet.

The most critical part of CMMC is that the maturity of contractor cybersecurity practices will now need to be checked by third-party assessors, ending the days of self-assessment. CMMC requirements will begin appearing in requests for proposals this fall and be gradually rolled into all DOD contracts over the next five years, Katie Arrington, CISO for acquisition and sustainment and “mother of CMMC,” has said.

For companies to be certified to a CMMC level, though, there need to be trained assessors ready to inspect their networks. Initially, DOD officials signaled training would begin in April and expand through the summer to ensure enough qualified assessors are available. That deadline has come and gone with no assessment organizations trained.

“We don’t know exactly what the throughput demand is going to be right up front,” Bill Solms, president of government solutions at QOMPLX, told FedScoop. But it could be a “tsunami” of companies rushing to become certified with a limited number of assessors and auditors available, he said.

How initial demand will be met remains unclear, and the board’s website doesn’t yet have a portal for organizations to sign up for training. And now with the pandemic, many contractors that would have sought CMMC assessment are now just trying to stay afloat, said Steven Senz, CEO of ASCERTIS Solutions, a cybersecurity firm waiting to become a third-party assessor.

“While we are encouraging our small- and medium-sized company clients to take this time to prepare for the CMMC requirements, the COVID-19 pandemic is causing many of these companies to focus on survival rather than cyber hygiene,” Senz said in an email.

A new tool for assessments

The CMMC board posted a request for proposals Wednesday seeking tools that could provide automation to contractor security checks. Final authorization will ultimately hinge on in-person visits from certified assessors, but between visits, the board is seeking technology to provide “continuous monitoring” of contractors that have been assessed to make sure they stay up-to-snuff.

“CMMC-AB intends to augment organizational assessments, which are anticipated to occur at three-year intervals, with continuous monitoring of already-certified DIB organizations and alert them to externally visible vulnerabilities,” according to the RFP. Proposals are due May 1.

The tech would alert assessors of a client’s risk of slipping below standards between required three-year check-ups. The software the CMMC AB is looking for would only serve to extend assessors’ monitoring into the defense industrial base and not outright replace the cybersecurity testing certified companies will be conducting.

“We never want to take the human out of the loop,” Arrington said during an AFCEA CMMC virtual event Thursday.