The Department of Defense’s new program for third-party cybersecurity assessments of contractors is starting to answer some of the important questions about who those third-party assessors will be.
The Accreditation Body (AB) that is overseeing the program — known as Cybersecurity Maturity Model Certification (CMMC) — has released new videos and requests for information that shed light on how assessors will be trained and credentialed.
The board acknowledges the process is “very complicated” and a massive undertaking, says Jeff Dalton, head of the AB’s Credentialing Committee. To cover the entire U.S. defense-industrial base, tens of thousands of assessors will likely need to be certified in the next few years. The training and credentialing videos show that the process to become an assessor is sequenced, meaning that each individual will need to go through each level of training to get to the next step, according to the board. Each level will require somewhere around 20-30 hours of coursework and exams to test a trainee’s grasp of the model and assessing methodology.
All 300,000 DOD contractors (except for providers of commercial-off-the-shelf goods) will need to get an in-person assessment and be certified to one of the five levels of cybersecurity maturity by an assessor in order to be awarded a contract from the DOD.
“People need to appreciate the volume here, the volume of CMMC assessors will … far exceed everything out on the market today,” Dalton says in a video detailing the latest update from the board. “We really want to make sure we have all the right roles.”
The assessors themselves will need to be certified by the AB and be a part of a Certified Third Party Assessment Organization (C3PAO) licensed by the AB, which will consist of experienced cybersecurity firms, assessment organizations and groups with industry expertise.
This is the process for individual people, as outlined in the credentialing video:
- Certified Professional (CP): step one requires an individual to pass an exam demonstrating basic understanding of the CMMC controls and take more than 20 hours of training. Being a CP allows an individual to be a part of an assessment team and is the “gateway” to the next steps, Dalton said.
- Certified Assessor (CA): CAs will be the foot soldiers in the army of the new CMMC industry. They will be allowed to certify contractors after taking additional training, passing the CP exam and being part of a licensed C3PAO.
- Certified Instructor (CI): Training the assessors will be the CIs. These individuals will be certified to train at specific levels of the maturity model and must first complete the CP and CA steps before earning the CI designation.
- Certified Master Instructor (CMI): Trainers who train the assessors will need training of their own, right? The Master Instructors will be those at the top of the pyramid of training and work for the AB, which has yet to staff-up an organization under the board.
- Certified Quality Auditor (CQA): Finally, CQAs will be the arbiters of quality in the assessment process. The first will likely be a board member.
The training to start moving individuals through the steps of certification will take place in two phases, Ben Tchoubineh, who leads the training committee, said in a separate video. Phase One will be a pilot program aimed at moving potential assessors quickly through training and credentialing to meet DOD’s “aggressive” timeline for CMMC implementation. The board will select 60 experienced cybersecurity organizations as “beta” learners to test-run the training and credentialing. Those assessors will handle the companies bidding in the fall on the contracts that will be the first to include CMMC requirements, Tchoubineh said.
The board will take in revenue from all of the levels of training. Final pricing is not yet published, but accidentally published drafts indicate the cohort in Phase One could see costs around $5,000 per organization and other training services from the board costing a few hundred dollars.
The second phase will be the long-term one, with the goal of bringing in enough organizations and individuals to meet the demand for CMMC assessments.
The training itself was developed by the DOD and is under review by the board, Tchoubineh said. The relationship between the government and the accreditation body was defined in a still-unpublished memorandum of understanding, so the exact way the DOD and AB will work together is still unclear.
The AB also published two requests for information for assistance in market research on educational tools. Both requests seek to inform the board on how to scale up the delivery of training and testing by partnering with outside groups.
The first RFI is for market research on working with third parties on training development and implementation. Given the large scale of training and assessment needed, the board knows it will need help overseeing much of the process. The RFI seeks to better inform the board on how to work with other organizations.
The second RFI, in a similar vein, asks for information on delivering assessment exams. The challenge of delivering online exams is one many organizations, both in the cyber world and in academia, are now facing.