CMMC board gets first permanent chair since September

Johnson will lead the Accreditation Body set up a year ago to implement the DOD's new Cybersecurity Maturity Model Certification program for all contractors.
DOD seal
(DoD photo by Lisa Ferdinando)

The accreditation body overseeing the rollout of the Department of Defense‘s new Cybersecurity Maturity Model Certification standards has a permanent chair for the first time in months.

Karlton Johnson, the former vice-chair who has been acting chair since September, was voted to lead the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) as it oversees the DOD’s contractor cybersecurity verification program. Since its incorporation a year ago, the board has faced ups and downs with ousters and tumult stymieing some of its progress.

The board plans to announce Johnson’s confirmation Tuesday night during a town hall meeting, giving some AB members optimism for its future. It is unclear what the vote margin was to confirm Johnson’s leadership.

Johnson, a former Air Force colonel with years of experience leading the operation of networks in hostile combat zones, was elevated to acting chair when former chairman Ty Schieber was ousted in September following the creation of a sponsorship program that some saw as a pay-to-play scheme.


During the months Johnson served as acting chair, several members publicly and privately expressed trust and confidence in his leadership of the AB. In public appearances, DOD officials have also expressed support for him and a solid relationship.

The AB exists as a separate entity from DOD program office that houses CMMC but works closely with the department through a no-cost contract. The board’s primary duty is to oversee the ecosystem of assessors, trainers, educators and consultants that will verify that contractors are meeting their cybersecurity requirements. The new CMMC requirements span five levels of cybersecurity maturity that all contracts in the future will be required to meet depending on the sensitivity of the information they deal with. The scale begins with level one for non-sensitive information and culminates with level five for the most sensitive controlled unclassified information a contractor might handle on its network.

The AB needs to accredit enough assessors to efficiently vet the 300,000 contractors that will eventually need CMMC certification. Without a sufficient supply of assessors, demand could push the cost of an assessment out of reach for small businesses, which also may need to spend more to improve their cybersecurity hygiene to meet new standards.

The AB plans to outline its recent success setting up that marketplace in the town hall Tuesday night. Representatives from the DOD will also detail what initial contracts will have CMMC requirements. All DOD contracts will have a CMMC requirement come 2025, with the rollout ramping up over time.

Latest Podcasts