Here’s what’s in the CMMC Accreditation Body’s memo of understanding
For months, there have been questions over what exactly is in the document defining the relationship between the Department of Defense and the Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB).
The two groups — the latter being the organization that will implement new cybersecurity standards for all defense contractors — signed a memorandum of understanding in March but it did not make it public. FedScoop obtained the chartering document Tuesday through a Freedom of Information Act request. Prior to that, only those members of the DOD and the Accreditation Body knew what the memo covered.
The document does not reveal any major new information on CMMC, but it clarifies some of the standards that the body will require for the potential third-party assessors and for its own organization.
CMMC will require all contractors (with one exception) to meet one of five levels of security, from basic security practices to elaborate information controls. To ensure the levels are being met, the AB will train, test and certify the third-party assessors that will physically inspect the roughly 300,000 defense contractors’ networks before they can win contracts.
The memo confirms that these third-party assessors testing at levels three and above on the five-level system will need ISO 17020 certification. While that might seem like a laundry bag full of acronyms and numbers, it means a higher barrier to entry for the needed army of assessors. The process to get ISO 17020 — an international standard set by the International Organization for Standardization for the competence of inspection bodies — generally takes 6 months.
There is also ongoing debate within the board over whether to require even higher security levels and additional standards as prerequisites for assessors, according to sources close to the board’s internal discussions.
The first hints that ISO 17020 certification would be needed came when two sets of draft documents were accidentally published on the AB’s website in May. The pages, which included pricing and information about needing an ISO 17020 certification, were found by Brian Haugli, managing partner and cofounder of SideChannel, while Googling around one weekend.
But when asked if the standard was going to be in final requirements for assessors, Mark Berman, head of the AB’s communications committee, said anything in the accidentally published drafts was potentially “misleading,” despite that information being in the MOU signed in March.
“Any content not available on our website now has a great likelihood to be inaccurate,” Berman told FedScoop in May.
For now, the Accreditation Body is just a volunteer board working to create the entire CMMC ecosystem of assessors. But one day it will be a full nonprofit organization, complete with staff and its own IT systems that will need to meet the same standards set by the MOU, including ISO 17020, CMMC level three and the Federal Risk and Authorization Management Program (FedRAMP) moderate level.
All of those previously unknown requirements for the board show both a commitment to security and the hurdles to standing up the AB’s longer-term organization.
Despite the MOU not being made public, some of its requirements have surfaced in other ways. For instance, the need for the higher standards for the level-three-and-up assessors was noted in recent videos the CMMC Accreditation Body posted on training and credentialing information.
Since March, when the MOU was signed, members of the DOD contracting community have raised questions about the document and what was in it. DOD officials said the announcement was delayed by months because of the coronavirus pandemic. The board said it did not have the authority to release it.