Will there be enough CMMC assessors to certify all DOD contractors?
How many assessors will it take to inspect the networks of the Department of Defense‘s entire industrial base? Hundreds? Thousands?
No one’s exactly sure, but some experts think it could take between 1,000 and 2,000 certified assessors to audit the hundreds of thousands of defense contractors now required to get third-party verification of their cybersecurity controls under the new Cybersecurity Maturity Model Certification (CMMC) program.
So far, only 50 assessors have been granted provisional status, allowing them to participate in assessments in so-called pathfinder contracts under CMMC, which is predicated on getting certified assessors out into the defense industrial base to assess contractors’ networks against the new five-tiered maturity model.
While there is consensus around the need for a vast army of assessors to meet the demand for certifications, it remains unclear exactly how many are needed and what the ramifications could be for not having enough.
“If you look at the numbers, it is probably the largest undertaking we have ever done,” Kevin Orr, vice president for federal at CyberArk, said Wednesday during an SNG Live panel on CMMC, referring to cybersecurity certifications.
The number of companies in the industrial base that will need assessments is thought to be roughly 300,000, although a recent rule change filed by the DOD pinned it closer to 250,000. No matter the exact number, a base that large means there needs to be a pool of assessors proportionally as big to conduct assessments in a timely manner. And complicating the calculation, some companies will require multiple assessments and what each assessment entails will depend on the company’s preparation.
“250,000 [companies] doesn’t mean there will be 250,000 assessments,” Jeff Dalton, a CMMC Accreditation Body board member who is helping to train the provisional assessors, said during the panel. Large companies that have multiple offices, multiple networks and multiple levels of management will likely need multiple assessments, he said.
DOD officials have said that the program will be phased in slowly, giving time for the industrial base to react to the changes. The entire program will be rolled out in contracts over the next five years, officials have said.
With back-of-the-envelope math, Orr suggested the need for at least 1,200 assessors, provided each assessment takes an average one week to complete. But that length of time is no guarantee, especially if companies opt to try and get a higher level of assessment with more controls so they can bid on more security-intense contracts.
DOD officials have estimated the vast majority of companies will only need a level one assessment, which could take only a few hours. But higher-level assessments will be more complex and require more people and time. Assessments against current standards that are similar to a level three CMMC certification done by the Defense Contract Management Agency could take around two weeks, officials previously told FedScoop.
Dalton offered 2,000 as the AB’s target number. But that comes with a realization there will be attrition and a need to constantly train more assessors to take the place of those that leave.
“We have to have a pipeline of people who are coming into the industry,” Dalton said.
But some experts are concerned there won’t be enough assessors, and that the result will be costly. One technology industry official, who declined to be named to speak candidly, expressed concern for a lack of assessors. If there is a shortage, the official worried, companies could leave the industrial base or be swallowed by larger companies that get their assessments first.
The official warned that the Department of Defense’s estimates don’t take into account the lack of cyber readiness in the industrial base, meaning assessments could take much longer than anticipated.