Defense

DOD clears path for first assessor to enter CMMC market

It might seem small, but getting the first company accredited and into the CMMC marketplace is a big step for the program.

By Jackson Barnett

May 13, 2021

(DOD / Lisa Ferdinando)

The Department of Defense‘s cyber inspectors approved the first company to become a certified assessor for the department’s new contractor cybersecurity standards, clearing a critical hurdle in the process.

The DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) approved the first company, which was not named, to move forward in the Cybersecurity Maturity Model Certification (CMMC) process, a spokesperson told FedScoop. Now, it is up to the CMMC Accreditation Body (CMMC-AB) to grant the company Certified Third Party Assessment Organization (C3PAO) status, meaning that it can officially assess the maturity of defense contractors’ cybersecurity in compliance with new CMMC requirements.

“[W]e can say the first C3PAO has been certified by the agency. Keep in mind, the certification process is multi-tiered and [Defense Contract Management Agency’s] role is to verify and validate the ability of a C3PAO to protect the data that will be entrusted to them,” Matthew Montgomery, spokesperson for the DCMA, the agency that houses DIBCAC, told FedScoop.

The initial approval of the anonymous company is a critical milestone for the CMMC program as many have worried that there won’t be enough accredited C3PAOs to conduct CMMC assessments at a rate fast enough to meet DOD’s target of auditing all 300,000 companies in the defense industrial base over the next several years. Come fiscal 2026, the DOD will have CMMC requirements in all contracts.

The CMMC model is a tiered system with five levels of cybersecurity maturity that all defense contractors will be tested against once every three years. The DOD has said that most contractors will only need a level one assessment, but many expect level three, which is equivalent to the current standard for handling controlled unclassified information, to be more common than expected.

Under CMMC, companies can no long self-attest to meeting cyber requirements. Accredited assessors will need to evaluate and test their systems and policies against the new CMMC standards.

“If you do the math on that…how is that feasible?” Johann Dettweiler, director of operations for TalaTek, a prospective C3PAO, said in an interview in April. He added: “There is…a little bit of a log jam.”

At least for now, part of that log jam appears to be lifting, but many more assessment organizations are awaiting their initial assessment from the DIBCAC.

But many cybersecurity companies have found the rules on policy documentation during the initial assessments to be too strict. That could spell trouble in the future if cybersecurity experts have trouble meeting the standards; and, if it took the DIBCAC months to clear the first company, assessments for companies with less mature network defenses could take even longer.

“You have to be able to show that you have the policies and that you have been living the policies, and that last part is really tricky,” said Jim Goepel, a former CMMC Accreditation Body member and the CEO of Fathom Cyber.