A founding member of the accreditation body implementing the Department of Defense’s new contractor cybersecurity standards resigned Tuesday.
Regan Edens had served on the board of the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) since it was incorporated in January 2020 and led the Standards Working Group, the volunteer entity responsible for establishing CMMC programmatic definitions.
Edens declined to comment. The CMMC-AB confirmed Edens’ resignation in an email to FedScoop.
CMMC is the new program to increase the security of DOD’s supply chain against theft of controlled unclassified information (CUI). It mandates that contractors get assessments to test their networks against a five-tiered model, with the CMMC Accreditation Body being the group to manage the ecosystem of assessors, trainers and others whom contractors will need to hire to get certified to continue working with DOD.
Edens’ work on the Standards Working Group focused on issues foundational to the program, including its definition of CUI, the type of sensitive information CMMC is designed to protect.
His resignation comes as the AB transitions from being run by a group of volunteers like Edens to having full-time staff take care of the day-to-day operations of the group. The board recently hired a CEO and has on-boarded some full-time staff.
The accreditation program has faced a number of challenges since its rollout, including concerns from the defense industry that it may create an unduly onerous barrier for smaller contractors.
In testimony given to a House Committee on Small Business subcommittee last week, small enterprise leaders also raised concerns about how new requirements are being communicated to businesses.
The DOD has since said that it is addressing concerns over the cost of complying with the scheme for small businesses in an ongoing internal review, and that it will shortly launch a public media campaign to improve communication with industry about the scheme.