Cyber AB launches voluntary CMMC assessment program for defense contractors

Written by Billy Mitchell

The independent organization that oversees accreditations under the Department of Defense's new Cybersecurity Maturity Model Certification (CMMC) program has given defense contractors the go-ahead to undertake voluntary CMMC assessments while the DOD's final rule is still pending.

Cyber AB, formerly known as the CMMC Accreditation Body, released a draft document on Tuesday detailing the assessment process that third-party organizations will need to follow to certify that DOD contractors can securely handle the department's sensitive information, as the CMMC program will soon require.

But while the assessment process is still in draft form and the Pentagon is finalizing its rules for CMMC, defense industrial base (DIB) contractors can now submit to voluntary assessments conducted jointly by a CMMC-accredited third-party assessment organization and the DOD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), Matt Travis, CEO of Cyber AB, told FedScoop.

Travis announced the draft CMMC Assessment Process and the new voluntary assessments, under what he called the "Joint Surveillance Voluntary Assessment Program," at a regular Cyber AB Town Hall meeting held on Tuesday.
</gre_replace>
<gr_replace lines="13" cat="clarify" orig="“In November">
"In November, when the department announced changes to CMMC, it acknowledged that…DIB companies have invested, [that] have already implemented [National Institute of Standards and Technology Special Publication] 800-171. There is an ecosystem that was built and they wanted to support voluntary reviews," Travis told FedScoop.

“In November, when the department announced changes to CMMC, it acknowledged that…DIB companies have invested. [that] have already implemented [National Institutes of Standards and Technology Special Publication] 800-171. There is an ecosystem that was built and they wanted to support voluntary reviews,” Travis told FedScoop.

CMMC is the Pentagon's ambitious framework for assessing and certifying every contractor that processes its controlled unclassified information (CUI) on their systems, ensuring they meet cybersecurity requirements drawn from NIST Special Publications 800-171 and 800-172. After overhauling the program late last year, the Pentagon is working to release a final rule that will require contractors who handle the department's CUI to be CMMC certified or risk losing that business.

Under the new joint voluntary assessments, "if you are a DIB business that has implemented 800-171 and you want to go ahead and be assessed voluntarily – because obviously, without rulemaking, there are no mandatory requirements yet – you could hire one of the 16 allowed [third-party assessment organizations] to conduct this assessment" along with DIBCAC's existing partnership, oversight and authorities, until CMMC has a final rule, Travis said.

Travis said it is his understanding that the final rule will include reciprocity provisions, so that contractors who are voluntarily assessed and meet DIBCAC's high standard will have that result converted into CMMC Level 2 certification.

The draft CMMC Assessment Process (CAP) explains that once the CMMC final rule comes into effect, it will be the "doctrine providing the overall procedures and guidance for CMMC Third-Party Assessment Organizations (C3PAOs) conducting CMMC assessments of organizations seeking CMMC certification."

The published draft of the assessment process applies only to Level 2 of the CMMC framework. With the introduction of CMMC 2.0 late last year, DOD contractors who handle controlled unclassified information must meet one of three certification levels, and the majority will fall under Level 1, which allows self-assessment, or Level 2, which requires some contractors to pass an assessment conducted by a third party.

"The CAP, developed and maintained by the CMMC Accreditation Body…is a part of the official CMMC canon and adherence to its procedures is required by C3PAOs and their assessors," the document reads. "Although it is designed for specific use by C3PAOs, Certified CMMC Assessors (CCAs), and Certified CMMC Professionals (CCPs), it is intended as a resource for the entire CMMC ecosystem."

The document then lays out the four phases of an assessment, which are intended to ensure accuracy, reliability and quality, to maximize consistency between different assessors and, ultimately, to improve the "defensive posture in terms of cybersecurity and cyber-resilience of the DIB."

Travis called it “a benchmark that will allow for consistent assessments.”

"That's really what CAP is trying to achieve: whether you're in California or Rhode Island, as a DIB business, you're going to be assessed by a C3PAO, and the procedures are going to be consistent either way. Obviously, the environment will change from company to company, but the way assessments under the CMMC are conducted will be repeatable and consistent."

Cyber AB is accepting comments on the draft for the next 30 days.

"Nothing will be final-final until the rulemaking is complete," Travis said. "But we felt like we had a strong enough draft to go out and publish it in the ecosystem, take some feedback over the next month, and then see where we can improve it, where we can add more fidelity, where we can clarify things better."

DOD officials said they expect an interim final rule for CMMC to be released by March 2023.
