Wednesday, September 9, 2020

Cybersecurity Certification Keeps Chugging Along

WIPP Works in Washington | September 2020

By Elizabeth Sullivan

The last time I wrote about the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) was back in early March when the DoD released their final version to industry. The pandemic hit shortly after and turned things upside down…except for the rollout of CMMC, which has continued to move forward.


So, where does everything stand now?


A major step has been taken in moving this process along – training started at the end of August for certification assessors. These 73 assessors, however, are part of a “provisional program” and won’t actually be assigning the companies they evaluate a final CMMC level. Think of these initial assessments as more of a dry run, with the goal of providing feedback to the DoD and CMMC Accreditation Body (CMMC-AB) on any issues that need to be resolved before the real evaluations begin. As a reminder, the body providing the training – the CMMC-AB – is separate from the DoD. The AB is currently operating with a volunteer board and will eventually be a fully staffed organization.


This step comes in the wake of a rift between the DoD and the CMMC-AB over a new contract that would supersede their existing Memoranda of Understanding (MOU). The tension between the two organizations over the new agreement is centered around responsibilities, which some AB board members felt were undermining their authority. The DoD has said this agreement is a new no-cost contract that would provide a more binding relationship between the CMMC-AB and the Department. While this was slated to be resolved by the end of August, stay tuned for the final result.


In the meantime, CMMC requirements showed up in the General Services Administration’s (GSA) $50 billion 8(a) STARS III contract, where GSA indicated that it “reserves the right” to require certifications for small businesses awarded slots on the federal IT vehicle. Although CMMC is only a future requirement for the approximately 300,000 DoD contractors, it has been predicted that adoption of the certification could spill over into civilian acquisitions. The move by GSA is a prime example of this, but it is also not very surprising – DoD was one of the biggest buyers on the predecessor contract, STARS II.

So, where does this leave small business contractors?

With a lot of remaining questions. Below are a few that come to mind:

  • As companies try to prepare for this assessment, who is credible to help them identify gaps to reach a readiness level? There have been a myriad of bad actors popping up, claiming they can guarantee a certain CMMC level with their analysis (which they can’t).
  • Once the CMMC-AB accredits assessors and their certified third-party assessment organizations (C3PAOs), companies can start to get assessed. What is the actual cost for companies to get this assessment? Will all of the accreditors charge the same amount?
  • Once assessors are ready, what is the order in which the 300,000+ businesses will be assessed? Is there a queue? Will it be based on existing contracts? Are small businesses going to be pushed to the bottom of the list?

According to DoD, all contractors will have to be certified by 2025. Advocacy remains crucial on this issue, and WIPP’s Virtual Symposium on Cyber Resiliency (September 31-October 1) is focusing on these important policy changes for WOSB contractors. Check out the agenda for the Symposium and register here.
