An accreditation body facilitating implementation of the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) version 1.0 has opened up training for third-party auditors, according to an official.

The upcoming cyber requirements are a reflection of the Pentagon’s push to protect defense industrial base networks and controlled unclassified information from cyber attacks.  The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that companies are adhering to certain standards.  As the initiative is phased in, contractors will have to meet different levels of security depending on the work they are performing, with level 1 being the lowest and level 5 the most stringent.

“We are busy doing pathfinders in the DoD. We are getting ready to launch our pilots,” Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment, said June 24 during a webinar hosted by cybersecurity company PreVeil.  “The Accreditation Body opened the door for training registration for [certified third-party assessor organizations] two days ago.”

The CMMC Accreditation Body was set up to train organizations conducting CMMC compliance assessments on behalf of the Pentagon.

Keep reading this article at: https://www.nationaldefensemagazine.org/articles/2020/6/24/pentagon-to-begin-training-thirdparty-cmmc-auditors

The framework for the DoD’s Cybersecurity Maturity Model Certification (CMMC) process continues to move forward.

Here’s an update on what’s currently happening with the CMMC that includes a few more details the DoD and the independent CMMC Accreditation Body have recently released about the nuts and bolts of the certification process.

As explored in Koprince Law’s prior posts (such as this one), the CMMC standards were put in place to protect Controlled Unclassified Information held by defense contractors to reduce loss of data and “risk to national security.” The standards will require a third-party audit of all defense contractors and will be proportional to the magnitude of the contract and what data the contractor is handling for the DoD.

CMMC Accreditation Body and C3PAOs

DoD’s partners have been hard at work on fleshing out the details of the certification process.  The CMMC Accreditation Body (or CMMC-AB) is a non-profit, independent organization that will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the assessors themselves.  This means the CMMC-AB is not part of the government, although it operates under an agreement with the DoD.  The C3PAOs are the organizations that will help “train the trainers”–meaning they will provide skills to and assist the assessors, but the CMMC-AB will actually license the assessors. A C3PAO must be certified by the CMMC AB and then the C3PAO will train and monitor the CMMC assessors who provide the certifications.

The CMMC AB is taking steps to carry out its goals. The training program for CMMC assessors has not started yet and there is no timeline on the AB’s website. As a consequence, no assessors have been licensed yet.

However, as part of its mission, the AB is conducting market research to develop “a scalable and extensive partner-centric training and educational model to effectively equip professionals, students, and other stakeholders within the CMMC ecosystem.” The organization will provide training content and providers for certification.  The AB is also doing market research for an entity to develop a CMMC certification exam.

Keep reading this article at: https://smallgovcon.com/statutes-and-regulations/cmmc-update-details-on-certification-infrastructure-and-cots-products