Pentagon’s Contractor Cybersecurity Program Approaches Testing Phase
By Mariam Baksh
NextGov
August 28, 2020
The pending non-profit in charge of issuing certifications is moving forward with training for assessors as a key aspect of its arrangement with the Defense Department could be in flux.
If all goes according to plan, by the end of next week there will be 73 individuals ready to conduct initial assessments of Defense Department contractors for the Pentagon’s Cybersecurity Maturity Model Certification program.
The Defense Department currently takes contractors at their word on whether appropriate measures are in place to safeguard information in their possession that isn’t at the classified level, but is nonetheless sensitive and valuable. The CMMC aims to address what officials describe as an epidemic of intellectual property theft from within the defense industrial base by requiring that all contractors have their cybersecurity practices certified by a third party. A rule to implement the CMMC is expected in the fall.
In June, DOD officially entered into a memorandum of understanding with a group of professionals in relevant fields who volunteered to manage the certification process—the CMMC Accreditation Body, or CMMC AB. The group has established itself as a non-stock corporation in Maryland—awaiting a tax-exemption determination by the Internal Revenue Service under Section 501(c)(3), according to its website—with a board of directors chairing various committees to get the program off the ground.
“The instructor-led training is starting on Monday,” CMMC AB communications chairman Mark Berman told Nextgov. “Many of the provisional assessor candidates are deep into the online training already and providing us with exactly the type of detailed feedback that we have been seeking to make the system better for everyone who will follow.”
Much more than average trainees, this initial class of assessors will help to hone an assessment standard under development by the CMMC AB. Qualified assessors will use the standard to determine whether companies meet the requirements detailed in the CMMC model, which will be maintained by the DOD, according to the MOU.
The CMMC AB selected the group of 73 individuals from over 500 applicants mostly at random, according to a press release issued Tuesday. After four days of the in-person training starting Aug. 31—during which they will contribute more feedback to shape the assessment standard—the group will be provisionally qualified to conduct a set of dummy assessments, and further test the program for potential pitfalls.
During an Aug. 13 event with the Professional Services Council, Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said acquisition tabletop exercises were part of mock assessments the department has already conducted on an existing contract. Another of these pathfinder projects is planned for September. The pathfinder assessments are non-punitive, Lord said, noting that the office of the chief information security officer for acquisition is also looking for other contracts on which to conduct CMMC pilots, which will not result in certifications, but serve to further de-risk the program.
The provisional assessors will play a crucial role in shaping the assessment standard on which the whole program rests.
“Right now, we’re coming out with the assessment standard, and that is the answers to the test,” Regan Edens, the CMMC AB’s chair for standards management, said at the end of May. “At the end of the day, the assessors will train on that standard in order to be able to understand what is the standard, how do you apply the standard, what is the criteria for conformity and what’s the guidance that they need to give the organizations when they haven’t met the standard and what the path forward is to meet the requirement.”
But control of the standard could be in question. A statement of work included in a no-cost contract Lord says the DOD is working to finalize with the CMMC AB could reportedly change who is responsible for maintaining the standard.
Berman declined to comment on what he said were ongoing discussions with the government.