The Cybersecurity Maturity Model Certification accreditation body (CMMC-AB) will implement the U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC).
CMMC was published by the DoD in January 2020, and the CMMC-AB was formed the same month. CMMC-AB will provide certifications for certified third-party assessment organizations (C3PAOs), which hire CMMC-AB certified assessors. These assessors, in turn, are trained by CMMC-AB certified instructors.
Responsibilities of CMMC-AB
CMMC-AB is an independent accreditation body. It is responsible for establishing, managing, controlling, and administering the CMMC assessment, certification, training, and accreditation processes for the Department of Defense (DoD) supply chain. These activities are conducted in accordance with a memorandum of understanding (MOU) signed with the DoD in March 2020, which authorizes CMMC-AB to work on DoD's behalf. The DoD is working on a statement of work that will supersede the MOU.
During the summer of 2020, CMMC-AB selected 101 qualified applicants to be provisional assessors. They will be authorized to conduct assessments during the provisional period.
CMMC Provisional Assessors
These provisional assessors were selected from two pools, using a combination of random selection (83%) and best-qualified analysis (17%). The "best qualified" analysis was based on prerequisites, domain expertise, AB contribution, and industry experience. Requirements also included 10-plus years of experience conducting evidence-based assessments in cybersecurity or other information technology fields. The other IT fields include, for example, ISO, FedRAMP, CMMI, RMM CERT, and DIBCAC. Alternatively, assessors can have proven experience as a consultant or leader in cybersecurity for at least 20 years and qualify for DoD 8570 IAM Level III certification.
CMMC-AB board members conducted training for provisional assessors earlier this fall. These provisional assessors can now participate on C3PAO teams to conduct mock CMMC Pilots and Pathfinders. The provisional program will provide level 1 assessments initially. In the future, the program may expand up to level 3.
Requirements for C3PAOs
The requirements for C3PAO certification are defined on the CMMC-AB website. Currently, all C3PAOs must be 100% U.S. citizen-owned businesses. The website also lists ISO/IEC 17020 certification as a requirement, with further details still pending.
CMMC-AB is also developing the process for CMMC C3PAO ML-3 certification. These requirements are very fluid, so check the CMMC-AB website regularly for updates. In fact, as late as the first week of November, the website listed ISO/IEC 17021, not ISO/IEC 17020, as the certification requirement awaiting more details.