On September 16, 2020, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (CMMC AB) made a major announcement: it has trained an initial group of provisional assessors. As an earlier posting explains, the CMMC establishes cybersecurity controls for the certification of government contractors, ranging from Level 1, the basic set of controls that all DoD contractors must meet, up to Level 5, the controls required of contractors that handle Controlled Unclassified Information (CUI) and must defend against Advanced Persistent Threats (APTs).
The plan for the CMMC rollout includes establishing a neutral body to provide standards and training, certifying third-party assessment organizations (C3PAOs), and providing a marketplace in which contractors can identify these assessors to assess their compliance with a designated CMMC Level. A contractor that is assessed, and then certified by the DoD as meeting the security controls specified for a designated CMMC Level, becomes eligible for the award of any DoD contract that requires certification at that CMMC Level or at a lower one. Establishing a pool of assessors deemed qualified to conduct CMMC assessments of contractors is therefore a major step.
That said, there is some other news.
First, while DoD initially planned for ten pilot programs to kick off CMMC, only a few have appeared so far. The General Services Administration (GSA) has introduced cybersecurity principles into its acquisition programs as well, but the phased-in approach to introducing CMMC appears to be running slower than initially scheduled.
Second, there has been a significant change in the leadership and membership of the CMMC AB. In its announcement, the CMMC AB advised that Chairman Ty Schieber and Communications Chair Mark Berman are out and that Karlton Johnson, previously Vice Chairman, will not assume the role of Chairman. Additionally, to fill the now-vacant positions on the Board, Yong-Gon Chon, Sheryl Hanchar, and Charlie Williams have been added as Directors.
Stay tuned for further developments. In the meantime, keep working to comply with the requirements already in place under FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, and, if you contract with the DoD, DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, including NIST SP 800-171, as applicable. And start planning now for compliance with the CMMC certification level requirements!
If you have questions about this advisory and how it may apply to you, contact the author or your Stinson counsel.