CAICO and current state of CMMC training – Ben Tchoubineh (CMMC-AB)

CMMCAudit.org title card saying CAICO news and CMMC training Q&A

Hello all,

This interview and Q&A session with Ben Tchoubineh has revelations about the new CAICO organization and the status of CMMC training.

To my knowledge, a good deal of this information has never been said publicly before. Wow!

If you are thinking about becoming a CMMC professional: Registered Practitioner, Certified Professional, Certified Assessor, or Certified Instructor, this is worth watching!!!

What is the CAICO (Kay Coh)?

  • How is the CAICO affecting the CMMC-AB organization? Is the AB splitting up? Will a new group be formed from scratch with new people?
  • Who will oversee Certified Professionals, Registered Practitioners, and Certified Assessors now?
  • Where will the funding for the CAICO come from?

CMMC training questions for today

  • Is there any way to avoid taking a class and just challenge the exam?
  • The CMMC classes advertised so far are SOO EXPENSIVE!
  • Some people are scheduled to start class within a few weeks. Are these classes legit, based on the delays at the oversight levels?
  • How can we ensure that a class will meet requirements for Certified Professional or Certified Assessor?
  • Will there be pre-requisites to take a class or to get an instructor recommendation before being allowed to take the exam?
  • Will spots in classes be held for anyone, such as pre-registered Certified Professional applicants, or individuals associated with a C3PAO?

CMMC training questions for the long-term

  • How will certification renewals work? Will CMMC professionals have to re-take training, re-take the exam?
  • What about CPEs?
  • Will Provisional Assessors lose their ability to assess 6 months after the first training starts?

Introductions

Ben Tchoubineh is a member of the CMMC Accreditation Body Board of Directors and is the Chair of the Training Committee.

Amira Armond is the editor for CMMCAudit.org and the owner of Kieri Solutions, a C3PAO candidate.

Transcript of Q&A about CMMC CAICO and Training

Note: This section is paraphrased by Amira Armond. If anything was misquoted, it is Amira’s fault. Please let us know if you see any major problems. For the most accurate version, watch the video!

Introductions of Amira Armond and Ben Tchoubineh

Ben Tchoubineh is a member of the CMMC Accreditation Body Board of Directors and is the Chair of the Training Committee.

Amira Armond is the editor for CMMCAudit.org and the owner of Kieri Solutions, a C3PAO candidate.

What is the CMMC CAICO?

Amira: What is the CAICO?

Ben: That is a great question, we are trying to figure it out ourselves! The CAICO stands for the “CMMC Assessors and Instructors Certification Organization. It is the arm of the CMMC-AB that is responsible for training and certifying assessors, and making sure they are ready to go out there and do assessments. It is the part of the ecosystem that is responsible for training and certification of individuals.

Will the CMMC-AB split up?

Amira: What I’ve seen in press releases and news articles is that the CAICO is supposed to be another organization, or somehow discrete from the CMMC-AB. For the last year, you guys have been doing both. Especially you, you have probably been on the CAICO side. Is the intent that the board will split, or that the people on the AB will split into those two organizations, so that knowledge is retained and maintained? Or will it be started from scratch with new people standing it up?

Ben: Oh no, this is part and parcel of the CMMC-AB. It may at some point become a separate organization, but it would be spawned off of the CMMC-AB, not created from scratch. This [training] is part of the mission of the AB.

ISO requirements for CAICO and AB

Ben: The reason we would separate it is conflict of interest reasons, as well as standards reasons. We are going for ISO 17011 for the AB to become a real Accreditation Body, recognized globally. That may require us to divide into two organizations. One for the accreditation piece and one for the training piece. So we are preparing for that. It is part of the 17011 requirements that we are looking at.

Ben: The CAICO itself will need to get the ISO 17024. That is the one for a training and certification body. So the CAICO will need to get the training and certification piece while the AB will be the Accreditation Body that gets 17011.

Ben: Now will there be a firewall within the same corporate entity, or will the organizations be two entities that are divided from one? All of that is still being worked out right now.

Will people who signed up for Certified Assessor need to change to the CAICO?

Amira: For the people who are signed up to become a Certified Professional or a Certified Assessor, would they even have contact with the CMMC-AB as an accreditation body? Or would these people transition all their communications to the CAICO?

Ben: None of this should affect the stakeholders in any way. Once the formal programs [for Certified Professional, Certified Assessor] get underway, and people start to get certified, that certification will be valid. Now the organization may split off corporate-wise, but it won’t change anything for the [certified professionals].

Ben: The key is that the training and certification body, the CAICO, will handle that part of it – managing the objectives for each course, managing the exam, delivering the exam, while its training partners are delivering the actual education. And the AB will do the accreditation piece, which is credentialing and accrediting the C3PAOs so that they can go out there and do the assessment work. So it is the training piece versus the actual work piece, which we need to separate.

Amira: Yes. I’m very familiar with the C3PAO side, so I’m happy that half of the organization will be concentrating on it.

Will Registered Practitioners be managed by the CAICO?

Amira: What about the Registered Practitioners? Will they fall underneath the CAICO?

Ben: The CAICO’s mission will be to educate. And there are several paths that this can take. We need to look to the marketplace to help us decide that. We are going to start the Certified Professional program. The marketplace may decide they want to go for Certified Professional instead of Registered Practitioner, or maybe decide to do both. It depends on demand.

Ben: But right now, the RP program is all that we have. It adds assurance that if a DIB company wants to work with a consultant, with a practitioner, that they have been educated. But it is not a certification per-say. From my perspective, it is a basic understanding of CMMC and a working knowledge of it, but it does not connote expertise. So it may still remain that the RP has a place in the ecosystem after the Certified Professional program begins, in that it is an introductory piece of our offerings. It is also online.

Ben: Whether the AB or the CAICO offers it, we haven’t decided that yet. In my mind, it might be the CAICO, but that is because the mission of the CAICO is education. But it will still remain, and it will act as a basic introduction to the CMMC ecosystem.

The RP training program is being updated

Ben: We are redesigning the RP program from scratch, to improve it tremendously. It will cover a wider area of information, the information will be updated, because a lot of it is old – it was created in June 2020. We are making it more accessible, we are updating the quiz structure, a lot of people didn’t like the quiz structure. We are spending a lot more time on it now. So the RP will remain, but what its purpose will be, after we have the CP and CA programs, remains to be seen.

Amira: Yeah, I was laughing about the exams for RP. I went through it and they were pretty rough.

Ben: Yes, we had a lot of comments about it, which were really useful. Look, the RP course was created by a Board volunteer, Jim Goepel. He did an amazing job, on his own time, creating this thing that is adding so much value to our nation right now, as a volunteer on his own time. And even after he left the board, he continued to maintain it and add some errata that we found. It is a great thing when you consider it was developed with no resources, on volunteer time.

Philosophy – perfection doesn’t exist. Continual improvement.

Ben: Now we have resources and we have a team. And like any training program, we need to make sure it stays relevant and stays up to date. And we learn from the previous version and update and improve it [over time]. This is my philosophy: You can’t ever have anything perfect. If you are going to wait for perfect you will never get anything done. Perfection doesn’t exist. But we can get a lot done by “seeking a more perfect”, or a better or improved version all the time. For example, take Microsoft. If they wanted to build the 2020 version of Excel back in 1990 when they first started it, they would never have released it. So that is what we are doing now, we are going to the next version and improving, and we will continuously improve from now on.

Amira: I didn’t want to give you the impression that I was down on the RP training. Pretty much every person I’ve talked to … about 20 people? that took it, felt that it was very helpful to understand the ecosystem, the processes. There is information about scoping and documentation, and that is all very helpful for consulting work.

How will the CAICO be funded?

Amira: Anyways – last question about CAICO. Do you know where the funding will come from?

Ben: It will be self funded, just like the AB. It will own the exams for the certification, and it will have partners – the Licensed Partner Publishers, the Licensed Training Partners. The main source of income will be through the exam fees and maintenance fees of the certifications where we verify that people have continuing education credits, those sorts of things. As the CAICO grows, we will be a major player in informing the world about cybersecurity, helping educate people in cybersecurity. The CAICO, as an accreditation body, will own the certification of assessors and ensure they know what they are doing professionally. In the end, I’m hoping that the CAICO will play a big part in improving the state of cybersecurity worldwide.

CMMC being adopted by other departments, organizations, globally

Amira: I’ve heard rumors that other organizations are thinking about adopting the CMMC world-wide. The DoD is already a huge scope, but if it goes Federal, if it goes private sector, if it goes global… wow, that will be a huge opportunity.

Ben: I want to stress that the CAICO will be the single certification and training organization worldwide for the CMMC. That is the vision. So we have to work to be very sure that the certified assessors, no matter who adopts the CMMC (the DHS, or Department of State, or private sector, or Canada, or Japan)… they will have the right knowledge and will be professionals who ensure that the assessments are done right. That is a tall order. It is a big job. That is why we are spending so much time developing our exam objectives. We have several working groups looking at them. And those objectives will be turned into courses, developed by our Partner Publishers, which will be quality assured by us and by our partner ProCert, and then those will go into classrooms, taught by certified instructors. We have a lot riding on this. That is what I spend a lot of time thinking about, this program that the CAICO is putting together.

Ben: There are three pillars to the program: Quality, Consistency, and Scalability. We have to train people with high quality, make sure they are trained, they know what they are doing and they can be professional. We have to train in a consistent way, so that people who are taught in one school are taught the same thing as another school. And we have to train in a scalable way so that if [all these countries and departments adopt the CMMC and require CMMC contractors, they are available]. It is almost unfathomable. It is a huge job to ensure that it is done with quality, consistency, and scalability.

Switch to CMMC Training topics

With the switch to CAICO, can students challenge the exam instead of taking training?

Amira: Regarding training. I have to ask this question, because everyone asks the question. For the Certified Professionals, now that the CAICO exists, will training classes still be required? Can people challenge the exam, just go take it, and save money?

Ben: For now, we will require it. This may change, but for now, we have to be very careful. We are creating a brand new program from nothing, that will have the scope I just explained. That consistency piece is really really important. Let me explain how we plan to reach that consistency level.

Certified Instructor training strategy

Ben: We will teach every instructor. Every instructor will have to come in and be taught by our master instructors. We aren’t going to do something like teach Amira, then Amira teaches Joe, then Joe teaches Stephanie, then Stephanie teaches Armando. That is not how it will work, because we want to avoid that game of telephone.

Consistent instruction, content, before exam is allowed

Ben: When we give that consistent training to all of the trainers and they go out there, they will be teaching as Licensed Training Providers. So the message and experience needs to be consistent. Also, the Training Providers will be using content that we have approved. The content created by publishers will help create that consistency. But we have multiple publishers, so all of their content will go through our quality assurance process before they are approved. And then a certified instructor will be teaching the exam to ensure that consistency and knowledge before students take an exam.

Ben: If we open it up and let people read a book, there is a lot missing from the book. You could just go read the model or watch a video online, or use your own knowledge. If you do that, you are missing out on the consistent training. When we teach our instructors, we tell them to focus on x, y, and z. They need to make sure that students know these particular concepts.

CMMC assessments are high-stakes, so assessors need to be ready

Ben: Everything I do and think of is trying to make sure that when students come out of these programs, they are truly ready to do assessments. Think about what is at stake. Organizations could live and die by these assessments. They could lose their contracts. I don’t take that lightly at all. So when I say that we need this consistent experience before you are ready to take the exam, that is because I don’t want to put all my [faith] onto the exam. The exam alone cannot be the only factor, at least not from my perspective. Of course, I won’t be around forever, so there will be other people, and they might change the status of this. Or we may see that the [the exam is high enough assurance] that we can open it up and let people avoid the training.

Training courses require participation?

Amira: That makes sense. I would challenge you, that if you think it is so important to do training so that every person goes through the experience, I would like to see something where the instructor has to vouch that the student actually made it through the course. The student didn’t just fill a seat. Because at that point, again, you are relying on the exam.

Ben: The program is being developed now, and that is exactly it. I am meeting with the LTPs in a webinar in a few weeks so that we can talk about the requirements of the program. The reason why we want the classes to go through the LTPs is so that we can tell the LTPs what our requirements are for quality of the training experience. Not just an automated thing where students can just pass through without being involved, sit there, not do a thing, maybe not even show up for half the class, then get a certificate. We need to be very careful that the quality and consistency of the training builds into the exam which we have control over.

Cost of training courses

Amira: I have been looking at the Licensed Partner Publishers, Licensed Training Providers, that have websites up for CMMC training. So far everything I’ve seen has been a one week boot camp for $4,500. That is a lot. Then when you start looking at people who want to become Certified Assessors for Level 3, that is three times the cost. Three courses for $4,500 each. Then add exams, and we are close to $15,000 for CA3. That is my own calculations. This is really high. I can’t think of any other set of courses that are that expensive except for a college program. Is there any LTP that plans to offer cheaper classes? Is this an accurate cost?

Ben: We have to look at market forces. We cannot set the pricing. If we want to have a scaleable model, we need to have partners that can set their own prices. Look at the availability of training versus the demand. This is all supply and demand. I live by this because I am an entrepreneur myself. For example, we just discussed the crazy need for assessors globally if all these departments and countries require CMMC. That means that the math is extremely high. But there is no training, not till this summer. If you consider the crazy amount of interest – we have people in India, in South Africa, in Singapore, in Japan, in Dubai. These are people I’ve talked to personally. They all want to take classes. They see the future of CMMC. Honestly, I’m surprised that the training isn’t $45,000. This is darn cheap. You have to look at it in context of demand and the lack of training.

Summer 2021 = CMMC CP and CA training should be available

Ben: This summer, the training will start. And like all other training that came before it, at first, the training will be expensive. If you consider the CompTIA Security+, the standard pricing for the training is about $2700. And that is Security+. Think about how many people have Security+, the broad acceptance. There is much less demand, a lot of people have it, and you still need to get higher level certifications after it. And even then, the class is $2500 – 2700. So right now, with the cost of $4500, I’m surprised, pleasantly surprised, at how low it is.

Over time, training costs should go lower

Ben: A year from now, the price will be lower. There will be more classes available, it will be more broadly accepted, the supply will increase. In five years from now, I am sure these prices will be a lot less. But looking at the possible demand, and people who really want to get started immediately…

Ben: Think about the pressures on these LTPs and publishers. We are changing the standards and objectives constantly. The timeline is changing because the DoD’s requirements changing, and they need to do a final rule, and there may be changes to the model, who knows. The publishers are actually developing content in this environment. I’ve said it before, we are building the plane while we fly it. The costs of developing this content is astronomical to them because of the changes and flux that are occurring.

CPs and CAs should be able to recoup training costs quickly, due to demand

Ben: Thinking about it in terms of supply and demand: When someone goes through this program at say, $15,000 – they will be highly, highly in demand. They will probably make it back in a month. The demand on these assessors will be so high that they won’t have time to scratch their head. You have to think in terms of supply and demand and the uncertainty that these LPPs and LTPs are developing in, and the amount of demand they are getting.

Amira: This conversation is making me think I need to hang up right now and go sign up for a class while there are any available.

How can we tell if a course will be accepted for certification?

Amira: I’ve talked to a few people who say they’ve signed up for a Certified Professional class which is scheduled for March. You mentioned today that the courses shouldn’t be ready until summer. I’ve also heard from LPPs that they are still waiting for their content to be approved. So is this person, who is scheduled for March, are they getting ripped off? What is going on?

Ben: I wouldn’t say “ripped off”. These training providers have been incredibly patient with us. We originally told them that we would be ready in January. Then we changed it to March. Then we changed it to April. And now, as I meet with the DoD, we may have the final objectives by March, but we won’t have published content by March. So the LPPs and LTPs are being incredibly flexible and patient with us. They are excited to start providing classes. They may be delayed, but that is through no fault of their own. It is because we are building our plane while we fly it. We are trying to accomplish our objectives in record time, through delays like COVID, the model and objectives changing, and a million other delays. There is huge demand and we are trying to get the training up as soon as possible. The schools have classes on their schedules because they need to attract students, and that takes time.

Currently scheduled training classes will probably be delayed

Ben: There may be delays. Those students may see delays in their classes. My hope and prayer is that students will start to see classes offered in the spring while exams are offered in the summer. That is what we are all working toward. By the end of the year, I think all of this will be settled. We will have regular classes, we will have exams out, and people will be able to take classes.

Ben: No one is getting ripped off. If an LTP is on our marketplace, they are ready to provide classes, but the content is not there. So they have to wait on that. And if there is a delay in the content, then they will need to delay their classes. They will still be the first classes out there, but the classes may be delayed.

How can we verify that a class will be acceptable for CA or CP certification?

Amira: For the marketplace, for the people who are looking at signing up for a class. How can we tell using the Marketplace that that provider, that the class will be completely good for use for Certified Professional, for CA? Should we go down to the instructor level? Make sure that the instructor is a Licensed Instructor?

Ben: If you have a listed Licensed Training Provider performing the class, you can also ask the LTP just to be sure. We’ll enforce that, but this is just the beginning, so we want to be sure. The curriculum, the book they are using, needs to be from an LPP, and it needs to be approved curriculum. And then ask who is the instructor. The instructor would need to be listed in the Certified Instructor, or right now, the Provisional Instructors, in the marketplace.

Provisional Instructor training starts in March 2021

Ben: Right now we don’t have any Provisional Instructors. In fact, I’m going to start training them next month [March 2021]. That is the other thing. We have to have Provisional Instructors ready to go before classes can be provided. We were going to start training Provisional Instructors in December [2020]. So many delays occurred, we needed to redevelop the courses because of changes of the model. There is a lot going on and there have been delays, but it is all coming together.

Ben: If someone wants to take a class [as required to become a CMMC-AB Certified Professional or Assessor], they need to make sure that the Licensed Training Provider (the school) is on the LTP listing, their curriculum is from the Licensed Partner Publisher listing, and their instructor is on the Instructor listing [in the CMMC-AB Marketplace].

Amira: OK, cool. Thank you for the clear guidance on that.

Will training providers prioritize students based on qualifications or pre-registration?

Amira: Will there be any priority on students? For example, will Licensed Training Providers be told to give priority to qualified candidates that have experience or citizenship requirements, or that pre-registered for CA? Or will it be based on whoever signs up gets first dibs?

Ben: At this time, we have not planned on requiring schools to have a priority listing.

Regarding CMMC training over the long haul

Amira: I have another set of questions about training over time. This isn’t an immediate concern for us, but it is good to know what we are getting into over the next few years.

Ben: Right.

Continuing education and renewal requirements for CAs and CPs

Amira: Will assessors and certified professionals have to retake their exams over time to keep their certifications?

Ben: That is something that hasn’t been finalized. We don’t have a final set of rules on this. We will, in the next few months. We will have some maintenance requirements. Whether it is through continuing education credits, or by taking the exam again when there is a new version of the model, or on a regular basis such as every three years, I don’t know that. But we really want to study that carefully. That is my next objective after we finish the exam.

Provisional Assessors transition to mainstream Certified Assessor program

Amira: OK. You answered my next two questions.

Amira: So my last question is: When I went through Registered Practitioner training, I vaguely remember something about Provisional Assessors will be allowed to do assessments for (I think) about 6 months after the first certified professional training is available. Is that still the plan?

Ben: Right. There will be a timeframe that these provisional assessors will have, once these exams are available, for them to take the certified exam.

Provisional assessors are temporary solution for chicken or egg problem

Ben: For those who don’t know what Provisional is, we have a chicken or egg problem. To be certified, you have to go through a class taught by certified instructors. Except how does that certified instructor get certified? Also we need assessments now, but it takes a long time to develop solid certification exams. So we have trained provisional assessors, I am one of them, who went through our training and took an exam that we developed so they are ready to do these assessments. It was really based on their experience. That was a big piece. The experience that these assessors had made them qualified to go through our basic training. We ensured that they knew the [CMMC] model and take our simple exam, and then they were able to move on. It was a difficult exam, but simple exam in terms of the development process.

Provisional assessors will need to go through normal CA process

Ben: Now we have a core of highly experienced professionals who can do assessments before our formal certification program gets underway. It is being developed now. The exams are being developed by ScanTron and their professionals and a bunch of subject matter experts. So that means that those provisional assessors who are out there doing assessment work, yes, at some point between six months to a year, once we have a formal certification program, those Provisionals will need to come back and take the formal exams and become certified.

Wrap up

Amira: That is all I’ve got, I really appreciate your time! Is there anything else you would like to address?

Ben: You covered it all. You asked detailed and pointed questions that I think people will be interested in. I’m glad you’ve given us a platform to be able to communicate to our stakeholders.

Amira: Very glad to assist in any way I can. And I’m excited because several things we’ve discussed, I’ve never heard anywhere else. So thank you so much Ben!

Ben: You’re welcome, anytime.

Other recommended interviews and articles for CMMC professionals

CMMC Auditor Training Resources

CMMC-AB Regan Edens interview on DFARS, FedRAMP, and AB authority

Review of CMMC Registered Practitioner Training

Policy templates and tools for CMMC and 800-171


Please sign up for our newsletter if you want to be notified when we have new content and news like this available. It is super easy to unsubscribe and we don’t sell your information.

Ben Tchoubineh is a member of the CMMC Accreditation Body Board of Directors and is the Chair of the Training Committee.

Amira Armond is the editor for CMMCAudit.org and the owner of Kieri Solutions, a C3PAO candidate.

One thought on “CAICO and current state of CMMC training – Ben Tchoubineh (CMMC-AB)

  1. Mark Soule says:

    Amira,

    Thank you for hosting this session with Ben. As you, I am excited to take the mandated training, disappointed with the pace of training being available, but understanding especially in light of DoD’s latest requirement to spin off training as a separate entity.

    Mark Soule

Leave a Reply

Your email address will not be published. Required fields are marked *