CMMC News – April 24, 2021

Hello all,

Here is the noteworthy CMMC news for mid-April 2021:


Certified Assessors and Training

While there is still no licensed training for Certified Professionals or Assessors, we do have:

New names for Professionals and Assessors. They are now named “Certified CMMC PROFESSIONALS (CCP)” and “Certified CMMC ASSESSORS (CCA)” according to the cmmcab.org website. This may have been done in order to trademark the titles so that rogue organizations can’t offer fake training / exams for them. Fun fact: CCP is also used as the acronym for another well-known entity.

Licensed Publishing Partners (LPPs) have draft curriculum for CCP which should be pretty close to the final version. It sounds like they are waiting for the final version of the training objectives or model from DoD before they can release. An instructor with Edwards Performance Solutions posted this video on LinkedIn showing an unboxing of their draft curriculum for CCP. Looks cool! Thick book!

Note: after people apply for Certified Professional, they are notified that their application “will be valid up to 120 days after LTPs (Licensed Training Providers) begin offering training.” I’m concerned about this because it seems like there may be a bottleneck for training and for exams. Maybe this is why the LTPs haven’t been authorized to start training yet, so that there is enough training bandwidth to put a few thousand CPs through training and exams and approval within a four month period. Good news: It is only $200 at stake. I hope it is only $200. I personally pre-paid my exams through CA3 ($1000), and would hate to lose that entire deposit if I can’t get into training.


DFARS Final Rule coming out in May?

Per this FedScoop article, the DFARS Final Rule should be coming out in about a month.

This is a finalization to the Q4 2020 DFARS Interim Rule which introduced:

DFARS 252.204-7019 – Contractors submit their NIST SP 800-171 self-assessment score to DoD (via SPRS) before award

DFARS 252.204-7020 – A current self-assessment is required for awards starting November 30, 2020, and the contractor must give DCMA (DIBCAC) assessors access to facilities, systems, and personnel to validate that self-assessment

DFARS 252.204-7021 – Phased implementation of the CMMC requirement over 5 years

Why is this important? Once the Final Rule comes out, the wording of these clauses is unlikely to change again in the future.

At least for DFARS 252.204-7021 (the CMMC clause), this is kind of scary because CMMC hasn’t been used at all yet in its interim form. Fingers crossed that the wording will work in the real world.

Jacob Horne from DefCERT wrote this informative LinkedIn article on the topic “Be careful what you wish for”.


Next CMMC-AB Town Hall meeting – April 27, 2021


The registration link for the April Town Hall is: https://zoom.us/webinar/register/WN_r3MR5nBBTDSCkGDQ1hhlqA

Per the invite email:

“Tuesday Apr 27th from 6:00-7:00PM ET.  The event registration will be on a first come, first served basis and will have a capacity of 3000 attendees. The event will be recorded and posted here after the event, https://www.cmmcab.org/#townhall. Questions may be submitted in advance of the event by sending them to cmmcsupport@cmmcab.org and use the subject line “Town Hall Question”.”


The CMMC-AB appoints their first CEO

“The CMMC Accreditation Body (CMMC-AB) Board of Directors today announced the appointment of Matthew Travis as the CMMC-AB’s first CEO effective April 1, 2021. In this role, Mr. Travis will oversee the day-to-day development and management of the CMMC-AB to support the goals and objectives of its ultimate customer, the Department of Defense (DoD). Mr. Travis’ appointment is the result of an intensive nationwide search by the AB Board of Directors.”

Full press release on the CMMC-AB website here.


C3PAOs moved to “Candidate” status

The CMMC-AB Marketplace changed how it describes C3PAOs. It now shows them as “C3PAO Candidate- Pending CMMC ML3 Assessment”.

The AB has notified C3PAOs that completed organizational screening and paid their activation fees that they should refer to themselves as “candidates” until they have passed their CMMC Maturity Level 3 assessment by DIBCAC. After successful assessment, C3PAOs may call themselves “Authorized”, and once ISO 17011 / 17020 certifications have occurred for both the AB and C3PAO, they may call themselves “certified”.

So if you are a C3PAO, check your promotional materials. If you are a potential client, use this naming scheme when vetting a C3PAO’s claims: “Candidate” means screened and paid, “Authorized” means passed the DIBCAC assessment, and “Certified” means the ISO accreditation has also happened.


Most CMMC pilots delayed to FY2022

According to this news article by Sara Friedman / Inside Cybersecurity, the first CMMC pilots (F/A-18E/F, Shut Off Valve, and Integrated Common Processor) had their award dates moved into FY22.

It also says that the Office of the Under Secretary of Defense for Acquisition & Sustainment (A&S) has authorized the first contracts to have the DFARS 252.204-7021 clause included in RFPs releasing this summer.

https://insidecybersecurity.com/share/12296


Evidence of practice inheritance needs to be demonstrated for CMMC assessment

DCMA flowchart to describe whether a C3PAO is ready for assessment

The DCMA held a “brown bag lunch” meeting with a few C3PAOs where they discussed lessons learned from the first readiness reviews and screening of C3PAO information systems. The PowerPoint slides from the meeting have made their way into public view and have been posted on LinkedIn, among other discussion forums.

One of the major lessons learned is that the DCMA expects evidence showing that the external provider is actually performing the inherited practices, not just a claim that they are inherited.

Listed under “Concerns” was: “No Cloud Service Provider ‘Customer Responsibility Matrix’ provided. Inheritance matrix not clearly related to SSP, policy, and procedures.”

“Evidence from the enterprise or the entity from which the objectives are inherited should show they are applicable to in-scope assets and that the assessment objectives are met. For each practice or process objective that is inherited, the Candidate C3PAO includes statements that indicate how they were evaluated and from whom they are inherited. If the Candidate C3PAO cannot demonstrate adequate evidence for all assessment objectives, through either Candidate C3PAO evidence or evidence of inheritance, the Candidate C3PAO will receive a NOT MET for the practice or process.” – Candidate C3PAO Brown Bag, DIBCAC CMMC Assessment Team, April 15 2021.

This requirement to show exactly which cybersecurity controls are inherited, and from whom, is well understood in the government cybersecurity community (RMF, NIST SP 800-53 common controls), but has not been a concern in the private sector. If you are a cybersecurity practitioner preparing for CMMC, you should think now about how you will demonstrate inheritance to an assessor: which provider performs each practice, where that is documented (the provider’s Customer Responsibility Matrix, FedRAMP package, or audit report), and where your SSP ties the two together. Amira Armond (the chief editor for CMMCAudit.org) has been working to get this word out for a few months now. For more information, check this LinkedIn post about inheritance.
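The brown bag rule above is mechanical enough to check before an assessor does. The script below is an added example for this post, not DIBCAC’s or any C3PAO’s tooling: it walks an inheritance matrix and, for each claimed practice, requires (1) that the provider’s Customer Responsibility Matrix actually assigns the practice to the provider or marks it shared, (2) a statement of how the inherited objective was evaluated, (3) an SSP section that really exists, and (4) for shared practices, the customer’s own evidence. Anything that fails gets the NOT MET the slides describe. The CRM, the claims, the SSP section numbers and the provider name “ExampleCloud” are all constructed; the practice IDs follow the CMMC 1.0 numbering, but the responsibility assignments are illustrative only.

```python
"""Reconcile CMMC inheritance claims against a provider CRM and the SSP.

Added example, not from the original post or from DIBCAC. All data below is
constructed; the responsibility assignments are illustrative, not a real
provider's CRM.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass
class Claim:
    practice: str                # CMMC practice ID, e.g. "PE.1.131"
    source: str                  # entity the practice is inherited from
    provider_evidence: str       # how the inherited objective was evaluated
    ssp_section: str             # SSP section that describes the inheritance
    customer_evidence: str = ""  # customer's own evidence for a shared practice


# Constructed CRM for the hypothetical provider "ExampleCloud":
# practice -> who actually performs it.
CRM: Dict[str, str] = {
    "AC.1.001": "shared",    # provider runs the IAM platform; customer configures accounts
    "PE.1.131": "provider",  # physical access to the data center
    "PE.1.132": "provider",  # visitor escort inside the data center
    "MP.1.118": "customer",  # sanitizing media the customer holds
    "SC.1.175": "provider",  # boundary protection of the hosting platform
}

# Constructed list of section numbers that exist in the candidate's SSP.
SSP_SECTIONS: Set[str] = {"3.1", "3.10", "3.13"}


def evaluate_claim(claim: Claim, crm: Dict[str, str], ssp_sections: Set[str]) -> Tuple[str, str]:
    """Return ("MET" | "NOT MET", reason) for a single inheritance claim.

    Mirrors the brown bag rule: each inherited objective needs a statement of
    how it was evaluated and from whom it is inherited, tied to the SSP, or the
    practice is NOT MET.
    """
    responsibility = crm.get(claim.practice)
    if responsibility is None:
        return "NOT MET", f"{claim.source} CRM does not cover {claim.practice}"
    if responsibility == "customer":
        return "NOT MET", "CRM assigns this practice to the customer; it cannot be inherited"
    if not claim.provider_evidence:
        return "NOT MET", "no statement of how the inherited objective was evaluated"
    if claim.ssp_section not in ssp_sections:
        return "NOT MET", f"SSP section {claim.ssp_section!r} does not exist; inheritance not tied to SSP"
    if responsibility == "shared" and not claim.customer_evidence:
        return "NOT MET", "shared practice: the customer's portion has no evidence"
    return "MET", f"inherited from {claim.source} ({responsibility}); evaluated via {claim.provider_evidence}"


def evaluate_all(claims: Iterable[Claim], crm: Dict[str, str] = CRM,
                 ssp_sections: Set[str] = SSP_SECTIONS) -> Dict[str, Tuple[str, str]]:
    """Evaluate every claim in an inheritance matrix."""
    return {c.practice: evaluate_claim(c, crm, ssp_sections) for c in claims}


# Constructed inheritance matrix as a candidate might submit it.
CLAIMS = [
    Claim("PE.1.131", "ExampleCloud", "FedRAMP SSP PE-3 and SOC 2 Type II, reviewed 2021-03", "3.10"),
    Claim("PE.1.132", "ExampleCloud", "FedRAMP SSP PE-3", "3.10"),
    Claim("MP.1.118", "ExampleCloud", "FedRAMP SSP MP-6", "3.8"),      # CRM says customer
    Claim("AC.1.001", "ExampleCloud", "FedRAMP SSP AC-2", "3.1"),      # shared, no customer evidence
    Claim("SC.1.175", "ExampleCloud", "FedRAMP SSP SC-7", "3.13.1"),   # SSP section does not exist
    Claim("AU.2.042", "ExampleCloud", "FedRAMP SSP AU-2", "3.3"),      # not in the CRM at all
]


def run_example() -> Dict[str, Tuple[str, str]]:
    """Evaluate the constructed matrix; two claims pass, four are NOT MET."""
    return evaluate_all(CLAIMS)


if __name__ == "__main__":
    for practice, (verdict, reason) in run_example().items():
        print(f"{practice}: {verdict} - {reason}")
```

The point of the ordering is that a missing CRM entry or a “customer” assignment is fatal regardless of how good the provider’s evidence is; that is exactly the concern DIBCAC listed. Running the script against a real inheritance matrix just means replacing the three constructed inputs with the provider’s CRM, the candidate’s claims, and the section list from the SSP.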


CMMC-AB <> CMMC-COE?

I have it from a reputable source that this memo is for real. I’ll just leave this here.

I’m not sure if it is related, but a few days prior to this memo, CMMC-COE announced an engagement agreement with Cicer One Technologies. Cicer One was listed on the CMMC-COE marketplace as a Partner Provider. At that time, there were some waves in the cybersecurity community about Cicer One having a Chinese national co-founder while specifically selling ITAR and CMMC compliance solutions to the DIB. It appears that Cicer One has been removed from the CMMC-COE Marketplace since that time.

One thought on “CMMC News – April 24, 2021”

  1. Randy A Renk says:

    A little more support to your “Be careful with what you wish for”…
    The idea that the interim rule just needs to be “tweaked” is just not supported by the public comments to the interim rule. There were 169 public comments. Many of them very factually based that demonstrated an unrealistic cost estimate, a rollout plan that would provide for less than half of the DIB to be certified by the Oct 2025 deadline, and in particular CMMC changed over 20 NIST requirements that they “think” are the same. But they are very different. Like those described by one reviewer in public comments DARS-2020-0034-0059 and 60. And that does include removing the media sanitization requirement of 3.8.4 to only FCI…not CUI.
    Indeed…let’s hope the new ASD(A&I)’s request for a CMMC review takes hold before the interim rule is merely “tweaked”.
