These are my notes from the CMMC Accreditation Body webinar regarding Assessor / Auditor Training.
Disclaimer: I’m not a member of the CMMC AB, I am just providing these notes as a service to the community. Please watch the webinar for exact wording and full details.
Ben Tchoubineh, the Chair for the Training Committee, presented.
CMMC Training will be rolled out in two phases:
Phase 1: Provisional program – short term, 3-6 months long. It is intended to get training and assessors stood up as soon as possible, to meet the DoD’s timelines. Lessons learned will be incorporated into the second phase.
Phase 2: Formal training program – long term. Meant to promote innovation, quality, flexibility, and multiple formats. Will be scalable via partnerships. The CMMC AB will offer certification testing based on this program. Intended to be ready for first students by the end of 2020, or early 2021.
CMMC Provisional training program
The provisional training program is intended to create a seasoned cohort of 60 assessors / auditors. There may be more invited to the training, but they plan to have 60 candidates pass the training and exam.
Amira’s thoughts: It looks like the CMMC AB intends to initially certify only 60 auditors (one per C3PAO and a pool of independent auditors). This probably means that the initial CMMC roll-out to contracts will be a small number of contracts (no more than 60 auditors can review). I’m guessing this might mean 3 audits per auditor in the first six months? That math comes out to 180 contracts by mid-2021, assuming that every company passes.
The auditors will be trained up to CMMC Maturity Level 3.
Amira’s thoughts: So the first phase of CMMC roll-out on contracts should not require higher certification than level 3.
The initial assessors will have to give feedback to the training program and return to complete formal training once that is ready.
CMMC Formal training program and certifications
Intended to be ready by the end of 2020, or early 2021.
Will leverage an extensive partner network to scale up training capabilities. The CMMC AB will still be the only source of credentialing auditors.
The CMMC AB is building a Body Of Knowledge (BOK).
The CMMC-AB expects that audit professionals will progress through the following certification levels (screenshot below):
CMMC-AB Certified Professional (CP)
This is the baseline course that all CMMC professionals will take. It is a pre-requisite for the other CMMC-AB certifications. CPs cannot certify a contractor’s network for CMMC, but they can advise and help remediate prior to an audit.
CMMC-AB Certified Assessor Maturity Level 1 (CA1)
This level requires a test. This would allow assessment of systems up to level 1.
CMMC-AB Certified Assessor Maturity Level 3 (CA3)
This level requires more experience and will be more difficult to obtain. A professional who is certified at CA3 can certify organizations for CMMC Level 1, 2, or 3.
CMMC-AB Certified Assessor Maturity Level 5 (CA5)
Again, in order to reach this level, the professional must have achieved all lower levels. The intent is to have many professionals at lower levels and fewer at higher levels. The training/certification cost will increase as the levels increase. A professional certified at CA5 can certify organizations for CMMC Level 1, 2, 3, 4, or 5.
CMMC-AB Certified Instructor
This person is trained by the CMMC AB in order to provide training on the CMMC topics. In addition to being certified as an instructor, they would need to hold the relevant assessor certifications in order to train others up to that level. So to train students to CA3, the instructor would need to have CMMC-AB Instructor, CP, CA1, and CA3.
Experience requirements were discussed: College, equivalent work experience, prior military experience.
Part of the intent of bringing in partner training organizations is that colleges and universities would provide courses on these topics as part of cybersecurity programs.
Will a certification expire or require renewal? The DoD is expected to release new versions of the CMMC model. When there is a major version change (such as 1.0 to 2.0), the certification would need to be renewed for that version. Minor version changes (1.0 to 1.1) will not require re-certification. Only your highest-level exam would need to be re-taken (so if you are certified at CA3, you would take the new CA3 exam).
Where an audit takes multiple people, an audit team must have at least one certified assessor of the required level. Other members of the audit team must be at least CP.
CMMC Training Organizations
Ben discussed the organization-level ecosystem for training and certification.
The CMMC-AB maintains the CMMC-BOK (standards, practices, scenarios, learning objectives, etc.). It also develops and delivers the certification exams.
CMMC-AB Licensed Partner Publisher (LPP)
The CMMC-AB LPP will develop curriculum based on CMMC-BOK learning objectives.
CMMC-AB Licensed Training Provider (LTP)
The CMMC-AB LTP uses curriculum from LPPs. They will have CMMC-AB Certified Instructors on staff to perform training.
Amira Armond is the founder of Kieri Solutions, a cybersecurity compliance company in Maryland, USA.
The next CMMC AB webinar will be on the topic of “The CMMC Assessment Progress”. It will be available on cmmcab.org on May 26, 2020 at 1pm EST.