This week’s CMMC news roundup has several items on the CMMC-AB and DoD’s statement of work, a fun (and potty-mouthed) take on what is wrong with the CMMC, and an update on reciprocity plans.
Reciprocity for FedRAMP and DIBCAC assessments soon
Official: Reciprocity Memos on DOD’s Cybersecurity Certification Program Are Ready – Nextgov
This news article caused a stir because of a quote from Ms. Katie Arrington (DoD): “I’m going to take any ISO 27001 and provide reciprocity,”. This is a problematic quote because the ISO 27001 program has very little resemblance to the requirements in CMMC Maturity Level 3. A popular phrase about these two is that they are “apples and chainsaws”. Speaking as a cybersecurity practitioner, I would expect a massive transition to ISO 27001 by defense contractors because it is much more doable than CMMC Level 3. But Katie did not say what CMMC level she was speaking about. Maybe this is for CMMC Level 1?
Ms. Arrington also confirmed that FedRAMP and DIBCAC reciprocity memos have been sent up to be signed.
Warnings about CMMC fraud
Stacy Bostjanick (DoD) warns that she had been contacted by a company that paid $10,000 for “CMMC certification” to a fraudulent provider. Her advice was to be careful about who you bring in. She recommends that consultants should have gone through some of the CMMC-AB training. To be very certain that consulting advice is accurate, they should have gone through CMMC-AB training and have a certification through them. She says this will help reduce the risk of fraudulent practitioners taking advantage of defense companies.
The article also has updates on:
- the CMMC pathfinders (mock assessments)
- CMMC Pilot programs. It has a list of the programs that have been selected so far.
- Final DFARS rule for CMMC should be released in mid to late summer
- C3PAOs (CMMC assessment organizations) rollout status
- DIBCAC scheduling first assessments of C3PAO information systems (major bottleneck).
Naval memo describing implementation of DFARS Interim Rule
This Navy memo from 2020 tells procurement officers how to put the new DFARS clauses into contracts.
- DFARS 252.204-7019
- DFARS 252.204-7020
- DFARS 252.204-7021
The Unf**k CMMC story book
Warning: Foul language. This is a fun read with several good points about the overall CMMC program. It is sure to offend everyone, at least a little.
I personally disagree with telling professionals not to get CMMC-AB badges, specifically rejecting the program for Registered Practitioner. I feel there is decent value to the RP program as described in this article. And any Certified Professional, Assessor, or Provisional badge should be highly regarded since there are significant requirements and quality check involved. But it is worth hearing the the author’s take on this, to balance out our viewpoints.
CMMC-AB and DoD Town Hall – January 2021
The recording is available if you missed the town hall.
CMMC-AB Statement of Work
This article from InsideCybersecurity discusses the Statement of Work and what it means for the CMMC-AB over time.
The Statement of Work itself (hosted by InsideSecurity)
Noteworthy items under “DoD Responsibilities”
- Establish and maintain the CMMC eMASS infrastructure and provide access to the CMMCAB as GFI. Both parties agree to identify specific responsibilities, tasks, and Service Level Agreements requirements upon contract award.
- Grant access to CMMC eMASS to select members of C3PAOs as GFI conditioned upon users meeting DoD requirements and procuring appropriate certificates.
- Develop the data fields requirements and templates associated with the Assessment Reports for all C3PAOs and assessors.
- Populate and keep current a list of DIB entities and their CMMC certification level in the CMMC eMASS and Supplier Performance Risk System.
- Sponsor and fund Tier 3 suitability determinations for the CMMC-AB staff.
- Sponsor and fund Tier 3 suitability determinations that result in no security clearance for C3PAO assessors conducting CMMC Level 2 -5 assessments.
- Sponsor and fund Tier 3 suitability determinations that result in no security clearance for outsourced support IT, MSP, and MSSP staff for CMMC-AB and C3PAOs conducting Level 2-5 assessments.
CMMC CAICO and Training update
CAICO and current state of CMMC training – Ben Tchoubineh (CMMC-AB)
This interview (transcript available) gives new information about the CAICO. The CMMC-AB is starting to split into an Accreditation Body (AB) and a CMMC Assessor and Instructors Certification Organization (CAICO).
The AB portion will focus on certifying C3PAOs (assessment organizations) and management of assessment quality.
The CAICO portion will focus on training and certifying individuals, and management of training organizations.
Training costs are discussed, as well as how to determine if a training course meets requirements for Certified Professional or Certified Assessor. And several other training topics of interest to Certified Assessors, Provisional Assessors, and Licensed Training Providers, and Licensed Instructors.