This is the CMMC News for the week of January 23rd, 2021
The CMMC-AB Standards Podcast Episode 1
The CMMC Accreditation Body has released the first of a series of podcasts called “The CMMC-AB Standards Podcast”.
Regan Edens, Chris Golden, and Jeff Dalton review several non-technical topics of the CMMC.
At time stamp 36:10, Chris says that the DoD has not authorized FedRAMP reciprocity for CMMC. This means that in the short term, cloud service providers may need to “be in the room” during an assessment. This will last until either the cloud service provider gets CMMC certified themselves, or until FedRAMP (or another compliance framework) is granted reciprocity.
Note from Amira: If you are a defense contractor, don’t panic. There is a line of CMMC C3PAOs that need to be assessed before you will be assessed. There are also “pathfinder” contracts that come first. Hopefully by the time these two groups are CMMC assessed, there will be a path forward for the cloud providers.
If you are a C3PAO or pathfinder, or a cloud provider, start panicking. <grin>
CMMC Town Hall on January 26th
The next CMMC Town Hall is scheduled for January 26th. Unlike previous meetings, this one should have a lot of DoD representation and the DoD is expected to answer submitted questions about the CMMC.
Registration is full, but they will probably post the recording, so look for it later this week if you missed the sign-up.
Next version of the CMMC model?
I’m hearing rumors that there is a second version of the CMMC model coming out soon. Have you heard anything? Maybe they will take out the requirement for FIPS validated cryptography? (please comment)
No official CMMC Certified Assessor training yet
I’m hearing that CMMC Certified Professional and Certified Assessor training hasn’t been approved yet, and most likely it will become available in April or May 2021. What have you heard? (please comment)
Assessment Providers (C3PAOs) must complete a CMMC Maturity Level 3 assessment before they start work
Several C3PAOs have been accepted by the Accreditation Body (background check complete, published to the Marketplace page). But none have been assessed for CMMC Maturity Level 3 of their information system yet.
So what can C3PAOs do now?
They can perform Gap Analysis or consulting for clients that are getting ready for CMMC. Or do their regular (non-CMMC) business. Those poor provisional assessors are bored. I encourage you to reach out to your favorite C3PAO to get a gap analysis while they are available.
CISA offers free help with security
This offering from CISA.gov is really interesting for defense contractors.
I have a hard time believing that they have the resources to meet potential demand. It looks like these will be prioritized based on whether your organization is critical for the nation’s safety and security. #utilityindustry
- Free phishing test against your organization
- Free IT or Operational System architectural review
- Free public-side vulnerability scan
- Risk assessment, even including an onsite visit
CMMC Assessments give 90 days for remediation
Jeff Dalton and Amira Armond discuss CMMC assessments in a video Q&A session. Jeff gave a great clarification to a question about what happens if the company fails their assessment. He said that the current assessment procedures being tested allow for a 90-day remediation window where problems can be fixed. The same group of assessors will review just the “delta” (the changes), rather than require a new assessment from scratch.
This, and lots more about CMMC assessments, is on the linked page.
Hope that helps. Cheers!