CMMC News Rollup November 19 2020

Hello all,

Lots of different topics in this news article. I hope they help you! – Amira Armond

Registered Practitioners and RPOs are official!

The CMMC-AB started releasing badges to Registered Practitioners on November 17th.

If you are a Registered Practitioner candidate who has 1) finished the background check, 2) finished the training, and 3) signed the code of conduct, then go check your training profile. You might find a badge in it.

One weird thing – the badges are imperfect. Someone added a random dot at the last minute. I wouldn’t be surprised if we get a different version via email.

RPs were also sent an email to update their profile for the Marketplace listing. Don’t forget to do this.

Provisional Assessors are official

The CMMC-AB started releasing badges to Provisional Assessors as well. This release seems to be via email.

Note: None of the badges appear to be linked to an acclaim profile or other central verification system. They are just image files. Update from Ben Tchoubineh (CMMC-AB Director): The badges will link to a central verification system in the near future.

CMMC-AB Marketplace is (kind of) up!

The website still links to a “Coming soon” page for the Marketplace.

However, a separate website is up, with entries for RPs, RPOs, and provisional assessors.

Background Checks for RPs

This thread on LinkedIn about the background check requirements seems to have made a change to policy.

Jeff Dalton from the CMMC-AB board of directors clarified on the thread that the CMMC-AB website’s list of 15 background check inclusions is too much and the “Basic” background check that they used for Registered Practitioners is appropriate.

ISO Certifications for the AB and C3PAOs

For C3PAO candidates, one of the most concerning requirements listed on the CMMC-AB website is the ISO certification. Update from Ben Tchoubineh (CMMC-AB director): the CMMC-AB page was updated to show ISO 17020 vs 17021. Per articles below, the requirement can be met after starting performance as a C3PAO (assuming the second article is referring to the same C3PAO certification).

June 2020 FedScoop: Clarifies the ISO requirement for C3PAOs to be “ISO 17020”

“The memo confirms that these third-party assessors testing at levels three and above on the five-level system will need ISO 17020 certification. While that might seem like a laundry bag full of acronyms and numbers, it means a higher barrier to entry for the needed army of assessors. The process to get ISO 17020 — an international standard set by the International Organization for Standardization for the competence of inspection bodies — generally takes 6 months.”

October 29, 2020 Government CIO – ISO certifications can be obtained while performing

“Arrington and her team decided, after receiving feedback from others across DOD as well as academia and industry, to establish three International Organization for Standardization (ISO) certifications in the CMMC AB statement of work. Three of them need to be within two years, which is the standard onboarding process to ensure continuity and meet ethics requirements, she added.”

Technical: Can commercial clouds be used to store CUI?

This LinkedIn poll shows a deep divide between cybersecurity practitioners on the topic of encryption and clouds.

  • About 50% seem to trust FIPS encryption to keep your data safe, no matter what quality cloud you use (such as a commercial cloud hosted overseas).
  • The other 50% seem to feel that the security measures in the cloud (access restriction, data sovereignty, logging) are very important and FIPS encryption cannot be the only protective measure.
  • A few people argue that real security is different than assessed security… for example, an assessment may look for FedRAMP as a check-box but real confidentiality is adequate via the encryption.

Hopefully we all get on the same page before assessments start. Please make sure to read the comments from Wayne Boline and Jeff Dalton who are CMMC-AB members and seem to have a good grasp on where the DoD stands on this sort of technical question.

DoD Acquisition Cyber FAQs

This document, which appears to be published by the DoD Acquisitions Office, provides more than 100 Q&A topics regarding DFARS and cybersecurity. In the past, it held Q&A about DFARS 252.204-7012 and previous regulations. It has been updated with Q&A about the interim rule topics 252.204-7019, 252.204-7020, and 252.204-7021.

Below are excerpts which should be very interesting to the community, especially as we are submitting NIST SP 800-171 DoD Self Assessments.

Q127:  How will Software as a Service solutions be scored with the NIST SP 800-171 DoD Assessment?  For example: Integration with Office 365, which holds a FedRAMP moderate certificate, may create an issue as the vendor will not share specific details with clients. 

A127: For cloud-based solutions (e.g., SaaS, Office 365), if authorized at FedRAMP moderate or equivalent, the solutions are assumed to meet NIST SP 800-171 requirements.  However, typically certain configuration settings remain the responsibility of the subscriber/client, and when they are related to specific NIST SP 800-171 requirements, they are subject to assessment and scoring. 

Q129:  Who can post NIST SP 800-171 DoD Assessment results to the Supplier Performance Risk System (SPRS)? What will be posted?

A129:  A contractor may submit, via encrypted email, summary level scores of Basic Assessments conducted in accordance with Section 5 and Annex B of NIST SP 800-171 DoD Assessment Methodology, available at, to for posting to SPRS.

DoD will post the following Medium and/or High NIST SP 800-171 DoD Assessment results to SPRS for each system security plan assessed:

  • The standard assessed (e.g., NIST SP 800-171 Rev 1).
  • Organization conducting the assessment, e.g., DCMA, or a specific organization (identified by Department of Defense Activity Address Code (DoDAAC) or Commercial and Government Entity (CAGE) Code).
  • Each system security plan assessed, mapped to the specific industry CAGE code(s) associated with the information system(s) addressed by the system security plan. All corporate CAGE codes must be mapped to all appropriate system security plan(s) if the contractor has more than one system security plan and CAGE code. Additionally, a brief description of the system security plan architecture may be required if more than one plan exists.
  • Date and level of the assessment, i.e., basic, medium, or high.
  • Summary level score (e.g., 105 out of 110), but not the individual value assigned for each requirement.
  • Date a score of 110 is expected to be achieved (i.e., all requirements implemented) based on information gathered from associated plan(s) of action developed in accordance with NIST SP 800-171.

Q136:  Is a scheduled change management action sufficient for inclusion in a POAM?
For example: Implementation issue identified, the solution is known and the remediation date set.

A136:  Yes.

NIST SP 800-171 DoD Self Assessments

The DFARS Interim Rule makes having a self-assessment in SPRS a requirement to win a new (or re-competing) contract after November 30th.

Since you are subscribed to this newsletter, you got notified way back in early October about this, and hopefully are well on your way to submitting these assessments.

This very popular article from has step by step advice for submitting your assessment.

Where is the Easy Button for CMMC? Why MSPs may be the solution

This new article on addresses the cost issue for small businesses who are handling CUI.

This applies today to DFARS 252.204-7012 / NIST SP 800-171 compliance, and will apply to CMMC Level 3 compliance.

The article gives ideas for how to keep the budget down, as well as a challenge to DoD to authorize MSPs to host multiple client companies on a centrally-managed infrastructure.

There’s the latest CMMC news. I think the main takeaway from this week’s newsletter is the CMMC-AB needs to update their website desperately.

Thanks for the read! Please share this newsletter if you found it valuable. Please comment or message me if you want to share anything with the community.

Please connect with me on LinkedIn: V. Amira Armond

Author: V. Amira Armond (CMMC RP, CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC.

Kieri Solutions LLC is in progress to become a CMMC assessment organization and has several Registered Practitioner and Certified Assessor candidates on staff. Amira is also the chief editor for, a public resource for news and informational articles about the Cybersecurity Maturity Model Certification. 
