Here are the CMMC news topics this week:
Registrations open for CMMC auditors, C3PAOs, and “registered” practitioners / organizations
Registration has been open for a month and a week. Links and information about registration can be found at this CMMCaudit blog “CMMC AB opens registration for C3PAOs and Assessors“.
I submitted applications for C3PAO and auditor on the day it opened. So far I haven’t heard anything back. What has your experience been? Please comment!
Update: Jeff Dalton (CMMC AB Director) provided the following information on LinkedIn on 7/30/2020:
“We’ve had over 600 applicants for assessors, and several hundred for C3PAOs. Each one has to be reviewed – not just resume and application, but with external orgs to look at business history. We’re picking the first class of assessors (about 70) early next week (random selection) and they will be notified. C3PAOs will then be notified. The following week. We’re getting close!”
LinkedIn conversations about CMMC topics
Jeff Dalton (CMMC AB Director) has been leading conversations on LinkedIn.
His recent topics have been:
- CMMC and the connection with CMMI (a maturity model organized by ISACA). He linked to this podcast by Two Harbors which is a discussion about CMMC, where it connects with CMMI, and where it looks to be going in the future.
- Describing the terms ““certified,” “registered, credentialed,” and “accredited”
- Licensed Partner Publishers
- Licensed Partner Trainers
- CMMC Third Party Assessment Organizations (C3PAOs)
If you haven’t, I recommend connecting or following Jeff Dalton on LinkedIn as he is one of the main people providing CMMC AB information and thoughts.
CMMI and CMMC?
This article from SEI discusses the influence that CMMI (Capability Maturity Model Integration, a maturity model organized by ISACA) is having on the CMMC.
If you are trying to get ahead of the curve, it might be a good idea to learn about the CMMI. It gives applicable guidance on how to write good policy, processes, and show that your organization is using them.
IT-AAC new formal relationship with the CMMC AB
The IT Acquisition Advisory Council is a private/public partnership created by the Pentagon to “improve DOD’s embrace of commercial standards, best practice and lessons learned.”
Both organizations signed a memorandum of understanding this week. It appears the intent is for IT-AAC to leverage their large membership and resources to help the CMMC AB build out education and training.
For more information, check this article by InsideCyberSecurity “CMMC accreditation body formalizes relationship with IT acquisition council“.
CMMC AB drama?
According to FedScoop, there has been some drama between the CMMC Accreditation Body and their DoD sponsors recently.
The DoD wants to pursue a formal contractual relationship with the CMMC AB rather than the memorandum of understanding that was previously agreed upon. There are concerns that this is reducing the authority and increasing liability for the Accreditation Body.
For more information, check this FedScoop article “CMMC board faces ‘passionate’ internal turmoil over new contract with DOD“.
CMMC impact on cost, conflicts, and competition for DoD contractors
Akin Gump lawfirm issued a 20-page paper on CMMC Cost, Conflicts, and Competition.
The introduction of the paper cites concerns about the following topics:
Cost – specifically, cybersecurity being an “allowable cost” when there are myriad types of fees involved with CMMC compliance, and the contractor still needing to compete in price.
Conflicts – there are conflicts of interest for most if not all participants in the program, which could form the basis for bid protests.
Competition – The “go/no go” nature of the CMMC will likely limit the ability of some firms, particularly small businesses, to compete.
The paper (PDF) can be downloaded from the Akin Gump website.
What about non-US suppliers?
There is an open concern about what the plan is for non-US suppliers.
I’ve run into four different people now, all living in non-US countries and not US citizens, who are either 1) trying to become a CMMC practitioner to serve local companies, or 2) get their multinational company CMMC certified.
At first I thought it was really strange that overseas companies cared about CMMC. But when I look at even highly sensitive data regulations, such as EAR and ITAR, they include ways for production to be performed by non-US organizations. My non-lawyer interpretation is that the United States might want to purchase cool military equipment from other countries.
So far, I haven’t seen any formal statement about how the CMMC handles these companies. Jeff Dalton did respond to the question and said that the CMMC AB is focused on US contractors and assessors currently, but starting to discuss international.
If you know more on this topic, please comment!
Finishing up…
Alright folks, that is all I’ve got for today.
Good luck! Please send me a connection on LinkedIn (Amira Armond) and comment with your thoughts and tips.
I have heard that as of today (30 July), the CMMC-AB does not even have a SOW. A *lot* needs to happen if they expect to meet ‘any’ of their deadlines.