Big news these last two weeks. In particular, the DFARS rule for CMMC abruptly changed course. It looked like it was delayed for months, but then (I think?) it got approved on an interim basis, to go into effect around November 27, 2020.
DFARS Interim Rule Added – enforces assessments
Don’t skip this link. IMO it is the most important news in the last year for the CMMC.
Super quick non-lawyer review of the DFARS interim rule:
Assessment results will be stored in a DISA system (SPRS) https://www.sprs.csd.disa.mil. DoD components are expected to check this system for assessment scores and validate that the bidder’s assessment is less than 3 years old. Note: Per Vince Scott (Defense Cybersecurity Group, Inc.), the SPRS is available to contractors through the Procurement Integrated Enterprise Environment (PIEE). See his comment below for full details.
It talks about the CMMC levels and phased rollout through 2025. This statement should help give companies time to get certified: “In order to implement the phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment”
It says that the rule amends DFARS subpart 204.73 “Safeguarding Covered Defense Information and Cyber Incident Reporting”. The new coverage “directs contracting officers to verify in SPRS that an offeror has a current NIST SP 800-171 DoD Assessment on record, prior to contract award” if the contract has DFARS 252.204-7012 in it. *** To me, this reads like it amends the current requirement, and is not part of the ‘phased rollout’. That makes this an immediate action item for basically all of the DIB. How do you read it? ***
CMMC certification would be required at time of award, not at time of proposal submission. This is a change.
Contract officers are also instructed to include a few new clauses about allowing government assessors access, requiring subcontractors to meet the assessment requirements too, and submitting company assessments to the SPRS system.
I recommend following Robert Metzger (he is an attorney specializing in CMMC and DFARS) on LinkedIn for updates and shares on this topic.
Certified Assessor Training in development
The CMMC-AB authorized 11 organizations as “Licensed Partner Publishers”. These organizations are starting to develop courses on the Certified Professional / Certified Assessor track.
For more information and exclusive updates from Infosec Institute, check our Auditor Training Resources page.
Each LPP is also listed on the CMMC-AB marketplace.
Provisional Assessor update
Several Provisional Assessors have posted on LinkedIn that they completed their exams and are official. No word on whether any assessments have been started.
Per Matt Gilbert (a provisional assessor candidate), in mid September: “The class is completed and yes we have an exam to take this week. Assuming we pass we will be official provisional assessors next week. Then it is up to the DoD to authorize us to proceed and start taking on provisional assessments. Exact format (i.e. are we open to any OSC requesting vs. matched or allocated by AB) and details (i.e. for credit or not and level 1 only or more) are TBD.”
Registered Practitioners path started
RPs were recently given access to web-based training created and hosted by the CMMC-AB as part of their $500 initial fee. If you signed up for RP, you should have gotten an email last week. Contact CMMC-AB support if not.
More information here: Review of CMMC Registered Practitioner Training
Certified Assessors – no news
I’ve had a bunch of contacts from folks who registered on the Certified Assessor track, asking if they missed a message or notification. No, you haven’t. At least if you have, you are in good company with the rest of us.
The CMMC-AB seems to feel that since they don’t have the CA track ready, there is nothing to announce or message about. It is logical, but still frustrating. If you applied and have questions, feedback, or concerns, I recommend submitting a support request to them (check the cmmcab.org website for link). Turnaround is about 3 days in my experience.
Oxbridge paper about accreditation body lessons-learned
Oxbridge published a paper about organizational lessons-learned from other certification bodies (such as CMMI) and identified problems with how the CMMC-AB has been put together. While generally negative, it has valuable insights. Page 8 provides an action plan:
- AB certifies C3PAOs
- A different organization certifies assessors
- A different organization certifies training providers
- No certification or restrictions for publishers (I agree, passing the exam and background requirements should be the only roadblock. Otherwise, caveat emptor for the rest of the marketplace.)
- No certification or restrictions on training providers, let the training provider perform their own quality assurance.
- No registered practitioners, since this is definitely a pay-for-marketing situation
Hope this all helps! Good luck to everyone in their assessment and compliance journeys.
President, Kieri Solutions LLC