On August 9th 2020, the CMMC Accreditation Body sent this email to me (and presumably others who registered to become a CMMC certified assessor).
To opt in, you must attest that you meet the experience requirements:
- 10+ years' experience conducting evidence-based assessments in cyber or another information technology field.
- 20+ years' experience as a "consultant or proven leader" in Cybersecurity, and qualify for DoD 8570 IAM Level III.
There is no additional application fee (other than what you already paid when signing up to become an assessor), but a $1000 training fee would apply when registering for training.
Here is the link to the CMMC AB page for the program: https://www.cmmcab.org/provisional-assessor-lp
The website states “The Provisional Program will provide Level 1 assessments initially, and may expand up to Level 3 over time”
If you click the apply link, you are only asked for your name and contact information (I assume this means that they will look at your assessor application for the rest). There is no opportunity to provide more information, such as an updated resume.
The small print on the opt-in page says "Those that are selected will be notified by email on or before 17 August 2020." So if you want to apply, you've got only a few days to do it.
Here are my thoughts:
20+ years as a proven leader or consultant in cybersecurity?
I didn't gain the skills to be a consultant or leader until I was in my mid-30s, and I was pretty fast. This puts the age of that cohort at 55+. And very non-diverse… (there were even fewer minorities and women in cybersecurity in the 90s). Hopefully they are able to represent the rest of us as they provide feedback.
Not to mention that those who have 20+ years in cybersecurity or 10+ years in audits (which is itself a senior IT position) are probably senior managers who haven't been hands-on with current technology. Zero Trust… what???
I'm really surprised there is no degree requirement or ability to count degrees toward experience. For example, the Certified Information Systems Auditor (CISA) certification gives a 2-year experience waiver for a bachelor's degree, or a 3-year waiver for a master's degree in IS.
In cybersecurity audits, reading and writing skills have to be top notch. It is a disaster if you can’t communicate on paper. One of the major benefits of degree programs is they force the graduate to get better at writing. I didn’t see any criteria for this skill.
No ability to update our applications or even add a note?
Last month I submitted my certified assessor application first, then put in my company's C3PAO application. Since I did it in that order, my assessor application does not have a "C3PAO affiliation". There hasn't been any portal to fix this, nor has anyone from the AB reached out to discuss it. I'm betting that other applicants would also really like to update their information or add a note with their C3PAO affiliation.
First audits = CMMC level 1???
The statement that provisional assessors will only perform Level 1 assessments initially is huge.
I’ve been figuring the first group of contracts would be CMMC Level 3 to check the high-risk companies that should already be DFARS 252.204-7012 compliant. Very surprised that assessments are starting at level 1.
By auditing Level 1, it is likely that the first companies will pass their audits, so regulators and the business community should be reassured. This is a cautious strategy, but a wise one.
This also sets the scope for initial audits to be Federal Contract Information (FCI), which is “non-public” information provided by the government. So if the initial audits are against DFARS 252.204-7012 companies, those companies will need to consider their FCI scope, not just their CUI scope.
That’s all I’ve got folks. Good luck to those who are opting in!
Good luck! Please send me a connection on LinkedIn (Amira Armond) and comment with your thoughts. I expect this news is frustrating for many, but let's try to remember that we weren't expecting to get in anyway.
Venus Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. She specializes in designing secure and resilient enterprise systems for the private sector and the DoD. She is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.