The CMMC Accreditation Body (CMMC AB) has started to publish their progress via webinars on the cmmcab.org website.
Here are my notes from the webinar I watched on 5/21/2020, published at https://www.cmmcab.org and archived on YouTube here.
Ty Schieber is the Chair of the CMMC Accreditation Body. He presented the current status of the AB.
The Accreditation Body has:
- Incorporated the non-profit organization, 501c3 application pending
- Staffed an all-volunteer, corporation agnostic, board of directors
- Created committees and stakeholder working groups
- Signed a memorandum of understanding with the DoD
- Created policies for internal structure and activities
The CMMC AB is almost done creating definitions, functional role definitions, and application processes for C3PAOs, licensed training partners, licensed publishers.
The CMMC AB is currently working on procedural and functional baselines which will guide how those individual organizations and roles work within the CMMC ecosystem in order to implement the CMMC standard to the Defense Industrial Base. Estimated for 4th Quarter, 2020.
Katie Arrington presented the next section. She made the point that only the CMMC AB can train or authorize CMMC auditors. Since this training and authorization process is not completed, NO CMMC AUDITORS EXIST YET. No companies can certify you for CMMC.
Amira’s note: If you see an advertisement from anyone saying that they are a CMMC C3PAO or an authorized CMMC Auditor, run away – that company cannot be trusted! You can and should be working with a cybersecurity specialist to prepare for CMMC, but it is not possible to get CMMC certification yet.
Katie Arrington recommended that defense contractors start reviewing the CMMC model which is published and start work to implement security practices as described in the documentation. She especially called out the level 1 requirements which shouldn’t cost anything to implement and apply to all defense contractors.
Amira’s note: Check out this blog on how a very small company could implement the CMMC Level 1 controls here.
Katie Arrington mentioned that her office has proposed a change to DFARS 252.204-7012 (which currently refers to NIST SP 800-171 for contractors that deal with Controlled Unclassified Information). The DoD cannot add CMMC requirements to any existing DoD contract – they will need to add the requirement to new contracts slowly, as part of a gradual roll-out.
Ty Schieber requests input from the community to their working groups via the email link: firstname.lastname@example.org . He said that within the next two weeks, each of the working groups will provide an update on their efforts.
Amira’s note: The CMMC AB has advertised that their next National Conversation will be on the topic of Training for the CMMC Standard. It is due to be released on the cmmcab.org website May 21 at 1pm EST.
Amira Armond is the owner of Kieri Solutions, a cyber-security compliance company in Maryland, USA.