This article will be updated as the CMMC progresses. If you want to be a CMMC auditor or certifier, please subscribe to our newsletter for news as the CMMC rolls out.
How to become an accredited CMMC certifier or auditor?
Unfortunately, at this time, there is no way to become an auditor or certifier for CMMC. The following things need to happen first.
RFI for CMMC Accreditation Body (complete)
The DoD released Request for Information (RFI) HQ0034SS10032019 seeking information on how to define the long-term implementation, execution, sustainment and growth of the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body.
The solicitation was released October 3, 2019. There was a Kick Off Meeting on November 19, 2019. The RFI is now inactive.
The focus of this RFI was to get advice from stakeholders about the role, duties, and form of a CMMC Accreditation Body. In other words: should it be for-profit or non-profit, a partnership of multiple organizations, a single existing organization, or a single new organization; who should be on the board of directors; and so on.
As part of the RFI process, new information about the CMMC was published in these documents:
CMMC Accreditation Body RFI document
Here is my summary of the RFI document…
The definitions page gives some great information. The following definitions are copied from the RFI (page 2).
- CMMC Model – A capability-based maturity model that defines a progression of cybersecurity maturity. The model leverages multiple sources, including current law, regulations, commercial best practices, and threat profiles.
- CMMC Accreditation Body – The organization responsible for managing, operating and sustaining the CMMC program, CMMC training, and evaluating and accrediting individual assessors and C3PAOs.
- CMMC Assessments – Evidence-based, on-site evaluations of the capabilities, practices, and process maturity defined in the CMMC model and conducted by independent third-party assessment organizations. Not all CMMC assessments will require the same amount of effort, as lower levels defined in the CMMC model assess a smaller number of less challenging cybersecurity capabilities. Higher level assessments will be more involved.
- CMMC Certification – The result of a CMMC assessment. The CMMC certification represents a company’s demonstration of cybersecurity capabilities and organization maturity as defined for a specific level of the CMMC model. CMMC certification will be used to qualify companies for DoD contracts.
- CMMC Third Party Assessment Organizations (C3PAOs) – Third party organizations accredited by the CMMC Accreditation Body and authorized to conduct CMMC assessments and grant CMMC certifications.
The CMMC Accreditation Body will conduct these activities (copied from the RFI, page 4):
- Accredit C3PAOs
- Conduct CMMC Training for C3PAOs and Assessors
- Implement individual assessor and C3PAO Quality Control Programs
- Coordinate and report metrics with the CMMC PMO
- Maintain the Reference Implementation Assessment Tool
- Manage and maintain CMMC assessor training, and associated assessment guidance
- Manage and maintain CMMC supporting systems and databases (records management, knowledge sharing and marketplace, artifact store)
- Manage the dispute resolution process to adjudicate C3PAO technical appeals and complaints.
CMMC Assessment Body RFI Questions and Draft Responses document
Here is my summary of the questions and answers:
Many questions are about the auditors (called C3PAOs) and how they will be picked. The responses reiterate that the current focus is on creating an Accreditation Body (an organization), which would be responsible for figuring out how the auditors get trained, tested, and certified.
Question 31 has a good tidbit: “Will instructors and/or assessors require clearances for top secret facilities?” Answer: “The certified C3PAOs will only assess non-federal unclassified networks. It is anticipated that the Accreditation Body and/or certified C3PAOs will work with DIB contractors with respect to access requirements for credentialed CMMC assessors.”
Selection of CMMC Accreditation Body (in progress)
The accreditation body is not fully functional yet. It is in the working group stage, where interested parties are collaborating to define and form it. Officers have been selected, but the base of full time employees has not been hired yet.
They are still hashing out questions like where the money to operate the organization should come from, whether the body should play a heavy role in evaluating risk to companies or expect the DoD to set standards, etc.
The accreditation body DOES have a website: https://cmmcab.org (Thanks to Chris Golden in the comments).
The AB website CMMCab.org is being updated daily and has a newsletter sign up. Go check it out!
I will update this article as new information becomes available. Also please sign up to our newsletter on the right for email notification when we release a new blog or things change.
Requirements for C3PAOs need to be created (future)
The CMMC Accreditation Body needs to develop a process for selecting C3PAOs.
I expect there will be some combination of requirements for auditors. For example, auditors may need to:
- show specific credentials such as an (ISC)² or ISACA certification.
- show cybersecurity and compliance experience.
- pass a test specific to the CMMC best practices.
- pass a background check.
- be sponsored by others in the industry.
- complete training provided by the accreditation body.
This is also not done yet.
The CMMC requirements need to stabilize (complete)
(Update 2/4/2020) The CMMC Model version 1.0 document and appendices have been released. This is the first final version of the CMMC.
More information and links to version 1.0 can be found here: CMMC Version 1.0 Released – Analysis for DoD contractors
This document gives the requirements for levels 1-5, as well as clarifying descriptions and examples for each control. It also describes the expected maturity of processes for each level.
Auditors will use this document for guidance when reviewing each company’s cybersecurity program.
Expectations for a successful audit need to be set (future)
The Accrediting Body and/or DoD need to set expectations for what a successful audit looks like. This is a huge unknown, at least to me. The precedent set by NIST SP 800-171 is to have a system security plan, to meet minimum security requirements in Federal Acquisition Regulation (FAR) Clause 52.204-21, and to have a plan of action for the rest.
The intent of the CMMC is to get contractor networks to be fully secured, without exceptions, to the security level specified.
In practice, there will be problems with requiring full cybersecurity best practices.
A simple example is multi-factor authentication (MFA). Sure, you can set up MFA to trigger when you log on and when you open email, but what about the non-compliant manufacturing program that is required to perform the contract?
A more worrisome (because it happens to all of us) example is patching. If you can’t patch system X because it crashes, does that mean you can’t be certified? What about timeliness? How up-to-date do your systems need to be? Can your patch process include time for testing?
There will need to be an exception process. This could take the form of a temporary exception for X months or years, or an interim approval with new audits required every 6 months. To be determined.
There you go. That is how to become a CMMC auditor. At least for now!
Please comment if you have ideas or news about the process. If you want to become a CMMC auditor, sign up for our newsletter so that I can send you news and employment opportunities. Please connect with me on LinkedIn too!