Pentagon’s Contractor Cybersecurity Program Approaches Testing Phase

If all goes according to plan, by the end of next week there will be 73 individuals ready to conduct initial assessments of Defense Department contractors for the Pentagon’s Cybersecurity Maturity Model Certification program.

The Defense Department currently takes contractors at their word on whether appropriate measures are in place to safeguard information in their possession that isn’t at the classified level, but is nonetheless sensitive and valuable. The CMMC aims to address what officials describe as an epidemic of intellectual property theft from within the defense industrial base by requiring that all contractors have their cybersecurity practices certified by a third party. A rule to implement the CMMC is expected in the fall.

In June, DOD officially entered into a memorandum of understanding with a group of professionals in relevant fields who volunteered to manage the certification process—the CMMC Accreditation Body, or CMMC AB. The group has established itself as a non-stock corporation in Maryland—awaiting a tax-exemption determination by the Internal Revenue Service under Section 501(c)(3), according to its website—with a board of directors chairing various committees to get the program off the ground.

“The instructor-led training is starting on Monday,” CMMC AB communications chairman Mark Berman told Nextgov. “Many of the provisional assessor candidates are deep into the online training already and providing us with exactly the type of detailed feedback that we have been seeking to make the system better for everyone who will follow.”

Beyond the role of ordinary trainees, this initial class of assessors will help to hone an assessment standard under development by the CMMC AB. Qualified assessors will use the standard to determine whether companies meet the requirements detailed in the CMMC model, which will be maintained by the DOD, according to the MOU.

The CMMC AB selected the group of 73 individuals from over 500 applicants mostly at random, according to a press release[1] issued Tuesday. After four days of the in-person training starting Aug. 31—during which they will contribute more feedback to shape the assessment standard—the group will be provisionally qualified to conduct a set of dummy assessments, and further test the program for potential pitfalls.

During an Aug. 13 event[2] with the Professional Services Council, Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said acquisition tabletop exercises were part of mock assessments the department has already conducted on an existing contract. Another of these pathfinder projects is planned for September. The pathfinder assessments are non-punitive, Lord said, noting that the office of the chief information security officer for acquisition is also looking for other contracts on which to conduct CMMC pilots, which will not result in certifications, but serve to further de-risk the program.

The provisional assessors will play a crucial role in shaping the assessment standard on which the whole program rests.

“Right now, we’re coming out with the assessment standard, and that is the answers to the test,” Regan Edens, the CMMC AB’s chair for standards management, said at the end of May[3]. “At the end of the day, the assessors will train on that standard in order to be able to understand what is the standard, how do you apply the standard, what is the criteria for conformity and what’s the guidance that they need to give the organizations when they haven’t met the standard and what the path forward is to meet the requirement.”

But control of the standard could be in question. A statement of work included in a no-cost contract Lord says the DOD is working to finalize with the CMMC AB could reportedly change[4] who is responsible for maintaining the standard.