As we move closer to the January 2021 launch, the accreditation board responsible for overseeing the rollout of the Cybersecurity Maturity Model Certification (CMMC) recently released a video webinar series outlining its road map for the CMMC Auditor Training program, which the board announced will take place in phases.
The 45-minute video — part of CMMC’s National Conversation Series — is led by training committee chairman Ben Tchoubineh, who shared the framework for training third-party assessors in preparation for upcoming CMMC audits.
Part 1 Is Rolling Out a Provisional Program
The initial rollout for CMMC is designed to be a provisional program. It will be limited to 60 participants who will be hand-selected by the CMMC Accreditation Board (CMMC-AB). The trainees will be certified to conduct audits at CMMC Level 3. All of the training during this provisional phase will be done remotely.
The AB plans to use this phase to understand and learn from the process. Based on the lessons from Phase 1, a more refined approach will be released in Phase 2, which will then be the CMMC formal program.
It’s anticipated that it will take between three and six months to roll out Phase 1, with the training expected to begin sometime this summer. This means the first CMMC audits will likely not begin until near the end of 2020.
Potential Downsides to Launch
The CMMC-AB will also be selecting the organizations that are at the top of the list to be audited, based on guidance from the Department of Defense (DoD). Combined with the AB selecting its first 60 candidates for training, this could create an uneven playing field initially.
Since organizations must be certified through a CMMC audit to bid on DoD contracts, the organizations chosen for early audits are likely to have an advantage over others. The playing field should level out once the training program and testing for assessors are in full force and more audits take place as the market opens up.
Different Certification Levels for CMMC
The requirement to bring in third-party auditors to certify that cybersecurity requirements have been adopted is a key differentiator between CMMC and past standards, such as the NIST standards, which allowed for self-assessment. As part of its announcement, the board revealed that there will be four different certification levels for CMMC assessors:
Certified Professional – An entry-level certification with no required prerequisite training or experience. It is suggested that the individual have some cybersecurity experience, but it is not required. Preference is given to former military personnel, who will be automatically accepted to take the certification course.
After successfully passing the Cybersecurity Maturity Model Certification exam to become a certified professional, trainees may enroll in further training to test for one of the following:
Level 1 Certified Assessor – This examination level certifies the assessor to audit certifications for Level 1 organizations.
Level 3 Certified Assessor – This examination level certifies the assessor to audit certifications for Levels 1-3 organizations.
Level 5 Certified Assessor – This examination level certifies the assessor to audit certifications for Levels 1-5 organizations.
Right away, you might notice there is no mention of a Level 2 or Level 4 certified assessor. That’s because, as it currently stands, Level 2 is considered a road map for organizations to move from Level 1 to Level 3, and Level 4 is essentially a road map for Level 3 organizations to advance to Level 5 certification.
There is also training for assessors to become CMMC-AB instructors to teach courses. Candidates for this program will need to complete training and the exam for the assessor level they want to teach (e.g., complete training and pass the exam for Level 3 assessor before beginning training to become a Level 3 instructor).
Prepare Now for the Future
What’s the takeaway for DoD contractors seeking to obtain CMMC compliance?
With the first assessor training slated for this summer, and audits scheduled soon after, the key message is that the CMMC program is marching forward. DoD contractors should begin developing and implementing their CMMC preparation strategy now to avoid the risk of losing a defense contract next year.
While we have yet to learn what to expect when a CMMC assessor conducts a certification audit, the process of preparing for a CMMC audit should be underway as soon as possible.
At Peerless, we’ve shifted our company to focus exclusively on DoD contracting companies, all of which will need to be CMMC-compliant to continue working with the DoD. We will not conduct CMMC audits. Instead, we provide CMMC-compliant solutions and help organizations prepare for an audit.