Implementation of the cybersecurity standard for the Department of Defense (DoD) supply chain poses a Herculean task, with roughly 300,000 companies in the defense industrial base seeking certification. The vice chair of the board of directors overseeing the implementation process said that 25 assessors have been provisionally trained, and estimated that certified assessors for the open market will be released in the first quarter of calendar year 2021.
“We’re continuing forward to develop the ecosystem,” said Karlton Johnson, vice chair of the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (CMMC-AB). He said the first provisional training of 25 assessors was “just completed.”
The CMMC standard will be included in 10 Requests for Information (RFI) and 10 Requests for Proposal (RFP) by the DoD this year, according to the website of Amazon Web Services (AWS) on a page dedicated to the CMMC. “AWS is collaborating with the DoD and the CMMC-AB on the requirements and certification process,” the AWS website says. The company has also indicated it plans to provide solutions for the CMMC.
The provisional assessors will serve as a “pathfinder testbed,” said William “Tony” Bai, Federal practice lead at A-LIGN, a cybersecurity and compliance firm, speaking alongside CMMC-AB’s Johnson at the Billington CyberSecurity Summit on Sept. 9. The provisional assessors will “shake out the program and what needs to be done before the training and certified assessors for the open market are released,” Bai said.
“Those provisional assessors will only be able to assess those companies participating or competing on the RFPs that are being released that have the CMMC requirement,” Bai said. He estimated that the market would open for companies to hire assessors in the first quarter of calendar year 2021, a statement the CMMC-AB’s vice chair confirmed.
With the DoD scheduled to complete the process for a rule change for the CMMC in November, the work for the CMMC-AB continues.
“What we are focusing on in the next few months is continuing to flesh out the initial provisional assessors,” said Johnson, and “working with DoD to step up the next stages of that as we go from provisional and the mock assessments that we’ve talked about, testing the ecosystem, and eventually get them to the point where we can go by for score.”
“As we go down the road, once the rule change comes about and we’re assessing for score, that of course opens up the market even more,” he said.