CMMC countdown is on but are there enough assessors to do the job?

Katie Arrington, DOD's CISO for acquisition, said having enough assessors to do in-person audits of defense contractors is her biggest concern.


Not having enough assessors to do in-person audits for defense contractors is a chief worry as the Defense Department prepares for the rollout of its upcoming Cybersecurity Maturity Model Certification program, according to a defense official.

"My biggest concern on the rollout...is making sure that I have enough assessors in the geographical area for the assessments as we roll these pilot programs out," said Katie Arrington, the Defense Department's chief information security officer for acquisition, during a keynote presentation at CyberSheath's virtual CMMC conference Nov. 18.

Arrington said a portion of the audits required for some companies have to be done onsite, which requires travel and in-person contact with proper health and social distancing protocols.

As of Dec. 1, companies looking to do business on new contracts with the Defense Department will have to submit proof of a self-assessment on compliance with the National Institute of Standards and Technology's SP 800-171 controls. There's an exception for vendors who sell commercial-off-the-shelf products.

A self-assessment for basic cyber hygiene practices, or level 1, will be the minimum requirement. But companies seeking work that requires processing, storing, or transmitting controlled unclassified information will also have to seek higher certification levels and submit to audits by assessors certified by the CMMC Accreditation Body, an independent not-for-profit entity charged by DOD with developing training and handling audits.

The CMMC AB began training assessors this summer, but their numbers are far from the estimated 2,000 needed to audit hundreds of thousands of defense contractors. Arrington noted in October at a separate event that only 50 assessors had been provisionally trained so far.

Jeff Dalton, who heads the accreditation and credentialing committee as a CMMC Accreditation Body board director, estimated about 2,000 total assessors for the approximately 300,000 defense companies that would need to get certified.

But that number could change over time, especially because single entities could need more than one assessment.

"We can't just put out an ad on LinkedIn and say all cybersecurity professionals report for duty, which would be great [but] we'd run out of cybersecurity professionals pretty quickly," Dalton said during an Oct. 21 FedScoop event.

Dalton also said CMMC has created a new industry that will take time to develop assessors and certified professionals to service the defense industrial base.

"We're all doing our best to get this out as quickly as we can. Probably won't be as fast as people want, probably won't be exactly what people are expecting always, but we're learning as we go."