CMMC countdown is on but are there enough assessors to do the job?

eye behind data (Titima Ongkantong/ 

Not having enough assessors to do in-person audits for defense contractors is a chief worry as the Defense Department prepares for the rollout of its upcoming Cybersecurity Maturity Model Certification program, according to a defense official.

"My biggest concern on the making sure that I have enough assessors in the geographical area for the assessments as we roll these pilot programs out," said Katie Arrington, the Defense Department's chief information security officer for acquisition, said during a keynote presentation at the virtual CyberSheath's virtual CMMC conference Nov. 18.

Arrington said a portion of the audits required for some companies have to be done onsite, which requires travel and in-person contact with proper health and social distancing protocols.

As of Dec. 1, companies looking to do business on new contracts with the Defense Department will have to submit proof of a self-assessment on compliance with the National Institute of Standards and Technology's SP 800-171 controls. There's an exception for vendors who sell commercial-off-the-shelf products.

A self-assessment for basic cyber hygiene practices, or level 1, will be the minimum requirement. But companies seeking work that requires processing, storing, or transmitting, but unclassified, information will also have to seek higher certification levels and submit to audits by assessors certified by the CMMC Accreditation Body, an independent not-for-profit entity charged by DOD with developing training and handling audits.

The CMMC AB began training assessors this summer, but their numbers are far from the estimated 2,000 needed to audit hundreds of thousands of defense contractors. Arrington noted in October at a separate event that only 50 assessors have been provisionally trained so far.

Jeff Dalton, who heads the accreditation and credentialing committee as a CMMC Accreditation Body board director, estimated about 2,000 total assessors for the approximately 300,000 defense companies that would need to get certified.

But that number could change over time, especially because single entities could need more than one assessment.

"We can't just put out an ad on LinkedIn and say all cybersecurity professionals report for duty, which would be great [but] we'd run out of cybersecurity professionals pretty quickly," Dalton said during an Oct. 21 FedScoop event.

Dalton also said CMMC has created a new industry that will take time to develop assessors and certified professionals to service the defense industrial base.

"We're all doing our best to get this out as quickly as we can. Probably won't be as fast as people want, probably won't be exactly what people are expecting always, but we're learning as we go."

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.


  • Workforce
    White House rainbow light shutterstock ID : 1130423963 By zhephotography

    White House rolls out DEIA strategy

    On Tuesday, the Biden administration issued agencies a roadmap to guide their efforts to develop strategic plans for diversity, equity, inclusion and accessibility (DEIA), as required under a as required under a June executive order.

  • Defense
    software (whiteMocca/

    Why DOD is so bad at buying software

    The Defense Department wants to acquire emerging technology faster and more efficiently. But will its latest attempts to streamline its processes be enough?

Stay Connected