CMMC training underway for auditors

Training of the third-party accreditors for the DOD's upcoming unified cybersecurity standard will take place from now until June, according to the Defense Department's acquisition head.

Ellen Lord, the defense undersecretary for acquisition and sustainment, told reporters the final version of the Cybersecurity Maturity Model Certification is set to publish by the end of January, and an independent accrediting body will begin training the auditors.

"The release is the end of this month for the CMMC model version one," Lord told reporters during a Jan. 14 Defense Writers Group event in Washington, D.C. "The initial training is taking place of the assessors between now and June," which is when the first requests for information including the standard are expected to roll out.

The CMMC accreditation body, a not-for-profit and independent group of stakeholders, has been stood up and recently selected its chair. The consortium, as Lord referred to it, will take the cyber standards set to be released this month and use them to develop training and certification requirements for the third-party assessment organizations and individual assessors that will evaluate companies.

FCW has reached out to the accrediting body for more information on training.

Ty Schieber, the CMMC accrediting body's chairman, previously told FCW the organization has several working groups that will help define and strategize around the accrediting body's functions, including governance, standards, adjudication, organizational structure, change management and budget.

Lord said the accrediting body "will incorporate semi-automated processes" and "include a tool that certified third-party assessors will employ for audits and collecting metrics to inform risk."

The impending cybersecurity certification has drawn concern among small business advocates, particularly around cost and the required expertise for implementing the standards.

When asked about whether DOD has done an impact study on how CMMC will affect small businesses, Lord didn't have a clear answer, simply saying that trade organizations such as the Professional Services Council, were looking into it.

"One of my biggest concerns was really about small and medium businesses because that's where a large part of innovation comes from and we need that. We want to retain them," Lord told reporters.

DOD has said it is working with the accrediting body, prime contractors, and industry associations to brainstorm ideas on how to make implementing the cybersecurity standard more cost effective. However, Lord said, there won't be a way around CMMC, and waivers were not being considered at this time.

"I do not anticipate waivers at this point in time," Lord said. "We have not discussed that because cybersecurity is so critical, it becomes a differentiator."

Instead of waivers, Lord reiterated that CMMC has multiple levels, the lowest of which adheres to basic cyber hygiene practices and can be tailored to any system.

Ultimately, Lord said it's an "ecosystem" when it comes to supply chain security.

"We do understand this is an ecosystem, and frankly we often forget that," she said. "When you look at integrated supply chain, you have six, seven, eight, nine levels down and it's that six, seven, eight, nine levels that we are really, really concerned about."

DOD is anticipating to complete the federal rulemaking process for CMMC by the end of 2020.