CMMC training registration opens, but implementation worries persist

The first cadre of DOD cybersecurity assessors is expected to graduate by early August, but concerns loom over Cybersecurity Maturity Model Certification.

Katie Arrington, DOD's chief information security officer for acquisitions, said the CMMC Accrediting Body began accepting training registrations this week for third-party certifiers, or certified third-party assessor organization (C3PAO). The Cybersecurity Maturity Model Certification program effort has had to pivot some since its initial roll out earlier this year, partly due to the pandemic and social distancing measures.

Arrington, who spoke at a PreVeil webinar on contractor perspectives on CMMC June 24, said the board had to reconfigure training from onsite to virtual. The process was also hit snags in the rulemaking process to revise the defense acquisition regulations, which Arrington said is now underway.

However, the process is still moving with requests for information expected to be released as the first graduates finish at the end of July and early August. Final requests for proposals for certification services are expected to hit the street this fall, but awards in calendar 2020 are unlikely she said. Companies won't need certification until time of award.

Some defense experts are still concerned about the program's commercial focus.

"You're handing over to a third party whether people will be able to bid on contracts or not. That made me a little nervous because that tends to be an inherently governmental function, determining whether somebody is a responsible contractor," Frank Kendall, the former Undersecretary of Defense for Acquisition, Technology, and Logistics said during a June 24 meeting of the Information Security and Privacy Advisory Board of the National Institute of Standards and Technology.

Kendall, currently a board member at Leidos and senior fellow and adviser for the Center for American Progress and the Center for Strategic and International Studies, said that while he supported well-defined standards, he worried that CMMC allows the government to outsource its cybersecurity oversight responsibilities with respect to contracts.

"If the government has a problem enforcing its contracts, maybe the government should do a better job enforcing its contracts," Kendall said. "The much more straightforward approach would be to build up the government's capacity to inspect firms and take corrective action if they're not meeting the standards."

In April, Kendall wrote in Forbes that litigation risks could increase if an independent assessor tells a company it doesn't meet the certification level needed for a contract.

"When an assessor effectively tells a business that it is not allowed to bid on a government contract it may have been preparing to bid on for months if not years, people are going to get upset, very upset. The list of possible disputes is long – where and how will they be resolved? Who will absorb the litigation risk for the Authorization Board, the Accredited Organizations, or the licensed Assessors?"

Those certification and potential bid denials could affect government performance, he said, with less competition and delays, as companies that haven't been certified or failed certification can't bid on or win contracts.

But for now, companies should do what they can to meet the requirements and wait to see what changes arise as questions about implementation come up and are addressed.

"What I'm afraid we'll end up with is an illusion that we have more cybersecurity than we actually have because people will have certifications," said Kendall.