In the United States, the Cybersecurity Maturity Model Certification (CMMC) is the cybersecurity benchmark for businesses in the Defense Industrial Base (DIB). In January 2020, the Cybersecurity Maturity Model Certification Accreditation Body, Inc. (CMMC-AB), a Maryland-based not-for-profit corporation, was formed as an independent accreditation entity for the CMMC program. A Memorandum of Understanding (MOU) signed in March 2020 then defined the interconnected roles and responsibilities of the CMMC-AB and the DoD. The DoD has since designated the CMMC-AB as its sole authorized accreditation and certification partner for the CMMC.
What is the CMMC Accreditation Body?
As an independent organization, the CMMC-AB authorizes and accredits CMMC Third Party Assessor Organizations (C3PAOs), Certified CMMC Assessors (CCA), Certified CMMC Professionals, Registered Provider Organizations (RPO), and many other key roles within the greater CMMC ecosystem. The CMMC-AB also established the CMMC Assessors and Instructors Certification Organization (CAICO) in accordance with Department of Defense (DoD) requirements.
Notably, the CMMC-AB is required to achieve compliance with ISO/IEC 17011, Conformity Assessment – Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies, by the end of 2022. ISO/IEC 17011 does not permit an accreditation body to also control the training program for the bodies and individuals it accredits. Therefore, the CAICO will split from the CMMC-AB sometime in 2021 to develop and provide training content for the CMMC ecosystem through Licensed Training Providers (LTP).
As discussed briefly above, only CMMC-AB authorized and accredited C3PAOs can conduct a CMMC assessment of a DIB company's unclassified networks and issue the corresponding CMMC certificate based on the results of the assessment. Moreover, the CMMC-AB has the authority to authorize a C3PAO to perform CMMC assessments before that C3PAO achieves full accreditation.
How does the CMMC-AB authorize C3PAOs? What is the CMMC-AB Marketplace?
The first C3PAO was announced in June 2021 by the CMMC-AB and designated in the CMMC Marketplace. As mentioned previously, C3PAOs are the only entities eligible to execute CMMC assessments for Organizations Seeking Certification (OSC). OSCs can find authorized and accredited C3PAOs on the CMMC-AB Marketplace website, along with all other RPOs, Registered Practitioners (RPs), Provisional Assessors (PAs), LTPs and more.
DIB companies and C3PAOs coordinate assessments and conduct all contractual negotiations directly, without involvement from the CMMC-AB. After the assessment, the C3PAO publishes an assessment report, and the CMMC-AB issues the appropriate CMMC certificate if the OSC meets the requirements for the targeted level. The C3PAO then remits the assessment report and the CMMC certificate to the DoD.
The CMMC Assessment Guides are available for conducting a self-assessment before engaging a C3PAO. A DIB company can use its own self-assessment results to remediate gaps prior to the C3PAO certification assessment. The CMMC-AB does not set the cost of an assessment or certification; those terms are contracted directly between the DIB company and its chosen C3PAO for the assessment project.
For firms that seek to become a C3PAO, the CMMC-AB has published the requirements and timelines on the CMMC-AB website (www.cmmcab.org).
Why CMMC-AB Now?
The scope, scale and sophistication of cyber threats and attacks against US-based institutions and infrastructure are on the rise. News reports of data breaches and ransomware attacks by foreign nation-states and criminal actors are now commonplace in our weekly headlines. Regarding the recent SolarWinds cyber-attack, SolarWinds President and CEO Sudhakar Ramakrishna shared that the attackers had been hiding in plain sight in the company's network for nearly two years. Roughly 37 Department of Defense (DoD) suppliers were compromised as collateral damage in the SolarWinds incident.
SolarWinds was one of several significant cyberattacks in 2020 that highlighted how a breach in one organization threatens an entire supply chain. The cybercrime momentum has continued into 2021. As a result, organizations are accelerating investments to modernize and certify their cybersecurity infrastructure and practices to reduce exposure and defend against cyber threats.
The emergence of the CMMC-AB couldn't have come at a better time to reduce the risks created by cybercriminals. However, the implementation of CMMC will not happen overnight. The DoD is taking a phased approach to implementing CMMC in all new contract acquisitions through September 30, 2025. Currently, the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in any solicitation.
In Fiscal Year 2021, the DoD is targeting 15 new prime acquisitions to carry CMMC requirements during the CMMC pilot phase. By FY2025, however, all DoD acquisitions will require CMMC, with many contracts incorporating CMMC Levels 4 and 5. This schedule could change dramatically as the cyber landscape continues to evolve.
What’s Next for the CMMC-AB?
The CMMC-AB comprises 11 highly qualified cybersecurity and policy professionals, though the total number has fluctuated since inception:
- Karlton D. Johnson, Chairman
- Jeff Dalton, Vice Chairman
- Sheryl Hanchar, Secretary
- Yong-Gon Chon, Treasurer
- Regan Edens
- Charlie Williams, Jr.
- Matt Travis, Chief Executive Officer
- Raymond Karrenbauer, Chief Financial Officer and Executive Vice-President
- Melanie Kyle Gingrich, Vice-President, Training and Development
CAICO Members have yet to be publicly announced as of this writing. Executive leadership team updated August 5, 2021.
The CMMC-AB's not-for-profit status is currently pending. While the CMMC-AB was formed in January 2020, it did not apply for 501(c)(3) non-profit status until February 2021. In the interim, the CMMC-AB operates, conducts, and audits its finances like a not-for-profit corporation. To that end, the board of directors is not compensated and has never received dividends or profits from the CMMC-AB. The CMMC-AB expects the IRS to approve its 501(c)(3) non-profit status within the next twelve months.
In March 2021, the CMMC-AB Board named Matt Travis, former CISA deputy director, as the first chief executive officer for the organization. Moreover, the CMMC-AB has kicked off a series of Town Hall Meetings to foster awareness, conversations, and supportive relationships with the DIB community.
In the April 2021 CMMC Town Hall, Matt Travis shared his top priorities for the organization:
- Start delivering results for the CMMC ecosystem. Individuals and OSCs need the means to achieve their certifications quickly. Cybercriminals and nation-state bad actors are not waiting for the DIB community to get certified before the next attack.
- Fully professionalize the staff of the CMMC-AB. Since its formation, the CMMC-AB's volunteer board members have performed all of the organization's operations. Now, the CMMC-AB is hiring professional staff to relieve the Board of Directors of operational roles so it can transition to oversight and governance duties. In May 2021, the CMMC-AB announced that Melanie Kyle Gingrich would join as Vice President for Training and Development to establish training and development for C3PAOs and Assessors. In August 2021, Raymond Karrenbauer joined the CMMC-AB as Chief Financial Officer and Executive Vice-President, overseeing the organization's technology portfolio and marketplace experience.
- Ensure that the CMMC-AB is the role model for CMMC. This is a two-fold effort. First, the CMMC-AB has to ensure that it is itself CMMC compliant and certified. Second, the organization must also achieve ISO/IEC 17011 accreditation by the end of Fiscal Year 2022.
- Focus on being a transparent and ethical community partner. Travis is keenly aware of the sensitivities of the DIB community and the investments it is making to secure our nation's supply chain and digital infrastructure. To that end, Travis has committed to being available and openly communicative with the DIB ecosystem about everything the CMMC-AB is doing to foster and deliver results for CMMC.
How do I prepare for CMMC Assessment?
DIB companies should begin readiness and self-assessment planning using the CMMC Assessment Guide that applies to them; for most companies that handle Controlled Unclassified Information (CUI), that means CMMC Level 3. As more firms are designated as authorized and accredited C3PAOs, DIB companies can begin to coordinate and schedule their CMMC assessments.
For DIB companies seeking to become a C3PAO, the CMMC-AB provides the requirements and manages the candidate registration process on the CMMC-AB website, www.cmmcab.org.
Today, Summit 7 is a Registered Provider Organization (RPO) in the CMMC-AB Marketplace and has served hundreds of government contractors in helping them protect sensitive data in their IT environments. You can read more about Summit 7’s security and compliance solutions here.