The Creation of the CMMC Accreditation Body
When the Department of Defense announced its Cybersecurity Maturity Model Certification (CMMC) framework in mid-2019, it quickly became clear that an external private organization was required to manage the program and serve as a bridge between government and the private sector. After issuing a Request for Information and collecting feedback from industry stakeholders, the CMMC Accreditation Body was established to fill that role. The CMMC AB was formally incorporated as a Maryland 501(c)(3) nonprofit in January 2020. That same month, the DoD formally unveiled the CMMC version 1.0 framework.
Fifteen members were appointed to the CMMC Accreditation Body board, tasked with developing an entirely new organization from the ground up. They quickly developed formal bylaws, a code of ethics, and a tentative organizational hierarchy, maintaining their momentum even as the COVID-19 pandemic unfolded. Update: In March 2020, the CMMC Accreditation Body signed a Memorandum of Understanding with the DoD, codifying their relationship and the CMMC AB’s authority.
Who's in the CMMC Accreditation Body?
The DoD has gone to great lengths to include industry stakeholders in the CMMC development process, and these efforts are reflected in the diverse backgrounds of the CMMC Accreditation Body board. Mr. Ty Schieber, Board Chairman, comes from the world of academia and has extensive background in defense and technology. Mr. Karlton Johnson, Vice-Chairman, has strong cybersecurity experience with the USAF and currently leads a strategy consulting firm. In fact, the majority of the CMMC AB board members come from small firms and businesses, with only a minority employed by industry giants like Raytheon and Accenture. This is an encouraging sign that the concerns of small and medium-sized businesses will be heard and considered throughout the process.
The CMMC initiative is being spearheaded by Katie Arrington, CISO for the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S). Katie has participated in over 120 speaking engagements on CMMC and is described by Ty Schieber as its ‘voice and force of personality.’ Although the MOU which details the CMMC Accreditation Body’s relationship with the DoD has not been released to the public, it is clear that the board will coordinate closely with the DoD, and with the OUSD A&S in particular.
Given the enormity of the task facing the CMMC Accreditation Body, community input and support are essential. The board has created several working groups dedicated to an array of topics, including Standards Management, Credentialing, Assessment Quality Assurance, Assessment Methodology, Training, and Assessor Examination objectives. These working groups are a great opportunity for companies like your own to shape the implementation of the CMMC program.
These working groups feed input into internal CMMC Accreditation Body committees, which consolidate the information and provide guidance to the executive committee. This provides a direct pipeline from industry to the board of directors, informing their decisions as they build the CMMC ecosystem. Currently, there are committees for finance, nominating, infrastructure, accreditations & credentialing, communications, and training/assessments.
Finally, there will be professional staff conducting the everyday business of operating the CMMC Accreditation Body. We can safely assume this will include Human Resources, Information Technology, Accounting, and other departments common to major organizations. The CMMC AB expects to maintain offices in close proximity to California, Washington DC, Texas, Connecticut, Florida, Washington, Pennsylvania, Massachusetts, and Arizona, which in aggregate account for over 61% of DoD contract spending.
What are the CMMC Accreditation Body's Responsibilities?
The CMMC Accreditation Body will be the sole entity authorized to accredit defense contractor cybersecurity. The CMMC AB describes its role as being “responsible for the implementation and maintenance of the CMMC ecosystem,” which requires multiple lines of effort:
- Developing requirements and awarding accreditations to C3PAOs (Certified 3rd Party Assessment Organizations) and individual assessors. The CMMC Accreditation Body will enter a contractual relationship with each C3PAO, which in turn will contract individual assessors to conduct the actual audits.
- Developing a CMMC Body of Knowledge (CMMCBOK), which will serve as a reference for assessors, C3PAOs, instructors, and trainers and ensure the CMMC standards are uniformly applied. All learning objectives for CMMC training will be derived from the CMMCBOK.
- Designing the training and certification ecosystem for CMMC assessors. In addition to developing and delivering the certification exams, the CMMC Accreditation Body will certify instructors, award certifications, conduct assessor background checks, and administer the continuous learning credits required for assessors to maintain accreditation.
- Administering a Continuous Monitoring tool that will scan DoD contractor networks from the outside, alerting them to major changes in their security posture. With CMMC audits valid for three years, this tool will ensure security standards are maintained in the interim.
- Reporting metrics to the DoD and providing Quality Assurance for the CMMC ecosystem. This includes determining where conflicts of interest lie between C3PAOs and consulting firms, and adjudicating disputes between C3PAOs and organizations seeking certification (‘OSCs’).
- Launching and operating a CMMC Marketplace where OSCs can browse through C3PAOs and assessors, then request an assessment at their desired CMMC level. Each assessor will have a license number, linked to the license number of their respective C3PAO, allowing the CMMC Accreditation Body to track and administer the ecosystem.
Because the CMMC Accreditation Body is developing these functionalities as we speak, new information will continue to trickle out over the weeks and months ahead. Sign up for Totem blog updates (very bottom right of this page) and we’ll keep you posted!
What's Next for the CMMC Accreditation Body?
There are still many questions that have yet to be answered. For example, the exact requirements for C3PAOs and assessors have not been disclosed yet, nor have the costs for training, examinations, and accreditation.
Naturally, this makes it difficult for contractors to predict how much their CMMC audits might cost. One encouraging bit of news is that the CMMC Accreditation Body has emphasized that as a non-profit, any costs they impose will be designed only to recoup their operating expenses.
We also don’t have a clear picture of what the CMMC marketplace will look like. In one recent interview, Katie Arrington explained that “…the third-party assessors will not be able to offer products to the companies they vet… The assessors will only be allowed to charge contractors for the service of testing their networks. Any solutions to the problems they find will have to be bought separately on the CMMC board’s marketplace.” This suggests that in addition to requesting audits and selecting assessors, contractors may also be able to purchase cybersecurity solutions through the CMMC marketplace.
Questions about the staffing of the CMMC Accreditation Body remain unanswered as well. Leadership positions are unfilled, and the salaries, benefits, and start dates for individual positions are entirely unknown. In fact, the board has not even decided where its headquarters will be located, although the DC-Maryland-Virginia area is a safe bet. The CMMC AB also expects that remote positions may be available for certain roles.
How will the CMMC Accreditation Body Affect Defense Contractors?
Ultimately, the CMMC Accreditation Body will shape every aspect of the security framework and its implementation. When problems arise, the CMMC AB will serve as arbiter between your company and the C3PAO or assessor, and when a vulnerability appears on your network after a CMMC level has been awarded, the CMMC AB will provide early notification. At Totem, we’re keeping our ear to the ground as the CMMC Accreditation Body takes shape. Stay tuned for more developments over the months ahead!