While 2020 was a volatile year, it made it clear that the CMMC program was needed in national security. CMMC had many successes in its first year, and it is moving forward, despite all of the challenges in getting off the ground.
CMMC Announced
In 2020, CMMC kicked off with the Office of the Under Secretary of Defense for Acquisition & Sustainment announced and introduced the Cybersecurity Maturity Model Certification (CMMC) program. “CMMC is a certification framework that sets out to secure the US defense industry and their associated Controlled Unclassified Information (CUI).”
CMMC is a five-tiered cybersecurity assessment system that all DoD prime contractors (and subcontractors) must attain at a level appropriate for their business if they want to be awarded contracts with the DoD in the future.
MOU for CMMC Accreditation Board Established
Almost halfway through 2020, in June, the details about the accreditation board were publicized. Although a Memorandum of Understanding (MOU) was signed in March, information on what was in the memo was not made available until now. In a nutshell, it says that the “CMMC-AB is responsible for and authorized to manage, control and administer CMMC assessments, certification, training and accreditation processes with respect to the DSC. DoD intends to utilize the results of the CMMC-AB’s accreditation efforts to satisfy future DoD solicitation requirements regarding an entity’s CMMC certification status.”
It goes on to state that third-party assessors at Level 3 and above on the DoD’s five-level scale will need to be ISO 17020 certified. The intent of this requirement is to increase the level of professionalism at these higher levels. Attaining ISO certification generally takes up to six months of training and credentialing.
It goes on to state that at all levels, the DoD will only accept assessments from assessors that have been certified to perform said assessments by the CMMC-AB or by the CMMC Third-Party Assessment Organization (C3PAO).
Pay to Play Cybersecurity Partnership
In September 2020, the CMMC-AB announced a “Partner Program” on their website. Basically, the accreditation body would charge companies up to $500,000 to promote and market them as recognized leaders in cybersecurity. There were five partner levels of participation:
- Diamond – $500,000 – three participants at this level
- Platinum – $250,000 – five participants at this level
- Gold – $100,000 – five participants at this level
- Silver – $25,000 – 15 participants at this level
- Bronze – $5,000 – 50 participants at this level
For companies that subscribed to the “pay to play” scheme, they would be recognized as leaders in cybersecurity, receive recognition on the CMMC-AB website, and promoted in newsletters, interviews and the marketplace on a sliding scale based on their participation level. And at all levels except the last, a scholarship would be created in their name.
This created a conflict of interest between the AB, assessors, and companies within the CMMC system, as it would give assessors at higher levels of participation advantage over those at the lower levels. And neither was the DoD nor full AB board consulted before posting the program online. Almost immediately, it was taken down and is “Pending Revision”. Days later the AB Chairman Ty Schieber and Communications Chair, Mark Berman were forced out of the AB.
With over 300,000 DoD contractors that must be certified through assessment (and recertified every three years), whole new businesses will be created that do nothing but cybersecurity assessments.
CMMC-AB Signs SOW with the DoD
In November, The CMMC-AB signed a no-cost Statement of Work (SOW) contract with the DOD that would make the AB the sole accreditor and oversight board as far as implementing the new DoD’s cybersecurity standards, putting to rest a rumor that other companies might be involved in that implementation.
While much of the language in the new SOW is the same as the previous MOU, the SOW carries more legal weight and now allows the AB to hire more staff and finalize its search for a CEO.
CMMC Rule Goes into Effect
The DoD’s certification rule finally took effect on December 1st and now the Pentagon can put CMMC requirements into contracts starting on January 1, 2021. It was originally scheduled to take effect in May 2020 but was delayed until now due to issues caused by the pandemic.
This puts the previous DoD rule where companies were required to certify their own cybersecurity (but many were not) to rest and beings in a new era of outside assessments for companies wanting to contract with the DoD. By 2026, all DoD contractors and subcontractors will need to have passed a cybersecurity assessment at a level appropriate to their DoD mission-essential status.
Status of CMMC for 2021
On January 26 at its town hall meeting, the CMMC-AB announced its new permanent chair – Karlton Johnson who served as the vice-chair before the ousting of Schieber; since September, he has been the acting chair before becoming the permanent chair. Johnson, a former Air Force Colonel has extensive experience in the operation of networks in combat zones. Also at the same meeting, DoD representatives announced the initial contracts that would include the CMMC assessment language.