JUST IN: Accreditation Body to Begin Training CMMC Auditors (UPDATED)

By Connie Lee


An accreditation body facilitating implementation of the Pentagon's Cybersecurity Maturity Model Certification version 1.0 has opened up training for third-party auditors, according to an official.

The upcoming cyber requirements reflect the Pentagon's push to protect defense industrial base networks and controlled unclassified information from cyberattacks. The CMMC rules will require contractors to be certified by third-party auditors, who will verify that companies are adhering to certain standards. As the initiative is phased in, contractors will have to meet different levels of security depending on the work they are performing, with level 1 being the lowest and level 5 the most stringent.

“We are busy doing pathfinders in the DoD. We are getting ready to launch our pilots,” Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment, said June 24 during a webinar hosted by cybersecurity company PreVeil. “The Accreditation Body opened the door for training registration for [certified third-party assessor organizations] two days ago.” 

The CMMC Accreditation Body was set up to train organizations conducting CMMC compliance assessments on behalf of the Pentagon.

Requests for proposals that include CMMC requirements are still slated to be released in the fall. In May, Arrington said the RFPs will not be released until the department updates the Defense Federal Acquisition Regulation Supplement 252.204-7012, which sets out the current rules for storing, transmitting and processing defense information.

Corbin Evans, director of regulatory policy at the National Defense Industrial Organization, said in May the Pentagon is changing the DFARS in accordance with the new cybersecurity model. The department has developed a draft rule requiring that new regulations be attached to future contracts, he noted.

Because of COVID-19 safety concerns, the Defense Department has had to change its training plans for assessors. The first class of auditors are now slated to graduate in late July or early August, Arrington said.

“We had a minute that we needed to take and refigure how we did training and assessments,” she said. “The original training was supposed to be on-site. … A portion was web-based, but for the most part it was in-person and we needed to change that trajectory.”

The new cybersecurity model will apply to elements of academia working with the Defense Department as well, she noted. However, the rules will only be imposed on specific academic programs partnering with the Pentagon, not necessarily entire institutions, she said.

“The CMMC will apply to universities and research institutions. We’ll roll it out the same way we’re rolling out the CMMC with the DoD,” she said. “Teaching [students] cyber hygiene has been a passion of mine.”

Update: This story has been updated to clarify that the CMMC Accreditation Body is conducting the training of third-party auditors for the Defense Department's CMMC initiative.

Topics: Defense Department

Comments (2)

Re: Pentagon to Begin Training Third-Party CMMC Auditors

No, the DoD did not open registration and no the Pentagon will not be doing any CMMC training. The CMMC AB opened registration and they will be responsible for the training.

Wayne Boline at 4:17 PM
Re: Pentagon to Begin Training Third-Party CMMC Auditors

Comment - Erik Lenderman | Today, technology continues to grow and develop as computer processing chips and integrated circuits accelerate data sharing among professional services providers and consumers. More recently, computer hardware has grown in capability, and software providers have expanded their platforms. However, security remains one of the sector's continued challenges. Therefore, FedRAMP, NIST, and CMMC requirements have adopted revised standards, but ensuring effective hardware and software security remains a challenge. This has been evidenced by continued system vulnerabilities in the private and public sector. To provide one example, many have raised concerns related to Federal, State, and Municipal election system software platforms. These systems may not be effectively monitored and may lack sufficient security to ensure there is no foreign interference within the U.S.'s election systems. There must be, according to many, a more effective means by which to ensure robust security. Although the Federal Government provides extensive capabilities within their Agencies, State and Local governments require additional cybersecurity infrastructure. The substantial funding provided to Defense and Security Agencies should ensure that citizens situated within or near critical infrastructure networks are able to reach Cybersecurity directorates to request assistance with verifying the security status of their perimeter. However, there remains a continued gap between Federal Agencies, State, and private sector requirements. Private sector, public sector, and congressional leaders require a means by which to verify the nation's systems and their personal systems are secured. This could be accomplished through promoting collaboration between the Federal Government, Internet Service Providers (ISPs), and the consumers of ISP services. 
This trend may grow with time and could certainly assist with promoting a more effective security policy throughout the United States. - Erik Lenderman

Erik Lenderman at 4:40 PM