JUST IN: Accreditation Body to Begin Training CMMC Auditors (UPDATED)
An accreditation body facilitating implementation of the Pentagon's Cybersecurity Maturity Model Certification version 1.0 has opened up training for third-party auditors, according to an official.
The upcoming cyber requirements are a reflection of the Pentagon's push to protect defense industrial base networks and controlled unclassified information from cyber attacks. The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that companies are adhering to certain standards. As the initiative is phased in, contractors will have to meet different levels of security depending on the work they are performing, with level 1 being the lowest and level 5 the most stringent.
“We are busy doing pathfinders in the DoD. We are getting ready to launch our pilots,” Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment, said June 24 during a webinar hosted by cybersecurity company PreVeil. “The Accreditation Body opened the door for training registration for [certified third-party assessor organizations] two days ago.”
The CMMC Accreditation Body was set up to train organizations conducting CMMC compliance assessments on behalf of the Pentagon.
Requests for proposals that include CMMC requirements are still slated to be released in the fall. In May, Arrington said the RFPs will not be released until the department updates the Defense Federal Acquisition Regulation Supplement 252.204-7012, which are the current rules for storing, transmitting and processing defense information.
Corbin Evans, director of regulatory policy at the National Defense Industrial Organization, said in May the Pentagon is changing the DFARS in accordance with the new cybersecurity model. The department has developed a draft rule requiring that new regulations be attached to future contracts, he noted.
Because of COVID-19 safety concerns, the Defense Department has had to change its training plans for assessors. The first class of auditors are now slated to graduate in late July or early August, Arrington said.
“We had a minute that we needed to take and refigure how we did training and assessments,” she said. “The original training was supposed to be on-site. … A portion was web-based, but for the most part it was in-person and we needed to change that trajectory.”
The new cybersecurity model will apply to elements of academia working with the Defense Department as well, she noted. However, the rules will only be imposed on specific academic programs partnering with the Pentagon, not necessarily entire institutions, she said.
“The CMMC will apply to universities and research institutions. We’ll roll it out the same way we’re rolling out the CMMC with the DoD,” she said. “Teaching [students] cyber hygiene has been a passion of mine."
Update: This story has been updated to clarify that the CMMC Accreditation Body is conducting the training of third-party auditors for the Defense Department's CMMC initiative.
Topics: Defense Department