Two researchers from Carnegie Mellon University who worked with Pentagon officials to develop the Cybersecurity Maturity Model Certification program will be teaching a five-hour course on the landmark effort at a National Defense Industrial Association training event on May 6.
CMU's Software Engineering Institute and Johns Hopkins University Applied Physics Laboratory have worked with the Pentagon to create the foundational framework for DOD's CMMC program.
The NDIA workshop, "CMMC 101: A Primer to the Program," features Andrew Hoover and Katie Stewart, who the association says are "both senior engineers of the institute's technical staff."
"Together, they will lead attendees through the reasons for CMMC, its levels and what is needed to comply by the 2025 deadline," NDIA said in an announcement this week.
The course is not an authorized training for assessors who want to be able to certify contractors for CMMC compliance. Instead, it is focused on providing information to the defense industrial base on the CMMC standard, said Corbin Evans, principal director of strategic programs at NDIA.
"The training will focus on how the standard was formed, why the standard was formed and what companies need to do to learn more about how to implement CMMC," Evans told Inside Cybersecurity. The course will also explore "the timeline for implementation and some of the policy requirements" as well as "touching partially" on "the practices and controls [that] are contained in the CMMC."
Evans said NDIA partnered with Carnegie Mellon's Software Engineering Institute due to its work with DOD developing the CMMC standard.
"We could not have gotten a better source of information in terms of how the CMMC model was formed, how exactly the intentions are around the CMMC model [than] the model architects themselves," Evans said.
The CMMC-focused training is the first in a series of NDIA courses through the association's new Business Institute. NDIA is planning to "have additional course offerings based on issues of high importance to our defense industrial base members," Evans said. The CMMC course is open to the general public.
Over the past few months, NDIA has conducted tabletop exercises on different aspects of the CMMC program for its members. The first tabletop explored what a company needs to do to become compliant with CMMC and implement standards outlined in National Institute of Standards and Technology Special Publication 800-171.
The second tabletop explored the "impact of the CMMC program on operational technology versus IT," Evans said. The third exercise focused on controlled unclassified information and "the flow of CUI through prime contractor down to subcomponent, subcontractors and thru the supply chain."
NDIA conducted its fourth and final exercise in March, which Evans said looked at "issues that contractors run into in performing a contract with CMMC language included."
"There were some good issues raised related to the timing and brought up some interesting questions on how that would work in terms of having your subcontractors CMMC certification or if they have previously submitted their basic assessment under the DFARS clause," Evans said. The basic assessment is based on compliance with NIST 800-171.