DOD working groups grapple with standards, governance and functions of cyber accreditation body

By Rick Weber / December 12, 2019

The Defense Department has convened a series of industry working groups to develop recommendations for creating an accreditation body that will be central to a cybersecurity certification program for Pentagon contractors expected to be up and running next year.

The working groups -- addressing a wide range of issues such as adjudication, governance, standards, and scope of the accreditation body's functions -- laid out preliminary recommendations last week at a meeting called by DOD and hosted by the Professional Services Council. The Dec. 4 meeting was the second on establishing an accreditation body for the Cybersecurity Maturity Model Certification program, with DOD officials expected to meet with working group leaders Dec. 17 to hash out further work on recommendations, according to sources.

"The essential functions of the CMMC [accreditation body] can be handled by six functional groups within the overarching CMMC AB, not including the CMMC Advisory Council, which is considered a coordinating body, external to the CMMC AB," according to the recommendations of the "Scope" working group. "The six functional groups within the CMMC AB are: AB Management, Training, Accreditation, Certification, and Assessment Operations" as well as adjudication.

DOD officials had intended to sign a memorandum of understanding with a CMMC accreditation body this month, but that schedule appears to have slipped as the working groups' recommendations indicate a significant amount of work remains before kicking off the certification process. Industry sources say they have yet to see any MOU language.

DOD did not respond to a request for comment. The CMMC effort is being led by Katie Arrington, special assistant on cybersecurity within the office of the under secretary of defense for acquisition and sustainment.

"That the AB will need to contain most of the functions internally to succeed" is among the "assertions/assumptions" presented by the working group. "We may outsource the training, continuous monitoring or other such activities but the core three above will need to occur within the AB."

"Metrics must be understandable [and] Cyber Risk should be quantifiable," the group said.

The accreditation body will be expected to train and certify the individuals and CMMC third-party assessment organizations (C3PAOs) as well as oversee quality control for those assessments.

"Receive and process accreditation requests, verify/report accreditation status, [and] verify/monitor re-accreditation status" will be functions of the AB in accrediting individual assessors and C3PAOs, according to the working group.

"Accreditation of C3PAOs and Individual Assessors (hereafter the term C3PAOs is intended to include 3rd Party individual assessors) is an AB activity," according to the working group recommendations. "There are different classes of accreditations considering a number of factors" such as the scope of third-party assessments, the capabilities of the C3PAO and the completion of a CMMC self-assessment by an organization as a "trial assessment" before being certified.

The AB also will be responsible for receiving complaints as part of a dispute-resolution process.

"Disputes regarding contract CMMC level requirements will be addressed between the government and a contracted entity, subject to appeal as defined by the contract," according to the working group.

The working group is planning to "nail down" a training curriculum by January and to publish training materials by February.

The working group on a "Coordinating Council for Commercial Standards" has been tasked with identifying existing federal policy and standards on managing cybersecurity risks that can be "leveraged" to reduce compliance costs and "enable DOD acquisition decisions," according to its recommendations presented at the CMMC meeting.

The group also assumes the establishment of a permanent CMMC Standards Coordinating Council that "shall operate as a '[Federal Advisory Committee Act]-like' advisory group made up of leading non-profit industry groups who have established Cyber operations and extensive communities of practice."

The "Adjudication" working group has identified the establishment of a budget as among key "next steps" for the CMMC process.

"We need to get a sense of the budget that will be available," the group says in its recommendations. "Setting up the website and putting in place the organizational architecture will take time, and we should be prepared in advance because appeals are likely."

The group says, "We need to more fully define who the judges will be and whether/how they will be compensated," adding: "We need to create formal rules now, but the functional rules will need to be created after the training and certification program are complete or at least farther along."

Other CMMC working groups include: "Organization Structure" and "Change management for CMMC structure."

The latest CMMC draft, version 0.6, was issued on Nov. 7, focusing on the security controls expected of DOD contractors seen as posing the lowest risks, levels one through three of the proposed five-tiered certification program. According to sources, DOD is expected to issue another draft, CMMC version 0.7, this month that will address security controls for levels four and five contractors, which are seen as most crucial to Pentagon weapon systems and networks.

The CMMC plan is based on cybersecurity standards developed by the National Institute of Standards and Technology for protecting controlled unclassified information on non-federal networks.

Certification at levels one through three under the CMMC plan is based largely on standards in NIST Special Publication 800-171, which was updated in 2018. Levels four and five reference revisions to NIST 800-171, as well as SP 800-171B for dealing with "advanced persistent threats," which were proposed in June and are still pending final approval.

NIST's completion of revisions to 800-171 and 800-171B has been held up by a White House review of the NIST SP 800-53 document, which sets foundational standards for the government's handling of information. It has been stalled at the Office of Information and Regulatory Affairs since last January.