Small business group launches cyber certification classes based on Pentagon's proposed model

By Rick Weber  / December 13, 2019

The America's Small Business Development Centers this week is hosting the first of what is expected to be dozens of classes throughout the country over the next couple of months that are intended to prepare companies for the Pentagon's Cybersecurity Maturity Model Certification plan expected to be finalized early next year.

"We cannot wait for the CMMC certification body or DOD mandate to move forward," said ASBDC's Charlie Tupitza, who leads the group's cyber and data breach efforts. "There is too much value in the current state of the CMMC to hold back," he said in a statement to Inside Cybersecurity, while stressing the classes will focus on the lowest levels -- one through three -- of DOD's five-tier certification program.

The ASBDC effort is being run separately from the Pentagon's ongoing work to develop the certification program, which is expected to eventually certify the cybersecurity compliance of several hundred thousand contractors.

The group's decision to run with the draft DOD CMMC program is significant because the group's goal is to get small businesses ready for cybersecurity certification -- "80 percent there" -- even before DOD finalizes the CMMC program, Tupitza said. That advance preparation should make compliance with the DOD program easier and faster for contractors.

DOD announced the CMMC program this summer and issued its latest draft plan, version 0.6, in November, with the expectation that the certification requirements would begin to appear in contracts next fall. Later this month, DOD is expected to issue another draft, version 0.7, addressing the highest-risk activities covered by contractor levels four and five. DOD is also in the process of developing an accreditation body that will oversee the third-party assessments conducted under the certification program.

The ASBDC effort is focused on the standards laid out in the latest CMMC draft, which are not likely to change in the final document expected in January.

This week's class is being hosted by the University of Texas at San Antonio and will include several companies and ASBDC "advisers" who are paid staff at the local centers that assist small businesses with the various services offered by the group, which include financial as well as cybersecurity guidance.

ASBDC is expecting to host as many as 40 classes by the end of February, with the curriculum based on an existing assessment "tool" under the Federal Risk and Authorization Management Program, or FedRAMP, which provides a standardized approach to assessing, authorizing and monitoring the security of cloud computing products and services for the government.

"We are launching our first CMMC 1-3 level classes this Friday, 13 December 2019, utilizing a FedRAMP high platform to protect artifacts associated with the participant's preparation for certification," said Tupitza.

The ASBDC effort will include contractors from the defense industrial base but will be focused on assisting all types of small businesses.

"Our initial participants are from both inside and outside of the DIB," said Tupitza. "Our top 20 state networks have agreed to move forward and will kick this in gear in January. The focus of the ASBDC effort is the business value of the CMMC. We help small businesses incorporate cyber and data protection in their business and marketing plans."

The ASBDC has about 1,000 local centers hosted mostly by universities and colleges across the country. The group gets half of its funding from the Small Business Administration and the rest from its host organizations, according to Tupitza.

DOD's CMMC plan is based on cybersecurity standards developed by the National Institute of Standards and Technology for protecting controlled unclassified information on non-federal networks.

Certification at levels one through three under the CMMC plan is based largely on standards in NIST Special Publication 800-171, which was updated in 2018. Levels four and five reference revisions to NIST 800-171, as well as SP 800-171B for dealing with "advanced persistent threats," both of which were proposed in June and are still pending final approval.

NIST's completion of revisions to 800-171 and 800-171B has been held up by a White House review of the NIST SP 800-53 document, which sets foundational standards for the government's handling of information. It has been stalled at the Office of Information and Regulatory Affairs since last January.