Recent developments at the independent authority overseeing accreditation of assessors for the Pentagon's cyber certification program are raising concerns at one of the nation's largest defense associations, which represents a wide variety of contractors who make up the defense industrial base.
Cybersecurity Maturity Model Certification Accreditation Body leaders Ty Schieber and Mark Berman are leaving the board of directors, marking a significant change in leadership as the accreditation body enters a new stage of training and assessments.
Schieber's last day at the CMMC-AB was Sept. 11 while Berman is resigning but still working with the organization "for a couple of weeks." Berman, who served as the CMMC-AB's communications chair, is working on transferring his responsibilities to other board members before his official departure.
Board vice chair Karlton Johnson has been promoted to chairman of the board.
"We are interested to see the next steps here," Corbin Evans, the National Defense Industrial Association's principal director of strategic programs, told Inside Cybersecurity Wednesday. "We've worked with Karlton Johnson throughout his tenure as the vice chair of the AB and we look forward to continue working with him."
Evans expressed concern over a CMMC-AB plan for sponsorships, which was ultimately rescinded by the accreditation body after stakeholders questioned the details.
"It was right to pull . . . the sponsorships down and reconsider how to move forward with the program," Evans said.
"We found it a little troubling across industry and we are glad to see that the board will be reconsidering their sponsorships and partnership models moving forward."
A page on the Cybersecurity Maturity Model Certification Accreditation Body's website listed details for "partner levels" ranging from $5,000 to $500,000, with benefits starting at the lowest level for a higher listing on the CMMC-AB's marketplace for assessors, consultants and publishers of CMMC training content.
NDIA members have also questioned the pace of the CMMC-AB to get assessors trained and certified and the future of the accreditation body.
"We are a little behind with [the] timeline for the goals of the AB and what DOD set out for them to get the assessors trained," Evans said. "It is understandable with the COVID-19 situation, but our group is eager to get the ball moving on this."
On Wednesday, the Defense Department thanked Schieber and Berman for their "thoughtful leadership" and the entire CMMC-AB for "the dedication of many volunteers, who have graciously devoted so much of their time for this monumental cause." DOD described their departure as a "transition" and welcomed three new board members who have joined over the past few weeks.
Berman confirmed his resignation to Inside Cybersecurity, saying: "I believe that the CMMC effort is tremendously important for the country and the security of the defense supply chain. Whether I am on or off the board, I'm willing and able to do all in my power to support their CMMC efforts. It has certainly been an honor to serve on the board."
Professional Services Council president and CEO David Berteau said in a statement, "PSC supports a fully functioning CMMC process. We would not comment on any personnel matters."