CMMC industry council plans to evaluate effectiveness of maturity model controls, small business impacts

By Sara Friedman / September 28, 2021

A new industry advisory council for the Pentagon’s Cybersecurity Maturity Model Certification program is determining “rules of the road” for its work and “scope” of operations, according to council chair Yong-Gon Chon, who says early efforts have focused on evaluating “practice effectiveness” for controls in the CMMC model and examining small business issues.

The CMMC Accreditation Body announced the creation of the Industry Advisory Council in April. The IAC includes representatives from the technology sector, large prime contractors and small businesses, and is led by Chon, a CMMC-AB board member and managing partner at consulting firm GroCyber.

One of the major focuses of the IAC is “measuring things like costs,” Chon told Inside Cybersecurity ahead of tonight’s CMMC-AB Town Hall Meeting.

“The IAC is really about being able to have a good cross section of folks that have to comply with CMMC in the industry,” Chon said, “so we can collect data that the market has been asking for [and] that Congress has been asking for” as well as help “inform what DOD needs to do in terms of constantly improving the model, the cost to comply” and CMMC issues in the “real world.”

The IAC has formed subcommittees for communications, practice effectiveness, small- and medium-size businesses, and costs. The practice effectiveness subcommittee is chaired by Michael Baker, chief information security officer of General Dynamics Information Technology.

“Practice effectiveness is really about [being] able to say ‘These are the controls that make up whether it is maturity level one, three or five, et cetera’ and it is diving into the details about how people are implementing controls,” Chon said.

Chon pointed to multifactor authentication, FIPS-validated cryptography, security awareness training and background screenings as examples of practices that are part of the CMMC model.

Through capturing “real world data,” Chon said one can determine if a control “actually works,” its effectiveness and “the costs associated with it.” The process also allows a pathway for determining if there is a “reference model or reference implementation” that could be used to show “how people should be implementing controls,” he said.

Jake Williams, IT security manager at Doncasters, chairs the IAC’s small business subcommittee, which Chon said is focused on “specifically capturing concerns and validating what are the priorities for small and medium size businesses.” The IAC will also work to “capture what the specific concerns are” for small businesses, Chon said, adding “a lot of issues [relate] to having the labor resources and having the expertise to implement” CMMC.

One avenue to help small businesses is “being able to help define reference models for how to implement, being able to determine efficient ways for smaller businesses to comply,” Chon said, explaining why companies like Microsoft and Amazon Web Services are part of the IAC.

Chon said Microsoft, ServiceNow, Salesforce and AWS “have specific programs around CMMC for their supply chain so being able to come up with more cost-effective ways of complying with CMMC is definitely a priority” for the IAC.

Changes to the CMMC model are expected based on DOD’s internal review of the program. Making it easier for small businesses to comply with CMMC is a major focus of the DOD effort.

“The challenge is right now it is sort of like trying to stick a fork in some warm jello because the model continues to move,” Chon said. “Until we actually have a finalized ruling and leadership inside DOD [for CMMC], being able to react to and define what the formative processes need to be for being able to help small and medium size businesses” is tricky.

The IAC is still in its “formative stage,” according to Chon, and intends to recruit additional IAC members as well as “put calls out for volunteers to support the subcommittees themselves.” The IAC is funded by the CMMC-AB and is working to figure out how much it will cost to run the council, capture stakeholder feedback, and produce an annual report, he said.

The CMMC-AB is working on redesigning its website and plans to have a specific section on the IAC with a list of council members, the organization’s charter and a form to submit nominations. Chon said the IAC plans to put out a report around its one-year anniversary in April summarizing its activities.

The CMMC-AB will hold its September “Town Hall” meeting tonight. CMMC-AB CEO Matthew Travis will provide an ecosystem update while other presentations are focused on an “Ethics and COI report” regarding conflicts of interest, details on the CMMC-AB’s “Certified CMMC Professional (CCP) Training and Exam,” and lessons learned from an authorized certified third-party assessment organization.