Cyber certification audits for certified third-party assessment organizations (C3PAOs) are currently on hold at the Pentagon while the Defense Department works through changes to its Cybersecurity Maturity Model Certification (CMMC) program, according to a DOD official.
The Defense Contract Management Agency started conducting level three assessments for C3PAOs in early 2021, and five C3PAOs are currently listed as “authorized” on the CMMC Accreditation Body’s marketplace. The C3PAO audits are conducted by the Defense Industrial Base Cybersecurity Assessment Center.
DIBCAC “assessments under CMMC 2.0 will not begin until DoD completes updates to the pertinent model documentation,” DOD spokeswoman Jessica Maxwell told Inside Cybersecurity.
The Defense Department announced major changes to the CMMC program on Nov. 4 and is in the process of updating its maturity model and assessment guides.
The Pentagon is consolidating the program, now known as “CMMC 2.0,” to three maturity levels, removing 20 practices and three processes from the new level two, and allowing contractors to submit a plan to address certain unmet controls.
C3PAOs will be evaluated under the new CMMC level two moving forward, which Maxwell said “means that DIBCAC will assess against the NIST 800-171 requirements.”
“The C3PAOs that have already been authorized by CMMC-AB to perform assessments can begin assessments under the CMMC 2.0 structure as soon as the program documentation is updated to fully reflect the changes in CMMC 2.0,” Maxwell said. “The DCMA DIBCAC will continue evaluating C3PAOs once the documentation is updated and will assess the new C3PAOs against the CMMC 2.0 standards.”
Allowing contractors to submit a plan of action and milestones (POA&M) is a significant shift from the first iteration of CMMC, which required organizations seeking certification to meet all the requirements at their desired maturity level. CMMC-AB CEO Matthew Travis told Inside Cybersecurity that POA&Ms are one area that needs to be worked out before C3PAO assessments can resume.
Early analysis of the first DIBCAC assessments played a role in DOD’s decision to allow POA&Ms. CMMC program leader Buddy Dees said last week the DIBCAC found 75% of the C3PAOs evaluated needed to have a POA&M and only 25 did not, calling the statistic “eye opening.”
There are 197 candidate C3PAOs in the CMMC-AB’s pipeline to get a DIBCAC assessment in the accreditation body’s marketplace.
Despite the delay and uncertainty over certain requirements, large prime contractors still want their suppliers to prepare for assessment and agree that the barrier to entry for small business to obtain a certification is lower under CMMC 2.0.
“CMMC has morphed into a pretty good space right now,” a senior industry official said, praising the new self-attestation requirement for level one and a bifurcated process for assessment at level two. The source said that allowing POA&Ms establishes a “crawl, walk, run” approach for suppliers to accomplish CMMC 2.0 requirements.
“CMMC 2.0 evolves the framework in a positive direction, providing a more targeted tiering of controls and a systematic approach to manage risk,” Booz Allen Hamilton Chief Information Security Officer Ashley Devoto said in a statement to Inside Cybersecurity.
Devoto said, “The recent changes to the CMMC program reflect the DOD’s willingness to listen to industry feedback and partner on an accessible, risk-informed path forward. The DOD will need to continue to work with other government agencies, like CISA, to expand cost-effective risk management capabilities by supporting shared services and pooled resources tailored to small business and scalable for large enterprises.”
Under CMMC 2.0, DOD will be responsible for conducting level three assessments, a change that has support from large prime contractors.
“Hopefully, level three will be more of a partnership that raises all boats,” the senior industry official said, and not a “carrot and stick relationship.”
“Industry working groups played an integral role in the development of the higher levels in CMMC 1.0, and this partnership ensured that the requirements had practicability and applicability,” Devoto said.