CMMC accreditation body triples certified assessor count in 2023 ahead of formal launch period

By Sara Friedman / November 30, 2023

The number of certified assessors for the Pentagon's Cybersecurity Maturity Model Certification program experienced triple-digit growth in 2023 from the prior year, as the formal launch of the Defense Department initiative comes closer to fruition.

There are currently 171 Certified CMMC Assessors (CCAs) who will be able to conduct third-party assessments compared to 54 in 2022, according to the latest statistics shared by the Cyber Accreditation Body on Tuesday at a “town hall” meeting.

The Cyber AB also added 19 authorized certified third-party assessment organizations in 2023, bringing the total number to 48, and has 459 candidate C3PAOs who have applied for certification. Candidate C3PAOs must pass an assessment of their compliance with CMMC level two conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center.

Cyber AB CEO Matthew Travis said the “tempo” of C3PAOs becoming certified in the first half of this year “really picked up and we were cruising along.”

The number of certified C3PAOs falls short of the expectation from Travis that 55 would be approved in 2023. But Travis struck a confident tone at the Tuesday meeting that there will be enough capacity when the CMMC program launches.

However, Jon Hanny, Cyber AB director of operations and chief information security officer, said the reason more C3PAOs have not gone through a level two assessment from the DIBCAC is a “lack of readiness” on the preparation side from the C3PAOs.

Travis said the number of CCAs is more important than the C3PAO count and he struck an optimistic tone that more assessors will go through the assessor training and exam when there is more clarity on the CMMC rollout.

Certified CMMC Professionals (CCPs) will support the work of assessors and C3PAOs during the assessment process. The number of CCPs increased significantly in 2023 to a high of 641 individuals, up from 245 in the prior year.

DOD announced major changes to CMMC in November 2021 and a process to go through rulemaking to implement them. A rulemaking to implement those changes was approved on Nov. 21 by the White House Office of Management and Budget's Office of Information and Regulatory Affairs.

OIRA also finished its review on Nov. 17 of eight CMMC documents that are each categorized as a “Notice.” They include an update to the CMMC model and assessment and scoping guides for the three levels. There is also a “CMMC Hashing Guide.”

The CMMC rule is expected to be a proposed rule with a 60-day public comment period. DOD will adjudicate the comments and the expectation is the final rule will be published in the first quarter of 2025. The formal launch of the program will begin when the rulemaking is finalized.

At the town hall, Travis announced the election of Paul Michaels to lead the Cyber AB’s board of directors as chairman and Mathew Newfield as vice chair.

Michaels is currently vice chair of the board and chief security officer at Fortinet Federal. Newfield is president of Media Solutions at Diversified and currently chair of the board’s audit and risk committee.

The board also elected Debbie Taylor Moore to serve as secretary. Moore is senior partner and vice president for global cybersecurity at IBM Consulting.

Current board chair Jeff Dalton will remain on the board when he steps down at the end of December.

Dalton said in a statement, “I set a goal of professionalizing the board when I assumed the chairmanship and I feel like we have made tremendous progress in that direction, both through the addition of extremely talented and dedicated new directors and the advent of formal certification training with the National Association of Corporate Directors (NACD).”

“And while I am disappointed that CMMC has not yet commenced as a formal program, I know the AB has played a valuable role in growing the CMMC Ecosystem while we wait for the completion of federal rulemaking,” Dalton added.

Travis said the Cyber AB will hold a “special ‘rule review’” town hall a few days after the CMMC proposed rule is released.