CMMC accreditation body plans to release updated draft assessment process guide for comment

By Sara Friedman / February 2, 2024

The accreditation body behind the Pentagon's Cybersecurity Maturity Model Certification program plans to release a new draft of its assessment process guide, known as "the CAP," for public comment before the Defense Department completes its rulemaking efforts to finalize the program, according to CEO Matthew Travis.

“The CMMC assessment process is a procedural guide to ensure CMMC assessments whether they are on the East Coast or West Coast or wherever are done consistently and following like procedures,” Travis said Tuesday at a Cyber Accreditation Body “town hall” meeting.

The CAP is targeted at CMMC assessors who are approved by the Cyber AB. The Cyber AB released a public version of the CAP for comment in July 2022. The document was marked as “pre-decisional” and was quickly criticized by stakeholders including the Coalition for Government Procurement, which asked the accreditation body to rescind the publication.

The CAP breaks the assessment down into four phases: preparation, conducting the assessment, reporting results and closing out the assessment. The Cyber AB published a detailed spreadsheet in January 2023 breaking down each of the comments submitted.

Travis said the CAP will be finalized once the rulemaking process is complete. DOD announced major changes to the CMMC program in November 2021 and issued a long-awaited proposed rule to implement them on Dec. 26.

The rule amends Title 32 of the Code of Federal Regulations. DOD is working on a second proposed rulemaking that will make changes to the department’s acquisition rules. Both rules must be finalized before the CMMC phased rollout will begin.

Travis said the next version of the CAP “will look a lot different based on some working groups that we’ve held as well as the proposed rule.”

The Cyber AB doesn’t have a firm timeline for when the updated CAP will be released. Travis highlighted the “accreditation scheme” and certified third party assessor organization agreements as more pressing priorities, while emphasizing that the Cyber AB is “working on” the CAP update and will have “more to follow with details.”

The Cyber AB is also working on an update to its code of professional conduct that is under review at DOD, according to Travis. The 32 CFR rule requires the accreditation body to develop policies for conflict of interest, code of professional conduct and ethics that are compliant with ISO standard 17011.

Travis said the Cyber AB will put out a new version of the code of professional conduct as a draft before the rulemaking is finalized. He noted that the code will need to be updated when the CMMC rulemaking becomes final.

The comment period for the 32 CFR rule closes on Feb. 26.

The Cyber AB meeting featured a presentation from Stuart Itkin of the Managed Service Provider Collective. The MSP Collective was launched in August 2023 and is dedicated to raising awareness of the role managed service providers can play in defending critical infrastructure and to advocating for targeted standards.

Travis reflected during the meeting on the DOD’s FedRAMP Moderate equivalency memorandum, which will require cloud service providers to be 100% compliant with the latest FedRAMP Moderate security control baseline.

Travis also provided an update on the Cyber AB’s efforts to provide information to the DOD inspector general, which is conducting an audit of the Pentagon’s process to accredit the third-party assessment organizations that are performing CMMC 2.0 assessments.