The Cybersecurity Maturity Model Certification (CMMC) v1.0 was released on the last day of January 2020. Many organizations are familiarizing themselves with the requirements of CMMC in anticipation that draft RFPs requiring some level of CMMC compliance will begin appearing in June 2020. What is still being developed by the CMMC Advisory Board is how assessments themselves will occur. We highly recommend reviewing the CMMC Advisory Board’s website for additional information.
When Will CMMC v1.0 Information Be Released?
As noted on CMMC-AB’s website, several key aspects of the CMMC are still under development:
- What are the standards and processes around “training trainers” and “accrediting assessors”?
- How will assessments actually be performed?
The CMMC-AB is planning a late Q1 or early Q2 initial release of this information. This means two things:
- The organizations that will be accredited to provide training or conduct assessments will have a short time to qualify as training or assessment providers. With draft RFPs requiring CMMC compliance appearing as early as June 2020 and full RFPs released in August, fulfilling the requirements to provide training or assessments will be a challenge. This means that there will be an initial shortage of service providers.
- As noted on the CMMC Advisory Board website, any organization that advertises that it knows what an assessment will be like is incorrect, since the assessment itself has not been defined. Although some organizations are already advertising service delivery, their ability to deliver these services and their authority to do so are both dubious.
Based on BTI’s 15 years of experience working with full life cycle systems using similar assessment standards (CMMI and ISO 9001:20XX) in the US Department of Defense environment, this is how we see the rollout of CMMC:
- Training and assessment organizations will need to be experienced with the full systems engineering life cycle. Published CMMC requirements are about software, hardware, operating systems, operating environments, and beyond. Experience in just one aspect (for example, software) will not be adequate.
- Knowledge of development/delivery/production/maintenance processes, like DevOps, will be important. CMMC covers all of this.
- Lack of assessment and training personnel cleared by the US government will be an obstacle, since the first organizations to which CMMC will be applied will be those performing classified work, requiring cleared personnel to support them. Given the published requirements, an assessor without a clearance will not be able to deliver.
- Based on our experience with appraising CMMI and auditing ISO 9001:20XX, both of which are structurally similar to CMMC, there are many nuances to assessments and requirements for evidence. For example, (1) an organization cannot just tell the assessor that something is done; there must be tangible evidence that an objective is satisfied (sometimes called a direct artifact), (2) implied requirements regarding how long an activity needs to be in place (that is, the concept of institutionalization) will need to be addressed, and (3) requirements need to be addressed around how data and measurements are used at higher maturity levels.
- Implementing assessment standards and processes correctly is hard, based on our long-term experience with the CMMI Institute and (ISO 9001) Registration Accreditation Board (RAB). The CMMC Advisory Board is trying to stand up assessment processes in a few months and accredit large numbers of trainers and assessors. Both the CMMI Institute and RAB took years to get the processes to function efficiently and correctly with much smaller numbers of trainers and assessors. While we hope the CMMC Advisory Board will succeed—because the mission is important!—our experience shows there will be hiccups.
So, BTI’s advice, for now, is to familiarize your organization with and begin to implement the practices in the CMMC. The standard is official and there’s no time like now to get started. For everything else, we will have to wait and see. BTI will publish an update to this article once the CMMC Advisory Board makes further items official.