Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) Chair Ty Schieber and Department of Defense (DoD) Under Secretary of Defense for Acquisition and Sustainment Katie Arrington shared new insights on what CMMC-AB looks like and how companies can expect to interact with it.
“We basically are responsible for establishing, maintaining, and implementing the CMMC standard,” Schieber clarified at the April 23 AFCEA Virtual CMMC Symposium. “In partnership with DoD, we add clarifying detail, every control, practice in each scope level in CMMC to make sure it’s clear, consumable, and consistent.”
Schieber explained that the board was established in January and, since then, CMMC-AB has “done a lot of work in terms of implementing that framework, the definitions, the workflows, procedures.” With stakeholder help, he added, CMMC-AB is now ready to start testing, even as the board works through the COVID-19 coronavirus pandemic.
“Collaboration and the fatigue, if you will, of perpetual teleconferences and trying to do this virtually is a challenge, but it hasn’t stopped us,” he said. “Importantly, we’re still on a path to intercept and hit the aggressive targets that Katie [Arrington] and her team have established, because this is an urgent issue.”
Schieber also confirmed that small businesses will play a significant role on the accreditation board.
“We’ve got 15 board members and we have probably a third to half of them are small business members, probably even more than that,” he said, while acknowledging the unique challenges faced by small businesses amid the pandemic.
Arrington added that CMMC-AB will rely heavily on in-person interactions. While she said that some tech may become available to make it easier for companies to start the process, “there is no such thing as self-assessment, that is the whole point of CMMC.” Every company or individual that applies for CMMC will go through a physical audit, Arrington said, to reduce foreign interference and prevent shell companies from gaining certification.
“The physical audits will make sure that we’re doing our due diligence to buy down that risk. No matter what product is there, we actually have to have a human being … to make that final decision,” she said.
With certifications scheduled to last three years, the CMMC-AB is looking to “fill in the gaps” between inspections. The CMMC-AB issued a Request for Proposals (RFP) yesterday to help “identify appropriate partners in our continuous monitoring solution.” The body is seeking a non-intrusive, continuous monitoring solution for traffic on the public domain.
The RFP said that with partners across the world, including in Germany and Japan, a solution deployable on a global scale is advantageous.
The body is looking for responses by Friday, May 1, with selection anticipated a week later, on May 8.