One of the Licensed Partner Publishers (LPP) selected last week to provide training materials for the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) told MeriTalk this week he expects that some of the training materials will be publicly released beginning next month.
The CMMC-AB is in charge of providing assessors to evaluate the cybersecurity of private companies in the Defense Department’s (DoD) supply chain under the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program.
Tommy McDowell, general manager with Celerium – one of 11 companies selected to serve as LPPs – said a lot of work has already been done on the training materials.
“As an LPP, we are given access to a lot of provisional assessment guide material and we have clearly defined exam objectives, and access to the training material that was provided to the provisional assessors,” he said in an interview. “Part of our agreement is that, as an LPP, we deliver at least one formal training that they [the CMMC-AB] will approve.”
Much of the training material is based on a National Institute of Standards and Technology (NIST) Special Publication, McDowell said.
The role of the LPPs is to create curricula that will be used to help assessors and others meet the exam objectives.
“The first priority of training material is for the registered practitioner training and certification exam, and then the same thing for the Level 1 and Level 3 assessors,” McDowell said.
McDowell said a quality assurance team will review the material produced by the LPPs, and said he believes that the CMMC-AB will have those teams in place by Oct. 1.
“Shortly thereafter,” said McDowell, “we’ll go to market with a lot of our training material.”
Education as a service is not new for McDowell’s company. Celerium is behind the CMMC Academy, which focuses on reaching small and medium-sized supply chain companies.
“We’ve created a very large sharing community,” said McDowell of the CMMC Academy, which held a July 22 event featuring Katie Arrington, who is DoD’s CISO for Acquisition and Sustainment, and the public face of the CMMC effort.
“We’re able to interview and get concerns for a lot of these downstream suppliers, Level 1, 2, 3 type companies,” McDowell said. “We’re able to learn a lot of what their struggles are, what their staffing issues are, and maybe some of the challenges they have in implementing the practices.”
Documenting security controls and dealing with a security auditor can be “a little bit of a lift” for small and medium-size companies, McDowell said. “We’re very interested in trying to inform that community,” he said.
Of the overall status of the CMMC, McDowell said it’s “progressing” with the training of provisional assessors and the LPP designations.
With the Defense Federal Acquisition Regulation (DFAR) Supplement to the Federal Acquisition Regulation (FAR) set to be finalized by November, McDowell said that’s the legal component that “pulls this all together.”
“Whenever the DFAR standard is officially announced as complete, I think things will escalate quite a bit,” he said.