Concerns grow about a lack of assessors for the CMMC

NOTE: This article first appeared on

Not having enough assessors to do in-person audits for defense contractors is a chief worry as the Defense Department prepares for the rollout of its upcoming Cybersecurity Maturity Model Certification program, according to a defense official.

"My biggest concern on the making sure that I have enough assessors in the geographical area for the assessments as we roll these pilot programs out," said Katie Arrington, the Defense Department's chief information security officer for acquisition, said during a keynote presentation at the virtual CyberSheath's virtual CMMC conference Nov. 18.

Arrington said a portion of the audits required for some companies have to be done onsite, which requires travel and in-person contact with proper health and social distancing protocols.

As of Dec. 1, companies looking to do business on new contracts with the Defense Department will have to submit proof of a self-assessment on compliance with the National Institute of Standards and Technology's SP 800-171 controls. There's an exception for vendors who sell commercial-off-the-shelf products.

A self-assessment for basic cyber hygiene practices, or level 1, will be the minimum requirement. But companies seeking work that requires processing, storing, or transmitting, but unclassified, information will also have to seek higher certification levels and submit to audits by assessors certified by the CMMC Accreditation Body, an independent not-for-profit entity charged by DOD with developing training and handling audits.

The CMMC AB began training assessors this summer, but their numbers are far from the estimated 2,000 needed to audit hundreds of thousands of defense contractors. Arrington noted in October at a separate event that only 50 assessors have been provisionally trained so far.

Jeff Dalton, who heads the accreditation and credentialing committee as a CMMC Accreditation Body board director, estimated about 2,000 total assessors for the approximately 300,000 defense companies that would need to get certified.

But that number could change over time, especially because single entities could need more than one assessment.

"We can't just put out an ad on LinkedIn and say all cybersecurity professionals report for duty, which would be great [but] we'd run out of cybersecurity professionals pretty quickly," Dalton said during an Oct. 21 FedScoop event.

Dalton also said CMMC has created a new industry that will take time to develop assessors and certified professionals to service the defense industrial base.

"We're all doing our best to get this out as quickly as we can. Probably won't be as fast as people want, probably won't be exactly what people are expecting always, but we're learning as we go."

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at, or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above.

WT Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.