CMMC's final rule, training orgs expected this summer

NOTE: This article first appeared on FCW.com.

A final rule on the Defense Department's unified cybersecurity standard could debut as soon as this summer, defense officials said. But implementation hinges on standing up a formal training system.

Diane Knight, who is DOD's lead for the Cybersecurity Maturity Model Certification program's pathfinders and pilots, said a final rule could roll out as soon as April but wouldn't confirm a concrete timeline.

"There will be a final rule and we have that identified on schedule coming up here too," Knight said Jan. 26 during a virtual town hall hosted by the CMMC Accreditation Body (AB).

Knight also previewed a "notional" timeline for the pilots in which requests for proposals would be released in April, with awards coming in August. By April, contractors seeking to participate in the pilots would be expected to have prepared for a CMMC assessment, reviewed requirements with subcontractors and to request an assessment from authorized third-party assessors (C3PAOs). Proposals would be due by July, according to the documents, and a certification would be needed when the contract is awarded.

But the proposed timeline is contingent on other moving parts, namely the training -- from developing materials to approving organizations to provide the classes -- and certification of assessors that are approved and processed by the CMMC-AB.

Licensed partner publishers (16 of which have been approved with two pending) create formal training content, which should be available by the late spring or early summer, said Ben Tchoubineh, a CMMC board member and chair of the training committee. Classes should be available at the same time, he said, with 12 schools already approved as licensed training providers out of 22 applications.

Jeff Dalton, a board member who heads accreditation and the credentialing committee, asked for understanding as a new ecosystem is created.

"The AB is running an operation that includes lots of partners," Dalton said, "and we're not going to continue to do training and assessments like that, others are. And so we're ramping up that infrastructure."

The AB is swamped with applications for various partners in the CMMC universe. But there are 100 approved provisional assessors, who can work with the C3PAOs to conduct the cybersecurity assessments. However, there are 408 applications for C3PAOs, only 53 of which have been approved, according to presentation documents. (Third-party assessors also have to go through the assessments from the Defense Industrial Base Cybersecurity Assessment Center before they can perform assessments on other companies, Dalton stressed.)

But the bulk of applications (1,439) and approvals (1,060) are for registered providers in the CMMC AB marketplace, which can help companies prepare for assessments but do not conduct them.

DOD has been working its CMMC pathfinders with the Missile Defense Agency, which started in April 2020, and the Defense Logistics Agency, in September. The DLA pathfinder effort will be the first to use authorized C3PAOs, Knight said.

Moreover, up to 15 pilots, which will use actual DOD acquisitions, will begin to roll out this year, Knight said.

Several candidates have been identified across the military departments, Missile Defense Agency, and Defense Logistics Agency, Knight said. But DOD is still looking for CMMC pilot nominations and is also exploring opportunities with the Department of Homeland Security, General Services Administration, and Department of Interior.