A somewhat ironic (but not altogether unanticipated) snag is threatening to hold up the full implementation of a Department of Defense (DOD) program to hire cybersecurity assessors: the companies applying to fulfill the assessor role are complaining of frustration with the process required for them to be assessed themselves.
The program, Cybersecurity Maturity Model Certification (CMMC), aims to guarantee security among contractors in the lucrative defense industrial base by requiring them to hire a licensed assessor to check and verify their networks. However, a bottleneck has developed which could result in a shortage of licensed assessors.
With 300,000 contractors playing some part in the industry, a lack of assessors means a huge struggle to assess the cyber fitness of each contractor.
The Need for CMMC Assessors
It is understood that concerns have been raised over the difficulty in fulfilling all of the required elements of the assessment needed to become a Certified Third Party Assessor Organization (C3PAO).
Prospective assessors are finding the process to be slow both at the stage of initial audits and again at level three, where important maturity documentation is taking longer than expected to complete. Candidates point to the requirements at this stage of the C3PAO assessment process—which call for companies to show not only that they have cybersecurity policies, but also how those policies are adhered to within the business—as being extremely stringent.
For its part, the CMMC Accreditation Body (CMMC-AB) has declared its satisfaction both with the process and with its speed. A representative stated that, contrary to the fears of some concerned contractors, the necessary targets would be hit; the key target in this case is that by 2026, CMMC shall be a legal requirement for all DOD contractors.
As would-be contractors look towards CMMC consultants to help with the seemingly thorny process, there would appear to be scant possibility of any tweaks to the AB’s requirements.
Hurdles in CMMC Certification
One problem raised by candidates in the CMMC process, which takes the form of an assessment of existing infrastructure and institutional knowledge, is that a substantial outlay is required simply to apply for accreditation.
Without any guarantee that accreditation will be granted, or issued in a timely fashion, smaller assessors—who already face hurdles in the process—are perturbed by the need to pay for the privilege of applying for something they may never get. Clarification of the requirements is essential, according to some potential assessors who are now mid-process and wondering how to advance.
CMMC Moving Forward
For the moment, the two sides of the argument appear to be some distance apart. The Accreditation Body expresses full confidence, while a growing number of infosec experts question whether even one certification will be issued in the rest of 2021; it’s clear that this is a story that will continue to run.
Whether communication will bring the sides closer together, or the current retrenchment will continue and deepen, remains to be seen.
With so many potential assessors yet to be assessed themselves, the pace of certification will need to pick up at some point; when that point will come remains an open question.