Humans get drawn to thinking in threes. Holy Trinity, Three Little Pigs, Zelda Triforce, a kid, his Dad, and a Ghost (Star Wars…already mentioned Christianity).
Examples exist in our culture, thinking, and governance.
In writing we call it the Rule of Three. Think of your five-paragraph essay with three supporting details. Three baby ducks buttressed by their parents at the intro and conclusion.
In statistics we use the three sigma rule as shorthand to remember the intervals in normal distributions. In government we use three branches. Music grows through melody, harmony, and rhythm.
The Cybersecurity Maturity Model Certification Accreditation Board makes the CMMC ecosystem sing using a similar framework of three: authorities, organizations, and individuals.
Authorities
When it comes to securing sensitive data you have to know where the buck stops. Who owns the risk? Who authorizes the systems? In the CMMC ecosystem we have two authorities: the Office of the Undersecretary of Defense and the CMMC-AB.
Office of the Undersecretary of Defense
In the end CMMC provides the Department of Defense an avenue to meet the Federal Information Security Modernization Act (2002/2014). All federal agencies must account for how they secure Controlled Unclassified Information. Of all federal agencies, DoD has come closest to the goal line.
Currently Gregory Kausner is performing the duties of the Under Secretary of Defense for Acquisition & Sustainment while awaiting Senate confirmation. CMMC falls under the auspices of the office of the Deputy Assistant Secretary for Industrial Policy, who laid out, you guessed it, three goals for CMMC:
1. To incorporate a unified set of cybersecurity requirements into acquisition processes and contracting language. Recognizing that cybersecurity should not be “one-size-fits-all,” the program includes several levels of cyber requirements that allow flexibility to apply requirements appropriate to the defined sensitivity level of the information at issue.
2. To provide the Department assurance, via external assessment, that all contractors and subcontractors participating in a given award meet mandatory cybersecurity requirements. The certification framework also facilitates the Department’s ability to hold prime contractors accountable for ensuring that their suppliers are, in fact, implementing appropriate cybersecurity requirements.
3. To develop supporting resources, information, and training to help contractors improve cyber readiness and comply with the Department’s requirements.
In the past the CMMC program has sat under the OUSD CISO and the Director of Cybersecurity Maturity Model Certification (CMMC) Policy. Recently John J. Garstka was appointed Director for Cyber within the Office of the Chief Information Security Officer.
Office of the Undersecretary of Defense Responsibilities
The Department of Defense maintains the CMMC standard, approves all curriculum, and controls all timelines for information such as scoping guidance. They also have approval over the assessment process.
The CMMC-AB can change very little about the CMMC requirements; most of those fall to the DoD, which has a requirement to meet federal regulations beyond its control.
Cybersecurity Maturity Model Certification Accreditation Board
The CMMC-AB has a no-cost contract with the Department of Defense. The Board has gone through a maturation process, transitioning to having full-time staff and acting as Directors rather than having to stand up a program. Some found early decisions during this startup period questionable.
The CMMC-AB now has a new CEO on board, Matt Travis. Travis is the former deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and thus brings years of experience to the AB.
Cybersecurity Maturity Model Certification Accreditation Board Responsibilities
As the contract holder, the Department of Defense determines the CMMC-AB responsibilities. Currently the AB authorizes C3PAOs to conduct CMMC assessments; accredits C3PAOs in accordance with ISO/IEC 17020 and DoD requirements; authorizes the CAICO to certify CMMC Assessors and Instructors; accredits the CAICO in accordance with ISO/IEC 17024; establishes, maintains, and manages the CMMC marketplace; and oversees the CMMC Code of Professional Conduct.
Organizations
These two authorities then oversee the organizations that make up the ecosystem.
Organization Seeking Certification (OSC)
OSCs make up the defense contractors and the third party providers who fall in scope of holding, transmitting, or securing FCI and CUI.
Only the OSC would need a certification every three years, but I find it hard to imagine a world where OSCs use cloud service providers (CSPs) and managed service providers (MSPs) who do not have a -171, a FedRAMP moderate equivalent, or are not working towards CMMC level three themselves.
Organization Seeking Certification (OSC) Responsibilities
- Have a System Security Plan
- Have Policies, Plans, and Procedures
- Have Scope of Network Boundaries
- Have Shared Responsibility Matrices from in-scope CSP, MSP
- Deliver a Briefing to C3PAO on high level overview of company
Certified Third Party Assessment Organization (C3PAO)
The C3PAO contracts with the Organization Seeking Certification (OSC). They hire and build an assessment team. The C3PAO schedules and manages assessments. They upload the CMMC assessment data to a government system called CMMC eMASS. If a remediation process is required, the C3PAO leads this as well. They then upload any updates from remediation to CMMC eMASS.
The Certified Third Party Assessment Organization also owns, handles, and transmits the assessment data. This begins at the planning phase of an assessment. The C3PAO will get a request from the OSC. The C3PAO then chooses a lead assessor. The C3PAO develops the assessment plan. They then verify the readiness to conduct an assessment. After the planning phase the C3PAO will upload all the information to CMMC eMASS. This includes information on how conflicts of interest were handled.
The C3PAO then conducts the assessment. They attend a briefing with the OSC. If any changes need to be made to the assessment plan, the C3PAO will add updates to eMASS. They then determine initial practice and process scores. They then validate these results and determine if the practice was met or not met.
The C3PAO then delivers the assessment results and handles the adjudication. If the C3PAO determines a remediation is warranted, they handle all the data and communicate with the AB. After remediation the final CMMC level gets determined and the results uploaded to CMMC eMASS.
Certified Third Party Assessment Organization (C3PAO) Responsibilities
- Sign Agreement with the CMMC-AB
- Have insurance
- Complete an Organization Background Check
- Have an Association with a Certified Assessor
- Have an ISO 17020
- Achieve CMMC Level Three Certification
- Build a team of assessors with active NAC, DHS Suitability or Other DoD Accepted Clearance
Licensed Partner Publisher
Licensed Partner Publishers develop approved curriculum. The Department of Defense capped the number of publishing partners at twenty. Currently 16 LPPs exist in the marketplace.
The LPPs design all of the curriculum in the ecosystem. They then send this curriculum off to ProCert, a third party company the AB uses to check for curriculum alignment. The Department of Defense has ultimate approval of all LPP curriculum.
Licensed Partner Publisher Responsibilities
- Sign CMMC Code of Professional Conduct
- Pay an Annual Fee
- Complete Organizational Background Check
- 200 hours of previous content development experience
- 2 years experience delivering training
Licensed Training Partner
Licensed training providers deliver certified trainings. LTPs can only use curriculum from a Licensed Partner Publisher. The Licensed Training Partner will host the curriculum, schedule the venues, and run online classes. They will work with CMMC eMASS and the CMMC-AB to record learner data.
Licensed Training Partner Responsibilities
- Sign CMMC Code of Professional Conduct
- Pay an Annual Fee
- Complete Organizational Background Check
- Deliver One Class a Year
- 2 years experience delivering training
Registered Professional Organization
Registered Professional Organizations offer consulting, not assessments. The RPOs represent registered professionals, and the CMMC-AB seal means they have a business focused on CMMC and took a class provided by the CMMC-AB to gain a basic understanding of the model.
Registered Professional Organization’s Responsibilities
- Associate with a Registered Professional
- Pay an Annual Fee
- Complete Organizational Background Check
- Complete Basic Training Class
Individuals
The final grouping of players in the ecosystem is individuals: the people who make up the organizations.
Provisional Assessors
Provisional Assessors provide C
Provisional Assessor Prerequisites
- You must have completed the application process for the Certified Professional
- Complete the formal AB board-provided Provisional Assessor training
- Engage with clients through a C3PAO who registers the assessment team for each assessment on the CMMC-AB website
- Satisfy all of the other requirements for Certified Professionals and Assessors
Provisional Instructor
Provisional Instructors will teach classes delivered by the LTPs. All classes must utilize a PI. At this time only the CMMC-AB can run classes to train Provisional Instructors.
Provisional Instructor Pre-requisites
- Ten years of cyber assessment/audit experience
- Two years training experience
- Take a Provisional Instructor class
Certified CMMC Professional
The Certified CMMC Professional (CCP) targets two career pathways: folks who want to go down the assessment pathway and, according to the AB, “Consultants who wish to advertise their deep knowledge and familiarity with the CMMC Standard when providing consulting services.”
Once training programs begin you should not engage any consultant without a CCP minimum. Plenty of talented 171 consultants exist outside of the ecosystem. You can utilize any of this talent for CMMC readiness. Yet the CCP provides a marker that the consultant got training from an LTP using DoD-approved curriculum developed by an LPP.
Certified CMMC Professional Pre-requisites
- College degree in a technical field or other equivalent experience (including military) OR 2+ years in cyber or other information technology field
- Gain CMMC-AB approval of the submitted application as to education and experience requirements
- Complete the DoD Mandatory CUI Training
- Complete Certified CMMC Professional Class (CMMC model training) from an LTP (Licensed Training Provider)
Assessment Team Member
An assessment team member joins a C3PAO and a lead assessor. All assessment team members must have an active NAC, DHS Suitability or Other DoD Accepted Clearance. You also must have
Assessment team members need to have a CCA certification for their level. So a level one CCA can do level one assessments and a level three can do level one, two (nobody wants a two), or three.
Certified Assessor Level One (CCA-1) Prerequisites
- U.S. Person (Green card is acceptable). To participate as a team member on ML-2 assessments, U.S. citizenship is required.
- Certified CMMC Professional Credential
- Complete the training and exam for the Certified CMMC Assessor Level 1 credential
- Have or gain a favorably adjudicated Tier 1 Suitability Determination that results in no security clearance
Certified Assessor Level Three (CCA-3) Prerequisites
- Certified CMMC Professional Credential
- Certified CMMC Assessor Level 1 Credential
- 4+ years of cyber or other information technology experience
- Complete the training and exam for the Certified CMMC Assessor Level 3 credential
- Have or gain a favorably adjudicated Tier 3 Suitability Determination that results in no security clearance
Certified Assessor Level Five (CCA-5) Prerequisites
- Certified CMMC Professional Credential
- Certified CMMC Assessor Level 1 Credential
- Certified CMMC Assessor Level 3 Credential
- Complete the training and exam for the Certified CMMC Assessor Level 5 credential
- Successfully complete 15 CMMC ML-3 Assessments to be eligible for CCA-5 training
- Have or gain a favorably adjudicated Tier 3 Suitability Determination that results in no security clearance
Registered Practitioner
A registered practitioner signed an agreement and took a class delivered by the AB. Much has changed since the launch of the program. Once trainings begin you should only engage with consultants that have a CCP or a trusted member of the assessment community who may have no letters at all.
Registered Practitioner Prerequisites
- Pay $500.00
- Sign the CMMC Code of Professional Conduct
- Complete introductory training class