<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: DoD Cybersecurity Maturity Model Certification CMMC in Tech Talk</title>
    <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42708#M3122</link>
    <description>&lt;P&gt;Dr. Shelton,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Are you saying that the CMMC AB is going to require or accept DOD 8570 Certifications in lieu of custom curriculum they are developing for the RP - Registered Practitioner, CP Certified Professional, and CA Certified Assessor programs? Because those sound like their own custom certifications complete with Maturity Levels.&lt;BR /&gt;&lt;BR /&gt;They are going to a lot of trouble to register, vet and train LPPs and LTPs who will develop and teach their certification information, which is described as "rigorous". Additionally, they are also becoming a certification body under ISO/IEC 17020 &amp;amp; 11. So while I think you are right in the short term for the general DoD IT individual, I think they are reinventing the wheel for those practitioners working in the CMMC ecosystem. This could lead to two competing standards. Hence my question. If the government is developing its own Cyber Security Certifications, why would they continue to support competing commercial certifications under 8570?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
    <pubDate>Thu, 21 Jan 2021 15:01:13 GMT</pubDate>
    <dc:creator>CyberMenyaPro</dc:creator>
    <dc:date>2021-01-21T15:01:13Z</dc:date>
    <item>
      <title>DoD Cybersecurity Maturity Model Certification</title>
      <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/30858#M2020</link>
      <description>&lt;P&gt;For a new DoD contractor requirement that is supposedly being released in January, just a few weeks from now, the industry and the DoD sure have seemed quiet about the CMMC.&amp;nbsp; Have any of you been taking preparatory steps?&amp;nbsp; Have any good resources besides the draft and FAQ (&lt;A href="https://www.acq.osd.mil/cmmc/faq.html" target="_blank"&gt;https://www.acq.osd.mil/cmmc/faq.html&lt;/A&gt;) ?&amp;nbsp; The FAQ says the first version will be released in January and then implemented as a requirement starting in June, which is a pretty quick time frame considering they haven't even specified how third party assessors become certified to issue CMMCs.&lt;/P&gt;</description>
      <pubDate>Fri, 20 Dec 2019 18:32:48 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/30858#M2020</guid>
      <dc:creator>N_Bakewell</dc:creator>
      <dc:date>2019-12-20T18:32:48Z</dc:date>
    </item>
    <item>
      <title>Re: DoD Cybersecurity Maturity Model Certification</title>
      <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/30865#M2021</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/545444613"&gt;@N_Bakewell&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;(&lt;A href="https://www.acq.osd.mil/cmmc/faq.html" target="_blank" rel="noopener"&gt;https://www.acq.osd.mil/cmmc/faq.html&lt;/A&gt;) ?&amp;nbsp; The FAQ says the first version will be released in January and then implemented as a requirement starting in June, which is a pretty quick time frame considering they haven't even specified how third party assessors become certified to issue CMMCs.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;This is gonna get VERY interesting. Recalling that DoD is still doing a shoddy job of enforcing the individual certifications requirements under 8570, I will be watching for how long it takes them to actually put the CMMC into contracts and enforce them for companies.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 20 Dec 2019 20:54:56 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/30865#M2021</guid>
      <dc:creator>CraginS</dc:creator>
      <dc:date>2019-12-20T20:54:56Z</dc:date>
    </item>
    <item>
      <title>Re: DoD Cybersecurity Maturity Model Certification</title>
      <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/30888#M2023</link>
      <description>&lt;P&gt;This is certainly going to become very interesting indeed - the Australian Government are doing a similar scheme via the IRAP certification to ensure that Federal Government agencies comply with mandated controls.&amp;nbsp; Someone is going to be making a lot of money, and the rush to get certified will generate a lot of jobs for years to come.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.cyber.gov.au/irap/irap_assessments" target="_blank"&gt;https://www.cyber.gov.au/irap/irap_assessments&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_cautim&lt;/P&gt;</description>
      <pubDate>Mon, 23 Dec 2019 05:07:46 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/30888#M2023</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2019-12-23T05:07:46Z</dc:date>
    </item>
    <item>
      <title>Re: DoD Cybersecurity Maturity Model Certification</title>
      <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/33481#M2438</link>
      <description>&lt;P&gt;Well I assure you this is happening.&amp;nbsp; They have come to the realization that the initial aggressive timeline was a bit too unrealistic but you can expect CMMC to be in about 15 "pathfinder" contracts in the fall time frame with that flowing down to about 100 suppliers below.&amp;nbsp; There will be opportunities to 3PAO's, individual and organizations, to perform the assessments. Biggest thing I see now are the snake oil salesmen out trying to tell folks they can sell you something to make you CMMC compliant, ummmmm no......&lt;/P&gt;</description>
      <pubDate>Mon, 09 Mar 2020 15:35:47 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/33481#M2438</guid>
      <dc:creator>TXWayne</dc:creator>
      <dc:date>2020-03-09T15:35:47Z</dc:date>
    </item>
    <item>
      <title>Re: DoD Cybersecurity Maturity Model Certification</title>
      <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/33517#M2442</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1506319407"&gt;@TXWayne&lt;/a&gt;&amp;nbsp;&amp;nbsp; This is interesting, whilst the Australian Security Directorate, have told all those who went through the IRAP certification process, that the certification for Cloud will be dropped in July 2020.&amp;nbsp;&amp;nbsp; The rationale is to open up competition - more likely a lot more work by the Agencies themselves to verify whether or not they should be using cloud services from those entrepreneurs, who may have very little regard for security &amp;amp; privacy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;A big headache coming up I reckon.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_cautim&lt;/P&gt;</description>
      <pubDate>Tue, 10 Mar 2020 03:52:32 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/33517#M2442</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2020-03-10T03:52:32Z</dc:date>
    </item>
    <item>
      <title>Re: DoD Cybersecurity Maturity Model Certification</title>
      <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/40903#M3043</link>
      <description>&lt;P&gt;The rule will be final at the end of this month. This is getting real.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm working for a company that has been doing NIST 800-171 assessments and is already doing CMMC assessments. We are in line to be a CMMCAB Registered Practitioner.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Norris Carden&lt;/P&gt;&lt;P&gt;MADSecurity&lt;/P&gt;</description>
      <pubDate>Wed, 18 Nov 2020 14:56:45 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/40903#M3043</guid>
      <dc:creator>CyberNorris</dc:creator>
      <dc:date>2020-11-18T14:56:45Z</dc:date>
    </item>
    <item>
      <title>Re: DoD Cybersecurity Maturity Model Certification</title>
      <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42687#M3119</link>
      <description>&lt;P&gt;Does anyone know what happens to DoD 8570 certifications like the CISSP once CMMC is fully implemented?&amp;nbsp; It seems as though they may be reinventing the wheel on Cyber Security Training when there are already 100's of certifying organizations like ISC2 providing this globally recognized training.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 20 Jan 2021 21:31:14 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42687#M3119</guid>
      <dc:creator>CyberMenyaPro</dc:creator>
      <dc:date>2021-01-20T21:31:14Z</dc:date>
    </item>
    <item>
      <title>Re: DoD Cybersecurity Maturity Model Certification</title>
      <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42699#M3120</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/989136085"&gt;@CyberMenyaPro&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;Does anyone know what happens to DoD 8570 certifications like the CISSP once CMMC is fully implemented?&amp;nbsp; It seems as though they may be reinventing the wheel on Cyber Security Training when there are already 100's of certifying organizations like ISC2 providing this globally recognized training.&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Samuel,&lt;/P&gt;&lt;P&gt;I am no longer working in that arena, but for many years I was directly&amp;nbsp; involved with and tracking 8570 aspects and implementation. That said, I doubt that will CMMC will subsume or replace the basic 8570 structure. That is because 8570 is about the certified capability of individual infosec workers, including DoD employees, military members, and contractors. CMMC, on the other hand, is about the organizational expertise and approach of contracted companies performing infosec work for DoD. CMMC is not about individual certifications, It is about the processes a company has established and can prove they follow in dong infosec work.&lt;/P&gt;&lt;P&gt;This is not a wheel re-invention, it is about adding a second wheel to your vehicle.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Summary: CMMC will not cause 8570 to go away because it supplements 8570, rather than replace it.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 21 Jan 2021 13:50:46 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42699#M3120</guid>
      <dc:creator>CraginS</dc:creator>
      <dc:date>2021-01-21T13:50:46Z</dc:date>
    </item>
    <item>
      <title>Re: DoD Cybersecurity Maturity Model Certification</title>
      <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42701#M3121</link>
      <description>&lt;P&gt;What Craig says is correct but I wouldn't even say CMMC supplements 8570, there really is no connection between the two at all for the reasons he described.&amp;nbsp; &amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 21 Jan 2021 14:01:23 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42701#M3121</guid>
      <dc:creator>TXWayne</dc:creator>
      <dc:date>2021-01-21T14:01:23Z</dc:date>
    </item>
    <item>
      <title>Re: DoD Cybersecurity Maturity Model Certification CMMC</title>
      <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42708#M3122</link>
      <description>&lt;P&gt;Dr. Shelton,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Are you saying that the CMMC AB is going to require or accept DOD 8570 Certifications in lieu of custom curriculum they are developing for the RP - Registered Practitioner, CP Certified Professional, and CA Certified Assessor programs? Because those sound like their own custom certifications complete with Maturity Levels.&lt;BR /&gt;&lt;BR /&gt;They are going to a lot of trouble to register, vet and train LPPs and LTPs who will develop and teach their certification information, which is described as "rigorous". Additionally, they are also becoming a certification body under ISO/IEC 17020 &amp;amp; 11. So while I think you are right in the short term for the general DoD IT individual, I think they are reinventing the wheel for those practitioners working in the CMMC ecosystem. This could lead to two competing standards. Hence my question. If the government is developing its own Cyber Security Certifications, why would they continue to support competing commercial certifications under 8570?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Thu, 21 Jan 2021 15:01:13 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42708#M3122</guid>
      <dc:creator>CyberMenyaPro</dc:creator>
      <dc:date>2021-01-21T15:01:13Z</dc:date>
    </item>
    <item>
      <title>Re: DoD Cybersecurity Maturity Model Certification CMMC</title>
      <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42711#M3123</link>
      <description>&lt;P&gt;The CMMC AB is not going to do anything with DoD 8570 certifications. That certification requirement is based on individuals and CMMC is based on assessing and certifying an organization and their IT infrastructure to a specific level in the CMMC model.&amp;nbsp; The two are not connected so they are not competing. Nowhere in NIST 800-171 or CMMC does it specify that an individual needs any specific certification.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 21 Jan 2021 15:10:46 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42711#M3123</guid>
      <dc:creator>TXWayne</dc:creator>
      <dc:date>2021-01-21T15:10:46Z</dc:date>
    </item>
    <item>
      <title>Re: DoD Cybersecurity Maturity Model Certification CMMC</title>
      <link>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42723#M3124</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/989136085"&gt;@CyberMenyaPro&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;Dr. Shelton,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Are you saying that the CMMC AB is going to require or accept DOD 8570 Certifications in lieu of custom curriculum they are developing for the RP - Registered Practitioner, CP Certified Professional, and CA Certified Assessor programs? Because those sound like their own custom certifications complete with Maturity Levels.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;No, i am not saying that at all. I am not familiar with the CMMC details, so I cannot answer about the relationship between 8570 &lt;EM&gt;individual infosec/cybersec&lt;/EM&gt; certifications and &lt;EM&gt;role-specific&lt;/EM&gt; training required for individuals in CMMC assessor organizations that you list. I would assume, but do not know, that under 8570 requirements those seeking to qualify for those roles they would need 8570 certification plus the role-specific training.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;They are going to a lot of trouble to register vet and train LPP's and LTP's who will develop and teach their certification information which is describe as "rigorous". Additionally, they are also becoming a certification body under ISO/IEC 17020 &amp;amp; 11. So while I think you are right in the short term for the general DoD IT individual, I think they are reinventing the wheel for those practitioners working in CMMC eco system. This could lead to two competing standards. &lt;EM&gt;Hence my question. 
If the government is developing its own Cyber Security Certifications, why would they continue to support competing commercial certifications under 8570?&lt;/EM&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;I am not sure, but I think you may be missing an understanding of the nature of &lt;EM&gt;capability maturity models&lt;/EM&gt; (CMM). CMMs are used to evaluate organizations, not individual people. To prove it actuallyh is following the CMM requirements, an organization must undergo an audit or assessment of the policies, procedures, and records to prove they have documented processes that they actually follow in line with the CMM. The assessments are handled by approved assessing organizations, and the individual assessors that work the audits on-sie must be proven as knowledgeable in the field. 8570 establishes generic individual certifications for broad categories of infosec work types. However, there may be more specific training required to perform the work of very specific jobs. I think that is the CMMC role-linked training is that you list.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For another cybersec-related&amp;nbsp; program that evaluates contracted companies, but those companies must themselves be certified or accredited at a specified level, look at the federal cloud security provider (CSP) program under FedRAMP. For a cloud provider to get a contract to serve Federal systems they must undergo an external, independent assessment by an approved assessor organization. 
DoD has supplemented the general FedRAMP program with additional requirements for the level of sensitivity (or classification) of the data to be stored or processed in that cloud.&lt;/P&gt;&lt;P&gt;The CMMC program is somewhat similar to the DoD FedRAMP program in that they are looking at contractors that will be storing and processing government Controlled Unclassified Information on the organization's informtion systems.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The ISO/IEC certification body levels are another layer of showing trustworthy compliance with the desired level of performance.&lt;/P&gt;&lt;P&gt;It is all about who will check the checkers.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So, to reiterate, no, this is not duplication or re-inventing any wheel. It is about confirming and documenting capability and integrity of individuals (8570) and&amp;nbsp; organizations (FedRAMP &amp;amp; CMMC) to work with sensitive government information.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 21 Jan 2021 16:53:20 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/DoD-Cybersecurity-Maturity-Model-Certification/m-p/42723#M3124</guid>
      <dc:creator>CraginS</dc:creator>
      <dc:date>2021-01-21T16:53:20Z</dc:date>
    </item>
  </channel>
</rss>