cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
N_Bakewell
Newcomer II

DoD Cybersecurity Maturity Model Certification

For a new DoD contractor requirement that is supposedly being released in January, just a few weeks from now, the industry and the DoD sure have seemed quiet about the CMMC.  Have any of you been taking preparatory steps?  Have any good resources besides the draft and FAQ (https://www.acq.osd.mil/cmmc/faq.html) ?  The FAQ says the first version will be released in January and then implemented as a requirement starting in June, which is a pretty quick time frame considering they haven't even specified how third party assessors become certified to issue CMMCs.

11 Replies
CraginS
Defender I


@N_Bakewell wrote:

(https://www.acq.osd.mil/cmmc/faq.html) ?  The FAQ says the first version will be released in January and then implemented as a requirement starting in June, which is a pretty quick time frame considering they haven't even specified how third party assessors become certified to issue CMMCs.


This is gonna get VERY interesting. Recalling that DoD is still doing a shoddy job of enforcing the individual certifications requirements under 8570, I will be watching for how long it takes them to actually put the CMMC into contracts and enforce them for companies.

 

Craig

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
Caute_cautim
Community Champion

This is certainly going to become very interesting indeed - the Australian Government are doing a similar scheme via the IRAP certification to ensure that Federal Government agencies comply with mandated controls.  Someone is going to be making a lot of money, and the rush to get certified will generate a lot of jobs for years to come.

 

https://www.cyber.gov.au/irap/irap_assessments

 

Regards

 

Caute_cautim

TXWayne
Newcomer II

Well I assure you this is happening.  They have come to the realization that the initial aggressive timeline was a bit too unrealistic but you can expect CMMC to be in about 15 "pathfinder" contracts in the fall time frame with that flowing down to about 100 suppliers below.  There will be opportunities to 3PAO's, individual and organizations, to perform the assessments. Biggest thing I see now are the snake oil salesmen out trying to tell folks they can sell you something to make you CMMC compliant, ummmmm no......

Caute_cautim
Community Champion

@TXWayne   This is interesting, whilst the Australian Security Directorate, have told all those who went through the IRAP certification process, that the certification for Cloud will be dropped in July 2020.   The rationale is to open up competition - more likely a lot more work by the Agencies themselves to verify whether or not they should be using cloud services from those entrepreneurs, who may have very little regard for security & privacy.

 

A big headache coming up I reckon.

 

Regards

 

Caute_cautim

CyberNorris
Viewer

The rule will be final at the end of this month. This is getting real.

 

I'm working for a company that has been doing NIST 800-171 assessments and is already doing CMMC assessments. We are in line to be a CMMCAB Registered Practitioner. 

 

Regards,

 

Norris Carden

MADSecurity

CyberMenyaPro
Viewer II

Does anyone know what happens to DoD 8570 certifications like the CISSP once CMMC is fully implemented?  It seems as though they may be reinventing the wheel on Cyber Security Training when there are already 100's of certifying organizations like ISC2 providing this globally recognized training. 

CraginS
Defender I


@CyberMenyaPro wrote:

Does anyone know what happens to DoD 8570 certifications like the CISSP once CMMC is fully implemented?  It seems as though they may be reinventing the wheel on Cyber Security Training when there are already 100's of certifying organizations like ISC2 providing this globally recognized training. 


Samuel,

I am no longer working in that arena, but for many years I was directly  involved with and tracking 8570 aspects and implementation. That said, I doubt that will CMMC will subsume or replace the basic 8570 structure. That is because 8570 is about the certified capability of individual infosec workers, including DoD employees, military members, and contractors. CMMC, on the other hand, is about the organizational expertise and approach of contracted companies performing infosec work for DoD. CMMC is not about individual certifications, It is about the processes a company has established and can prove they follow in dong infosec work.

This is not a wheel re-invention, it is about adding a second wheel to your vehicle.

 

Summary: CMMC will not cause 8570 to go away because it supplements 8570, rather than replace it. 

 

Craig

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
TXWayne
Newcomer II

What Craig says is correct but I wouldn't even say CMMC supplements 8570, there really is no connection between the two at all for the reasons he described.   

CyberMenyaPro
Viewer II

Dr. Shelton,

 

Are you saying that the CMMC AB is going to require or accept DOD 8570 Certifications in lieu of custom curriculum they are developing for the RP - Registered Practitioner, CP Certified Professional, and CA Certified Assessor programs? Because those sound like their own custom certifications complete with Maturity Levels.

They are going to a lot of trouble to register vet and train LPP's and LTP's who will develop and teach their certification information which is describe as "rigorous". Additionally, they are also becoming a certification body under ISO/IEC 17020 & 11. So while I think you are right in the short term for the general DoD IT individual, I think they are reinventing the wheel for those practitioners working in CMMC eco system. This could lead to two competing standards. Hence my question. If the government is developing its own Cyber Security Certifications, why would they continue to support competing commercial certifications under 8570?

 

Thanks