Re: DoD Cybersecurity Maturity Model Certification CMMC
The CMMC AB is not going to do anything with DoD 8570 certifications. That certification requirement is based on individuals and CMMC is based on assessing and certifying an organization and their IT infrastructure to a specific level in the CMMC model. The two are not connected so they are not competing. Nowhere in NIST 800-171 or CMMC does it specify that an individual needs any specific certification.
Are you saying that the CMMC AB is going to require or accept DOD 8570 Certifications in lieu of custom curriculum they are developing for the RP - Registered Practitioner, CP Certified Professional, and CA Certified Assessor programs? Because those sound like their own custom certifications complete with Maturity Levels.
No, i am not saying that at all. I am not familiar with the CMMC details, so I cannot answer about the relationship between 8570 individual infosec/cybersec certifications and role-specific training required for individuals in CMMC assessor organizations that you list. I would assume, but do not know, that under 8570 requirements those seeking to qualify for those roles they would need 8570 certification plus the role-specific training.
They are going to a lot of trouble to register vet and train LPP's and LTP's who will develop and teach their certification information which is describe as "rigorous". Additionally, they are also becoming a certification body under ISO/IEC 17020 & 11. So while I think you are right in the short term for the general DoD IT individual, I think they are reinventing the wheel for those practitioners working in CMMC eco system. This could lead to two competing standards. Hence my question. If the government is developing its own Cyber Security Certifications, why would they continue to support competing commercial certifications under 8570?
I am not sure, but I think you may be missing an understanding of the nature of capability maturity models (CMM). CMMs are used to evaluate organizations, not individual people. To prove it actuallyh is following the CMM requirements, an organization must undergo an audit or assessment of the policies, procedures, and records to prove they have documented processes that they actually follow in line with the CMM. The assessments are handled by approved assessing organizations, and the individual assessors that work the audits on-sie must be proven as knowledgeable in the field. 8570 establishes generic individual certifications for broad categories of infosec work types. However, there may be more specific training required to perform the work of very specific jobs. I think that is the CMMC role-linked training is that you list.
For another cybersec-related program that evaluates contracted companies, but those companies must themselves be certified or accredited at a specified level, look at the federal cloud security provider (CSP) program under FedRAMP. For a cloud provider to get a contract to serve Federal systems they must undergo an external, independent assessment by an approved assessor organization. DoD has supplemented the general FedRAMP program with additional requirements for the level of sensitivity (or classification) of the data to be stored or processed in that cloud.
The CMMC program is somewhat similar to the DoD FedRAMP program in that they are looking at contractors that will be storing and processing government Controlled Unclassified Information on the organization's informtion systems.
The ISO/IEC certification body levels are another layer of showing trustworthy compliance with the desired level of performance.
It is all about who will check the checkers.
So, to reiterate, no, this is not duplication or re-inventing any wheel. It is about confirming and documenting capability and integrity of individuals (8570) and organizations (FedRAMP & CMMC) to work with sensitive government information.