The fifteen-member Cybersecurity Maturity Model Certification (CMMC) Accreditation Body hosted an online meeting of thousands today, with the biggest news being that no third-party assessment groups have yet been appointed to help the Defense Department (DoD) in its effort to create formal cybersecurity certifications for defense industrial base firms.
Board Member James Goepel, who chairs the Finance Committee of the Accreditation Body, called cyber an “existential issue for us as a nation,” and said the CMMC provides “great uniformity” for businesses to improve their cyber practices.
Though technical difficulties cut the webinar short, Goepel said that no Certified Third-Party Assessment Organizations (C3PAOs) had been selected yet, and that the selection of C3PAOs was still “very much a work in progress.”
Goepel said organizations looking to meet the Department of Defense’s certification should start with the National Institute of Standards and Technology (NIST) Special Publication 800-171. “It is a core part of our foundation for what CMMC is,” he said.
Board Member John Weiler wrote in a comment that “NIST 800-171 is a subset of CMMC.” He added in another comment that “Self-assessments did not work.”
“Now we are implementing a no-trust, must verify approach,” Weiler said.
CMMC Accreditation Board Chairman Ty Schieber estimated that there were 2,500 people on the call. Technical difficulties prevented Katie Arrington, the CISO for acquisition at the Department of Defense, from joining the conversation.
“We are going to do a redo, with a different delivery format that will allow people to consume it without challenge,” said Board Member Mark Berman, in an email to MeriTalk. “We won’t be providing a recording of today’s event given the technical issues in the delivery.”