As the exclusive accreditation partner for the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program, the Cybersecurity Maturity Model Certification Accreditation Body has worked to make itself an accessible partner for the Defense Industrial Base.
And to advance that goal, the board has rebranded as the Cyber AB, although its mission remains the same.
The rebrand is only a “Doing Business As” name, meaning that functionally nothing will change for the organization, other than its name and website (cyberab.org). The move, however, will allow the Cyber AB to protect both its name and trademark, while clearing up confusion about whether the Cyber AB was a government entity, according to Cyber AB Director and CEO Matthew Travis.
“There were probably two factors that drove this,” Travis told MeriTalk. “One was kind of the optics and the phonetics and then the other was more of being able to protect the logo. … When I arrived a little over a year ago, it struck me that our formal or formal name is the Cybersecurity Maturity Model Certification Accreditation Body Incorporated. That’s not an efficient way to do business.”
Travis lamented that even the shortened version of the name, then the CMMC-AB, was six letters. However, he said the new name keeps the most recognizable component of the organization’s initials, the AB, while generalizing it in a way that both works for current partnerships and can potentially grow with the organization down the road.
“CMMC is challenging enough to describe to someone in terms of the whole framework and how it works, at least let’s try and make the name easier,” Travis said. “I wanted a name that was more accessible. A lot of people call this ‘The AB’ for short, so the Cyber AB really speaks to that portfolio of what we do – we exist to further the third-party assessment of cybersecurity maturity – currently, with DoD and potentially elsewhere down the road.”
Additionally, the Cyber AB will be able to trademark its name and logo, which it was previously unable to do with the prior name. However, Travis made sure to clarify that as far as operations go, “nothing has changed.”
A Name to Grow Into
Travis said that in addition to making the name phonetically easier, and allowing the organization to trademark its content, the name change also allows the organization’s mission to potentially grow to include third-party cyber assessments for more than just the DoD.
“We did want a name that could grow as we grow and evolve,” Travis said. “Just in the year that I’ve been here I’ve had discussions with representatives of other departments of other sectors of critical infrastructure, and even other countries who are interested in the value that the CMMC model brings.”
“Having a CMMC assessment is one way to buy down risk and so we know that’s an over the horizon,” he said. “I could certainly see where cybersecurity is going and there will be other entities that will want to adopt the CMMC model. They may not call it CMMC because that’s a DoD term, but it could be something similar.”
The organization is still small, with just seven full-time staff, but its crop of assessors is growing. Around 450 CMMC third-party assessment organizations (C3PAOs) are seeking qualification as certified CMMC assessors, Travis said. At the moment, 15 companies have completed all the requirements to become assessors and have clients at the ready.
“The ecosystem is still growing,” Travis said. “The key, however, is: are there enough individuals to work for those companies? Are there enough people in a tight labor market that want to take the CMMC classes, take the high-stakes exam, and be a professional assessor for CMMC?”
“We’ve got an additional 200 provisional assessors that we essentially blessed over the past year to get things started, but we need more assessors to fill that demand. That’s really the X-Factor,” Travis said.
Preparing for CMMC 2.0
The CMMC program underwent a lengthy internal review last year, ultimately being updated into the CMMC 2.0 program with fewer maturity levels than its predecessor. The program is now in the rulemaking process, with a final rule now expected around May 2023, according to Travis.
Travis said the latest information came courtesy of Dr. Kelly Fletcher at the RSA Conference in San Francisco. Travis said a rule is expected to be submitted to the Office of Management and Budget in July, with an interim designation coming out in March 2023. After that, DoD would have 60 days for public comment before expecting the rule to go live.
“May of 2023 is when the Department expects the rule to be active and for CMMC to be eligible as a mandate,” Travis said. “Now, they’re not going to put them in every contract right away. They’re going to scale this and phase it in over the next three years, and I think people often lose sight even from the very beginning of CMMC 1.0. It was always designed to be not fully scaled until the beginning of fiscal year 2026. So, it’s over three years away from when this was to be fully mature.”
A common talking point on the CMMC circuit this spring has been the potential that companies that adopt and meet CMMC 2.0 requirements ahead of time and get assessed could have the clock not start running on their certificates until the rule is put into effect. Travis said the Cyber AB has had some of those conversations with the DoD and said he is “confident” that will be a formal incentive for early adoption.
“They were looking at a full range of incentives,” Travis said. “Is there a way to offset the cost for early adopters? Is there a way to give them more points on a request for proposal response?”
“When we looked at some of those, those would have to go back into rulemaking,” he explained. “So they only had so much legal room to offer incentives, but they were on solid grounds – I understand it – to go ahead and offer that extra, essentially, a year.”
“The three-year clock [on certification] won’t start until rulemaking is finished, and so if you have a company that gets assessed this summer, you’re essentially looking at a four-year certificate instead of three years.”
His message for DIB companies, or anyone looking to do business with the DoD: “start now.”
“This is not something that you want to wait for,” he emphasized. “This is not an inspection checklist. … It’s a standard. I think people get confused [and think], ‘This is compliance.’ This is conformance. The compliance is in the DFARS (Defense Federal Acquisition Regulation Supplement) rule that you must be certified to bid on DoD contracts. If you don’t comply, you can’t bid. But the actual standard isn’t compliance, it’s conformance.”
“You’ve got to have these policies, procedures, the mindset, resources, the investment, and the awareness and the maintenance to show that you’re meeting that standard,” Travis said.