Last week, the first group of Cybersecurity Maturity Model Certification (CMMC) assessors began their training.
According to a press release by the CMMC Accreditation Body (CMMC-AB), 73 Provisional Assessors – out of several hundred who applied – have begun their training and will soon be ready to conduct assessments during a provisional period. The goal is “to create a strong and diverse pool of Provisional Assessors to provide the CMMC-AB, the subjects of the pilots, the pathfinders and DoD valuable feedback about their experience with the assessment process”, according to the CMMC-AB. The training is expected to be completed by the end of the month.
Whilst the Provisional Assessors will be performing mock assessments during this initial phase, after a summer of delays and uncertainty, this is a welcome announcement for both defense industrial base (DIB) companies as well as those looking to offer CMMC-related services. However, additional steps are still required before CMMC becomes law of the land. For that to happen, the DoD is still waiting for the Office of Management and Budget (OMB) to clear a rule change to the Defense Federal Acquisition Regulations (DFAR) that would result in CMMC clauses being included in defense contracts.
Although the rule change is expected before the end of 2020, the US government is already including CMMC language in some contracts, according to Katie Arrington, who is leading the CMMC initiative within the DoD Office of the Under Secretary of Defense for Acquisition and Sustainment. Ms Arrington has cited the example of the General Services Administration’s (GSA) contract for its STARS III program — posted in July — which stipulated that GSA “reserved the right” to have CMMC implemented in future task orders. This aligns with wider thinking around CMMC – that whilst DoD might be leading the effort and acting as the first adopter, CMMC is likely to be embraced by other US government agencies, and potentially even the private sector.
As we move closer to the next phase of the CMMC program, greater attention will now be focused on establishing baseline assessments of compliance with the framework and beginning to prepare for official assessments. At Titania, we continue to track developments related to CMMC and build partnerships with those organizations seeking to provide CMMC services – whether as a CMMC Third Party Assessor Organization (C3PAO) or a Registered Provider Organization (RPO). Using Titania software, C3PAOs, RPOs or internal network security teams can assess their network devices for compliance with 33 of the CMMC Network Device Security Practices across the following eight Domains:
• Access Controls (AC)
• Audit & Accountability (AU)
• Configuration Management (CM)
• Risk Management (RM)
• System & Communications Protection (SC)
• Asset Management (AM)
• Identification & Authentication (IA)
• Security Assessment (CA)
Taking just minutes to set up and generate accurate reports, Nipper automates the line-by-line analysis of your device configuration and operating system data, detecting precise security and compliance risks.
Already in service with all four arms of the DoD, Titania Nipper is trusted to automate the configuration assessments of core network devices against DISA STIG and CIS benchmarks to prove compliance with Risk Management Frameworks such as DISA RMF, NIST CSF, NIST 800-53/171 and CMMC. Indeed, Nipper’s proven accuracy advantage is estimated to save the DoD up to 3 hours per device by not investigating false positives reported by other compliance tools.
For more information on how Titania can automate CMMC compliance assessments for your organization or clients, join our upcoming webinar on October 7.
Matt Malarkey