CMMC Town Hall
Cyber AB Townhall
The Cyber AB Townhall on March 26 mostly dealt with the timeline for the proposed rules and public comments. Following that discussion was a discussion of how training is to change once the rules are finalized and CMMC is officially part of new solicitations. Finally, there was a discussion of the independent CMMC Industry Standards Council.
Public Comments
There were 787 comments received of which 368 are currently posted.
Reasons for the 411 comments not posted include:
- Many comments were repeated in various forms – so the most “complete comment
from the group was posted. - Some comments were “snarky” – questioning why the CMMC even exists. These comments were deemed not useful.
- Some comments contained proprietary information not suitable for a public forum.
- POA&M should be allowed 1 year for closeout.
Most Likely Timeline
The real issue is that the final review by OIRA needs to be submitted to congress 60 days before the end of the year to allow Congress time to read / approve / sign into law. If Congress does not act within the 60-day window the review will fall to the next Congress. So the most aggressive timeline show new solicitations including CMMC requirements starting in March 2025. Most likely timeline is that it slips to second quarter of 2025.
Training
All training that is being presented DOES NOT reflect the interim rules. As such when the rules are finalized all training will need to be redone and updated tests will be based on the final rule. It is not clear if people taking training now will need to pay for the updated version or updated tests. It is estimated that updates to the training and testing package will take 12-24 months.
There is a new role in the proposed (interim) rule called a Lead Certified CMMC Assessor (lead CCA). This role is a CCA with management / program management skills to lead an assessment. This will require new training and certification.
CMMC Industry Standards Council
This is a new organization – dedicated to addressing some of the more difficult issues with CMMC. Issues like how External Service Providers (CSP, E-Mail, MSP, MSSP) are to be evaluated under the CMMC model. The are trying to develop best practices that OSC and ESP can adopt to comply with CMMC requirements. Please note: The council has NO OFFICIAL DOD standing. This is a voluntary organization comprised of companies and personnel that have a vested interest in CMMC. This includes tool vendors, cloud providers and industry consultants.
Finally – we have been asked if the CMMC notes could be posted where they can be quickly referenced in addition to the e-mail. Starting next month – there will be a hyperlink to the ASCERTIS.Solutions web portal where current and past CMMC townhall notes can be viewed.
Reminder:
Lastly – if you are a company going through the CMMC process, and find you lack policies, procedures, handbooks – we have these artifacts that you can tailor to your specific organization. Companies have saved hundreds of labor hours using these documents.
Also, for current clients of ASCERTIS. DOD has changed how the scorecard is being used for RFP assessment. Previously the only criteria were the submission of the cyber scorecard. Now they are using the actual score. For those that purchased the Level 1 assessment engine, it is recommended that you upgrade to the level 2 assessment engine so that you can credit for <some> of the 93 controls that are not in level 1.
Also, for current clients of ASCERTIS, if you recommend our application or documents to another organization which results in a purchase, we will pay your organization 10% of the initial sale price.
Why Choose ASCERTIS Solutions
ASCERTIS Solutions can conduct a security assessment of a small business in a week and provide a roadmap for your company to implement a cyber defense strategy that fits your budget. Trained security professionals can be hired on a part-time basis to fill the role of Chief Cyber Security Officer (CISO) to assure that your roadmap is implemented in a timely and cost-effective fashion.
If interested, please contact [email protected].