CMMC stakeholders are concerned about the progress, or fate, of the certification model due to changes in leadership at DoD Acquisition & Sustainment, several missed deadlines, and a lack of reassurance from CMMC leadership. Several incidents have taken place in the last few months.
- The CMMC PMO has been very quiet. It has greatly reduced its public statements and appearances over the past two months.
- The monthly CMMC-AB Town Hall didn't take place in May.
- Also in May, the CMMC Scoping Guide was due to be released, but that has yet to happen.
- The CMMC PMO has not released the final CMMC rule.
- No guidance has been provided to C3PAOs on how to organize and report assessments; that guidance was due in April.
- Licensed Training Publishers have not received the exact direction that was due last year.
Admittedly, these are big delays, and it is natural that stakeholders might get frustrated. However, these delays point to bureaucracy and loss aversion more than anything else.
Now, let's think logically and get straight to the point. If CMMC were out of the equation, we would probably see the following signs:
- DIBCAC assessments of candidate C3PAOs would stop.
- Members of the CMMC-Accreditation Body would resign in protest or quit.
- The government would not be releasing executive orders and holding congressional hearings about the criticality of cybersecurity.
So, is CMMC out of the equation?
The answer is a resounding 'NO', as none of the above has taken place. The US really needs a comprehensive cybersecurity strategy, and supply chain risk is a top priority for the administration, as shown by the release of Executive Order 14028. The basic concept of CMMC is a good one. Right now, the model is simply suffering from a lack of official guidance.
Why the delay? Look to the C3PAOs
The "CMMC Third-Party Assessor Organizations", or C3PAOs, are at the heart of the CMMC model. They are the only entities authorized to enter into contracts with defense contractors to perform an assessment. Hence, the DoD has set very tough requirements that C3PAOs must meet before they can actually start work. These requirements appear to be causing all of the delays because of dependency bottlenecks.
- C3PAOs must pass a CMMC assessment by DIBCAC for their own information system. The bottleneck: at present, DIBCAC can perform only 20-30 CMMC assessments per year, whereas more than 450 companies have already applied to become C3PAOs.
- C3PAOs need to have at least 4 assessors on staff with Tier 3 background adjudication. The bottleneck: C3PAOs have not been allowed to submit their staff for Tier 3 background checks.
- C3PAOs must have procedures in place for performing assessments before they are finally approved. This is obviously important, but the bottleneck is that neither the DoD nor the CMMC-AB has provided any guidance yet.
The good side of it
Yes, the long wait is painful, but there is a good side to it. As a contractor, if you are not ready (almost 90% are not), these delays give you more time. The slow rollout gives you a window to build knowledge of the exact requirements needed to pass the CMMC assessment.