Where can I get the latest information about the CMMC-AB?
- Our website and newsletter provide the latest information.
When will the CMMC-AB be formally created?
- The CMMC-AB is expected to incorporate in January 2020. We are accepting self-nominations for the board of directors through January 14, 2020 at 5 pm. Once the board is finalized it will approve corporate bylaws, formally engage in an MOU (memorandum of understanding) with DoD and begin hiring a professional staff to execute the CMMC-AB’s mission.
Certified Professionals (CP) and Certified Assessors (CA)
Where can I get trained as an Assessor?
- Since training does not yet exist, there are no locations approved to provide certified CMMC Assessor Training.
When do you expect Assessor training to be available?
- The DoD has indicated that it will provide initial training guidance to the CMMC-AB in the first quarter of 2020. We expect to work diligently from those materials to make training available as quickly as is practical, while balancing the need for quality, consistency, and speed.
If someone has several active Cybersecurity related certifications such as CISSP, CISM, or CISA, do they still have to start with the CMMC Certified Professional level? Is there a credit level applied for being certified and practicing Cybersecurity for several years?
- The CP is a “gateway” certification and proves out your knowledge of CMMC - not just cybersecurity.
While CMMC is based on much of NIST 800-171, there are additional practices and content for developing processes that are institutionalized. So all Certified Assessor candidates will need to first become CPs.
Can a CP or CA provide CMMC consulting services to OSCs?
- Yes, provided the CP or CA does not participate in the assessment of an OSC to which the CP or CA has provided consulting services.
How long are CP and CA certifications valid?
- CP and CA certifications are linked to the major version of the CMMC Model. When a new major version (e.g. CMMC Model Version 2.0) of the CMMC Model is released, the CP and CA will need to attend formal training and pass the corresponding examination. CPs and CAs must also complete any ongoing continuing education requirements set by the CMMC-AB.
When will CP and CA training be available?
- CP and CA training is expected to be available beginning in the first quarter of 2021.
Registered Practitioners (RP)
How long is an RP’s registration valid?
- Each RP must renew their registration, including undergoing training, annually.
When will RP training be available?
- RP training is expected to be available beginning in July 2020.
Will RPs have access to updated training?
- Yes. The CMMC-AB’s materials are likely to continue to update and evolve and we will ensure RPs have access to the training materials, including any updates, during the time their registration is valid.
CP (Certified Professional) vs. RP (Registered Practitioner)
Can I be an RP and a CP?
- Yes. However, CPs and CAs are not permitted to provide consulting services, regardless of whether pre- or post-assessment, to the OSCs they are assessing or have assessed. Put another way, your company and you must choose whether to perform assessments or provide consulting services for each individual OSC.
What are the differences?
My company already performs assessments under other standards/frameworks. Can we start offering CMMC assessments?
- The CMMC Standard is not yet finalized and no Assessors or C3PAOs are formally accredited or certified by the CMMC-AB. Therefore, it is currently inappropriate for any Assessor or C3PAO to claim to provide formal CMMC assessments that will meet the requirements for a DoD contract.
What about pre-assessments?
- To be clear, offering pre-assessments or consulting using the most current draft of the standard is acceptable and encouraged. However, it is not currently appropriate for any vendor to offer a formal CMMC assessment claiming that is authorized by the CMMC-AB.
Will Third-Party Providers (TPP), like Managed Service Providers (MSP), who support Organizations Seeking Certification (OSC) by contract that receive, store, and transmit* FCI/CUI data be required to be CMMC certified?
- Basic Answer. TPPs are expected to be required to certify under the DoD rule change.
- More Details. TPPs MUST meet CURRENT DFARS 252.204-7012 requirements if they receive, store, and transmit CUI data under DFARS 252.204-7012(m). MSPs must also meet unique requirements in 252.204-7012(b)(2)(ii)(D). Those requirements should be represented "word for word" within the contract terms and conditions or service level agreement (SLA). The TPPs, until they are CMMC certified, must participate during the assessment of the OSC to validate and verify certain practices and requirements between the OSC and TPP for certification.
- TPP Exception: TPPs that only provide services such as "maintenance", "consulting services", etc., and that only require "access" but do not receive, transmit, or store FCI/CUI from an OSC's environment, could then be included as any other "1099 subcontractor" with remote or direct system access. All device(s) and personnel training, practices, processes and governance required of the OSC would govern the TPP's contracted activities.
Why should an OSC engage an RPO to provide CMMC consulting services?
- Many OSCs need assistance in preparing for an assessment. Engaging an RPO to provide assessment preparation services ensures that the OSC is engaging a company and individuals who are committed to excellence and ethical behavior, and individuals who have received formal training in the CMMC-AB’s approach to CMMC assessment and compliance.
RPO vs. C3PAO
What is the difference between a Registered Provider Organization and a C3PAO?
- Registered Provider Organizations are companies that provide pre-assessment consulting services to government contractors and other organizations seeking certification (“OSCs”). CMMC Third-party Assessment Organizations (“C3PAOs”) are organizations that focus on assessing the OSCs against CMMC requirements using the tools and techniques approved by the CMMC-AB.
Can my company be both an RPO and a C3PAO?
- Yes. However, C3PAOs are not permitted to provide consulting services, regardless of whether pre- or post-assessment, to the OSCs they are assessing or have assessed. Put another way, your company must choose whether to perform assessments or provide consulting services for each individual OSC.
Organizations Seeking Certification
Do you have a list of Assessors who have received formal, CMMC-AB authorized training?
- The CMMC-AB will publish a publicly available list of Assessors after the standard is complete, the training is developed, and Assessors are certified to provide CMMC certification. However, the CMMC is still being finalized and the related training materials are still under development by DoD and the CMMC-AB. Accordingly, formal training is not yet available, and no Assessors are yet trained.
Do you have a list of accredited C3PAOs?
- Not yet. The CMMC-AB is building the C3PAO accreditation process with formal adoption and approval by the CMMC-AB in the coming months. No C3PAOs are yet formally designated nor accredited by the CMMC-AB, therefore we cannot provide a list.
If the CMMC standard is still in flux and there aren’t any Assessors or C3PAOs, should an organization wait for the final standard to be available before it begins preparing for CMMC?
- In short, NO! If your organization conducts business with the DoD and your contract includes DFARS 252.204-7012, you must comply with the guidance identified in NIST SP 800-171. Ensuring compliance with that current DFARS regulation has the benefit of easing compliance with CMMC when it is complete. We suggest organizations start preparation now.
- Although the CMMC standard is not finalized, the publicly available early drafts provide good insight for organizations wishing to get ahead of the CMMC compliance process.
I heard that all DoD contracts will include a CMMC requirement starting in September 2020; is that true?
- We do not speak for the DoD, but they have previously indicated that they intend to introduce CMMC requirements into solicitations on a gradual basis starting in September 2020. We do not have any more detailed visibility into DoD’s specific plan.
- According to reports in Federal Computer Week (https://fcw.com/articles/2020/01/09/cmmc-chair-cyber-cert.aspx), the Department of Defense has indicated that a subset of contracts will initially be chosen for application of the CMMC requirement.
What is the current version of the CMMC Model?
- Check our page where we will publish the CMMC-AB Standard. It will always have a link to the current version of the DoD CMMC model and any materials that DoD publishes. https://cmmcab.org/standard.
What is DoD’s expectation with respect to "________"?
- We are not the DoD and cannot speak for them.