General

Where can I get the latest information about the CMMC-AB?
  • Our website and newsletter provide the latest information.
When will the CMMC-AB be formally created?
  • The CMMC-AB is expected to incorporate in January 2020.  We are accepting self-nominations for the board of directors through January 14, 2020 at 5 pm.  Once the board is finalized it will approve corporate bylaws, formally engage in an MOU (memorandum of understanding) with DoD and begin hiring a professional staff to execute the CMMC-AB’s mission.

Prospective Assessors

Where can I get trained as an Assessor?
  • Since training does not yet exist, there are no locations approved to provide certified CMMC Assessor Training.
When do you expect Assessor training to be available?
  • The DoD has indicated that it will provide initial training guidance to the CMMC-AB in the first quarter of 2020.  We expect to work diligently from those materials to make training available as quickly as is practical, while balancing the need for quality, consistency, and speed.
If someone has several active Cybersecurity related certifications such as CISSP, CISM, or CISA, do they still have to start with the CMMC Certified Professional level? Is there a credit level applied for being certified and practicing Cybersecurity for several years?
  • The CP is a “gateway” certification and proves out your knowledge of CMMC - not just cybersecurity.  
     
    While CMMC is based on much of NIST 800-171, there are additional practices and content for developing processes that are institutionalized.  So all Certified Assessor candidates will need to first become CPs.
 

Prospective C3PAOs

My company already performs assessments under other standards/frameworks.  Can we start offering CMMC assessments?
  • The CMMC Standard is not yet finalized and no Assessors or C3PAOs are formally accredited or certified by the CMMC-AB. Therefore, it is currently inappropriate for any Assessor or C3PAO to claim to provide formal CMMC assessments that will meet the requirements for a DoD contract.
What about pre-assessments?
  • To be clear, offering pre-assessments or consulting using the most current draft of the standard is acceptable and encouraged. However, it is not currently appropriate for any vendor to offer a formal CMMC assessment claiming that is authorized by the CMMC-AB.

Organizations Seeking Certification

Do you have a list of Assessors who have received formal, CMMC-AB authorized training?
  • The CMMC-AB will publish a publicly available list of Assessors after the standard is complete, the training is developed, and Assessors are certified to provide CMMC certification.  However, the CMMC is still being finalized and the related training materials are still under development by DoD and the CMMC-AB. Accordingly, formal training is not yet available, and no Assessors are yet trained.
Do you have a list of accredited C3PAOs?
  • Not yet. The CMMC-AB is building the C3PAO accreditation process with formal adoption and approval by the CMMC AB in the coming months.  No C3PAOs are yet formally designated nor accredited by the CMMC-AB, therefore we cannot provide a list.
  • If the CMMC standard is still in flux and there aren’t any Assessors or C3PAOs, should an organization wait for the final standard to be available before it begins preparing for CMMC?
    • In short, NO!  If your organization conducts business with the DOD and your contract includes the DFARS 252.204.7012; you must comply with the guidance identified in NIST SP 800-171.  Ensuring compliance with that current DFARS regulation has the benefit of easing compliance with CMMC when it is complete. We suggest organizations start preparation now.
    •  Although the CMMC standard is not finalized, the publicly available early drafts provide good insight for organizations wishing to get ahead of the CMMC compliance process.
I heard that all DoD contracts will include a CMMC requirement starting in September 2020; is that true?
  • We do not speak for the DoD, but they have previously indicated that they intend to introduce CMMC requirements into solicitations on a gradual basis starting in September 2020. We do not have any more detailed visibility into DoD’s specific plan.
  • According to reports in Federal Computing Week (https://fcw.com/articles/2020/01/09/cmmc-chair-cyber-cert.aspx), the Department of Defense has indicated that a subset of contracts will initially be chosen for application of the CMMC requirement.
When will DoD release Version 1.0 of the CMMC?
  • We are not the DoD and cannot speak for them.  Previously published reports suggested that it will be ready by the end of January.
What is DoD’s expectation with respect to "________"?
  • We are not the DoD and cannot speak for them.
Board Ethics

Site Improvements? webmaster@cmmcab.org
© 2020 CMMC (Cybersecurity Maturity Model Certification) Accreditation Body