As much of the World grinds to a halt with the spread of COVID-19, the Department of Defense (DoD) and the CMMC Accreditation Body (CMMC AB) are charging forward with implementing the CMMC.  The CMMC AB is charged with several large tasks to make the CMMC a success, which include certifying CMMC auditors and C3PAOs (the companies who employ the CMMC auditors).  Both the CMMC auditors and the C3PAOs must meet a set of requirements being established by the CMMC AB in order to perform the network assessments/audits that will be recognized by the DoD as meeting the new CMMC requirement.  The DoD intends to include the CMMC requirements in 10 new requests for proposals (RFPs) in fall 2020.  The DoD estimates that 1,000 companies will be impacted by the CMMC requirement in the initial 10 RFPs.  The current timeline of the CMMC implementation will require all 1,000 companies to receive their CMMC certification by time of contract award, which could be as late as June 2021 (let us assume June 1st for now).  

The CMMC AB intends to qualify CMMC auditors via in-person CMMC auditor training.  The auditor training will be conducted by trainers who are trained by the CMMC AB.  Only auditors who attend the approved CMMC auditor training will be considered qualified to conduct the CMMC audits recognized by the DoD. The CMMC AB plans to launch initial train-the-trainer training in April 2020.  It is unclear how long the training for auditor trainers will last, and what the throughput will be, but let’s say that CMMC AB approved auditor training for auditors had planned to begin in earnest in June 2020.  With COVID-19 making in-person training impossible for the foreseeable future (as evidenced by many state school systems canceling in-person classes until the 20-21 school year), it is unclear if training for trainers will kick off in April as planned.

For simplicity, let’s also assume that each audit takes on average two weeks and requires two auditors to complete, realizing that CMMC Level 5 audits will require more time and manpower than a CMMC Level 1 audit.  In order to prevent a bottleneck in the DoD supply chain on June 1, 2021, more than 60 auditors need to be certified by the CMMC AB each month starting in June 2020.  It is difficult to see how the current method of training-the-trainer and conducting certified CMMC auditor training will meet this initial demand, let alone see how it will scale to meet the exponentially growing demand over the next five years.  In addition to in-person training not being easily scalable (especially given that the current CDC guidance suggests no gathering larger than 10 people), the flaws in this method is even more apparent in this new COVID-19 reality of telework and widespread government mandated lockdowns.  It is hard to know exactly when training could commence.  

Instead of continuing with the model for training trainers, providing training to auditors, and waiting out a world-wide pandemic, the CMMC AB should spend its limited time and manpower developing a CMMC auditor certification.  According to the American National Standards Institute (ANSI) National Accreditation Board (ANAB) “a certification reflects attainment of established criteria for proficiency or competency in a profession or occupation and is granted upon an assessment of an individual’s knowledge, skills, and abilities. Certification is valid for a specific time period. A certification program has ongoing requirements for maintaining proficiency or competency and can be revoked if ongoing requirements are not met.”  Creating a CMMC auditor certification is a scalable model for qualifying auditors around the globe in a short amount of time.  

ANSI does not allow an organization that owns a certification to also conduct training for that certification.  This practice prevents organizations from simply training personnel to pass a test.  It allows only third parties without knowledge of the examination criteria to provide training on the knowledge, skills, and abilities that are tested for in the certification exam.  Establishing the CMMC auditor certification frees the CMMC AB from having to conduct CMMC auditor training.  Instead, the CMMC AB could partner with established training companies to enable them to provide official CMMC auditor training in a much more scalable manner.  Companies that specialize in training can rapidly develop and deploy CMMC auditor training through established training pipelines, including through online and virtual formats that are nearly impervious to the COVID-19 limitations.  

The Department of Defense has been using ANSI approved certifications to set baseline qualification standards since 2005 when DoD CIO published DoD 8570.01-Manual.  8570.01-Manual established a list of baseline certifications for the DoD Cybersecurity Workforce. Personnel performing cybersecurity functions must obtain one of the certifications listed for their position category or specialty and level in order to be considered qualified for their position.  In the same way that having an approved 8570.01-Manual certification does not guarantee that an employee is fully qualified, having a CMMC auditor certification would be a good baseline qualification standard but does not guarantee a fully qualified CMMC auditor.  Cybersecurity auditors have existed for at least 10 years, so the concept for creating CMMC auditors is not entirely novel.  The CMMC AB could put in place a robust set of experiential requirements for CMMC auditors, to add to the CMMC auditor certification, to ensure they have the most qualified CMMC auditors possible.  

The new reality created by COVID-19 has caused even the oldest institutions to reconsider how they currently conduct business, and the CMMC AB should similarly adjust.  There is still time to make these changes, and the CMMC AB should strongly consider this alternate path to qualifying auditors. Creating a CMMC Auditor certification will create a larger auditor workforce in a shorter amount of time, and has the ability to ensure a more highly qualified auditor workforce than CMMC AB auditor training alone can provide.

—————

Leslie Weinstein is an Army veteran and management consultant with 14 years of experience in intelligence and cyber operations, and strategy and policy consulting with eight years of experience in a joint environment, and three years of experience at the OSD level. Five years of active duty, complementing eight years as a federal civilian and consultant provides her a diverse and unique skill set that she has successfully leveraged to solve some of the most complex issues facing the Department of Defense.