CMMC Blog

An ongoing series of original and candid CMMC thoughts and insights

Who are the CMMC Provisional Assessors?

July 15, 2020

Written by:  Leslie Weinstein

Originally published here: https://medium.com/@leslie_8039/cmmc-provisional-assessors-69a3ff1e58c0

The first year of the CMMC implementation is being called a “pilot” program. Usually, pilot programs within the Department of Defense are smaller test cases for larger and more expensive programs, run to ensure that the concept is viable; the results of the pilot are used to make tweaks and modifications to the program before it is rolled out into a larger and longer-term project. Usually, pilot programs conclude before the long-term plans are settled. Pilot programs are heavily scrutinized, and reports upon reports are generated and briefed to senior leaders within the sponsoring agency. The CMMC, however, seems to be charting a different path. The CMMC pilot program will be running concurrently with ongoing efforts by the CMMC-AB to roll out a long-term training and certification program for CMMC assessors. Nevertheless, the CMMC pilot program will still be critical for providing important metrics and indicators of long-term success and viability. According to the DoD, there will only be 10 or 15 new requests for proposals (RFPs) that contain the CMMC requirement during the pilot program, with an estimated 1,500 companies being impacted.


The key to the CMMC’s long-term success will be the success of the CMMC pilot program. The CMMC pilot program begins this year and includes the use of provisional assessors. The CMMC-AB said that more information about the provisional assessors would be available on July 6th, but today is July 15th and we don’t have any clarifying information. It is not as if an assessment and audit industry does not already exist, so what is the hold-up with establishing and publishing the qualification standards and selection process for the provisional assessors?


The CMMC-AB is responsible for training and certifying the provisional assessors for the pilot program. The CMMC-AB has stated that they plan to select 60 provisional assessors for the CMMC pilot program, and these 60 assessors will be responsible for assessing the initial 1,500 companies. These 60 assessors will be instrumental to the success and the longevity of the CMMC program. It is essential that the provisional assessors are highly skilled and qualified, so who will they be and where will they come from?


On May 21, 2020 in a “National Conversation” video posted to the AB’s website, Ben Tchoubineh, the CMMC-AB’s Training Committee Chairman, had the following statement regarding the 60 provisional assessors:


“We’re going to go out to industry and recruit what I call the first class of Assessors…Now this is going to be a very select group of seasoned and highly experienced Assessors and we’re going to look for 60 candidates to pass the exam and go through the course of pass the exam and be part of the first class. Remember these guys are going to work with us in a very close manner you know under lots of control and making sure that in this limited way we learn from them and they learn from us. Now the details of the application process have actually been worked out and we’re going to be getting that out there very soon to allow C3PAO organizations and their Assessor candidates to apply and after they’ve applied and we’ve selected the 60 candidates we’re going to start their training sometime in the summer.” -Taken from YouTube transcripts: https://www.youtube.com/watch?time_continue=1499&v=GbQenucsehg&feature=emb_logo


Is the CMMC-AB going to go out to industry and recruit the provisional assessors, or are the assessors responsible for applying and then being hand selected by the CMMC-AB from the pool of applicants? These comments seem a little confusing but considering no official written guidance from either the DoD or the CMMC AB has been published, it isn’t surprising that the plan isn’t straightforward here. Either way, if experienced and highly qualified assessors are selected for this pilot program the pilot will be in good shape.


Except, on July 5, 2020 at an industry webinar event, fellow CMMC-AB Director Chris Golden, said the following about the provisional assessors:


“So it’s gonna be random everybody that raises their hand and registers on the website to be an Assessor goes into a pool we’ll assign them a number one-to-n and that will have a random numbers. A random number generator will start picking numbers, so just like the lottery so if you win the lottery you’ll be invited to the first training session. It’s either going to be a one-time 60-person training session or three 20 person training sessions, we’re not quite sure yet which way we’re going to go. On that Covid obviously will have an impact it’ll probably be virtual probably not will be you know in in person face to face if you’re one of those 60 Assessors then you’ll take the test you’ll pass the test to be certified as a provisional Assessor.” -Taken from YouTube transcripts: https://www.youtube.com/watch?v=XinEqpC9K0I


Is Chris Golden saying that the invaluable provisional assessors will be picked at random from a candidate pool which anyone can join, anyone with $1,000 to cover the application fee, that is? Chris later clarified via a LinkedIn comment that only assessors who meet the minimum qualifications can be selected as provisional assessors from the applicant pool. But which minimum qualifications exactly? Will the provisional assessors be CMMC Level 1, CMMC Level 3, or a combination of both? Will applicants need to have a security clearance and U.S. citizenship (required for CMMC Level 3 assessors), or will a commercial background check and U.S. personhood (required for CMMC Level 1 assessors) suffice? What are the education and certification requirements of these randomly chosen assessors? Are any of the qualification requirements mapped to DoD 8570-M or to the Cyber Workforce Framework?


CMMC-AB Memorandum of Understanding (MOU) with the DoD Summary

June 10, 2020

Written by:  Alara Dinc, Jay Rastegar, and Leslie Weinstein

The Department of Defense (DoD), Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), and the Cybersecurity Maturity Model Certification Accreditation Body, Inc (CMMC-AB) signed a Memorandum of Understanding (MOU) which defines the expectations between the two parties. The MOU outlines the responsibilities and intentions of both the CMMC-AB and the DoD in collaborating to build a successful accreditation system. The MOU is not a contract and cannot legally enforce duties or obligations for either party. It simply sets forth the understandings between the parties. Additionally, any action that either party decides to take regarding the MOU is subject to the availability of personnel, resources, and funds. The memorandum was endorsed and signed by The Honorable Ellen M. Lord of USD(A&S) on March 17, 2020 and by the Board Chairman of the CMMC-AB, Ty A. Schieber, on March 23, 2020.


The CMMC-AB was incorporated in the state of Maryland on January 21, 2020 by Mark Berman (a current CMMC-AB board member) and is seeking federal tax exemption under Section 501(c)(3) of the IRS Code. The CMMC-AB was incorporated with seven directors, but in May refiled to show 15 directors on the board of directors.

The MOU recognizes the CMMC-AB as the accreditation body that will develop, validate, certify, administer, implement, and protect the “CMMC Standard” on behalf of the Department of Defense. The CMMC Standard is defined as the “criteria or requirements” used by the CMMC-AB to “certify individuals and accredit entities” to conduct recognized CMMC assessments.


The MOU directs the AB to achieve and maintain the current International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 17020 and 17011 certifications. The ISO/IEC 17020 standard is the General Criteria for the Operation of Various Types of Bodies Performing Inspections, and ISO/IEC 17011 is the standard for Accreditation Bodies Accrediting Conformity Assessment Bodies.


The MOU makes it clear that the AB will be self-sustaining with no funding provided by the DoD. The DoD also requires all outsourced IT or Managed Service Providers (MSP) of the AB to undergo CMMC Level 3 assessment. The DoD expects the CMMC-AB to participate in an annual review by the CMMC PMO, and to collaborate with the DoD to assess potential supply chain risks.


For its role in the CMMC, the DoD will establish and maintain a CMMC Program Management Office (CMMC PMO) which will maintain and update the CMMC Model and CMMC assessment guide. The CMMC PMO will also provide the CMMC-AB with updates to the model and assessment guide, updates to critical cybersecurity developments and threat information, initial draft training, as well as subject matter expertise in support of CMMC-AB activities. The DoD will establish and maintain the CMMC Certification Database infrastructure.


Upon the implementation of the CMMC, the DoD will only accept CMMC certifications issued by an assessor approved by the official CMMC Accreditation Body or a Third-Party Assessment Organization (C3PAO) recognized by the DoD.


The MOU is effective upon being signed by authorized officials of the CMMC-AB and DoD. It does not affect or supersede any existing or future understandings or arrangements between the parties and will remain in effect until modified or terminated by either party. It should be noted that both parties acknowledge that leadership or other changes have potential ramifications with respect to the expectations and understandings established by the MOU.


What is CUI?

April 26, 2020


Why is there so much confusion over CUI? The national CUI program has been around for more than 10 years now! It was established by President Obama to create uniformity in the way that federal agencies mark controlled unclassified information. This program was meant to replace the ever-popular marking of “FOR OFFICIAL USE ONLY” or “FOUO” for short, and other agency-specific markings (like LES, which stands for Law Enforcement Sensitive). Those of us who have been in the Department of Defense for any length of time know that WE STILL USE THE FOUO MARKING! That’s right, the DoD is using a marking that was technically replaced more than 10 years ago! There would be so much less confusion over CUI if everyone in the DoD would simply understand that CUI = FOUO!


CUI is broken down into two different flavors…. Well, there aren’t exactly two types of CUI per se, but you will see CUI described in two ways: as CUI Basic and CUI Specified. CUI Basic is information that requires the general handling and safeguarding measures that are outlined in 32 CFR Part 2002. CUI Specified, on the other hand, has additional laws, regulations, and/or policies that require specific protection. CUI Specified has unique markings, enhanced physical safeguarding requirements, and limits on who can access that information. Some CUI Specified information has civil and criminal penalties associated with mishandling it, so it is imperative to understand what it is and how to identify it.


It is mandatory that all documents that contain CUI have a CUI banner marking, which is written in bold letters across the top of the document. The DoD CUI program requires that the bottom of the document also contain a CUI banner marking. CUI Basic banner markings must at least contain either “CONTROLLED” or “CUI”. CUI Specified banner markings must not only contain “CONTROLLED” or “CUI” but must also include the CUI category or subcategory marking. Both CUI Basic and CUI Specified must also contain any limited dissemination control markings in the CUI banners.
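As an added illustration (not the blog’s own code, and not anything published by the CUI program or the DoD), the checker below applies the banner rules just described to a document’s first and last lines: the banner must open with “CUI” or “CONTROLLED”, an “SP-” prefixed category (as in the registry example CUI//SP-NNPI) makes the banner CUI Specified, and trailing segments are read as limited dissemination control (LDC) markings. The “//” separator and “SP-” prefix follow that example; the short LDC list and the sample documents are constructed for this example and are not a complete marking reference.

```python
"""Check CUI banner markings on the first and last lines of a document.

Constructed example for the blog post above; not an official DoD or
CUI-program tool. Marking syntax assumed from the page's own example
(CUI//SP-NNPI): segments separated by "//", an "SP-" prefix on a
CUI Specified category, and dissemination controls as trailing segments.
"""
from dataclasses import dataclass, field

# Illustrative subset of limited dissemination control markings (assumption).
KNOWN_LDC = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY"}


@dataclass
class Banner:
    ok: bool
    kind: str = "none"                 # "CUI Basic", "CUI Specified" or "none"
    categories: list = field(default_factory=list)
    ldc: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def parse_banner(line: str) -> Banner:
    """Parse one banner line such as 'CUI//SP-NNPI//NOFORN'."""
    parts = [p.strip().upper() for p in line.strip().split("//")]
    parts = [p for p in parts if p]
    if not parts or parts[0] not in ("CUI", "CONTROLLED"):
        return Banner(False, problems=["first segment is not CUI or CONTROLLED"])
    b = Banner(True, "CUI Basic")
    seen_ldc = False
    for seg in parts[1:]:
        if seg in KNOWN_LDC or seg.startswith("REL TO "):
            b.ldc.append(seg)
            seen_ldc = True
            continue
        if seen_ldc:
            b.ok = False
            b.problems.append("category marking appears after a dissemination control")
        # A category segment may list several categories joined by a single "/".
        for cat in (c.strip() for c in seg.split("/")):
            if not cat:
                continue
            if cat.startswith("SP-"):
                b.kind = "CUI Specified"
                if len(cat) == 3:
                    b.ok = False
                    b.problems.append("SP- marking without a category")
                else:
                    b.categories.append(cat[3:])
            else:
                b.categories.append(cat)
    return b


def check_document(text: str) -> Banner:
    """Require matching banners on the first and last non-blank lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return Banner(False, problems=["empty document"])
    top = parse_banner(lines[0])
    if not top.ok:
        top.problems.insert(0, "no valid CUI banner on first line")
        return top
    bottom = parse_banner(lines[-1]) if len(lines) > 1 else Banner(False)
    if not bottom.ok:
        top.ok = False
        top.problems.append("no CUI banner on last line (required by the DoD CUI program)")
    elif (bottom.kind, bottom.categories, bottom.ldc) != (top.kind, top.categories, top.ldc):
        top.ok = False
        top.problems.append("top and bottom banners differ")
    return top


# Constructed sample documents (not real CUI).
SAMPLE_OK = "CUI//SP-NNPI//NOFORN\nReactor plant maintenance notes (sample text).\nCUI//SP-NNPI//NOFORN\n"
SAMPLE_NO_BOTTOM = "CONTROLLED\nSome sample body text.\n"
SAMPLE_FOUO = "FOR OFFICIAL USE ONLY\nLegacy-marked sample body.\nFOUO\n"

if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("no_bottom", SAMPLE_NO_BOTTOM), ("fouo", SAMPLE_FOUO)):
        r = check_document(doc)
        print(f"{name}: ok={r.ok} kind={r.kind} categories={r.categories} ldc={r.ldc} problems={r.problems}")
```

The check is intentionally strict about the bottom banner because the DoD program requires it, which is also why a legacy FOUO-marked file fails at the first line: that is the class of document the post says the DoD keeps producing.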

A lot of people blame the government and the DoD for not marking CUI and claim that this is why the DoD supply chain has been unable to properly protect CUI. The DoD’s failure to label CUI is an invalid excuse for the DoD supply chain’s improper handling of CUI. The CUI Registry, which is on the National Archives’ CUI website, lists all the CUI categories. In addition to listing the CUI categories, the CUI Registry also describes each CUI category so that one will be able to identify unlabeled CUI as CUI.


Let’s look at how the CUI registry provides the information necessary to identify and handle Defense CUI.


Defense CUI Category: Naval Nuclear Propulsion Information

Category Description: Related to the safety of reactors and associated naval nuclear propulsion plants, and control of radiation and radioactivity associated with naval nuclear propulsion activities, including prescribing and enforcing standards and regulations for these areas as they affect the environment and the safety and health of workers, operators, and the general public.


Category Marking: NNPI

CUI Category: CUI Basic and CUI Specified

CUI Specified Banner Marking: CUI//SP-NNPI

https://www.archives.gov/cui/registry/category-detail/naval-nuclear-propulsion-info


Even with this description of CUI, it might be hard to identify NNPI out of context.


So, let’s also consider the context in which DoD suppliers could receive unmarked DoD CUI. Defense contractors receive information from the DoD so that they may fulfill their contracts with the DoD. In order to win a contract with the DoD, suppliers must submit a robust proposal that explains how knowledgeable and experienced their company is and how they will deliver on the contract better than all other companies. These DoD suppliers are self-professed experts, and by awarding them a contract, the DoD somewhat agrees with their self-attestation.


Companies that are awarded naval nuclear propulsion contracts, that are aware of the NNPI description, *should* very easily be able to identify unmarked CUI. This is why I say that the supply chain cannot blame DoD for their lack of understanding of CUI.

Thankfully, the new DoD Instruction 5200.48, which establishes the DoD CUI Registry, also mandates initial and annual CUI training for “loddy doddy, everybody”. 


What Level of CMMC Maturity Will I Need?

April 19, 2020

In order to walk through the exercise of trying to figure out what level of CMMC maturity a small business might need, I have put on my small-business-owner-that-has-no-cybersecurity-experience-hat.


As of April 19, 2020, there are no DoD guidelines on how to independently determine which CMMC maturity level I will need to be awarded contracts in the future. The only way I will know for certain which CMMC maturity level I need is to bid on an RFP that has the CMMC requirement listed in it. Considering I am a small business, it is more likely that I will be a subcontractor to a larger prime, so determining my required CMMC maturity level is less straightforward. While the prime’s required CMMC maturity level will be listed in an RFP, the DoD says that it will be up to the primes to “flow down” the appropriate level of CMMC maturity to its supply chain. This means that not all subcontractors will necessarily need the same level of CMMC maturity as the prime. Will the CMMC maturity level become the next DFARS 252.204-7012 clause (that requires companies to comply with NIST SP 800-171), which gets placed into nearly all contracts from primes to “CYA” or CY their A? Or will the primes conduct an analysis of their supply chain to determine which subcontractors need the same maturity level, which subcontractors do not, and ensure that only the appropriate DoD information gets transferred to each subcontractor?


It seems that to divine my required CMMC maturity level based on being a subcontractor on future RFPs is a dead-end, for now, so let us consider a different way.


The next way I could attempt to determine my necessary CMMC maturity level is by looking at what products and services my company provides for, and in support of, DoD contracts. This method requires me to understand the type of DoD information that I might receive (from a prime) and what type of information I will generate (for the prime). I must determine if that information is, or could be considered, controlled unclassified information (CUI). CUI is defined in law (32 CFR § 2002.4) as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” If I can determine that my company has the need to transmit, process, and/or store CUI it means that I need to achieve at least a CMMC Level 3 certification (current guidance is that only CMMC Levels 3-5 may process CUI).


But what does CUI look like? To understand the substance of CUI, I’ll have to turn to the National Archives’ CUI registry (https://www.archives.gov/cui). It turns out there are more than 100 categories of CUI in the CUI registry! Thankfully, there are only four types of defense CUI in the registry, so that should help narrow it down a bit! But then I remember that the DoD recently published a CUI policy (DoD Instruction 5200.48), which provides a link to the DoD CUI registry, so I should probably check there to best understand DoD CUI. The DoD CUI registry can be found here: https://intelshare.intelink.gov/sites/ousdi/hcis/sec/icdirect/information/CUI/Forms/AllItems.aspx


Go ahead and check it out…I’ll wait.


Oh…you can’t access the DoD CUI Registry? 


That’s right; the official DoD CUI Registry is behind a CAC wall, which means that unless you are a current DoD employee or contractor with a CAC, you cannot access the DoD CUI Registry. How can I possibly understand what DoD CUI is without being able to access the registry?


It appears that trying to determine which CMMC maturity level I need based on my company’s need to process, store, and transmit DoD CUI is another dead-end.


This exercise was meant to illustrate the insufficiency of the publicly available information to most small businesses about which level of CMMC maturity they should strive to achieve.


What do you think? Am I missing something?


CMMC Secret Menu Items! (FIRST BLOG POST!)

April 12, 2020

On January 31, 2020 the Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) version 1.0. Just a couple of months later, on March 18th, the DoD released CMMC version 1.02. The new CMMC version does not contain too many substantial changes this time; however, the DoD is planning future substantial updates, so it is important to always reference the latest version of the CMMC when determining how your company will implement CMMC practices and when preparing for the actual CMMC audit.

Another important aspect of the CMMC to note is that the CMMC framework, which is only 28 pages, is accompanied by a totally separate document known as the CMMC appendices. The CMMC appendices are a whopping 338 pages and contain essential CMMC clarifications for each practice, with references and discussions from the original sources of the control (if not a new CMMC requirement). The appendices are also hiding a pretty big CMMC secret: there are an additional 51 CMMC practices for CMMC Level 3 that are not explicitly listed in the 28-page CMMC framework! If you look at the bottom of page nine (9) of the CMMC version 1.02, you will see a CMMC Process table that explains the Maturity Levels (MLs). At ML 2 processes are “documented” and at ML 3 processes are “managed”, meaning processes are established (via policy), maintained, and resourced (i.e., funded, staffed, etc.). These descriptions of the CMMC maturity levels don’t really mean too much to the casual observer; however, those who know they must then reference the CMMC appendices truly understand the impact of those ML descriptions. If you don’t understand where I am going with this, or even if you do, please keep reading and follow along!

Take a minute to download and open the CMMC appendices. Go ahead…I’ll wait. (https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf). You can also download the CMMC and CMMC Appendices at the top of this page!

Scroll to PDF page 6.

Under the section heading for Process Maturity (ML), you’ll notice a casual note that says: “The maturity processes are repeated in each domain.” The table below this note provides the nomenclature for the ML processes that are required for each domain. For example, for the Asset Management (AM) domain the ML requirements are annotated as AM.2.999, AM.2.998, and AM.3.997. These ML controls appear in every domain. What that means is there are 51 additional CMMC items (17 domains x 3 processes = 51) for CMMC Level 3 that are NOT explicitly listed in the CMMC version 1.02, bringing the grand total to 181. I can't help but feel that these additional 51 items for CMMC Level 3 (and an additional 85 items for CMMC Level 5) are secret CMMC menu items.

Thoughts? Concerns? Were you aware of this already?
