The Cybersecurity Maturity Model (CMMC): Part 3 — So You Want to Be A CMMC Assessor?

By: Shawn Scott, Vice President of Success at PlexTrac, Inc

In the second part of this CMMC blog series, we highlighted one of the key differentiators between the Cybersecurity Maturity Model Certification (CMMC): Third-party certification is required.

If you are a small government contractor already dealing with the challenges of 2020, this requirement undoubtedly has you concerned about yet another hit to your bottom line.

If you are an information security practitioner, you smell opportunity.

If you are the former, most of this article is not for you. But before you navigate away, I do want to offer a few words that may make this new requirement a little more palatable.

As a novice information security professional, I received a rather sage counseling session which I shall paraphrase.

Compliance is not security. But compliance is why most people stroke checks for information security investment and services. Without a requirement, security becomes a “nice to have” in the eyes of many executives. As a practitioner, we must ethically leverage requirements to not only bring our partners into a state of compliance, but to do so in a way that truly improves their information security posture.

If you are an information security professional and you are interested in becoming a certified CMMC assessor, I humbly ask that you subscribe to this philosophy. If you don’t do it for altruistic reasons, just remember that a “compliant” customer who gets pwned may look elsewhere when it is time for their next assessment.

I’ll step off my soapbox now and help you understand how you can leverage the new CMMC requirements to help the Defense Industrial Base achieve greater security while enhancing your own economic security posture.

The CMMC Accreditation Body (AB)

To have an ecosystem of certified CMMC assessors, you need a body to perform the certification. The CMMC Accreditation Body is the governing organization for all facets of the CMMC program, to include:

Establishment and revision of the Standard
Development of standards for certification levels
Production of accredited training for certifiers
Development / administration of examinations

With version 1.02 of the CMMC published, the AB has focused heavily on creation of the training and certification programs that produce the first cadre of CMMC certified assessors. With deadlines for implementation fast approaching, there has been a decent bit of criticism at the lack of information available to anxious information security providers. While much of this has been valid, the AB has now publicly released enough information on the accreditation process to facilitate planning (and temper expectations). This body has been charged with a herculean task, so as a community let’s look to the future and support their efforts with patience and grace.

Tiered levels of CMMC certification

As discussed in our prior article, CMMC is a tiered certification. The level of contract your organization wishes to pursue drives the level of maturity you need to reach. Thus, it only makes sense that the personnel performing these certifications must have training and skills commensurate to the maturity level they are assessing.

As of today, there are four levels of certification for information security professionals seeking to perform official CMMC assessments:

Certified Professional

This is the baseline for anyone who will be performing any level of CMMC assessment. A Certified Professional can participate as an assessment team member under the supervision of a Certified Assessor. To become a Certified Professional, the candidate must complete a CMMC AB Certified Professional Class from a licensed training provider. For those for who wish to progress to become an Assessor (the later tiers), an exam is required. This exam is optional for those who only wish to operate as Certified Professionals.

Unfortunately, neither the class, the licensed training providers nor the exam yet exist. We’ll discuss the roadmap for education later, but those seeking to become Certified Professionals must also meet education, citizenship/residency and background check requirements.

Certified CA-1 Assessor

This is the baseline certification for anyone who wishes to conduct CMMC assessments to the Maturity Level 1 standard. To achieve this level, you must first become a Certified Professional. This is a theme – advancement through the tiers requires that you obtain the lessor certifications.

This is also the level at which you can expect to incur significant costs – no less than $3,000 and likely more. This is due to the addition of a requirement beyond training and testing: formal observation.

After passing the CA-1 Certification exam, the Assessor must schedule and conduct their first assessment under the eye of an AB staff member or an AB-contracted senior assessor. These services are not free – everyone has mouths to feed. The CMMC AB website currently lists the cost for the observer at $2500 per day, not to include costs for travel and per diem.

The AB’s intent isn’t just for these “ride-alongs” to be silent evaluations. The senior assessor is there to provide coaching, in addition to reporting performance of the candidate to the AB.

Pro-tip: Asking questions and engaging your senior assessor will not make you look uninformed. Quite the opposite – it will demonstrate your desire for self-improvement as an assessor.

Certified CA-3 Assessor

Individuals wishing to perform CMMC level 3 assessments must become a Certified CA-3 Assessor. The process mirrors that of becoming a CA-1 Assessor (and requires having the CA-1 credential). There are a few additional requirements with regards to citizenship and background screening.

Level 3 Assessors must be U.S. Citizens, unlike CA-1 Assessors who only need to demonstrate legal residency.
Level 3 Assessors must pass a National Agency Check, DHS Suitability credential or other DoD accepted clearance. CA-1 Assessors may operate with a commercial background check.

You may have noted that there is no CA-2 certification. To perform CMMC assessments to level 2, a CA-3 certification is required.

Certified CA-5 Assessor

You have probably already figured out that you will need a CA-5 Assessor certification to perform CMMC level 5 assessments, and probably surmise that the process will look similar to CA-3. Achieve the prior certification (CA-3), take the training, take the exam, and pass an observation.

There is one significant new requirement at this level: experience performing CMMC assessments. While you can theoretically advance very rapidly to CA-3 through academics and a single observation event, CA-5 certification requires that you perform 15 CMMC level 3 assessments.

Given that no one has performed a single CA-3 assessment to date, it will certainly be a while till this certification is even available.

How do I become an assessor?

Simply put, you can’t right now – and most will not be able to until at least the beginning of 2021.

I personally sat through formally approved training for NIST 800-171, and to be frank, it did not meet my expectations. I believe that the CMMC AB is making the correct call in their approach, which is measured. Their approach builds in opportunities for the CMMC AB to revise and refine the curriculum, which will ideally lead to a more mature and robust training experience.

So here is what we know as of today:

Registration to become a certified CMMC Assessor opened on June 23, 2020. However, registration itself is no guarantee of any training opportunities for quite some time. The CMMC AB will cherry-pick 60 highly qualified information security assessors to form a provisional class. This initial cadre will begin training at a TBD date in the summer of 2020. The lessons learned from this initial cadre will be incorporated into the initial training criteria, set to be published in the fall of 2020. If all goes according to plan, certified training will become available late in 2020, with first certifications being awarded in early 2021.

The Certified Third-Party Assessor Organization (C3PAO)

While the Certified Professionals and Certified Assessors are the “boots on ground” performing CMMC assessments, the CMMC program requires organizations to be credentialed as Certified Third-Party Assessor Organizations (C3PAO).

Only C3PAOs are authorized to enter into contracts to deliver CMMC assessments with certified assessors. And much like the assessors themselves, C3PAOs will be certified to perform at levels 1, 3 and 5. Also like the certification costs for assessors, there are certification costs to become a C3PAO. There are also requirements such as maintaining various insurance policies that larger organizations probably already have in place, but which may present a barrier to entry to smaller consultancies.

The CMMC AB has committed to providing more granular details about the C3PAO initial roll-out (“Provisional Program”) on or about 6 July 2020.

Do you still want to perform CMMC assessments?

While the requirement for third-party assessments does open tremendous business opportunities for information security professionals, it may not be the wisest choice for every organization. The financial costs combined with the training time present significant barriers for smaller information security consultancies. It is also likely that many of the organizations in the Defense Industrial Base (DIB) that will require CMMC certification already have an existing relationship with an information security consultancy. So, while there may be a great deal of new work, it may not go to a great deal of organizations not currently operating in the DIB space.

However, as 2025 approaches and all of the 300,000 organizations in the DIB require some level of certification, that may change. Some of our customers are hedging their bets at this point; they are educating themselves on the standard and offering preparatory advisory services. In essence, they are performing the “assessment before the assessment,” then assisting their clients in addressing the gaps that might prevent a passing assessment.

This approach allows them to gain expertise in the standard, establish relationships and gain a better feel for the market — all without having to pay a dime in formal CMMC training or an hour in a formal training session.

The CMMC AB offers a similar yet formalized option for those who want to dip their toes before plunging head-first. The CMMC Registered Practitioner track is designed for those practitioners who only want to provide the consultative services and not the formal assessment. This program provides the practitioner with some basic training on the standard. In return, the practitioner gets to use the official logo presenting their credentials as a CMMC AB-recognized Registered Practitioner. This route can be completed with just a few hundred dollars and a minimum amount of time.

So, whether you are ready to commit to becoming a certified assessor, or just want to offer advisory services, there is a path for you. However, you are interacting with the standard, remember that PlexTrac comes pre-staged with v1.02 of the CMMC controls in the Assessments module. This makes administration of an assessment a snap and facilitates easy refinement and enrichment of the data. Once the assessment is complete, your clients can view their results and track remediation through the client portal. Interested in how PlexTrac can help you speed your CMMC assessments? Hop over to our website and register for a demo: https://plextrac.com/demo/

UPDATE: The release of CMMC 2.0 may have changed proposed requirement regarding assessment and becoming an assessor. The above article represents the path according to documentation available when CMMC was initially released in 2020. Find up-to-date documentation regarding the CMMC assessment process here.