The first year of the CMMC implementation is being called a “pilot” program. Usually, pilot programs within the Department of Defense are smaller test cases for larger and more expensive programs: they ensure that the concept is viable, and their results are used to make tweaks and modifications before the program is rolled out as a larger and longer-term project. Usually, pilot programs conclude before the long-term plans are settled. Pilot programs are heavily scrutinized, and reports upon reports are generated and briefed to senior leaders within the sponsoring agency. The CMMC, however, seems to be charting a different path. The CMMC pilot program will run concurrently with ongoing efforts by the CMMC-AB to roll out a long-term training and certification program for CMMC assessors. Nevertheless, the CMMC pilot program will still be critical for providing important metrics and indicators of long-term success and viability. According to the DoD, there will only be 10 or 15 new requests for proposals (RFPs) that contain the CMMC requirement during the pilot program, with an estimated 1,500 companies being impacted.
The key to the CMMC’s long-term success will be the success of the CMMC pilot program. The CMMC pilot program begins this year and includes the use of provisional assessors. The CMMC-AB said that more information about the provisional assessors would be available on July 6th, but today is July 15th, and we don’t have any clarifying information. It is not as if an assessment and audit industry does not already exist, so what is the holdup with establishing and publishing the qualification standards and selection process for the provisional assessors?
The CMMC-AB is responsible for training and certifying the provisional assessors for the pilot program. The CMMC-AB has stated that they plan to select 60 provisional assessors for the CMMC pilot program, and these 60 assessors will be responsible for assessing the initial 1,500 companies. These 60 assessors will be instrumental to the success and the longevity of the CMMC program. It is essential that the provisional assessors are highly skilled and qualified, so who will they be and where will they come from?
On May 21, 2020, in a “National Conversation” video posted to the AB’s website, Ben Tchoubineh, the CMMC-AB’s Training Committee Chairman, made the following statement regarding the 60 provisional assessors:
“We’re going to go out to industry and recruit what I call the first class of Assessors…Now this is going to be a very select group of seasoned and highly experienced Assessors and we’re going to look for 60 candidates to pass the exam and go through the course of pass the exam and be part of the first class. Remember these guys are going to work with us in a very close manner you know under lots of control and making sure that in this limited way we learn from them and they learn from us. Now the details of the application process have actually been worked out and we’re going to be getting that out there very soon to allow C3PAO organizations and their Assessor candidates to apply and after they’ve applied and we’ve selected the 60 candidates we’re going to start their training sometime in the summer.” -Taken from YouTube transcripts: https://www.youtube.com/watch?time_continue=1499&v=GbQenucsehg&feature=emb_logo
Is the CMMC-AB going to go out to industry and recruit the provisional assessors, or are the assessors responsible for applying and then being hand-selected by the CMMC-AB from the pool of applicants? These comments seem a little confusing, but considering that no official written guidance has been published by either the DoD or the CMMC-AB, it isn’t surprising that the plan isn’t straightforward here. Either way, if experienced and highly qualified assessors are selected for this pilot program, the pilot will be in good shape.
Except, on July 5, 2020, at an industry webinar event, fellow CMMC-AB Director Chris Golden said the following about the provisional assessors:
“So it’s gonna be random everybody that raises their hand and registers on the website to be an Assessor goes into a pool we’ll assign them a number one-to-n and that will have a random numbers. A random number generator will start picking numbers, so just like the lottery so if you win the lottery you’ll be invited to the first training session. It’s either going to be a one-time 60-person training session or three 20 person training sessions, we’re not quite sure yet which way we’re going to go. On that Covid obviously will have an impact it’ll probably be virtual probably not will be you know in person face to face if you’re one of those 60 Assessors then you’ll take the test you’ll pass the test to be certified as a provisional Assessor.” -Taken from YouTube transcripts: (https://www.youtube.com/watch?v=XinEqpC9K0I)
Is Chris Golden saying that the invaluable provisional assessors will be picked at random from a candidate pool which anyone can join (anyone with $1,000 to cover the application fee, that is)? Chris later clarified via a LinkedIn comment that only assessors who meet the minimum qualifications can be selected as provisional assessors from the applicant pool. But which minimum qualifications exactly? Will the provisional assessors be CMMC Level 1, CMMC Level 3, or a combination of both? Will applicants need to have a security clearance and U.S. citizenship (required for CMMC Level 3 assessors), or will a commercial background check and U.S. personhood (required for CMMC Level 1 assessors) suffice? What are the education and certification requirements of these randomly chosen assessors? Are any of the qualification requirements mapped to DoD 8570-M or to the Cyber Workforce Framework?