CMMC Logo
CMMC Logo

The first year of the CMMC implementation is being called a “pilot” program. Usually, pilot programs within the Department of Defense are smaller test-cases for larger and more expensive programs to ensure that the concept is viable and the results of the pilot are used to make tweaks and modifications to the program before it is rolled out into a larger and longer-term project. Usually, pilot programs conclude before the long-term plans are settled. Pilot programs are heavily scrutinized and reports upon reports are generated and briefed to senior leaders within the sponsoring agency. The CMMC however, seems to be charting a different path. The CMMC pilot program will be running concurrently with ongoing efforts to rollout a long-term training and certification program for CMMC assessors by the CMMC-AB. Nevertheless, the CMMC pilot program will still be critical for providing important metrics and indicators of long-term success and viability. According to the DoD there will only be 10 or 15 new requests for proposals (RFPs) that contain the CMMC requirement during the pilot program, with an estimated 1,500 companies being be impacted.

The key to the CMMC’s long-term success will be the success of the CMMC pilot program. The CMMC pilot program begins this year and includes the use of provisional assessors. The CMMC-AB said that more information about the provisional assessors would be available on July 6th, but today is July 15th and we don’t have any clarifying information. It is not as if an assessment and audit industry does not already exist, so what is the hold up with establishing and publishing the qualification standards and selection process for the provisional assessors?

The CMMC-AB is responsible for training and certifying the provisional assessors for the pilot program. The CMMC-AB has stated that they plan to select 60 provisional assessors for the CMMC pilot program, and these 60 assessors will be responsible for assessing the initial 1,500 companies. These 60 assessors will be instrumental to the success and the longevity of the CMMC program. It is essential that the provisional assessors are highly skilled and qualified, so who will they be and where will they come from?

On May 21, 2020 in a “National Conversation” video posted to the AB’s website, Ben Tchoubineh, the CMMC-AB’s Training Committee Chairman, had the following statement regarding the 60 provisional assessors:

Is the CMMC-AB going to go out to industry and recruit the provisional assessors, or are the assessors responsible for applying and then being hand selected by the CMMC-AB from the pool of applicants? These comments seem a little confusing but considering no official written guidance from either the DoD or the CMMC AB has been published, it isn’t surprising that the plan isn’t straightforward here. Either way, if experienced and highly qualified assessors are selected for this pilot program the pilot will be in good shape.

Except, on July 5, 2020 at an industry webinar event, fellow CMMC-AB Director Chris Golden, said the following about the provisional assessors:

Is Chris Golden saying that the invaluable provisional assessors will be picked at random from a candidate pool which anyone can join-anyone with $1,000 to cover the application fee that is? Chris later clarified via a LinkedIn comment that only assessors who meet the minimum qualifications can be selected as provisional assessors from the applicant pool. But which minimum qualifications exactly? Will the provisional assessors be CMMC Level 1, CMMC Level 3, or a combination of both? Will applicants need to have a security clearance and have U.S. citizenship (required for CMMC Level 3 assessors), or will a commercial background check and U.S. personhood (required for CMMC Level 1 assessors) suffice? What are the education and certification requirements of these randomly chosen assessors? Are any of the qualification requirements mapped to DoD 8570-M or to the Cyber Workforce Framework?

Written by

President, CMMC Consulting LLC

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store