Where is CMMC Now?
1 hour 17 minutes
Prepping for CMMC Now. The big question: where is CMMC now?

I wish I was a genie tonight and could just go look in a crystal ball and be able to tell you the exact dates that everything will happen. But I can't. But I can tell you where they are today, and we'll review as far as the CMMC-AB. Remember that: the CMMC Accreditation Body. The board's defined, what processes are defined, assessments defined, and really the management defined overall.

So let's go back to our little tick-tock clock and countdown in 2020. As mentioned before, the accreditation body has been established, a non-profit organization is established, cmmcab.org. And remember, you can go up there to get the latest and greatest with it. In spring we'll see the training, and accreditation will start in that time frame, and again, as on the slide. But my view is that since that AB body is already together, the board defined, they've been hitting their hallmarks pretty close. So springtime looks like some time to see that training, and the accreditation to occur sometime in the summer. Again, you'll see the assessments begin, and then the requirement of CMMC certification will be stamped on the RFPs.
So the board announced this week that the steps to the CMMC-AB board formation are all checked off. They have 14 people listed up on the site. You can see each individual that is on the board, their background, where they came from, so you can see the diverse backgrounds of the people on the board.

And again, this is one thing that impressed me: instead of the DoD just creating maybe a new department or a new area, saying, OK, here's the area that's going to do CMMC and control it, I think they were wise to go out and solicit business and industry, the people within business, to come in and be part of that CMMC-AB. They know business. They know expectations. They understand the tightness of regulations and what it means to be regulated and what that's all about. And by having business people on the board, and that will make up the structure of the CMMC-AB, it's so good to hear. And I think this is one of the big reasons that CMMC will be successful.
So here we have a detailed graph that actually came from the 0.7 overview, where they tried to lay out (now remember, at that point in time that they had put this up) how they see the workflow going from the concept all the way to awarding that contract, and all the steps in between. Does that mean this is exactly how it's gonna happen? No, but I think it's a pretty good outline to be able to see not only the flow but everything that's involved to make this happen. So that if DoD does have a delay in any of their steps, go back to this diagram. Look at everything that has to happen. It's not only just the processes; you have to have the people supporting the processes, the approval of these processes so that it can happen, and all the other mechanisms of applications, tools, etcetera, hosting the data of everything that's accumulated with it, and being able to have all the constraints and controls on everything. This is where you can see that: look at all the steps just to get to that RFP, and then they do their selection, and then they award the contract on it. So all that has to go back and make sure that that contractor has been certified.

Pretty similar as far as what you saw in the other diagrams. It's just I thought it was a nice diagram to show you a little bit different layout. I know when I look at things, when they're new, I like to see different conceptual diagrams; it makes it a little bit easier for me to kind of swallow the whole process, understand where it is. And maybe the way the accreditation body is laid out here makes more sense to me than in another diagram they had. And as far as how the training's gonna occur, the guidance for the assessment, and just the whole model development: if you look at it, the 0.6 and 0.7 drafts were out in 2019, and they have 2020 slated for version 1.0. That is probably the key to this whole process, because without version 1.0, an official version of what all the practices, capabilities, and domains are gonna be, you can't do anything else. How are you going to create training without knowing what exactly the practices are gonna be? How do you create certain certifications without knowing, with version one, what all the practices are gonna be? Everything evolves on version one, and hopefully it will be out sooner than later. Because once 1.0 is out, then you can really start looking at your infrastructure. If you want to be a trainer, you can look at it and say, this is what my responsibilities will be in training. If you're going to be an assessor, these are my responsibilities. This is my guideline, my Bible that I have to have to be an assessor. So overall, the basis of everything is on version one.
Now let's step back a little bit. And here's a different layout of the, if I call it infrastructure, but I guess it's the whole layout of the accreditation body. So under the accreditation body manager, there will be a training sector. You have an infrastructure supporting the systems as far as all the knowledge store, the marketplace as far as what tools can I use, what are going to be approved tools, records management. All this information has to be in a secure place, so that all comes under the infrastructure support of the systems.

Next, the real big issue is accreditation. That's what everybody's going for. I need my contractor to be accredited, and also survive, and also my subs. So they will grant C3PAOs accreditations. They will have to go through the certification, training, etcetera to do that. And then internally, they will be auditing the whole structure to make sure that it's sound and everyone's following the best practice that has been established by DoD and the accreditation body. And also, as usual, anywhere, there will be complaints, and I think more so questions, because you've got to make sure that people going into this fully understand. And this is where I think it's so important that each contractor reaches out to get help on this, because it's new. Yes, 800-171 is a self-assessment. You've been following it, but now someone's gonna be knocking on your door and coming in and doing an assessment. So there's that kind of in-between.
Uncomfortable, maybe, maybe not. But I remember way back when I had a regular salary job and I went out on my own with a company. The IRS came knocking on my door and said, you made this much money in one year; the next year, all of a sudden, your income really dropped. Well, I had my own business and expenses, etcetera. The first year especially, they were pretty high. So I went into the IRS office, and this was pre-computer, 1990, and I took my box. And in it I had 12 folders, one for each month, and a couple of other supplemental folders and a huge spreadsheet. I laid out the spreadsheet for the IRS auditor. He looked at the spreadsheet: let me pick out two months and validate that your spreadsheet is what you state it is. Kind of similar to the 800-171 self-assessment. So he picked out two folders, validated that what was there was true. He said, pack up and leave. And this, I think, is really key: if you're organized, if you have everything together, where you can demonstrate that your self-assessment works, is secure, that you're following the best practice of 800-171 as far as cybersecurity.

Remember one thing that I see with companies, and I want to impart: security does not equal compliance. Compliance is that you're following a set of rules. Security is that you have protected yourself against harm, whether it's an insider, whether it's a hacker. And the DoD really is concerned for the U.S., and you are working with them as a partner. So you have to take cybersecurity seriously, and they're doing their best effort to ease it in for you, to make it a natural step for you so that security is not really painful, that it's just another process in doing business. And it's not only just in the Department of Defense; it's in banking, it's in education, everywhere. Everybody's going through this, and the DoD just has to raise the bar one more notch. It's protecting the U.S.
Let's move on to credentialing. So they will grant individual credentials, certify assessors, and accredit certified assessors. Again, this process of how it's done, and the organizations involved with all this, will be declared as the accreditation body matures and DoD gets the process in place.

There will be assessment operations, where there'll be quality control, technical appeals. There will be management of assessment tools, and they'll publish out whose CMMC certificates are out. Now, that's been one question. It will be interesting to see exactly how much is really sent out, and I think that's one thing that DoD with the accreditation body will come up with, a method of doing that, of publishing it. So credentialing and assessment operations make up the accreditation body.

So with the board, they're trying to put all these pieces in place. It's a huge task, but so far the board is doing a great job. So with this, they have the metrics, they have to make sure disputes are handled accordingly, and they have to integrate and coordinate all these functional areas. It's a big job. It's almost like a startup company, and I guess in one aspect it is. So if you see timelines fall a little bit on this, understand what they're going through. If the timelines are met, it's a very, very big applause for the accreditation body, for how they've handled the whole structure, and to DoD, working with the accreditation body.