Where is CMMC Now?

00:01

prepping for C MMC Now

00:04

the big question. Where? ISS cmm See now

00:08

I wish I was a genie night. Could you just go look in a crystal ball and be able to tell you the exact dates that everything will happen?

00:17

But I can't,

00:19

but I can tell you where they are today,

00:23

and we'll review as far as with the C m M c A. B. Remember that. See Accreditation body.

00:31

The board's defined

00:33

what processes air defined,

00:36

assessments defined and really the management defined overall.

00:42

So let's go back to our little Tic Tac or oclock and Countdown in 2020 and as mentioned before the credit Dacian body has been established,

00:54

non profit organization is established. Cmm c, a b dot org's And remember, you can go up there to get the latest and greatest with it, and Spring will see the training and accreditation will start in that time frame and again

01:14

could have

01:14

slide. Definitely. But

01:18

viewing is with me is that since that a B body is already together, the board defined, they've been hitting their hallmarks pretty close, so

01:29

spring time looks like some time to see that training and the accreditation to occur sometime in the summer. Again, you'll see the assessments of Begin and then the requirement off. See, MMC certification

01:46

will be stamped on the RFP ease.

01:51

So the board announced that this week

01:55

that the steps to the C M M C A B board formation body is all checked off.

02:01

Um, they have 14 people

02:06

listed up on the site. You can see each individual that is on the board, their background where they came from, so you can see the diverse backgrounds of the people on the board.

02:20

And again, this is one thing that impressed me instead of the D of d, just creating maybe a new department or a new area saying, OK, here's the area that's going to do of the sea MMC and control it. I think there were wise to go out

02:38

and solicit the business industry.

02:42

The people within business

02:44

to come in and be part of that Cmm c A b.

02:50

They know business. They know expectations. They understand the tightness of regulations and what it means to be regulated and what that's all about, and by having business people on the board and then that will make up the structure

03:08

off cmm c A b

03:10

iss So good to hear. And I think this is one of the big reasons that see MMC will be successful.

03:22

So here we have ah detail graph that actually came from a 0.7 overview where they tried toe layout.

03:31

How now remember that set? The a time in point that they had put this up of how they see the workflow going from the men's concept to see MMC all the way toe awarding that contract

03:49

and all the steps in between. Does that mean this is exactly how it's gonna happen? No,

03:54

but I think it's a pretty good outline to be able to see not only the flow but everything that's involved to make this happen so that if d o. D. Does have a Dawei in any of their steps, go back to this diagram.

04:11

Look at everything that has toe happen. It's not only just the process is you have to have the people one supporting the processes, the approval off these processes so that it can happen

04:25

and all the other mechanism if application tools, etcetera, hosting the data of everything that's accumulated with it and being able tohave all the constraints and controls on everything. This is where you can see that

04:43

look at all the steps just to get to that are of P

04:47

and then they do their selection and then they award the contract on it. So all that has to go back and make sure that that contractor has been certified.

05:01

This is

05:03

Prive similar as far as what you saw in the other diagrams. It's just I thought it was a nice diagram to show you just a little bit different way out. I know when I look at things some when their new I like to see different conceptual diagrams,

05:19

it makes a little bit easier for me to kind of swallow the whole process,

05:25

understand where it is. And maybe the way the accreditation body is laid out here makes more sense to me than in another diagram they had. And as far as how the training's gonna occur, the guidance for the assessment and just the whole

05:41

model development. If you look at it 0.6 dot seven drafts,

05:46

they were out

05:47

2019 and have 2020 slated for version 20200.1 that is probably the key to this whole process, because without version 0.1 an official version of what all the practices capabilities domains are gonna be,

06:09

you can't do anything else. How are you going to create training? Well, knowing what exactly the practices are are gonna be how you create certain certifications without knowing what version one, what all the practices air gonna be. Everything evolves on version one,

06:28

and hopefully it will be out sooner than later.

06:31

Because once I've is out, then you can really start looking at your infrastructure. You can If you want to be a trainer, you can look at it and say, This is what my responsibilities will be in training. If you're going to be an assessor, these are my responsibilities. This is my guideline,

06:50

my Bible that I have toe have to be an assessor.

06:54

So overall, the basis of everything is on version one.

07:01

Now let's step back a little bit. And here's a different layout of the

07:10

if I call infrastructure, but I guess it's the whole way out of the accreditation body. So under the accreditation body manager, there will be a training sector.

07:24

You have an infrastructure supporting the systems as faras. All the knowledge store. Yet the marketplace as far as what tools can I use? What are going to be approved? Tools, records management? All this information has to be in a secure place

07:43

so that all comes under the infrastructure

07:46

support of the systems.

07:47

Next, the real big issue is accreditation. That's what everybody's going for. I need Mike Contractor to be

07:58

accredited and also survive and also my subs.

08:03

So they will grant c three p a owes

08:07

accreditations. They will have to go through the certification, training, etcetera to do that. And then internally, they will be auditing the whole structure to make sure that it's sound. And everyone's following the best practice that has been established by a D. O. D. And the accreditation body

08:26

and also, as usual, anywhere. There will be complaints,

08:31

and I think more so questions because you got to make sure that people going into this

08:39

fully understand, and this is where I think it's so important

08:45

that each contractor reaches out to get help on this because it's new.

08:52

Yes, 801 71 is a self assessment. You've been following it,

08:56

but now someone's gonna be knocking on your door and coming in and doing assessment. So there's that kind of in between

09:07

Uncomfortable maybe, maybe not. But

09:11

I remember way back when I had a regular salary job and I went out on my own with a company. The I. R s came knocking on my door and said You made this much money in one year next year, all, son, your income really dropped. Well,

09:28

I had my own business and expenses, etcetera. First year especially,

09:33

were pretty high.

09:35

So I went into the I. R s office and this was pre computer 1990 and I took my box. And in it I have 12 forwards for each month and a couple other supplemental folders and a huge spreadsheet.

09:52

I laid out the spreadsheet for the eyes. Are I R s auditor? He worked at the spreadsheet.

09:58

Let me pick out two months and validate that your spreadsheet is what you state. It is kind of similar to 801 71 self assessment.

10:09

So he picked out two folders validated that what was there was true.

10:16

He said, pack up and wave And this, I think, is really key to where? If you're organized,

10:24

if you have everything together, where you can demonstrate

10:30

that your self assessment works is secure, that you're following the best practice of 801 71 far and of cybersecurity remember one thing that I see with companies I want to embark

10:46

upon you.

10:46

Security does not equal compliance.

10:50

Compliance is that you're following a set of rules. Security is that you have protected yourself

11:00

against harm, whether it's insider,

11:05

whether it's a hacker

11:07

and the D. O. D really is concerned for the U. S.

11:11

And you are working with them as a partner.

11:16

So you have to take cyber security seriously and they're doing their best effort. Teoh. Ease it in for you to make a natural step for you so that security is not really painful, that it's just another process in doing business. And it's not only just

11:35

in department offense, it's in banking.

11:39

It's an education everywhere. Everybody's going through this, and the D. O. D just has to raise the bar one more notch. It's protecting the U. S.

11:50

Let's move on to credentialing so they will grant individual credentials, certify IRS and accredited certified hours again this process of how it's done. Organizations involved with all this will be declared as the accreditation body

12:09

matures and and d o D gets the process in place.

12:16

There will be assessment operations where they'll be quality control, technical appeals. There will be management assessment tools and they'll publish out who see MMC serves. Certificates are out. Now

12:31

that's been one question. It will be interesting to see exactly

12:35

how much is really sent out. And I think that's one thing that diode D with accreditation body will come up with a method off doing that, publishing with it. So

12:48

training,

12:50

infrastructure, accreditation,

12:54

credentialing and assessment operations make up the accreditation body.

13:00

So with the board, they're trying to put all these pieces in place. It's a huge task, but so far the board is doing a great job. So with this, they have the metrics. They have to make sure disputes are handled accordingly, and they have to integrate coordinate

13:20

all these functional areas. It's a big job.

13:22

It's almost like a startup company, and I guess, and one aspect it is. So if you see timelines fall a little bit on this,

13:33

understand what they're going through if the timelines air meant it's a very, very

13:41

good, um,