Cyber AB Townhall: CMMC Rulemaking and CAP Public Comments

    The monthly Cyber AB town hall for January took place on Tuesday, January 31st.


    During this month's town hall, members of the Cyber AB and the CAICO shared information and fielded questions on the following agenda:

     

    1. Rulemaking Ruminations with Robert Metzger 
    2. DRAFT CMMC Assessment Process (CAP) Public Comments 
    3. CAICO Update  

     

    CMMC Ecosystem and Program Updates   

    The following is a list of the program updates and priority issues covered during CEO Matt Travis's opening remarks:

    • There are now 35 accredited C3PAOs, an increase of 8 since the last town hall.
    • The total number of Joint Surveillance Voluntary assessments completed or in progress has increased to 7, nearly double from the last town hall.
    • A marketing campaign is in the works to highlight RPs, RPAs, and RPOs. This campaign is designed to highlight their abilities to assist OSCs in achieving CMMC compliance.
    • The Cyber AB website is implementing improvements to better support non-US operations for professionals.

     

     

    Rulemaking Ruminations with Robert Metzger 

    Robert Metzger joined this month's Townhall meeting as a special guest to discuss the current state of CMMC rulemaking and to provide his perspectives. Here is a brief summary of his discussion: 

    • The CMMC rule is more complex than any other rule package the DoD has ever submitted. 
    • Congress is stressing that the DoD should pay special attention to the rule's impact on small businesses.
    • DoD could have scrapped the CMMC program altogether and reverted to self-attestation, but they didn't, and that should speak volumes about their commitment to the program.
    • It's reasonable to expect that incident response and reporting requirements will likely be strengthened to align with the trend in government initiatives.
    • ~90% of the clauses in interim rules will be seen when the rule goes final. Very few changes to the clauses should be expected.
    • Regardless, DFARS 7012 still exists. Taking no action is the incorrect approach.

     

     

    DRAFT CMMC Assessment Process (CAP) Public Comments 

    The Cyber AB recently published a list of comments submitted in response to the call for public comments on the CMMC Assessment Process (CAP) document. The following is what Mr. Travis shared regarding these comments and the CAP document:

    • There were 540 comments submitted in response to the CMMC Assessment Process (CAP) document.
    • The Cyber AB has added each comment to a publicly available Excel spreadsheet and assigned each comment an ID, topic, type, and source.
    • The Cyber AB will adjudicate the comments to fix the CAP with involvement from the ecosystem.
    • No comments made were discarded by the Cyber AB. All comments were added for transparency purposes.
    • Among the topics receiving the most comments were: cloud services, assessment process, evidence, POA&M, and document format.

     

    CAICO Update 

    Finally, CAICO Director Kyle Gingrich joined the meeting this month to provide an update on behalf of The Cybersecurity Assessor and Instructor Certification Organization (CAICO). Among the updates delivered were the following: 

    • Provisional Assessors (PAs) must earn their CMMC Certified Professional (CCP) by April 19th, or they will lose their provisional status and the associated benefits of the provisional program.
    • Additionally, Provisional Assessors (PAs) must earn their CMMC Certified Assessor (CCA) by June 16th, or they will lose their provisional status and the associated benefits of the provisional program.
    • The CAICO website is in development, and more information will be distributed in the following months.
    • The requirement for a CMMC Certified Assessor (CCA) to complete three assessments prior to earning assessor suitability still exists. However, it does not stop CCPs from testing out to become a CCA.
    • A proposed plan has been submitted to provide clarity on the three-assessment rule. However, its resolution may be delayed because everyone is focusing their attention on the CMMC rule right now.

     

      

    The next Cyber AB Town Hall is scheduled to take place on Tuesday, February 28th.   

       

    Previous Town Halls are available here: https://cyberab.org/News-Events/Town-halls  

     


    Jason Sproesser

    Jason Sproesser is Director of Product Management at Summit 7. Jason's mission is to empower organizations to achieve their cybersecurity and compliance goals by simplifying complex concepts, translating them into digestible insights, and developing industry-leading offerings that help clients protect their critical data and systems from cyber threats while satisfying compliance requirements. Jason is a CMMC Certified Professional (CCP) and Provisional Instructor (PI).
