CMMC board clarifies assessor training timeline
- By Lauren C. Williams
- Jul 07, 2021
Training materials and certification exams for the assessors and instructors needed to implement the Defense Department's third-party cybersecurity program for contractors are several months away from delivery, officials say.
The board had previously indicated that training for the Cybersecurity Maturity Model
Certification program could be ready by the end of the summer. However, it looks like that timeline has slipped to the fall.
Melanie Kyle Gingrich, the training director for CMMC's accreditation body (AB), said the objectives for measurement, which are based on the CMMC framework and will be used as the basis to develop training materials and certification exams for certified assessors and professionals, have not yet been finalized or been approved by DOD. Gingrich said that could happen in the next month, but isn't guaranteed.
A statement from the AB to FCW reads: "Nothing happens until we pass Phase Gate 1 at this point. The AB will send out a notification once we have the final DOD approval on objectives."
Once those objectives are finalized, training content, which is developed by licensed publishing partners (LPPS), should become available after eight weeks. About four weeks after that, training courses from licensed training providers should begin to become available.
"There are multiple LPPs delivering content in different modalities, so the timeframe to ensure they have the quality checks to release that content to market," Gingrich said during a June 29 town hall event. "There's a lot of moving pieces and parts."
There are currently 16 companies listed as licensed publishing partners and 39 licensed training providers, according to the CMMC AB's website.
Course content from LPPs is then used by licensed training professionals, who conduct the courses assessors need.
Development of CMMC certified professional exams is slated for late fall in 2021. That date could change based on progress of development of LPP content.
When asked how the timeline for exams would impact assessor certifications, the AB said the provisional assessors, who have already received DOD-approved training and were used to 'seed' the market would test to become certified assessors or professionals. DOD "certified assessors" must also pass a "suitability check along with the completion of training and passing the official exam…at the level they are seeking."
Gingrich's presentation targeted potential confusion about CMMC training timelines and address issues with unauthorized training offered by companies that have not been approved by the CMMC Accreditation Body.
"There is a lot of training starting to occur. Now, training is always a good thing, however, we want to make sure everybody understands how this ecosystem works so that they're being very aware about the decisions that they're making," Gingrich said, later adding that CCP training wasn't yet available "because we don't know what the final outcomes are," for the objectives of measurement for CMMC assessments.
The comments came soon after the board issued an alert warning potential defense contractors "about companies and organizations misrepresenting their ability to train individuals in preparation for the CMMC assessor and CMMC instructor certification exams" for DOD.
Jeff Dalton, vice chairman of the board who helped stand up the training environment, said there were no CMMC certified professionals or assessors.
"There are no CCPs at all, there just aren't, that training hasn't happened," Dalton said.
Dalton said the training, which covers how to be a good assessor and ensure mastery of the CMMC model, can't be circumvented or supplanted by other cybersecurity certifications.
"You have to take this training because getting this right is important for the livelihoods of the people you are assessing. This isn't just a simple exam," Dalton said, "you have a lot of responsibility as a CCP or CCA that affects the livelihood, the mortgage payments, the student loans, the food on people's tables by your decisions."
This article first appeared on FCW, a Defense Systems partner site.
Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.
Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.
Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.
Click here for previous articles by Wiliams.