CMMC board chief talks assessors, IT staff

Matt Travis, the CEO for the Cybersecurity Maturity Model Certification Accreditation Body, said proper training and IT access to the Defense Department's Enterprise Mission Assurance Support Service (eMASS) application, which will house CMMC data, still need to be finalized for the third-party organizations that will be charged with conducting cyber assessments.


What's standing between defense contractors and the upcoming cyber assessments? A bit of IT.

Matt Travis, the CEO for the Cybersecurity Maturity Model Certification Accreditation Body, said training and IT access to the Defense Department's Enterprise Mission Assurance Support Service (eMASS) application, which will house CMMC data, still need to be finalized for the third-party organizations that will be charged with conducting cyber assessments.

"While they're authorized in the marketplace, we're not yet in a place where we can authorize them to conduct assessments, but we're not far away. And that burden is on us and the Pentagon in terms of getting those companies access to eMASS," Travis said during an Aug. 20 Washington Technology virtual event.

Travis said the AB and DOD are working on finalizing eMASS orientation, training, and access connections for the three authorized CMMC Third Party Assessment Organizations (C3PAOs). Additionally, the AB is working on guidance for the 3PAO assessment process.

"On the doctrinal side, we're finalizing some of the guidance documents to the resolution process, what we call the CMMC assessment process. And so we need to give those documents to the C3PAOs to empower them," Travis said, adding that the organizations will take on assessments once the policy issues are resolved.

The Defense Department is currently reviewing the CMMC program as instructed by Deputy Defense Secretary Kathleen Hicks earlier this year. But the standard is still being rolled out for certain contracts.

Tony Buenger, a CMMC strategist and provisional assessor for Redspin, one of the authorized C3PAOs, said interest in meeting the standard has grown, even for those who don't have contracts with the CMMC clause, and the company has begun scheduling assessments.

"There's a lot of interest out there for those who are not under the pathfinder, as...they know they have upcoming contracts that may or may not have the CMMC clause in it, but they want to be prepared anyway," Buenger said Aug. 20. "And as of right now, we're waiting for the final pieces of the puzzle to come into place, access to a system called eMASS so we can actually submit our assessment reports to the AB."

The AB is also looking to add IT staff to comply with the CMMC standard and attain International Standards Organization (ISO) certification for accrediting bodies. Travis said the organization wants to hire "someone to run our own accreditation process" to meet those standards, adding that the AB was in the same position as many defense contractors.

"I've got to build up our IT staff just like a lot of [defense industrial base] companies," Travis said, "we're certainly in that same category."