Five Key Takeaways from the August 31, 2021, CMMC-AB Town Hall Meeting

August 31, 2021

As the CMMC Accreditation Board continues its march towards certifying CMMC assessors and helping Defense Industrial Base (DIB) member organizations become CMMC certified, it has provided an update on progress at the CMMC-AB Town Hall meeting on August 31st. If you didn’t have a chance to attend, here are five key takeaways:

There are now four certified C3PAO’s. Here are some of the lessons learned from their journey through the CMMC certification process and beyond:

- Be prepared. It takes a great deal of time and effort to get ready for an assessment.
- Daily threat monitoring is highly advisable to prove cybersecurity maturity.
- Be critical of your own preparedness. If necessary, develop your own assessment tool.
- The certified C3PAOs are hearing a lot of cost concerns from the organizations seeking certification (OSC’s).
- Scaling up to meet the demand for services is challenging.

CMMC-AB Created the Industry Advisory Council (IAC) to address the flood of requests for clarification

- IAC chartered by the CMMC-AB to be a standing mechanism for DIB sector engagement and feedback
- To contact by email: iac@cmmcab.org
- Trying to distill feedback into actionable intelligence for the CMMC-AB
- Are particularly sensitive to helping SMB’s address costs and effort involved

The program is having trouble scaling

- CMMC-RP and RPO programs are okay, progressing at a suitable pace
- C3PA/C3PAO certification is going very slowly
  - Hundreds have applied
  - Four are certified
  - Training and certification materials are still not available
  - Provisional C3PAO’s must retest once exams are available
  - The certification process involves many background checks, assessment, suitability, and acceptance steps in three discrete phases:
    - For applicants: 7 steps
    - For candidates: 13 steps
    - To authorize: 7 steps