Dawn Greenman, deputy program manager for Cybersecurity with Johns Hopkins University Applied Physics Laboratory, and Ty Schieber, board chairman for CMMC Accreditation Body served as panelists during Potomac Officers Club’s (POC) CMMC Virtual Forum 2020 on June 24th.
If you missed the virtual event, you can still register to watch the footage in Potomac Officers Club’s Event Archive.
Alka Bhave, Perspecta’s vice president of Performance Excellence, moderated the panel. She opened the discussion by providing an overview of the Cybersecurity Maturity Model Certification (CMMC). Bhave then introduced Schieber and Greenman, noting the panelists’ knowledge and expertise within the sector and federal government.
“The government and the CMMC accreditation body, through multiple working groups have been diligently working over the past several months to develop a framework and standards for CMMC,” Bhave stated.
During the first round of questions, the panelists focused on the CMMC pathfinders. The Department of Defense (DoD) is running mock assessments with stand-in C3PAOs (CMMC Third Party Assessment Organizations) so that companies can be assessed without receiving an official score.
Greenman noted that the pathfinders let the CMMC team run multiple trials and gain deeper insight into the assessment and accreditation process, and then identify any modifications that would simplify the official implementation.
Greenman answered a question from the audience, regarding whether the companies chosen to participate in the pathfinders will be aware that they are under review or not. “The pathfinders that I supervise are aware that they are a part of the process,” she answered.
Schieber added that the pathfinder trials are an initial run at CMMC levels 1-3 to gather experience, feedback and input before moving to the next round of CMMC implementation, called the “provisional period.” The provisional period will use officially qualified assessors, and the further feedback they provide will be rolled into baseline training.
Bhave introduced a new topic, focusing on companies that operate research and development networks, or closed networks, on which malware is introduced intentionally in order to study it. The panelists discussed whether these companies would require the same level of certification as organizations that defend against cyberattacks.
Greenman stated, “part of the development of CMMC is asking, ‘how do you scope the network?’ If you’re a part of a research and development firm, it would not be included as part of the CMMC assessment boundary. The actual lab would be an enclave, separated from the rest of the network. This gets down to scope. If you have divided business offerings it really boils down to the scope of your organization. This is why we have pathfinders.”
Bhave then moved to in-person auditing for CMMC levels 3 and above. She asked the panel, “With organizations with multiple sites, should the companies expect auditors to visit every site, or would a sampling approach be implemented?”
Schieber stated that it would involve a sampling approach. He added, “When you look at what the CMMC Accreditation Body is all about, there are two points of emphasis. One is to protect data, the other is to change the culture.”
He noted that there has to be an understanding of how much investigation is necessary for larger organizations to answer the question of whether they are doing what needs to be done to achieve a certification. Schieber concluded that he expects to see statistical sampling for these organizations.
Bhave changed topics to continuous monitoring, asking when the CMMC Accreditation Body plans to monitor organizations after they receive a certification level. Schieber noted that continuous monitoring is not yet integrated into the process; instead, the CMMC team is focusing its efforts on driving implementation.
“We also recognize that we need to be forward looking. The advisory is not sitting still. We need to be investigating new and innovative approaches to help protect the DIB, some that may be recommendations related to the implementation of CMMC and others that do not fit into implementation and that needs to be changed. Continuous monitoring is not on the table,” Schieber added.
After the panel discussion concluded, the panelists answered questions from the audience on a variety of topics, including CMMC implementation, the auditing process and how the pathfinders would be run.
One of the audience members asked when DoD contracting officers (KOs) would be educated on CMMC levels and requirements. Greenman answered by providing the timeline and expectations the educational team has projected for ensuring that KOs are prepared for certification.
Greenman said, “We are working on an outline of what education would look like. That will be integrated into our pathfinders project in addition to the mock trials that we will perform.”
After the panelists had answered additional questions from the audience, they gave their closing remarks on how the public and private sectors can work together moving forward with CMMC implementation and integration.
“We are in the initial stages of something that is very complex and complicated and perfection doesn’t come overnight. What I would implore you to do is be patient. As this comes online and as you have opportunities to observe, let’s work together to shape the model and make it better. This is a team sport, we are building it together,” Schieber concluded.
Greenman closed, stating, “This is a crawl, walk, run effort that should take a collaborative approach. We’ve taken an agile, iterative approach in order to garner feedback from industry, small business and weigh out how to protect controlled unclassified information. At the same time we have to figure out how to make it cost effective and fair. We don’t have all the answers yet, but we are hopeful that the pathfinders will reduce risk and give additional insight of where to go from here.”
To view the full panel discussion, click here to replay POC’s CMMC Virtual Forum.
Mark your calendars for Potomac Officers Club’s Future Virtual Battlefield Virtual Event on July 22, 2020.
Maj. Gen. Maria Gervais, director of Synthetic Training Environment Cross-Functional Team with Army Futures Command, will serve as a keynote speaker at the virtual event. She will address how the federal government and defense agencies continue to integrate more emerging technologies.