About This Episode
Podcast Episode 10
January 7, 2025 - 50 mins
The CMMC training and certification ecosystem is ambitious as it aims to support training material development and certification of both instructors and assessors. It is currently on a path to providing a strong foundation for CMMC as a whole. In this episode our cybersecurity experts dive into the details and nuances of the training and certification requirements in the CMMC ecosystem. Hear them define the terms, discuss the requirements, contrast CMMC training and certification with other compliance frameworks, grapple with challenges and finally address what lies ahead. Joining host Cole French is Joe Lissenden, CEO of Precision Execution, provider of CMMC training and certification services. Joe has more than 25 years of consulting, training, and auditing experience over a wide range of systems and standards.
Resources:
Acronyms
- APP: Approved Publishing Partner (formerly Licensed Publishing Partner)
- ATP: Approved Training Provider (formerly Licensed Training Provider)
- CCI: CMMC Certified Instructor (formerly Provisional Instructor)
- CAICO: Cybersecurity Assessor & Instructor Certification Organization
- CAP: CMMC Assessment Process
- CATM: CAICO Approved Training Material
- CCP: CMMC Certified Professional
- CCA: CMMC Certified Assessor
- OSC: Organization Seeking Certification
- RPO: Registered Provider Organization
Episode Transcript
Cole French:
The success of any compliance framework is driven by a strong ecosystem of experienced, qualified, and trained personnel capable of carrying out the framework’s security objectives. CMMC’s training and certification efforts represent an ambitious undertaking, not normally seen in supportive compliance frameworks. Join us today as we break down the training and certification side of the CMMC framework.
Welcome to the Cyber Compliance and Beyond Podcast, a Kratos podcast that brings clarity to compliance, helping you leverage compliance as a tool to drive your business’s ability to compete in any market. I’m your host, Cole French. Kratos is a leading cybersecurity compliance advisory and assessment organization providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services, and healthcare. Now let’s get to today’s episode and help you move cybersecurity forward.
As the CMMC ecosystem has evolved during the last few years, a parallel ecosystem has been evolving alongside of it, the CMMC training and certification ecosystem. There are key designations and certifications, both organizational and individual that are required to operate in the broader CMMC ecosystem, whether as a publisher of training materials, an instructor of the same, or an assessor. CMMC’s efforts to create a full scope training and certification ecosystem are ambitious, actively wrestling with the tension between the need for consistency of interpretation and a framework that is generally vague.
Joining me on today’s episode is Joe Lissenden of Precision Execution. Joe has a wealth of experience across compliance frameworks including ISO, FedRAMP, and CMMC. Joe provides valuable contributions to the CMMC training and certification ecosystem via his participation in various Cyber AB training working groups, and his work as an instructor and assessor.
On today’s episode, we’ll dive into the details and nuances of training and certification requirements in the CMMC ecosystem. Specifically, we define the terms, discuss the requirements, contrast CMMC training and certification with other compliance frameworks, grapple with challenges, and talk about what lies ahead. Joe, thank you for taking the time to join us on today’s episode to discuss training and certification specifics as they relate to the CMMC ecosystem.
Joe Lissenden:
Thanks for having me, Cole. I look forward to the conversation.
Cole French:
Let’s get right to it. So can you give us an overview of the CMMC training and certification ecosystem for all our listeners out there?
Joe Lissenden:
Absolutely. There are licensed publishing partners, which are the companies who are authorized to create the courses. There are licensed training partners who are the companies who are approved to deliver the training. And the training courses are the Certified CMMC Professional, CCP. And the subjects of knowledge there are Level 1 scoping, ethics, the ecosystem who participates in the CMMC, the CMMC model, introduction to federal contract information and confidential and classified information, a very detailed review of the 17 Level 1 practice requirements, and a high level overview of the Phase 2 requirements, and an introduction to the CAP.
There’s also a Certified CMMC Assessor course, CCA, which the four primary pillars of that course are context, so getting used to adjusting to big companies, small companies that make everything that the DOD needs, Level 2 scoping, details of those Level 2 requirements, and the CAP in great detail from a practitioner’s point of view. And we have a lead assessor, but there is no lead assessor course. All the lead assessors come from the pool of CMMC assessors.
There’s also provisional instructors, or we call them PIs. Those folks were trained by the CAICO and those are the only folks that are qualified to train these courses. The course material is CMMC Authorized Training Material, we call it CATM, and that has to be approved by ProCert QA, which is a vendor that was approved by the CAICO to make sure that all of the curriculum is somewhat standard.
Cole French:
So you mentioned the CAICO. That’s a key component of the CMMC training and certification ecosystem. I guess you could say it is the component from an accreditation or certification body perspective. Can you spell out that acronym real quick?
Joe Lissenden:
Absolutely. Let me put it in a little context here. The Cyber AB is the organization that is the accrediting body for the C3PAOs. And for them to be credible, it needs to be a completely separate organization that would be training and qualifying the instructors and assessors. And so the Cyber AB has split off the Cyber Assessment and Instructor Certification Organization. We call that the CAICO, and they are in charge of the training and qualifications for the instructors. And ultimately that does help add to the credibility of the whole ecosystem because instead of the C3PAOs making up all the rules, it does make sure that everything is very independent and there are independent rules for the assessors and the instructors.
Cole French:
So I’m going to break down the ecosystem a little bit. It sounds like from what you were saying, so we have the content itself, so that’s the training material and that’s where your publishing partners come into play that you mentioned at the beginning. Then there are instructors who are certified to teach from that approved material. Now, that approved material could come from a bunch of different vendors. There’s a lot of vendors out there that are publishing partners and have material that they publish that has been approved for publishing and for use by the instructors who are trained and certified.
So we have the content itself, then we have the trainers, and then finally we have the practitioners you mentioned. And so the practitioners are those who are actually going to go out working for C3PAOs. They’re going to go out and conduct these assessments against organizations’ implementations of the security requirements. So the practitioners are trained using the approved material from the approved publishing partners, and then they are trained by the licensed instructors. Then they get the certification once they pass the exam obviously, after going through the instructor-led training. They pass the exam, they have the certification that enables them to go out and perform assessments. Did I summarize, condense that accurately? Is there anything I missed there?
Joe Lissenden:
Absolutely, that’s exactly correct.
Cole French:
So now that we have the particulars of the CMMC training and certification ecosystem, I’m curious, there’s a lot of assessment frameworks out there, ISO, FedRAMP, SOC. I know that you’ve worked in a lot of those particular arenas providing training and things of that sort. So I’m curious, are CMMC training and certification requirements significantly different than some of those other frameworks?
Joe Lissenden:
There are some similarities and some differences. Let me point out that I have about 30 years of experience in the realm of ISO in about eight different standards. In the ISO framework there is a big focus on implementation or practitioner experience, then getting training or lead assessor training, and then that just gets you to the table to go and watch some audits, and then co-audit, and then ultimately conduct a qualifying review. And that’s a pretty rigorous process both at the assessor level and also at the lead assessor level.
Those benefits are ultimately leading to consistency and ensuring that assessors are comfortable and also are following the policies of the auditing agency that they’re auditing for. In this case, some of the differences of course is that the curriculum is standardized, the testing is standardized, and as soon as you pass the exam, that means that you can go out according to the Cyber AB and CAICO and become a practitioner. And that is one of the primary differences in the system as it’s set up.
Cole French:
So you’re saying in the context of ISO as the example that you mentioned, what are the requirements that you would have to fulfill after going through the training and all that, that are, I guess you would say above and beyond? Because it sounds like you’re saying CMMC, you can pass the exam and then go right into being a practitioner. But are you saying that with other frameworks it’s different and there’s other milestones that you have to meet before you can go out and perform assessments?
Joe Lissenden:
Yes, absolutely. There is a significant focus on industry experience, having either implemented or managed such a system that you’re going to be assessing. That helps from auditor context and perspective, including SIC codes and industry background. If you have worked in the electronics industry, that makes you much more capable and comfortable asking questions around electronics or engineering types of topics.
The ISO scheme that I was speaking of does in fact require that assessors observe other assessors doing the audits to a policy that is set out by the certification agency. And then the second step would be to co-audit with another assessor and then do what’s called a qualifying review, where a senior person watches that person to confirm that they know how to assess and interpret per the model and are following the policies that they should be following.
Cole French:
I can see that that would be beneficial and I’m thinking about it and from a CMMC standpoint, especially what you just mentioned about going through that learning experience, I guess, of watching an audit, co-auditing, and then going out there, and in particular around interpretation of the controls. I’m curious what your thoughts are on this. CMMC, one of the reputations of the framework is that the control set is pretty vague. So do you think that CMMC’s approach is going to lead the ecosystem to having a consistent interpretation of controls or do you foresee that the way we’re doing things currently is going to lead to a lot of different interpretations of controls? Or do you think that’s just the nature of a vague framework like CMMC?
Joe Lissenden:
I believe that this is going to be determined by the decisions that are made in the near future. For example, the companies that are doing the assessments now, the C3PAOs, none of them have been ISO 17020 certified with the specific intent of doing CMMC assessments. Some of them are because they already assess to other frameworks and therefore they have had to. And in those cases they are required to set up their own policies for hiring, training, qualifying, continuing to develop those assessors and standardize their interpretations.
And so I don’t think the system has been set up right now to standardize interpretations. I was involved in several working groups in the early days and there was a discussion about a wiki site or a body of knowledge. If you’re a certified project manager, you’ve probably heard of PMBOK, the Project Management Body of Knowledge. So there’s a discussion about some standardized interpretations, but I haven’t seen any movement toward that.
And I believe that the nature of the standard is going to lead to variances in interpretations. For example, just a basic example is there’s going to be companies coming through the assessment process who do not currently store, transmit, or process CUI, however, they are undergoing a Level 2 assessment. Some assessors are going to say that certain practices are not met or that they don’t need FIPS 140 certified encryption modules, while others will say, “Well, you don’t have any CUI running through your network, so you don’t need that.” So there is going to be some variance in interpretation.
And I think what I was describing in terms of it being down to the C3PAO to manage the variances and what they allow is potentially a good thing in the future to ensure that interpretations are at least consistent. That is a primary goal of the CMMC assessment processes and all the documentation is to make sure that there is some similarity between the systems. Even though the complexity and details, technology and tools, and how it’s put together is going to look different in most companies, we’re still looking to get a fair and accurate assessment, yet independent assessment.
Cole French:
I think too, there’s a level of learning and growing and all the things that come with learning and growing, which typically involves some sort of pain, if you will. So I think we’re going to develop the consistency, or at least my hope is that we’ll develop the consistency over time through industry and a lot of these events, a lot of these forums and other things that allow us to share information. And I think as we go along we’ll develop that consistency.
I do think that there are challenges, like you mentioned. There’s a lot of different organizations, they’ve opened this up. It’s an open market. So like you mentioned, there’s organizations that can go through this, get a Level 2 certification, but they don’t actually store, process, transmit or maybe even protect CUI. Maybe they will at some point in the future, but we’re going to be assessing things that maybe don’t even necessarily meet the intent and requirements upfront that CMMC is seeking to achieve, which is namely to protect the DIB supply chain. And then even further to that, protecting controlled unclassified information, and to I guess a lesser degree, federal contract information since that’s just the smaller level set of Level 1 controls.
I’m curious though, so in your experience with ISO and ISO has been around for a long time, so to that point about developing the consistency over time, would you say that from an ISO standpoint and your experience with audits and things of that nature, is it fairly consistent? Is the interpretation across ISO audits pretty rigorous and consistent?
Joe Lissenden:
I think it’s pretty consistent. I’m not going to make an overstatement that there aren’t people out there that are certification body shopping. And by that I think that’s something that we really don’t want in CMMC, meaning that if we don’t get the interpretation that we want from the C3PAO, that we just go to another assessment body who will give us the answer that we want. I don’t think that’s going to be helpful.
I think that’s pretty limited with ISO. For example, one of the policies that is in place with ISO is if you have had a major finding, you cannot transfer that certificate to another certification body until you’ve fixed the major finding. So that does lead there to be some level of consistency across. And also, the firms are audited by an accredited body every year. They are out auditing the auditors and auditing the office to make sure that the office is following all the processes that they’re supposed to. And they do get findings, they do have corrective actions, and they do make changes. And some companies get a lot of findings because they have a lot of issues, and those issues lead ultimately to better consistency. But it’s not a guarantee and it doesn’t happen with every company all the time.
But I would say to answer your question, on the net, I do think that there is minimal certification body shopping and there is significant consistency across interpretations. If I could tell you a quick story about that, Cole, I audited an ISO assessment with a person that I worked at the same company with about a 20-year separation from. So we weren’t there at the same time, but we were trained to the same methodology and it was amazing to see how we actually interpreted the standard.
I always say that my mother and father were both from the same certification body because I’ve learned how to interpret the same way. That in fact was shocking to me because we were from different backgrounds, different eras, and we interpreted the standard identically the same, which to me was a statement of how important and how strong a good solid base, and when this is emphasized across an independent certification agency, how important it is that that is implemented and enforced.
Cole French:
That’s a great story. I mean obviously if we’re all working together, we’re going to have a consistent interpretation, but I think even more than that, we want to have the disparate parts, even the people that we don’t necessarily work with and that have different levels of experience and all that stuff that we all have that same consistent interpretation.
So I’m curious, do you think that the consistency from an ISO standpoint is the training and growing up, the auditors, or is it the controls themselves and the way that they’re written? Because I feel like one of the challenges with CMMC is, I mean, yeah, I think that we’re going to develop consistency with the way we do the training and the certifications and all that stuff that we’ve already mentioned, but I also think that the framework itself and the way controls are written does lend itself to an open interpretation. It is kind of vague. It’s really putting the onus on organizations to define a lot of these things, to implement them, and giving them a lot of leeway to do it, which I think does make it harder as assessors to assess compliance sometimes.
So I’m curious, do you think that the ISO framework and the ISO controls are written in a way that makes it easier for there to be consistency in interpretation, or do you think that CMMC is similar? Or do you think the way the controls are written will pose some challenges to consistency?
Joe Lissenden:
Well, I think it’s a very interesting question because the early ISO standards that were coming out in the ’70s were very checklist, were very documentation-heavy, and it made it easier, I think, for assessors to just ask for a document. Why? Because the standard required you have a document, and if you didn’t have a document, then that was a problem. But we do, I think, want thinkers in our implementation and assessment part of the ecosystem. I think it’s undesirable to have a robotic set of requirements that we just check the box, oh, you have a piece of paper, I’ll just get that from a template online and therefore I have it.
We need thinkers because we need these assessors to make sure this is a maturity model after all. So there is some degree of grayness, it was implemented last week, it was implemented last night, a new technological tool was implemented. And ultimately we need an assessor to take the context of what they’re seeing right then in front of them, but also to look through the prism of adequacy and sufficiency. Is it enough information, is it the right type of information to make an informed decision?
And so I think there is a little bit of science to that. I do think that ISO moved to more of a process orientation over the years. So that has, one, made managers and P&L managers and leaders all more interested in it because it drove greater value. And I think as CMMC develops, it will develop over time, the requirements themselves, the skills of the assessors. This is all going to evolve, I think will hopefully drive greater value. There is a need to be somewhat consistent in interpretation, but we are all different people with different backgrounds and there is going to be some variance. We just have to agree on how much variance we are okay with.
Cole French:
Yeah, I think that’s one of the biggest hopes I have for CMMC personally is I actually think the vagueness, I don’t even know if I want to call it vagueness, but the lack of a prescription. It’s not, hey, you need to do X and with this particular configuration. I actually think that that’s one of the greatest benefits of the CMMC framework, like you mentioned too, the maturity component. I hope that the framework eventually, yeah, we have consistency in how we evaluate it, but that we retain that freedom to tailor it to how your organization functions and how security functions within your organization. I think that’s a big plus with the CMMC framework is the organization’s ability to develop a solution that really works for their particular organization.
I think one of the consistency components that we have to work on is, and this gets more into the advisory side of CMMC compliance, helping organizations become compliant is helping organizations build those solutions specific to their organizations. I think we tend to come at things a lot of times from a top-down approach and we want a one-size-fits-all thing. But one-size-fits-all doesn’t really work because you have large prime organizations and then you have mom-and-pop machine shops and the requirements, and really the ability to implement security is just vastly different in those organizations. And we need a framework that’s open-ended and that organizations can leverage to create solutions that are compliant, but also that take into account the challenges that they face as a business or maybe even the challenges that they don’t and they don’t need to worry about those particular things.
So now that we’ve covered the framework, the certification requirements, the training requirements, all that, I know you’re familiar with a lot of the talk that’s been out there over, I mean really since we started all of this, and especially as we got closer and closer to flipping the lights on and CMMC assessments beginning, is the capacity challenges. There’s only a certain number of organizations that are C3PAOs. There’s only a certain number of assessors that have either the CCP or the CCA that we talked about earlier, which are the certifications that are required in order to perform an assessment and to act as an assessor for an organization seeking certification.
So I’m curious, Joe, what are your thoughts on the capacity challenges? And what I mean by that is the ability of the training and certification to keep up with the need for those who are trained and certified. First of all, do you think that’s an overstated problem? Or if not, how do you foresee that problem working itself out as we get going with assessments here in the new year?
Joe Lissenden:
Well, from what I can see of supply and demand, there is a significantly higher number of companies who would like to schedule an assessment with companies who are available and assessors and team members who can execute. I don’t think that that is a very difficult problem to solve. To me, it’s just a math problem. We have training courses every month, so we can train 20 CCPs a month, we can train 20 CCAs. There’s many companies who have written the course material. There’s many other companies who are approved to train. So to me, it’s just a math problem.
There’s also self-guided, there’s lots of different modalities that folks can get their training through. So it doesn’t always have to be instructor led. It can be virtual instructor led. It can be a little bit on your own time, and we’ve had a lot of interest and pacing of that. But the numbers that I’m looking at are there are about 464 CCPs according to the marketplace, about 269 CCAs. And then of those, 120 are lead assessors.
So to me, there’s definitely a shortage. A lot of these folks that are CCAs and lead CCAs are also the instructors. So that puts some pressure. These provisional instructors have been waiting for a designation called the CMMC Certified Instructor, the CCI, but those requirements have not yet come out. We need to get those out so that we can have more trainers. I think right now it’s set up pretty smartly where the assessors who are instructing have what I’ll call battlefield experience. So instead of just being an academic and teach it out of a book.
Actually next week, we’re on an assessment and I believe the first 40 days or so of the year I’m going to be doing assessments. So the good news is I’ll be doing assessments. The bad news is we have training courses that are largely being taught by a lot of the same personnel.
So to get back to answering your question about capacity, I think right now if you did the math of the number of companies who have said that they are interested in assessment with the number of C3PAOs who are qualified with the number of assessment team members who are currently ready and available, I think you’re going to find some tough math. But one of the things that I’ve found through the last year or two is that even though there are defense contractors getting ready, there’s a real mismatch I think between the industry’s state of readiness.
I can’t tell you how many times somebody tells me that they have scored a 110 on a NIST 800-171 assessment, and I ask them, oh, great, can I see your SSP? Oh, well, it’s still in draft and it’s not been signed. Okay, well, I have no idea how you got a 110 because there’s no chance you should have a 110 because if you did a NIST 800-171 assessment properly, you shouldn’t even have a score.
And that’s just a minor example of I like to bring in the scoping issue. There is scoping guidance that is now available for Level 1. There’s additional scoping guidance for Level 2, and there’s additional guidance for Level 3. So any organization that’s going to enter this pipeline, and let’s say they claim they’re ready with the C3PAO, if the scope doesn’t comply with that scoping guide and the C3PAO can’t make heads or tails of what they’re actually assessing or they haven’t provided the inventory of procedures, policies, artifacts, and people that they need all the way down to the 320 assessment objectives, it’s going to be difficult to progress into Phase 2.
So I think the interest level of companies ready for assessment in their mind is I think ahead of their skis. I think what we’re going to find is that there’s going to be a lot of companies who are really not going to be allowed to pass the gate through that. I’ll call it pre-Phase 1 because if you’ve read the new CAP, a lot of this discussion is before you actually even get to Phase 1.
But that scoping discussion really is very important. And I think again, we’re going to have a lot more people who are interested and thinking they’re ready to go, but really are not ready to go, and there’s going to take some time for level setting. There’s a significant number of expectations that we cover in these courses, CCP and CCA, that’s in these documents from the model to the scoping guide to the CAP.
There’s a significant number of things and information in there that if companies have implemented and they think they’re ready to go, they’re going to be faced with the same thing that I mentioned earlier of, oh, I have a 110, I scored myself as a 110. Well, how did you do that? Well, we have an automated technological tool that scans our network and it spits out that we got a 110. Well, I’m not really sure that’s very credible because there’s way more to it than that.
So at any rate, I think this is a problem that can get solved, but I think in the short term, there’s going to be a continued surge of C3PAOs who are trying to get across the finish line and become actual candidates to become a C3PAO. There’s a lot of people waiting for their Tier 3 suitability reviews. Cyber AB is well aware of the queue in there and are doing what they can.
There’s also a lot of people who, one of the things that we would like to do with CMMC is create really good employment opportunities for some of our veterans. And a lot of these folks or even veterans or just have IT experience and have a top secret clearance, that’s going to help them accelerate through this Tier 3 suitability queue because they’re not going to have to go through that. They already have the clearance and they’re ready to go. They just need the training and other things that we’ve talked about.
So I do think that it is just simply a math problem, but I do think that there is a lot of companies that are going to have a little bit of a rude awakening when it comes time for a readiness review or leading up into these assessments. There’s going to be a lot of people, sorry, a very few number of people who are ready for the assessments except the companies themselves claiming they’re ready. I think there’s going to be a lot of companies actually not ready.
And the consequences of that, you might ask, well, what’s the big deal, they get going, and let’s say they don’t have a 110? There’s 320 assessment objectives, let’s say that they have somehow fallen short and they can meet 70% of those. Well, in the CAP, there is a requirement to remediate and ultimately leave this Phase 3 of a CMMC assessment with a Level 2 interim certification. You do have to get over a certain threshold.
And back to my point about, I don’t think industry is very familiar with how this is going to work, but I do know that a lot of companies who think they’re ready, very well could push for their assessment, get 70% conformance, and then they are told that they are not even qualified to remediate, which means they just paid for an assessment that got them probably pretty close to nothing. They’re not even on track to remediate.
So that I think could happen. And to the extent we’re pushing people through the process that aren’t ready, it’s going to create conflict in the assessments. OSCs are going to pay more money than they need to for these assessments, and there’s already a lot of whining and complaining about how expensive this stuff is. If you do things efficiently and you move from point A to point B without doing a lot of false starts at moving forward and backwards and redoing things, it doesn’t have to be very expensive at all. And small companies are going to get very creative at this, and big companies are going to be having an opportunity to innovate. But yeah, I do think this is just a math problem and it can be overcome, but there’s some interesting dynamics I think, ahead for us, Cole.
Cole French:
So before I add on to that, I just want to mention we’ve kicked around a lot of acronyms in this conversation, so not to worry. We will definitely drop those acronyms and definitions in the show notes, and we’ll also provide links and other things to things like the CAP, which is the Certification Assessment Process, which is an important document for more on the practitioner side, assessors performing assessments, but is also a useful document, I think if you’re an organization about to go through an assessment.
And I think to that great breakdown you just gave us, Joe, I hadn’t even thought of the capacity challenges to quite that degree. And you’re right, there’s a ton of complex factors in play. I hadn’t even thought of, for instance, the issue with CMMC certified assessors and then instructors and a lot of those being the same people and say, “Yeah, you’re going to run into a conflict.” We need to get more people trained, but those people are out doing assessments. I can see how that creates a problem.
But I think one thing we can hang our hat on, and I think this is important for folks out there listening that are organizations potentially seeking a certification. We’re a year, well, the Title 48 rule has not gone into effect yet and won’t until sometime in 2025. So we’re not to the place yet where CMMC requirements can be put into contracts and Phase 1 kicks off whenever the Title 48 rule goes into effect. And that Phase 1, there won’t be any Level 2 requirements put into contracts.
So these assessment requirements and the need for C3PAOs, CCAs, et cetera, is not really going to become a thing from a contractual perspective until some point in 2026. So we kind of have a year, if you will, to a year plus I guess at this point, depending on how long it takes the Title 48 rule to make its way through rulemaking. But we have a little over a year to chip away at and solve this math problem hopefully, and get the ecosystem on the practitioner side to a place where it can support the demand that is definitely going to come.
And I completely agree, there’s the majority of, I don’t know if it’s the majority, but I do feel like a lot of organizations that think they’re ready, maybe aren’t as ready as they think they are. There’s a lot of nuance to a lot of this stuff. Definitely encourage organizations out there to, if you’re seeking this, at least talk to an advisor, at least talk to a registered provider organization, which is the credential if you will, that organizations that provide consulting services in the CMMC space maintain. Look at those, talk to somebody, get some advice on where you’re at.
And it could be a very simple thing or things that you need to do to get yourself ready. It could be a lot of different things, but having a trained set of eyes to help you walk through that, I think is very important. And to that end, and segueing into, as we close out this conversation about the CMMC training and certification ecosystem, in your response to my previous question, Joe, something came to mind. And this is something I’ve been telling organizations for a bit, and I’m just curious what your thoughts are on it.
And that is, I think we think a lot of times of the training and then the certification. We think of the CMMC training and certification as really just for practitioners, but I think it’s also very beneficial for folks that work in operations for these organizations that are going to need to get certified at some point. So I’m just curious, do you think that it’s beneficial?
If I’m a CIO for instance, or a CTO or somebody in the C-level and I have folks that are working for me, performing operations tasks, making sure my security is on par, do you think it’s beneficial for me to spend the money and send folks, if CMMC is going to be something that my organization’s going to need to achieve at some point and maintain, do you think it’s beneficial to send my operations folks to that training so they can familiarize themselves with the language and the requirements and so on and so forth?
Joe Lissenden:
Well, yeah, I mean, I really am a big fan of a strategic approach to training, not just doing, I used to work for a British company and I learned the term sheep-dip, which is some companies that put thousands of people through training just to say that they’ve put thousands of people through training. That doesn’t really make any sense. But to help this CMMC acceleration of implementations, I was suggesting that I think there’s going to be a lot of companies moving forward who think that they’re ready for a readiness review and are going to be sadly mistaken when they’re not recommended to move forward quite yet. It is going to be collaborative and iterative. So it doesn’t mean that they stop, but it does mean they’re going to have to go back to the drawing board.
I think to accelerate that process, having people on staff at OSCs who are trained to the CCP at a minimum is really going to learn the tribal knowledge. And I’ve been teaching this course, Precision was I think the second course that was CATM approved. And so as I teach this course over and over again and our instructors teach it over and over again, one of the things that we have concerned ourselves with is this is great that all the people who are taking the course now know this information.
However, there’s 325,000 some defense contractors, and a lot of them aren’t knowledgeable of any of this information. And if they go into these assessments without this tribal knowledge about what the rules for appeals are, what does the CAP say, what are the qualifications for assessors and conflicts of interest? There’s so much information that I think that they would learn in terms of scoping. If you say, “Oh, well, I run a defense company and the scope is my whole company.” Okay, that is definitely one way to do it. But I think you and I have seen this over time, that if you want to have success with your CMMC scope, probably a minimization strategy of getting that as narrow as you possibly can to just get it as small as possible is going to increase your chances, and the CCP can help you do that.
In addition to strategic training, you had talked about what about executives? There are some folks who would benefit from the full Monty, if you will, the full CCP course in all of its glory. But it’d be very valuable to abbreviate some of that information to make sure the executives know what CUI is, confidential unclassified information. I think probably if you’re in the engineering side of the house, you have a lot of examples of the government and/or a prime organization has given you CUI and funny enough, it’s not marked properly. But what do you do? You receive it and you send it to your suppliers, also unmarked and thus proliferating this massive problem we’ve got.
We have to teach people what CUI is, how to understand from our contracting officers what CUI we’re responsible for, how to mark it properly. We’re not allowed to mark CUI as we recognize that it’s not marked, but we can work with our primes and our government agencies to make sure that it is. And then we can do our best to safeguard it all the way down the supply chain, which most of us know that it’s like a seven layer tier of suppliers. So it’s going to go down and it’s going to get to some pretty small companies. And if it leaves the government without properly being marked, it’s not going to be marked properly anywhere. And the possibility for spillage or bad things really goes up when that happens.
So there’s all kinds of different training. I mentioned executives, but from implementation. The practice requirements themselves require training around insider threat. It requires threat around the risks of CUI, so the loss of confidentiality, integrity, and availability of your information that is CUI or an unauthorized disclosure. We need to be recognizing what those things are at more than just the IT department level.
I think anyone who has implemented anything from an enterprise level knows that if you take the, it’s the IT department’s job, this is not going to get done properly. It really needs a cross-functional team from HR executives, operations. You can have IT be the lead sled dog, but you’re going to need a lot of different people from different functional departments all with their oars in the water, knowing what to do and participating, not just saying, “Oh, the IT department, that’s the IT department’s job. This is CMMC. We can’t do anything. We don’t know what to do.” So I think there’s a lot of training and ultimately the systems that work the best are going to be the ones that have more people with more oars in the water.
Cole French:
I think we’ve talked about the importance of the tribal knowledge. I kind of mentioned it earlier, but I think operations folks and even the C-level folks going through at least some of the basic training, I think is a huge benefit and it helps get everyone on the same page and speak the same language. And as I’m sure our listeners have noted, and like I mentioned earlier, the number of acronyms within this framework and really within any compliance framework or anything related to how the government does business, the acronyms themselves are enough to necessitate training, I feel like in some instances, and this one is no different.
So as we close up our conversation, which by the way, I’ve really enjoyed, Joe, I’m grateful you were able to come on and talk about this important topic. But just curious, as we close, as you think about the future of CMMC and training and certification, do you see any improvements that you feel are likely or are needed? Or just in general, where do you see the CMMC training and certification ecosystem going as really we get the CMMC program going?
Joe Lissenden:
Cole, thanks for having me. I’ve also enjoyed the conversation. It’s been lively. I think there’s a number of topics on the horizon for future of CMMC training. When we were originally brought in as a publisher, we were told that there was going to be an opportunity for seven different certifications. And that has changed and that’s fine. This will change and morph, and that’ll be healthy and good for everybody.
But one of the things that is definitely going to be coming down the pipe is the need for continuing education. Anyone who is going to be a CCP or a CCA, all these documents and processes are changing. For example, NIST 800-171 Rev. 3 is already out, and it will be the assessment practice requirements that we’re going to be assessing Level 2 in a couple of years. The exact date hasn’t been decided, but it will be coming. And assessors and organizations and implementations all need to be in sync, be prepared for that, know what they say, and start moving in that general direction.
In terms of other improvements, I think there is, in my opinion, some convolution about what can a CCP do on these assessments and what is their role. I think it’s fairly clear that they can play a pretty big role and as Level 1 implementation, they can do a Level 1 self-certification. They can participate in a Level 2 assessment. And they can do quite a number of things on a Level 2 assessment, but they can’t actually assess Level 2 requirements. That’s fairly set out, but there’s, I think, a lot more that they could do.
I think there could be some more role clarity between what the CCPs, the CCAs can do, and what the lead CCAs can do. Because as long as there’s going to be constraints on CCAs, like I said, if I wanted to do 52 different assessments next year, I think that that would probably be very easily arranged because there’s very few assessors or very few lead assessors. So what that means is there’s going to be some planning work that has to be done before the assessment. There’s a tail on a lot of these assessments, so the reports and finishing the job. There’s a lot of work that has to be done.
But becoming more clear about what it is that the CCP does, what it is that the CCA does, what it is that the lead does, and also back to tribal knowledge, what does the affirming officer do? The people at the OSC, what are they supposed to be doing? I already know because we’ve asked for information from several of the C3PAOs that I work for, and the clients don’t know what we’re talking about. They don’t know what a Level 2 scope guide is. They don’t know what CRMA is, they don’t know what SPA is. They are definitely in need of a greater understanding of what needs to be in these scopes to make sure that these assessments can be done with any degree of alacrity.
And then I would also say the other thing is we have provisional instructors. We’ve really got to get the requirements for what it takes to become a certified instructor completed and out. And we need to convert these provisional instructors over so we can have some clarity because some people are going to be teaching and assessing, some just assessing. But in order to do some economic forecasting and seeing how many instructors we need, we need to establish what it is that we require of our CMMC certified instructors. And lots of other ideas, but I think we’ll just leave it at that. But thank you, Cole, for inviting us in today.
Cole French:
Yeah, Joe, thank you for joining us on the Cyber Compliance and Beyond Podcast today. We’re grateful for your perspective and contribution to this important, challenging, and I think as we’ve hit home, very actively evolving topic.
Thank you for joining us on the Cyber Compliance and Beyond Podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss or you just have some feedback for us? Let us know on LinkedIn and Twitter @KratosDefense, or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode. And until then, keep building security into the fabric of what you do.