CMMC AB Finalizing Details of Assessment Process, CEO Says

The Cybersecurity Maturity Model Certification Accreditation Body is finalizing the documents containing details on how CMMC assessments will be performed, an official said.

CMMC AB CEO Matthew Travis, a speaker at a past Potomac Officers Club event, said that the CMMC Assessment Process Guide will be released in “two to three weeks,” Federal News Network reported Wednesday.

Travis said that the updated CAP will take into account feedback provided by the Department of Defense’s CMMC program management office.

He added that the current version of CMMC has significantly changed from the original rules that were written over a year ago, and that the accreditation body wants to avoid inconsistencies.

One of the biggest changes was the introduction of the “CMMC 2.0” policy in November, an update that consolidated the program’s five security levels down to three.

The move was aimed at lowering barriers to compliance, especially for smaller businesses only seeking the lowest clearance level. Under the new rules, companies may secure Level 1 certification through annual self-assessments.

Under the new rules, most of the 220,000 companies in the defense industrial base may vie for CMMC AB accreditation without going through a third-party assessment, Federal News Network reported.

Despite the reduced role of third-party assessors, Travis said that the accreditation body will still grow its CMMC ecosystem. He added that up to 80,000 defense contractors may still eventually require third-party assessments.

Travis said that the accreditation body plans to launch promotional campaigns over the spring to attract candidate assessors.