CMMC AB Lacks Funds for Continuous Monitoring Tools, Official Says

The first batch of assessors being trained to implement the Cybersecurity Maturity Model Certification program is set to receive approval. But they may not have access to continuous monitoring during initial audits due to a lack of funds, according to an official.

Chris Golden, a member of the board of directors of the CMMC accreditation body, said his organization does not have any external funds to run normal business activities, including continuous monitoring, staffing and insurance. 

“We’ve been struggling spending a significant amount of our time trying to figure those things out versus figuring out what the ecosystem is going to look like and training people and getting assessments going and those kinds of things,” Golden said. 

Golden again highlighted the importance of having a continuous monitoring solution, for which the accreditation body previously released a request for proposal.

He said such a solution would allow accreditors to constantly monitor companies in the three-year periods between required certifications, as well as prepare them for what they should expect to see from the companies before inspections. 

According to Golden, it is unclear if the provisional assessors will have access to continuous monitoring tools during their first audits, which are expected to help improve future ones.

He said some funds have been raised for the establishment of some infrastructure and cloud instances that might serve well enough as a continuous monitoring tool. 

"If we can get that up and running and then tie a continuous monitoring solution to that we will probably execute on that in the near term. If we can’t get there by the time assessments start, then no, it won’t be available for them,” Golden said.