CMMC assessment
requirement
CMMC-AB Chief Says eMASS Training, Access Needed Before Assessments Can Begin
Matt Travis, CEO of the Cybersecurity Maturity Model Certification Accreditation Body, said training and IT access to the Department of Defense Enterprise Mission Assurance Support Service application needs to be finalized before CMMC third-party organizations can perform cyber assessments.
Travis, previously the deputy director of the Cybersecurity and Infrastructure Security Agency, said the CMMC-AB and the DOD are working on finalizing eMASS orientation, training and access connections for the three authorized CMMC third party assessment organizations. The CMMC-AB is also working on guidance for the C3PAO assessment process, he revealed.
The DOD is currently reviewing the CMMC program as instructed by Deputy Defense Secretary Kathleen Hicks earlier this year. Nevertheless, the standard is still being rolled out for certain contracts, FCW reported Friday.
Travis said that it is up to the CMMC-AB and the Pentagon to provide concerned companies access to eMASS. He said agencies are not yet ready to give those businesses the authority to conduct assessments but he expects the situation to change soon. The Accreditation Body’s top official said guidance documents to the resolution process are currently being drawn up.
The AB is also looking to add IT staff to comply with the CMMC standard and attain International Standards Organization certification for accrediting bodies, Travis said.
Meanwhile, Tony Buenger, a CMMC strategist and provisional assessor for Redspin, one of the authorized C3PAOs, said interest in meeting the standard has grown. He explained that interest is high even among companies who do not have contracts with the CMMC clause, which is what prompted his company to begin scheduling assessments.
Category: Cybersecurity