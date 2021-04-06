The group of volunteers that the Ministry of Defense has tasked with implementing a monumental change in its cybersecurity policy will seek support from foundations and other donors, according to the chairman of the board of directors of the association.

The cybersecurity maturity model certification program will usher in a new era of defense contractors requiring independent and third-party audit of their cybersecurity practices. Companies currently only certify their adherence to standards issued by the National Institute of Standards and Technology.

The Defense Department Defense Contracts Management Agency can conduct audits through the Defense Industrial Base Cybersecurity Assessment Center, but its capacity is limited, so the ministry has developed CMMC in order to extend audit operations to all of its estimated 300,000 subcontractors. Some entrepreneurs are anxiously waiting for the CMMC to level the playing field, while others are not thrilled about having to pay for another certification.

A rule for implementing the program and a statement of work describe the tasks of the CMMC accreditation body to approve new entities that will perform the audits and to establish training requirements for their assessors. CMMC AB, as it’s known, came together at an industry event hosted by DOD to kick off the program. Participants volunteered to support a non-profit organization to put the pieces together.

The group came under close scrutiny due to uncertainty over how it would fund its operations, with the former chairman of the group’s board resigning amid what was seen as a payment system to play and there are concerns about potential conflicts of interest given their ties to the industry.

In a conversation with Nextgov, CMMC AB volunteer board chairman Karlton Johnson dispelled what he called misinformation about how AB supports its work and explained how he sees the transition from board to over the next few years.

The AB is funded by the fees collected for the accreditation of potential auditors and other professionals who will be part of the new CMMC ecosystem, Johnson said. The revenue stream alone could support the organization in the future, he said, but also noted other possibilities if the nonprofit organization’s application to the Internal Revenue Service goes down. materialized.

The board applied for nonprofit status in February, Johnson said. He expects the process to be recognized as a 501 (c) (3) entity under the tax code will take approximately eight months.

As we evolve, we’ll take a look at what other opportunities normal 501 (c) (3) are capable of, whether it’s grants etc. available to any nonprofit organization, Johnson said. [We’re] open to exploring these options to improve the mission and looking for opportunities to give back as much as possible to industry, wherever we can. You will hear more about this later.

Johnson said it was not true that the board got into debt in order to run its operations, a suggestion made in October by Katie Arrington, head of the DOD CMMC program, who said she believed the The organization had taken out lines of credit.

We haven’t gotten any loans to my knowledge, Johnson said. It is disinformation that exists.

Regarding conflict of interest concerns, Johnson said DOD’s intention from the outset was to allow industry to have a say in the process. The Board stressed that it would operate separately from the organizations performing the actual audits, but questions remain unanswered as to the role the Board will play in the event of contested assessments.

The only way for us to get involved is if, again, what you’re getting at is arbitration issues, and that is also arguing with the government, where appropriate, he said, stressing that the process will have to be fine. adjusted and calibrated to avoid conflicts of interest while preserving due diligence.

Johnson pointed out that in general, the DOD has full oversight over BA operations.

When in doubt, the government exercises oversight with us and therefore worked hand in hand with the government, he said. There is a lot of misinformation out there. It would be nice if people saw us as the AB professionals.

At present, Johnsons’ main focus is to transition from the work currently being done by the Volunteer Council to the professional paid staff of AB. A major change on this front came with former Deputy Director of the Cybersecurity and Infrastructure Security Agency Matt Travis becoming CEO. The AB is also actively seeking a CFO and vice presidents for training, operations and other roles currently performed by board members.

At some point, he said, the board will only attend quarterly or even semi-annual meetings. This will allow the board to focus on achieving the important mission of CMMC, said Johnson, a retired Air Force colonel.

It’s really to deter the opponent, he said. At the end of the day, I want to be able to pass the cost of doing business into this system to them. I want them to bear all the costs, trying to figure out how to get around our defenses. I want them to work harder and I want to make sure we never give them a freebie.