Due to overwhelming attendance that caused technical difficulties this afternoon, the CMMC Accreditation Body: A National Conversation was postponed. However, before the conclusion of the meeting, the Board was able to answer some questions that were sent in. Here is what we learned:

• While penetration testing is not required for CMMC levels 1, 2, and 3, they are specifically mentioned in levels 4 and therefore level 5.
  • Vulnerability scanning and penetration tests are included as practices within the model.
  • Level 2 Risk Management (RM) practice includes vulnerability scans (does not specify).
  • Level 3 Security Assessment (CA) practice distinguishes internal form external testing (does not specify). 
  • Level 4 CA practice specifically identifies penetration testing.
  • Level 5 would be required to meet the Level 4 practice as well.
  • RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  • CA.3.162 Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.
  • CA.4.164 Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.

• Companies will not be required to have a CISO as part of CMMC
• No single organization has been named a C3PAO and there is no official selection or registration process established at this point
• Reciprocity for FedRAMP is not established at this time, though it is worth noting John Weiler (Co-Chair, Committee on Standards) shared it was his opinion there should be some consideration for FedRAMP certifications
• There is intention to reach out to all communities of practice that have affiliation to the national security agenda. More to come from the Accreditation Body.
• CMMC is better than self-attestation and existing policy because it provides for a way to “check the homework” and normalize cyber practices across the board
• The CMMC AB recommends getting in-line with NIST 800-171 as the best way to get your company on a “positive CMMC trajectory”
• Classified systems are out of scope for CMMC. There is no plan for assessors to have clearance. There could be background checks for individual assessors to go into client shops

The Accreditation Body plans to continue this discussion, further in depth, at a later date. When that time comes, we will be here to bring you the answers to the “so what’s?” and “what if’s?” Please note that what we learned today is subject to change as more policy surrounding CMMC is established.

7 Apr 2020 - Updated with further clarification on penetration testing from Regan Edens, Director, CMMC-AB.