OCD Tech
Notes from the CMMC AB: A National Conversation

April 6, 2020 | Posted by Kate Upton | CMMC, IT Security

Due to overwhelming attendance that caused technical difficulties this afternoon, the “CMMC Accreditation Body: A National Conversation” session was postponed. However, before the meeting ended, the Board was able to answer some of the questions that had been sent in. Here is what we learned:

  • While penetration testing is not required for CMMC Levels 1, 2, and 3, it is specifically required at Level 4, and therefore at Level 5 as well.
    • Vulnerability scanning and penetration testing are included as practices within the model.
    • The Level 2 Risk Management (RM) practice requires vulnerability scans (it does not specify the form of testing).
    • The Level 3 Security Assessment (CA) practice distinguishes internal from external testing (it does not specify the form of testing).
    • The Level 4 CA practice specifically identifies penetration testing.
    • Level 5 would be required to meet the Level 4 practice as well.
    • RM.2.142: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
    • CA.3.162: Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.
    • CA.4.164: Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
  • Companies will not be required to have a CISO as part of CMMC
  • No single organization has been named a C3PAO (CMMC Third Party Assessment Organization), and there is no official selection or registration process established at this point
  • Reciprocity for FedRAMP is not established at this time, though it is worth noting John Weiler (Co-Chair, Committee on Standards) shared it was his opinion there should be some consideration for FedRAMP certifications
  • There is intention to reach out to all communities of practice that have affiliation to the national security agenda. More to come from the Accreditation Body.
  • CMMC is better than self-attestation and existing policy because it provides for a way to “check the homework” and normalize cyber practices across the board
  • The CMMC AB recommends getting in-line with NIST 800-171 as the best way to get your company on a “positive CMMC trajectory”
  • Classified systems are out of scope for CMMC. There is no plan for assessors to have clearance. There could be background checks for individual assessors to go into client shops

The Accreditation Body plans to continue this discussion, further in depth, at a later date. When that time comes, we will be here to bring you the answers to the “so what’s?” and “what if’s?” Please note that what we learned today is subject to change as more policy surrounding CMMC is established.

7 Apr 2020 – Updated with further clarification on penetration testing from Regan Edens, Director, CMMC-AB.

Tags: CMMC-AB, NIST 800-171

About Kate Upton

Kate Upton is the IT Government Compliance Team Lead at OCD-Tech. Kate has been with the firm since May 2019. Before joining the firm, Kate received her Bachelor’s degree in Political Science & Legal Studies from the University of Maine and went on to earn a Master’s degree from Northeastern University in Strategic Intelligence. She dedicates her time at the firm to meeting the unique compliance needs of clients in the Defense Industrial Base with projects including CMMC, NIST 800-171, NIST 800-53, and DFARS rules. Kate lives in Portland, Maine with her dog Lucy.

OCD Tech logo Audit. Security. Assurance.

IT Audit | Cybersecurity | IT Assurance | IT Security Consultants – OCD Tech is a technology consulting firm serving the IT security and consulting needs of businesses in Boston (MA), Braintree (MA) and across New England. We primarily serve Fortune 500 companies including auto dealers, financial institutions, higher education, government contractors, and not-for-profit organizations with SOC 2 reporting, CMMC readiness, IT Security Audits, Penetration Testing and Vulnerability Assessments. We also provide dark web monitoring, DFARS compliance, and IT general controls review.

Contact Info

  • OCD Tech
  • 25 BHOP, Suite 407, Braintree MA, 02184
  • 844-623-8324
  • https://ocd-tech.com

© 2025 — OCD Tech: IT Audit - Cybersecurity - IT Assurance