Editor: OCD Tech
Category: CMMC
Date: April 26, 2025

Due to overwhelming attendance that caused technical difficulties this afternoon, the CMMC Accreditation Body’s webinar, “A National Conversation,” was postponed. Before the meeting concluded, however, the Board was able to answer some of the questions that had been sent in. Here is what we learned:

  • Penetration testing is not required for CMMC Levels 1, 2, and 3; it is specifically called for at Level 4 and therefore also at Level 5.
    • Vulnerability scanning and penetration testing are both included as practices within the model.
    • The Level 2 Risk Management (RM) practice calls for vulnerability scans but does not specify penetration testing.
    • The Level 3 Security Assessment (CA) practice distinguishes internal from external testing but also does not specify penetration testing.
    • The Level 4 CA practice specifically identifies penetration testing.
    • Level 5 must meet the Level 4 practice as well, so penetration testing is required there too.
    • RM.2.142: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
    • CA.3.162: Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.
    • CA.4.164: Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
  • Companies will not be required to have a CISO as part of CMMC.
  • No organization has yet been named a C3PAO (CMMC Third Party Assessment Organization), and there is no official selection or registration process established at this point.
  • Reciprocity with FedRAMP is not established at this time, though John Weiler (Co-Chair, Committee on Standards) shared his opinion that there should be some consideration for FedRAMP certifications.
  • The Accreditation Body intends to reach out to all communities of practice affiliated with the national security agenda. More to come from the Accreditation Body.
  • CMMC is an improvement over self-attestation and existing policy because it provides a way to “check the homework” and normalizes cyber practices across the board.
  • The CMMC AB recommends aligning with NIST SP 800-171 as the best way to put your company on a “positive CMMC trajectory.”
  • Classified systems are out of scope for CMMC. There is no plan for assessors to hold clearances, though individual assessors could be subject to background checks before entering client facilities.

The Accreditation Body plans to continue this discussion in greater depth at a later date. When that time comes, we will be here to bring you the answers to the “so what’s?” and “what if’s?” Please note that what we learned today is subject to change as more policy surrounding CMMC is established.

7 Apr 2020 - Updated with further clarification on penetration testing from Regan Edens, Director, CMMC-AB.

Notes from the CMMC AB: A National Conversation

By OCD Tech
April 6, 2020
