Right from the beginning, it seemed everyone was overly optimistic about how fast the Cybersecurity Maturity Model Certification (CMMC) could be rolled out across the defense industry to ensure the requirements could be included in all defense contracts starting in 2025. The only things that needed to be accomplished were to build an ecosystem of trained and certified assessors from scratch and then get the more than 300,000 companies that make up the Defense Industrial Base (DIB) to pass their cybersecurity assessments with perfect scores.
So, what could possibly go wrong? As it turned out, a lot of things.
The Department of Defense (DOD) created the CMMC requirements and signed a contract with a new organization — the CMMC Accreditation Body (CMMC-AB) — to implement the certification program. Assessments would be carried out by independent organizations that would then recommend that the CMMC-AB certify businesses that passed.
The CMMC announced a complex program that involved licensed training publishers creating licensed training materials to be taught by certified trainers in licensed training facilities. As a result, thousands of individuals would be trained as consultants and assessors, and organizations would go through a rigorous certification process and inspection to become a Certified Third-party Assessor Organization (C3PAO).
In recent months, the CMMC-AB hired its first Chief Executive Officer and a VP of Training and Development, who was the former head of training for CompTIA. Previously, the CMMC-AB was run by volunteer board members until it could generate revenue and hire full-time staff members.