Stacy Bostjanick, director of the Cybersecurity Maturity Model Certification policy office within the office of the defense undersecretary for acquisition and sustainment, said the first batch of third-party assessment organizations should be available by late summer and that the Pentagon intends to finalize the assessment and training guides for CMMC in March, Federal News Network reported Monday.
She said the independent accreditation body will come up with training classes for third-party assessors between April and June and expects the first set of vendors to undergo the evaluation process by June or July in preparation for the first 15 procurements requiring the cyber standards.
“The accreditation body is working with us to develop training material to accredit third-party assessors. There will be a marketplace for them as they go through the two-week course and test for level 3 accreditor certifications,” Bostjanick said. “We also will have Defense Acquisition University training where we will be working with program managers and contracting officers so they understand what the different CMMC levels are and give them a layman’s guide to controlled unclassified information so program managers can figure out how to disaggregate the data and flow down the CMMC requirements.”
Bostjanick also warned vendors against fraudulent third-party CMMC assessors and cited plans for a new defense federal acquisition regulations notice for the new cyber framework.