“The cost of some Cybersecurity Maturity Model Certification assessments could soon increase as the Department of Defense considers introducing new requirements, four people familiar with the matter told FedScoop.
DOD and the CMMC Accreditation Body are working to finalize requirements that could mandate having more experienced — and expensive — assessors conduct the needed tests of contractor networks that transmit controlled unclassified information. In effect, it could raise the price for some assessments as the per-hour cost of provisional assessors is higher than the original plan…”
“While the proposed requirement is not finalized and would only apply to CMMC level three assessments for companies that handle the department’s controlled unclassified information, it is part of a growing list of ideas that the DOD CMMC Program Management Office is generating that several people familiar with the process worry will negatively impact the program’s cost and timely implementation…”
“Under the changes, for an assessment at level three, Certified Third Party Assessor Organizations (C3PAOs) would need to hire four full-time provisional assessors. It was previously understood that these authorized assessment companies would only need to hire one assessor and three ‘registered practitioners’ — entry-level assessors that do not meet the standards needed to become an assessor — to conduct a level three assessment.
To be eligible to be an assessor for level three assessments, an applicant needs at least four years of cyber or IT experience and to pass through on levels one and two first, according to the CMMC Accreditation Body’s website, which manages the ecosystem…” Read the full article here.
Source: CMMC assessment requirements could be changing, potentially raising costs for some – By Jackson Barnett, July 12, 2021. FedScoop.