Karlton Johnson chairs CMMC-AB after serving as interim chair since September of 2020. The accreditation body can now continue its efforts to accredit sufficient assessors to certify the cybersecurity maturity of Department of Defense contractors. The body had faced a challenge when, on September 2, 2020, two members of the Cybersecurity Maturity Model Certification Accreditation Board were voted off in the midst of a conflict of interest controversy involving a pay-to-play strategy.
Background on Karlton Johnson
Karlton Johnson, a decorated combat veteran, served as the Chief Information Officer (CIO) for the Multinational Security Transition Command-Iraq, building ICT capabilities for a variety of agencies of the Iraqi government. He then went on to serve as the senior U.S. cyber executive for South Korea. In 2014 Johnson retired from the United States Air Force after 26 years of service as a Colonel.
After his military service, Johnson moved to the private sector, where he specialized in overseeing large-scale initiatives from the concept phase to full implementation. Johnson originally served as vice chair of the accreditation body CMMC-AB and has been acting chair since September 2020.
Challenges Moving Forward
Now that Karlton Johnson chairs the CMMC-AB, it is expected that stability on the board will ensue. This is based on numerous supportive statements from fellow board members. This stability will be required to successfully provide accreditation for the large number of certified cybersecurity assessors needed for implementing CMMC for Department of Defense (DoD) contractors and subcontractors. This must occur while CMMC requirements are still being finalized.
Background on CMMC
CMMC was created by the Office of the Under Secretary of Defense for Acquisition & Sustainment as an effective means of implementing risk-based management approaches to cybersecurity. It is a cooperative effort between the DoD and industry and is coordinated by the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB).
The CMMC was enacted to place cybersecurity requirements on DoD contractors to achieve levels of cybersecurity maturity to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) in the defense industrial base supply chain. Katie Arrington is the current director of CMMC and has stated the necessity of creating an enterprise-centric solution for the protection of CUI.
Current Status of CMMC
As of this posting, an interim ruling, the DFARS 252.204-7012 Interim Rule, has placed immediate cybersecurity requirements on Department of Defense (DoD) supply chain contractors. Among the changes is a requirement for vendors to complete security compliance with the NIST SP 800-171 DoD assessment methodology. This assessment must be completed by the contractor before DoD contracts can be awarded.
This assessment is based on a scoring methodology of security requirements. The methodology comprises three levels (basic, medium and high). The interim rule requires a basic level self-assessment to be completed by the contractor.
What Lies Ahead?
When the CMMC-AB approves the registration bodies, there will be a set of approved Third Party Assessment Organizations (C3PAOs). These third-party organizations are accredited by the official CMMC Accreditation Body and will then be authorized to conduct CMMC assessments and grant CMMC certifications.
CVG Strategy Can Help
Meeting cybersecurity requirements is proving to be a challenge for DoD contractors, especially smaller businesses involved in subcontracting. CVG Strategy can provide pre-assessment training, implementation and subject matter support. We can also provide integrated solutions for CMMC implementation using proven business management approaches.