Can CMMC be implemented successfully?

I have been seeing a lot of people out there stating that CMMC can’t be done. Well, I beg to differ. I did the math and I’m going to make an argument here for why it can work. (Granted it is back of the cocktail napkin math. But it is math none the less!)

Let me start by acknowledging CMMC is going to be a hard thing to do for all parties involved. Certainly, the Organizations Seeking Certification (OSC) will bear the brunt of it financially. I do not discount that. But there are a lot of other hard parts as well (e.g., getting the standard right, getting the government contracting engine aligned, navigating the politics, training an army of assessors, getting good advice and guidance out to the OSC).

It is going to be hard, but we as a nation do hard things. Let’s do this one!

I have been in the cybersecurity business now for over 37 years (yikes). The majority of which I have been supporting the DoD and Intel community and for the last 10 years or so, the commercial world. During that time, I have witnessed many attempts at “acquisition reform” aimed at trying to improve the security of the systems the government buys and the protection of information critical to the security of the United States.

Some have made a dent, but most have failed miserably. CMMC represents what I believe to be the “best” right way to accomplish the goal to date. Is it perfect? HECK NO! Can it be improved? HECK YES! Should we wait until it is perfect? Only if you want to continue to bleed our sensitive and critical information to our adversaries.

So, can we do this? Let’s get back to the math…

The popular number to start with is 300,000 DoD contractors making up the Defense Industrial Base (DIB). These contractors must all be certified at some level of CMMC by September 30, 2025 (according to the Interim Rule). Assessments haven’t started yet; so, for the sake of my napkin math, let’s assume we have four years to get 300,000 companies assessed.

Let’s make a whole bunch of unfounded assumptions, so I can use less napkins:

    1. Assume the 300,000 only need one assessment (there will be a bunch who require multiple assessments for different departments and divisions)
    2. Assume the average assessment is full-time for two weeks (this will vary wildly, based on complexity, geographics, etc.)
    3. The average assessment team size is three assessors between the Level 1 and Level 3 assessments that need to be completed (the DoD is currently directing that Maturity Level 3 assessment teams must have a minimum of 4 assessors, regardless of the size and scope)

So, assessing 300,000 companies equates to 600,000 assessment weeks. One single assessment team can do 26 assessments in a year (who needs a vacation!), that is 11,538 assessment years. Fun! But a meaningless number. On to the next napkin.

So, if a team could do 26 assessments a year, and we have four years to accomplish this, then we need 2,885 teams working full time starting October 1, 2021. That is 8,654 trained and certified assessors. OK! Next napkin!

As of today, June 21, 2021, there are 100 Provisional Assessors, two Certified Third-Party Assessment Organizations (C3PAO) authorized, and 167 Candidate C3PAOs. Now, I am told there are more C3PAOs coming, but they haven’t cleared the first hurdle yet.

So, what’s the big deal? Just turn on those C3PAOs and let them use the cybersecurity professionals in the field to get the work done. Right? Well…we do need to make sure that all of those 300,000 companies are being assessed fairly and equitably. Otherwise, the contracting world will become an uneven and unbalanced playing field. That would be very bad for the country as well.

We must train the 8,654 assessors.  And…we must train them NOW!

This also assumes every organization that is assessed, will pass and achieve CMMC certification. What if a company doesn’t pass the assessment? What if they got really poor advice from either their internal experts or their consultants? We need to ensure those people are trained as well.

I don’t have enough napkins to calculate all of the probabilities of a successful assessment and how many will have to be redone. Companies have to be reassessed every 3 years! That is another 75,000 assessments in that 4-year time span. More napkins, please!

Companies, like Edwards, are busily developing the curriculum to train the army of assessors and the even larger army of consultants and internal corporate resources. Hopefully, the DoD will finalize the few remaining pieces of the puzzle soon so the official certification curriculum can be authorized, and we can start to get individuals ready for this marathon.

Obviously, even focusing purely on the assessors, the training world will be busy. Currently, in the CMMC-AB Marketplace, there are 38 Licensed Training Providers (LTP) listed. Let’s assume there will be 40 by the time the curriculum is approved. Also, let’s assume an even distribution of the student assessors across the LTPs. This means that each LTP needs to train up 216 assessors to prime the pump. That seems very doable, right?

Of course, let’s also assume that 5% of the DIB companies want to have in-house resources trained as assessors also, so they can manage their internal program. That is an additional 15,000 people to train. Now assume that the other 95% want to hire a consultant that is trained to the Certified CMMC Professional (CCP) entry level for assessors. Let’s say that a consultant can work with 26 companies a year. That means there may be over 10,000 others that seek the CCP training. To be a Certified CMMC Assessor (CCA) at Level 1, you must first be certified as a CCP. To be a CCA at Level 3 you must first be a CCA-1.

I ran out of napkins so, QED (short for the Latin phrase “quad erat demonstrandium,” meaning “thus it has been demonstrated”)!

So, the math proves out that this is going to be hard. But with the enterprising folks in our country, it is doable. The deadlines may not work out and are likely to be adjusted anyway, but we can implement CMMC and improve the security of our nation. Let’s do this!

As my colleague at Edwards always says, “We are all in this together!”


With 32+ years of cybersecurity experience, Brian was responsible for all strategic Commercial initiatives, as well as development and expansion of Edwards’ Cybersecurity Solution Area. Brian was experienced in architecting, designing and developing solutions to some of the nation’s top cybersecurity challenges. Brian possesses successful program manager skills, leading large IDIQ contracts from inception through close involving hundreds of individual task orders, and involving several hundred staff members and dozens of corporate teammates.