The Cybersecurity Maturity Model Certification (CMMC) was established as a standard set of federal cybersecurity practices to ensure that organizations in the Defense Industrial Base (DIB) are able to properly secure sensitive data such as CUI, CTI, FCI, ITAR data and more. To assist DoD contractors in finding the appropriate provider for their needs, the Cyber AB opened up applications for several initial certifications: CMMC Third-Party Assessor Organizations (C3PAOs), Certified CMMC Professionals (CCPs), Certified CMMC Assessors (CCAs), Registered Provider Organizations (RPOs), Registered Practitioners (RPs) and Licensed Partner Publishers (LPPs). While each of these certification types has a unique role in helping organizations along their compliance journey, this article focuses solely on the C3PAO role.
A CMMC Third-Party Assessor Organization, or C3PAO, is an organization authorized by the CMMC-AB to conduct and deliver CMMC assessments after entering into a contract with an Organization Seeking Compliance (OSC). The CMMC-AB has defined two key roles for organizations that advise and assess contractors as they work to align to the unique requirements of the CMMC.
To gain CMMC compliance, you'll likely need help from both a C3PAO and an RPO. Cybersecurity practitioners and technical advisors, known as RPOs, assist organizations in the pre-assessment process by providing CMMC guidance and support to OSCs. Typically, this can include pre-assessment, information system configuration, and updated or newly authored documentation and policies. Though a C3PAO can also be an RPO, a C3PAO cannot provide RPO-related services to an OSC it is assessing, to avoid obvious conflicts of interest.
DIB contractors who come in contact with Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) in their information systems will eventually encounter the DFARS 7021 clause in their contract(s), and consequently need to undergo a CMMC assessment to attain certification prior to the recompete of the contract.
All contracts with the DoD will have this clause by 2025; therefore, it's important to check future RFIs, RFQs and RFPs for mention of CMMC or for direct inclusion of DFARS 7021. Once you determine the appropriate level for your organization based upon existing or future contracts, a C3PAO can examine your organization against the domains and practices applicable to the desired level. As of this writing, C3PAOs are not yet fully permitted to assess any and all OSCs.
Once permitted, a C3PAO can enter into contracts for assessments with the OSC, or may be brought in under contract on behalf of a CCA. For more on identifying which level of CMMC compliance your organization needs, click here.
After signing the initial paperwork and paying all fees, a C3PAO is on its way to officially providing assessments to contractors seeking certification. The full process to become a C3PAO also requires the following:
In addition, the organization must carry a general liability policy with the CMMC-AB named among the insured, an errors and omissions policy, and a cybersecurity breach policy. The organization must also maintain an association with at least one RP, CCP, PA or CCA. Lastly, the organization also pays an annual fee of $3,000 USD to maintain its certification.
Note: If a C3PAO uses an external Cloud Service Provider (CSP) to access, store, or process any CUI data, it must ensure that the CSP meets FedRAMP High standards, or that any gaps are addressed. If the CSP does not meet those standards, it is the responsibility of the C3PAO to independently assess the CSP and provide that assessment to the Defense Contract Management Agency (DCMA) as part of its CMMC Level 3 assessment.
One of the first logical steps in selecting or vetting a C3PAO is checking whether the organization is listed in the CMMCAB.org directory; it is also a useful sign if the organization displays its AB Accreditation logo on its materials or website. The ideal C3PAO would also have an established background in NIST 800-171, DFARS 7012, and other relevant federal cybersecurity mandates.
Beyond these more obvious considerations, OSCs should view potential vendors through these additional lenses:
Lastly, your leadership may request the credentials of the individuals conducting the actual assessment in order to distinguish between two firms. A certified C3PAO will staff its assessment team with members holding an active NAC, DHS Suitability, or other DoD-accepted clearance as a baseline. However, a C3PAO whose individuals hold additional credentials (CISSP, Microsoft Certified Professional, etc.) may have greater appeal.
In the process of searching for a C3PAO, be aware that some fraudulent organizations have been offering assessments well before the certification process had even been completed. These fraudulent organizations often offer better-than-average pricing or promise timelines that are not realistic. As Stacy Bostjanick, director of CMMC policy in the Office of the Under Secretary of Defense for Acquisition and Sustainment, admonishes, "If you really want to ensure that you're getting the right information, you need to go with people who have had the CMMC-AB training and have a certification through them."
The CMMC-AB's standardized accreditation process for this role should help more organizations in the DIB progress in their journey towards CMMC compliance, ultimately strengthening the security that protects our nation and helping each organization in the DIB to reliably support the DoD.
For more on C3PAOs and their wisdom on becoming CMMC compliant, check out this session from a recent Cloud Security and Compliance (CS2) event where multiple C3PAOs answered questions on the certification process.