If your company currently works closely with the Department of Defense (DoD) or plans to begin a lucrative partnership with the military, you will soon need to acquaint yourself with a managed security service provider (MSSP) that has been vetted by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB). You’ll find many such organizations, of several different kinds, on the CMMC AB Marketplace.
Understanding the Cybersecurity Maturity Model Certification Accreditation Body Certifications for Security Service Providers
To reach full CMMC implementation, you’ll need to work with a CMMC AB-vetted organization, at least to assess and verify your implementation. However, not all CMMC AB organizations are the same. There are three categories of providers recognized by the CMMC Accreditation Body:
- CMMC AB Certified Professionals and Certified Assessors
- CMMC AB Registered Practitioners and Provider Organizations
- CMMC AB Licensed Partner Publishers and Training Providers
Choosing the right assessor requires knowing what each category is and how they differ, along with what implementing the CMMC up to the Maturity Level your organization will need actually entails.
Certified CMMC Professionals and Certified CMMC Assessors
The most critical categories of organizations recognized and listed by the CMMC AB are its various levels of assessors and professionals. The most important of these are Certified Third Party Assessor Organizations (C3PAOs), of which there are few at present. RSI Security, along with many other service providers, is in the process of becoming a C3PAO.
Other individuals and institutions currently recognized are Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs). The latter includes companies from within the pool of 101 Provisional Assessors (PAs) who successfully completed the program and were selected.
CMMC AB Certified CMMC Professional (CCP) Authorization
A certified CMMC Professional (CCP) is an individual on their way to becoming a full CCA. The rank grants CCPs the ability to describe and advertise themselves as CMMC AB certified, and CCPs are listed on the CMMC AB Marketplace. More importantly, all CCPs are granted the authority to work closely with and under the supervision of CCAs on CMMC assessments.
Requirements for becoming a CCP include a college degree in a technical field, or equivalent experience (e.g., military), along with at least two years of experience in a technical or cyber field. Applicants must submit adequate documentation of these to the CMMC AB. Pending approval, prospective CCPs must also complete the DoD’s required training on Controlled Unclassified Information (CUI) and a certified training program offered by a Licensed Training Provider (LTP).
CMMC AB Certified CMMC Assessors (CCA) – Levels 1, 3, and 5
The next step in the process for individuals seeking CMMC AB certification is becoming a CCA, enabling them to conduct assessments and access other benefits. There are three levels:
- CCA Level 1 – CCA-1s are authorized to conduct CMMC assessments at Maturity Level 1 and oversee CCPs conducting these same assessments. After three assessments, the individual can use the CCA-1 logo and will be listed on the CMMC AB Marketplace. To become a CCA-1, an individual must be a US Person and pass a background check.
- CCA Level 3 – CCA-3s are authorized to conduct CMMC assessments up to Maturity Level 3 and oversee CCPs conducting the same. After three assessments at CCA-3, they can use the logo officially and are listed on the Marketplace with the new rank. After 15 assessments, CCA-3s can apply for CCA-5 training and certification. Requirements include all those at CCA-1, alongside US citizenship and four years of experience.
- CCA Level 5 – CCA-5s are authorized to conduct and supervise CMMC assessments at any Maturity Level. Upon reaching CCA-5, individuals are immediately listed with the new rank on the CMMC AB Marketplace and are allowed to use the CCA-5 logo on any public-facing documentation. Requirements include all prior levels’, plus the CCA-5 training and exam.
CMMC AB Certified Third-Party Assessor Organizations (C3PAO)
The last class of entities fully certified by the CMMC AB is Certified Third-Party Assessor Organizations (C3PAOs). These are organizations rather than individuals; a C3PAO is staffed with CCAs and CCPs. According to the CMMC AB C3PAO page, C3PAOs are the only entities that will be able to deliver CMMC assessments to organizations seeking certification—they’re the parties you’ll need to contract.
To qualify as a C3PAO, organizations must apply, pay several fees, and pass several rounds of rigorous testing. Of the hundreds of applicants, few have progressed to C3PAO status yet. All C3PAOs need to become CMMC compliant themselves, with a minimum of Maturity Level 3 implementation required at first. This is because CMMC assessment data is considered as sensitive as CUI, which is only fully protected at Maturity Level 3. There are other requirements, such as ISO 17020 Accreditation, which all prospective C3PAOs must prove within 27 months.
C3PAOs are the most critical entities listed on the CMMC AB Marketplace, as they’re a required point of contact for all organizations seeking certification. RSI Security will be a C3PAO soon.
Registered Practitioners and Registered Provider Organizations
Outside the smaller circle of certified assessors and professionals are the categories of individual and institutional service providers registered by the CMMC AB. These include two major classes: Registered Practitioners (RPs) and Registered Provider Organizations (RPOs). An RP is similar to an RPO in that both are qualified to provide advisory and consulting services to organizations seeking certification. However, neither is qualified to administer the assessment.
The most significant difference between both classes of registered entities and the classes of certified entities above is that the former have completed basic training. The latter, on the other hand, have completed the most rigorous training available—enabling them to certify other entities.
The most significant difference between RPs and RPOs is that one designation pertains to individuals and the smallest advisory firms, whereas the other pertains to larger institutions and MSSP organizations. For example, at present, RSI Security is an RPO with staff who are RPs.
CMMC AB Registered Practitioners (RP) – Individual Implementers
Like CCPs and CCAs, Registered Practitioners are individuals who are on their way toward fuller certification from the CMMC AB for themselves or their parent institutions. As we’ll cover below, RPOs need to employ at least one RP to qualify for RPO status. As such, individual RPs are valuable assets to organizations seeking certification from the CMMC AB and, in turn, all organizations seeking CMMC implementation and lucrative, long-term contracts with the DoD.
Per the CMMC AB RP page, requirements for RPs include registration, initial agreements, basic CMMC training, and a fuller agreement to the CMMC AB Code of Professional Conduct. Once all these criteria are met, RPs are eligible to provide CMMC AB-authorized advisory services, usually under the guidance of a larger RPO. They are also listed on the CMMC AB Marketplace.
CMMC AB Registered Provider Organizations (RPO) – Consultants
The relationship between RPs and Registered Provider Organizations (RPOs) is similar to that between CCPs, CCAs, and C3PAOs. That is, an RPO is a larger organization that employs at least one RP, by definition. RPOs are qualified to provide in-depth implementation guidance, including helping organizations build the infrastructure they need to pass a CMMC assessment.
RPOs are qualified neither to conduct assessments nor to grant certification—both are limited to C3PAOs.
Requirements for RPO status, per the CMMC AB RPO page, include registering for the title and passing CMMC AB inspection, including a detailed background check via Dun & Bradstreet. In some cases, companies seeking C3PAO status are currently listed as RPOs. This is precisely the position RSI Security is in as we await confirmation of C3PAO status from the CMMC AB.
Licensed Partnered Publishers and Licensed Training Providers
The last category of entities recognized and listed by the CMMC AB consists of those that have passed a CMMC AB inspection to provide licensed basic training and training materials, whether directly or indirectly. This is the lowest category of recognition for entities listed on the CMMC AB Marketplace. It corresponds to basic training intended for students or other stakeholders interested in the Defense Industrial Base (DIB).
There are two classes of organizations that fit this model: Licensed Partner Publishers (LPP) and Licensed Training Providers (LTP). Significant similarities and differences between them include:
- Licensed Partner Publishers (LPP) – These organizations produce materials to be sold to or hosted by educational institutions, such as universities. They must have 200 hours of related coursework material published, over two years of history publishing, and three references to qualify for the application, which also requires a background check.
- Licensed Training Providers (LTP) – These organizations directly host or provide training and educational programming, such as schools. They purchase CMMC AB licensed materials from LPPs and host them in ways approved by the CMMC AB. To qualify, the institution must show two years’ experience in teaching and three references.
These are not the only organizations that can provide training or literature, as all other CMMC AB-recognized entities can do so as well. However, LPPs and LTPs are limited to providing these materials exclusively. They must collaborate closely with other CMMC AB organizations, such as C3PAOs and RPOs, to create adequate and consistent materials.
Requirements and Timeline for Organizations Seeking Certification
The CMMC AB organizations listed above are far from the only parties working toward CMMC integration. Organizations seeking certification, or those who wish to work with the DoD, are also racing against the clock to implement the CMMC framework and achieve certification.
The CMMC is overseen not by the CMMC AB but by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). Per the OUSD(A&S) FAQ, the phased rollout plan for CMMC implementation will stretch into 2025-2026. At that point, all DoD contracts will require contractors to have implemented CMMC and been certified up to a certain Maturity Level, depending on the kinds (and volume) of materials they come into contact with most often.
The CMMC framework doesn’t exist in a vacuum. It exists to streamline processes for the DoD to ensure compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) in all of its contracts. CMMC builds upon prior requirements, such as those laid out in the National Institute of Standards and Technology (NIST) Special Publication 800-171 (SP 800-171). The CMMC framework includes all of NIST SP 800-171 and several other regulatory frameworks.
CMMC Implementation: Maturity Levels, Security Domains, and Practices
Implementing the CMMC framework involves putting in place controls that meet or exceed the requirements detailed across the CMMC’s 171 Practices, which together satisfy the Capabilities of its Security Domains. First, an organization needs to implement the Practices required for a given Level. Then, it must document Process Maturity, meaning a level of organization-wide institutionalization, for all Practices at that Level.
The Maturity Levels, as of the most recent CMMC v1.02 (2020), break down as follows:
- Maturity Level 1 – Focused on protecting Federal Contract Information (FCI) and CUI by Performing (but not documenting) 17 Practices that constitute Basic Cyber Hygiene.
- Maturity Level 2 – Focused on preparing for full CUI protection at Maturity Level 3 by Documenting 55 new Practices (72 total) that constitute Intermediate Cyber Hygiene.
- Maturity Level 3 – Focused on fully protecting all CUI by Managing 58 new Practices (130 total), including all of NIST SP 800-171, that constitute Good Cyber Hygiene.
- Maturity Level 4 – Focused on reducing the risk of Advanced Persistent Threats (APTs) by Reviewing 26 new Practices (156 total) that qualify as Proactive (not reactive).
- Maturity Level 5 – Focused on maximizing defenses against APTs (beyond Level 4) by Optimizing 15 new Practices (171 total) that qualify as Advanced / Progressive.
The Security Domains, their Capabilities, and the Practices in each break down as follows:
- Access Control (AC) – Four Capabilities, 26 Practices
- Asset Management (AM) – Two Capabilities, two Practices
- Audit and Accountability (AU) – Four Capabilities, 14 Practices
- Awareness and Training (AT) – Two Capabilities, five Practices
- Configuration Management (CM) – Two Capabilities, 11 Practices
- Identification and Authentication (IA) – One Capability, 11 Practices
- Incident Response (IR) – Five Capabilities, 13 Practices
- Maintenance (MA) – One Capability, six Practices
- Media Protection (MP) – Four Capabilities, eight Practices
- Personnel Security (PS) – Two Capabilities, two Practices
- Physical Protection (PE) – One Capability, six Practices
- Recovery (RE) – Two Capabilities, four Practices
- Risk Management (RM) – Three Capabilities, 12 Practices
- Security Assessment (CA) – Three Capabilities, eight Practices
- Situational Awareness (SA) – One Capability, three Practices
- Systems and Communications (SC) – Two Capabilities, 27 Practices
- System and Information Integrity (SI) – Four Capabilities, 13 Practices
Partner with a Cyberdefense Service Provider Registered with the Cybersecurity Maturity Model Certification Accreditation Body
The Cybersecurity Maturity Model Certification Accreditation Body is selective in recognizing and listing organizations on the CMMC AB Marketplace. Some organizations migrating from NIST SP 800-171 compliance to full CMMC implementation may feel that working with an outside partner is unnecessary, but this could not be farther from the truth.
Organizations seeking certification will eventually need to verify their implementation via a C3PAO, and for now, working with an RPO like RSI Security is a critical first step toward streamlining that process.
To get started on implementing CMMC and securing DoD contracts, contact us today!