The Cybersecurity Maturity Model Certification (CMMC) is right around the corner.
By 2025, all Department of Defense (DOD) contractors will be required to hold CMMC certification, and only a CMMC Third-Party Assessment Organization (C3PAO) will be able to grant it.
This article covers what a C3PAO is and how it operates within the CMMC ecosystem.
What Is a CMMC C3PAO?
With the US Department of Defense (DOD) phasing out self-attestation against NIST SP 800-171 in favor of the CMMC, an organization will require a third-party assessor.
That assessor, the CMMC Third-Party Assessment Organization (C3PAO), must itself be accredited before it can carry out CMMC assessments. Before the CMMC, an organization could contract with the DOD, or with any organization in the Defense Industrial Base (DIB), if it could show compliance with NIST SP 800-171.
NIST SP 800-171 compliance was self-attested: if your organization could show (via internal or external audits) that it adhered to the security controls and standards outlined by the framework, it could engage with the DIB.
However, the DOD ultimately decided that self-certification and the occasional reassessment were insufficient and not conducive to a robust security environment.
This is where the C3PAO and the CMMC come into play. The C3PAO is the assessor that grants an organization CMMC certification. The DOD introduced this measure to ensure that cybersecurity across the DIB is verified by an independent party, adding a layer of accountability that self-attestation lacked.
What Is The CMMC?
Before expanding on the C3PAO, a brief overview of the CMMC will help you to understand how the C3PAO fits the overall framework.
As mentioned above, the CMMC replaces self-attestation against NIST SP 800-171 with third-party assessment, but the model itself is an adaptation of that NIST framework. Both lay the foundations for a security standard for organizations within the DIB through a series of security controls.
The difference with the CMMC is that it expands on those controls and tiers them into "maturity" levels, ranging from 1 to 5.
Depending on the amount and type of Controlled Unclassified Information (CUI) your organization handles, it will have to meet the appropriate maturity level.
The levels are cumulative: if you require level 4, you must implement all the practices of levels 1 through 3 as well as those specific to level 4.
Whether your organization has achieved the required maturity level is decided by an external assessor, the C3PAO.
For the novice out there, consult this guide, where we explain the CMMC in an easy-to-understand manner, and here for further explanation on the maturity levels. In this article, we will not detail the CMMC itself but rather the role of the C3PAO.
Do I Need To Be CMMC Certified?
Whether you are an organization seeking CMMC certification or a business looking to become a C3PAO, it is essential to know when CMMC certification is required.
Some assume that every organization in the DIB supply chain will need CMMC; however, this is not always the case.
Organizations that handle Federal Contract Information (FCI) or process any CUI will need to be CMMC certified, with level 1 being the minimum for organizations that handle only FCI.
What Are The Responsibilities of the C3PAO?
As discussed in the previous section, the C3PAO is responsible for assessing how well an organization has implemented the CMMC framework.
More broadly, the responsibility of the C3PAO is to uphold a high standard of security within the DIB. While CMMC assessment is expected to become a service line of its own within the cybersecurity industry, the overall goal of the framework is to bolster national cyber defense.
With the recent SolarWinds compromise, there is no better time for the DOD and the United States government to push the private sector to take more accountability for its security.
Ultimately, it is in the interest of both the C3PAO and the organization seeking certification to go through the process thoroughly.
While a C3PAO's sole formal responsibility is to assess and award certification, a C3PAO may also offer preparation and implementation services for the CMMC controls as part of its business. It cannot, however, provide those services to an organization it will assess, since that would compromise the impartiality the DOD requires.
How far a C3PAO extends its services is up to the C3PAO; the organization seeking certification should do its best to implement the CMMC controls before reaching out to one (more on preparation later).
C3PAO Accreditation
The C3PAO accreditation process is still in the early phases of development; however, the DOD has chosen an accreditation body (discussed in the section below).
As the CMMC phases in, only "prime" contractors are required to comply for now. The DOD will extend the requirement down the supply chain over the next five years, with the expectation that all contractors will hold CMMC by 2025.
C3PAO accreditation, however, is rolling out much sooner, giving businesses a chance to refine their assessment and implementation skills before demand peaks.
Who Gives Accreditation?
C3PAO accreditation is granted by the CMMC Accreditation Board (CMMC-AB). Two things are distinguished here: the organization is accredited as a C3PAO, and the individual assessors who work for it are separately certified by the CMMC-AB as CMMC practitioners.
A C3PAO is therefore an organization that employs or contracts certified assessors.
Ultimately, these assessors will carry out the assessments, and, for clients the organization is not assessing, help develop implementation strategies.
The Accreditation Process
The process of becoming an assessor begins with registering with the CMMC-AB. You are then required to complete an introductory CMMC online training course, after which you must pass a commercial background check.
The last prerequisite is to sign the CMMC-AB professional code of conduct. Once all of this has been completed, you can begin your CMMC practitioner journey.
Note that as a CMMC practitioner you must work for a Registered Provider Organization (RPO), such as RSI Security.
The ecosystem is made up of organizations seeking CMMC, RPOs, C3PAOs, and certified training providers. Together these form what is considered the CMMC marketplace. The CMMC-AB intends this to be a platform through which seekers and providers can find each other.
While there will be certified training providers, all testing and official certification of practitioners is done by the CMMC-AB.
Can My Business Be a C3PAO?
Not all businesses can become a C3PAO; there are some prerequisites that you must have.
First and foremost, the citizenship requirement applies to the assessors, not to the organization as a whole. A C3PAO based in the United States must employ assessors who are U.S. citizens; an organization based in another country could in principle be a C3PAO, with assessors who are citizens of the country in which that C3PAO is based.
Furthermore, C3PAOs outside the U.S. must be located in a country that has a bilateral agreement with the United States concerning the CMMC. At the time of writing, no such agreement exists with any country, so for now C3PAOs are strictly U.S.-based organizations.
We can expect that to change over time; the DOD supply chain does include partners from outside the United States, after all.
Apart from the location-based requirements, you must satisfy some other conditions, the most important being CMMC itself.
Any C3PAO that wishes to perform CMMC assessments must first pass a CMMC level 3 assessment itself.
The level 3 requirement exists because the assessment results a C3PAO collects about its clients are sensitive and must be protected to the same standard as CUI. The C3PAO must therefore also ensure the security of its own data storage.
C3PAOs are permitted to store assessment results on cloud infrastructure, provided that the cloud service provider meets the security baseline established by the Government under the Federal Risk and Authorization Management Program (FedRAMP).
If the external cloud service provider is not FedRAMP authorized, the C3PAO must carry out an independent assessment of that provider and submit the results to the Defense Contract Management Agency (DCMA).
On top of that, the organization must also achieve ISO/IEC 17020 accreditation.
ISO/IEC 17020 is the international standard for the operation of bodies performing inspections.
Essentially, this accreditation means an accrediting body recognizes that your organization can consistently and competently carry out inspections while remaining impartial.
Impartiality is vital for the DOD; it would damage the integrity of the CMMC if the certification process were not impartial.
The CMMC-AB has stated that there is a 27-month grace period to attain ISO/IEC 17020 accreditation from the date of C3PAO registration, so there is no immediate need to be compliant, but it is better done sooner than later.
Finally, there is an economic requirement to becoming a C3PAO in the form of fees. There is an initial $1,000 application fee and a $200 activation fee due on acceptance. These fees do not include the assessment fees associated with the C3PAO's own level 3 assessment, which the CMMC-AB has quoted at $750.
Process To Hiring a C3PAO
The CMMC-AB has worked with the DOD to create a CMMC ecosystem. As part of that ecosystem, the CMMC-AB is developing a marketplace for C3PAOs.
At the time of writing, there are still no officially authorized C3PAOs. However, you can already search the marketplace for RPOs, C3PAO candidates (awaiting their own assessment), and individual registered practitioners.
Hiring a C3PAO will function much like hiring any other audit or inspection service. Both parties should agree on the scope of the assessment; in the case of the CMMC, the scope is dictated by the maturity level the DOD requires for the contract in question.
Pricing will depend heavily on the maturity level needed, since higher levels are naturally more involved. Other factors also play a part, such as:
- Size of the organization
- The chosen C3PAO
- Assessor expertise and experience
Preparing For CMMC Assessment
Before scheduling a formal assessment, organizations seeking certification need to prepare. As mentioned in a previous section, the role of a C3PAO is to assess your cybersecurity program and confirm that your organization has reached the required maturity level.
It is important to note that the C3PAO you choose cannot offer consulting services to an organization it is assessing.
This does not mean you cannot get help beforehand; in fact, we advise engaging an RPO, such as RSI Security, to get your house in order first. This improves your chances of achieving certification on the first attempt.
Preparing for CMMC assessment entails:
- Gap Analysis: gap analysis is a standard tool in compliance strategy and implementation, and many service providers offer it for frameworks such as GDPR, CCPA, and ISO certifications. It identifies where the organization falls short of the required controls (the gaps) and proposes solutions to address those shortcomings.
- Strategy and Implementation Planning: after a gap analysis has been performed, the provider develops an implementation strategy. For the CMMC, that means determining which controls need to be implemented and "institutionalized" to reach the desired maturity level.
- Remaining Agile: lastly, your organization will need to stay flexible about changes leading up to the assessment. This is not to say that the CMMC controls or the framework itself will change, but rather that the business environment will. Service providers can assist up to the assessment period and afterwards, to ensure that as your organization changes it remains within the required maturity level.
Recap, Quick-Start Guide, and How RSI Security Can Help You
The CMMC is approaching its 2025 transition date, by which all organizations within the DIB and the DOD supply chain will be required to hold certification. Certification is awarded only by C3PAOs, and organizations seeking certification will need to prepare for assessment.
Here is a C3PAO Quick-Start Guide:
| FAQ | Answer |
| --- | --- |
| Does My Business Require CMMC? | If your organization is in the DIB and handles FCI or CUI under DOD contracts, you will be required to have CMMC. |
| Who Grants CMMC Certification? | All CMMC certification is granted by a CMMC Third-Party Assessment Organization (C3PAO). |
| Who Accredits the C3PAO? | C3PAOs are authorized to operate by the CMMC Accreditation Board (CMMC-AB). |
| Can My Business Be A C3PAO? | Provided it satisfies the requirements outlined in this article, your business can become a C3PAO once it passes its own CMMC level 3 assessment and meets the CMMC-AB's accreditation conditions. |
Stay Ahead of The Curve With RSI Security
RSI Security is an authorized Registered Provider Organization (RPO) and can help you get started with CMMC and with choosing the right C3PAO. Although only "prime" DOD contractors are required to hold CMMC at the moment, it is simply a matter of time before the entire DIB will require it.
Stay one step ahead and get your house in order with RSI Security. Leverage our industry expertise, and ensure you pass your CMMC maturity assessment with ease.
Get in contact with RSI Security today, and schedule a consultation here.
If you are looking for more detailed information on the CMMC, download our whitepaper here. We will take you through the CMMC step-by-step so you can maintain your preferred status as a DOD contractor.