July 16, 2020
This week, we’re taking a break from reviewing how to prepare for the Cybersecurity Maturity Model Certification (CMMC) to look at some new information released by the CMMC Accreditation Body (AB).
Get to know the CMMC AB
The CMMC AB is responsible for implementing the assessment process, training and licensing third-party assessors, and managing the certified third-party assessor organizations (C3PAOs). The CMMC AB recently posted eight main requirements for organizations planning to become C3PAOs, and registration is now open for those organizations ready to train up to become C3PAOs and then audit and certify organizations up to CMMC Level 3.
Some key items that will be of interest to companies wanting to become a C3PAO:
- C3PAOs shall not be accredited to conduct CMMC assessments at Level 2 or higher until they achieve CMMC Level 3 themselves.
- Assessment team members must have an active Department of Defense (DoD) accepted clearance.
- All C3PAOs must be 100% U.S. citizen-owned and individual assessors must be U.S. Persons or U.S. citizens, depending on which maturity level they will address.
- If the C3PAO uses external cloud solutions to handle Controlled Unclassified Information (CUI), they must use a FedRAMP-authorized, or equivalently assessed, solution.
These requirements should increase defense contractors’ and suppliers’ confidence in the C3PAO that conducts their audit and certification. The requirements also reinforce that information uncovered during a CMMC assessment will be protected at the appropriate security level.
In addition to C3PAOs, there are also Registered Provider Organizations (RPOs). These organizations include security consultants who sign up to be trained as CMMC “registered practitioners.” This registration means they can provide preparation services to companies seeking CMMC certification, but they cannot perform the assessment or issue the certification itself.
This is a point worth repeating: RPOs will not be able to certify a company as CMMC compliant. Only C3PAOs can provide that certification.
Accredited C3PAOs and RPOs will both be listed in the CMMC AB Marketplace. The current estimated timeline states the Marketplace will be ready to go live for commercial assessments in Winter 2020 or Spring 2021. Once a C3PAO has performed an assessment, the company seeking CMMC certification will have 90 days to resolve any findings and receive its certification.
CMMC expands beyond the DoD ecosystem
In addition to news around the CMMC AB, there is also recent evidence that companies working with federal departments beyond the DoD may need to meet CMMC requirements.
This potential CMMC expansion was telegraphed via a government-wide federal contract, the General Services Administration’s $50 billion STARS III vehicle. The RFP states that “while CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions,” furthering the expectation that CMMC may be adopted as a general requirement for all federal contractors.
In the Cybersecurity and Supply Chain Risk Management (SCRM) Assessment Template, GSA asks that bidders state their intention to obtain CMMC certification, at which maturity level, and their timeline.
Will a federal contractor’s CMMC level be public information?
Another important point hiding in the STARS III vehicle RFP notes that the GSA also “reserves the right to survey 8(a) STARS III awardees…to identify and to publicly list each industry partner’s CMMC level.”
Combined with the DFARS flowdown requirement, a public CMMC level listing would become an important tool for defense suppliers to identify teaming partners and subcontractors and confirm that everyone holds the CMMC level required for the scope of work. We will continue to monitor whether GSA chooses to exercise its right to publish such a list.
It’s time to get ready for CMMC
Despite the various unknowns, one thing is clear: If you haven’t yet started your CMMC readiness initiative, begin by identifying your target maturity level. After you’ve determined your target maturity level, decide whether you need help from external security or vendor services to achieve certification. With these two steps completed, it’s time to look at your IT infrastructure the way a CMMC assessor will.
For a comprehensive look at the CMMC target maturity levels and preparation recommendations, check out our Cybersecurity Maturity Model Certification (CMMC) Best Practice Guide.