The Cybersecurity Maturity Model Certification Accreditation Body (“CMMC-AB”) has approved an initial set of twelve (12) Certified Third Party Assessment Organizations (“C3PAOs”) to participate in the CMMC Ecosystem overseen by the CMMC-AB. Additional C3PAOs will be announced in the future. C3PAOs will be responsible for providing assessment-related services and certifying the cybersecurity maturity of organizations doing business with the DoD.
C3PAOs Cannot Begin Assessments Yet
Although the C3PAOs have met the CMMC-AB’s requirements, the C3PAOs’ own cybersecurity programs must be assessed and certified against the CMMC Model before the C3PAOs can begin providing assessment services. According to the CMMC-AB’s C3PAO website, “Due to Assessment results begin [sic] CUI, C3PAOs shall not be accredited to conduct CMMC assessments until achieving CMMC Level 3 certification themselves”. Assessment of C3PAOs will be performed by the Defense Contract Management Agency’s (“DCMA’s”) Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) assessment team. The DIBCAC assessment team has already been trained and certified as Provisional Assessors by the CMMC-AB. Timing for the DIBCAC assessments has not been publicly released.
The Department of Defense’s (“DoD’s”) Cybersecurity Maturity Model Certification (“CMMC”) program is designed to give DoD better insight into risks posed by its supply chain. One of the main focuses of the CMMC program is to allow DoD decision makers to more easily identify those contractors whose cybersecurity programs are mature enough for them to be trusted with sensitive information (referred to as Controlled Unclassified Information, or CUI). It also allows DoD to track the contractors whose programs, while not mature enough to handle CUI, can still be trusted with less sensitive, but still nonpublic, information (referred to as Federal Contract Information, or FCI). This is accomplished through an independent assessment and certification of the maturity of the contractors’ cybersecurity programs by certified assessors against a set of requirements developed by DoD. The contractors’ cybersecurity program(s) are measured on a 1-5 scale, with Maturity Level 1 being the minimum required to create or receive FCI and Maturity Level 3 the minimum required to create or receive CUI.
Rather than coordinating the assessment and certification of the over 200,000 companies that are part of the DoD supply chain, in November 2019 DoD asked industry to stand up an Accreditation Body that would create and oversee an ecosystem of independent Certified Third Party Assessment Organizations (“C3PAOs”) and Certified Assessors. Industry responded by creating the CMMC-AB in January 2020. In November 2020, DoD entered into a no-cost contract with the CMMC-AB which authorizes the CMMC-AB to act as the sole Accreditation Body for the CMMC program.
The CMMC-AB is working with independent curriculum developers (referred to as Licensed Partner Publishers, or LPPs) to develop formal training materials as part of the assessor certification process. The CMMC-AB’s decentralized approach to assessor training and certification allows the market to meet the demand for assessors, but it does require additional time to build out. As an interim step, the CMMC-AB created the Registered Practitioner (“RP”) and Provisional Assessor (“PA”) training programs. The Registered Practitioner program is designed to give consultants working in the CMMC Ecosystem a strong foundation in CMMC. Participants in the RP program must also agree to abide by the CMMC-AB’s Code of Professional Conduct, and the RP training walks through several key ethical and business issues that consultants may face. CMMC consulting services performed by an RP must be provided through a Registered Provider Organization.
The Provisional Assessor program builds on the RP program and walks the assessors through the CMMC assessment process, including the collection and analysis of objective evidence required for CMMC certification. Assessment services performed by a Provisional Assessor must be provided through a C3PAO. Provisional Assessors and C3PAOs will be focusing on assessment and certification of the contractors who are participating in the fifteen contracts with CMMC requirements that will be released by DoD during FY2021.
Although only fifteen contracts are expected to include CMMC requirements in FY2021, contractors are still encouraged to begin their CMMC assessment preparation process. The CMMC Information Institute’s recently published “CMMC Assessment Lifecycle” infographic, shown below, helps organizations understand the process they should follow when preparing for a CMMC assessment.