This week, the CMMC Information Institute hosted two Informed Events focused on C3PAOs.

C3PAO Round Table

The first, a C3PAO-only roundtable, gave representatives of candidate C3PAOs the opportunity to discuss issues and trends they are seeing, and to share concerns. The event was held subject to the Chatham House Rule and was not recorded. The Informed Event was only scheduled to last an hour, but the conversations went on for over 75 minutes, and probably could have gone longer. It became clear that these types of sessions are needed in the C3PAO community, and that 3 months between sessions would be too long. We will be hosting them every 2 weeks instead. If your organization is a C3PAO and would like to participate, please reach out to us for more information.

ISO 17020 and ISO 17021 Accreditation Informed Event

Our second session was a discussion on the ISO 17020 Accreditation requirements. As those closely following the CMMC program will recall, under the current DoD/CMMC-AB requirements, C3PAOs face several hurdles, including certification of their cybersecurity programs at CMMC ML3 by DCMA’s DIBCAC. The C3PAOs must also obtain ISO 17020 accreditation by October 31, 2022. Although the C3PAOs have some time before the ISO accreditation requirement kicks in, they are smart to start the audit preparation process now. In this Informed Event, Vicki Delaney and Tara Lemieux discuss the differences between 17020 and 17021, describe the 17020 requirements, and answer questions about the accreditation process. The Informed Event is chock-full of great information for any candidate C3PAO or other organization considering applying to become a C3PAO. The recording of the session, and slides with additional details about the ISO 17020/17021 accreditation process is available to our Communities members in the Tools and Information menu of our website by selecting “Informed Event Recordings”.