For those watching closely what is happening with the CMMC-AB, Inside Cybersecurity published an article which includes a copy of the CMMC-AB’s SoW with DoD. Many of the changes highlighted in the article have already been reported, but the SoW does confirm that the CMMC-AB will need to spin off the training and assessor certification program. The SoW gives the CMMC-AB time to make the transition, and the CMMC-AB has stated that the change will not impact the Licensed Training Providers and Licensed Partner Publishers who are already participating in the CMMC Ecosystem, or the Certified Professionals and Certified Assessors who will be trained using the training programs created under the CMMC-AB’s direct guidance.

The SoW also allows the CMMC-AB to directly authorize C3PAOs for the time being. This is critical so the C3PAOs can meet DoD’s and industry’s assessment needs now while still transitioning to a more independent, ISO-based model in the future. C3PAOs authorized by the CMMC-AB will have up to 27 months from their registration to obtain their ISO/IEC 17020 accreditation.


The SoW solidifies the CMMC-AB’s role as the sole manager of the CMMC Ecosystem. The structure and mechanics of the CMMC Ecosystem will look different in a few years, but the direct impact of these changes on contractors will likely be minimal. Contractors will still need CMMC certifications before they can be awarded a contract, and the CMMC-AB is still pursuing a distributed management model for the CMMC Ecosystem which will encourage competition and reduce conflicts of interest.