The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) recently released news that two organizations that have successfully become authorized CMMC C3PAOs. As anticipation for CMMC assessments grow, an understanding of what C3PAOs do, how they became assessors, and what to expect if you are planning on applying to become a C3PAO are imperative to understand. This post will cover each of the phases and requirements associated with successfully becoming an authorized C3PAO, as well as more about the first companies to do so, and their experience.
All companies in the Defense Industrial Base will need to pass at least a CMMC Level 1 assessment because each of them processes federal contract information. Depending on the sensitivity of other information they process (CUI for example), they will need to pass a corresponding CMMC Level Assessment. As the promise of CMMC assessments continues to draw closer, a few companies not only want to pass their assessments, but are interested in becoming assessors themselves. So, what exactly is a C3PAO? C3PAO stands for CMMC Third Party Assessment Organization. These organizations will conduct assessments in order to recommend that the CMMC-AB issue CMMC certificates to companies in the Defense Industrial Base (DIB), at the appropriate level for which they are assessed (CMMC level 1-5). C3PAOs are authorized by the CMMC Accreditation Body (CMMC-AB), which is the only entity charged by the Department of Defense (DoD) with accrediting, licensing, and managing the CMMC ecosystem.
The First CMMC C3PAO
On June 9th the first C3PAO organization, Redspin, was authorized by the CMMC-AB after passing their Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) CMMC Level 3 assessment. At that time, there were 156 other organizations that were awaiting approval. Shortly after, on June 15th, another leading National Security Solutions provider – Kratos — was named as a second CMMC C3PAO. These approvals are a relief to many who have worried that there will not be enough C3PAOs approved to conduct the CMMC assessments at a fast enough rate to meet the DoDs requirement for all companies in the DIB to be assessed in the next several years.
So how does an organization become a CMMC C3PAO? Like most things the government does, it can seem confusing or intimidating to try and sort through the necessary steps and requirements. In order to become a C3PAO there are three main phases of authorization, composed of multiple requirements, including becoming a Candidate C3PAO, then an Approved C3PAO, and finally an Authorized C3PAO. Following is a brief explanation of why an organization would want to become a C3PAO, each phase of the C3PAO approval process, and what is required at each phase.
Why and how to become a CMMC C3PAO?
There are an estimated 220,000+ companies in the DIB, and as CMMC ramps up, each of those companies will need to be assessed every three years to keep their status as a compliant prime or sub-contractor. Because there will be a limited number of authorized CMMC C3PAOs, not only will they be in a unique position to help make sure sensitive information is protected, but it also affords them an additional business opportunity. Although the costs to become a C3PAO can be substantial (which we will cover later in the article), it is likely that becoming a C3PAO will pay for itself many times over.
Phase One: Candidacy
The first phase is becoming a Candidate CMMC C3PAO. In order for the CMMC-AB to consider your company as a candidate there are four requirements that must be fulfilled. First, the organization must follow the application process at the CMMC-AB website. The application process includes signing a C3PAO License Agreement, followed by providing verification of insurance — which includes general liability, errors and omissions, and cybersecurity breach polices, for which the minimum coverage amounts have not yet been determined. Next a non-refundable application fee of $1,000 needs to be paid, as well as a $2,000 activation fee. Congratulations! Once your company has completed these four application steps, it is officially considered a Candidate C3PAO!
Phase Two: Approval
The next phase is to become an Approved CMMC C3PAO. In order to accomplish this, your company must first complete an Organizational Background Check by having Dun & Bradstreet provide the CMMC-AB with some information, including a DUNS number. Your company also must maintain an association with at least one individual trained to help organizations prepare for CMMC assessments. This individual must hold one of the following CMMC-related registrations or certifications: Registered Practitioner, Certified Professional, Provisional Assessor, or Certified Assessor. Your company has a 30-day grace period to develop such an association. Next, your business must either be 100% U.S. Citizen owned, or your business must successfully complete a Foreign Ownership, Control or Influence (FOCI) background investigation, whether yours is a public company, an Employee Stock Ownership Plan (ESOP), or a global partnership. The final step to become an approved C3PAO is to undergo a CMMC Level 3 assessment, which is performed by DIBCAC. Depending on the company and their specific needs and contracts, becoming CMMC Level 3 compliant can entail significant costs and expansion of the organization’s cybersecurity program.
Phase Three: Authorization
The final phase is becoming an Authorized CMMC C3PAO. During this step your company must prove to the CMMC-AB it has the necessary resources and personnel to sustain C3PAO Authorization and actually perform assessments. At this point your company will also need to be ISO 17020 Certified, within 27 months from the date your company first registered to become a C3PAO. Hiring personnel and having appropriate resources can be another large expenditure, as well as going through the ISO 17020 certification process. Once your company is an Authorized C3PAO, there are also additional training and maintenance costs for each assessor, as well as a requirement for each assessor’s first audit to be observed by an AB credentialed individual at a rate of $2,500 per day.
Tips on Preparation to become a CMMC C3PAO
Since the results of these assessments and the information associated with them are going to be considered CUI, which therefore requires a CMMC Level 3 compliant environment, most companies that pursue CMMC C3PAO Authorization are already going to need to become CMMC Level 3 compliant. According to the organizations who have already become authorized, your company is most likely already doing the basics of C3PAO requirements, but your company may find that the actual compliance is much more rigorous and exact than one might originally think.
Caleb Barlow is the CEO of CynergisTek, the parent company of RedSpin, the first authorized CMMC C3PAO. He shares that the CMMC Level 3 assessment was not unlike audits that many other parts of his company regularly face, especially those in the financial department. The difference with the C3PAO process was that it was just the first time that those in the cyber field have been asked to prepare for the scrutiny that often accompanies audits in other parts of the business world. He shared that one of the biggest challenges was not just having the correct policies, practices, and procedures documented, but making sure that employees understood and were able to follow them exactly.
CMMC compliance is not something that the IT and Security department can take care of alone; it encompasses and requires the whole organization to be involved, educated, and intentional in their roles. For full compliance, the company must also define how those roles relate to the security of the company as a whole. At the end of the day, CMMC compliance is a culture change for each company. If your company is interested in becoming a CMMC C3PAO, Totem’s workshops are a great place to learn about the CMMC practices and processes. It is also a great place to become familiar with challenges that businesses in the DIB face when getting compliant. If you are interested in the workshop, you can find more information or enroll here: DFARS / NIST 800-171 / CMMC Online Workshop