Understanding C3PAO and the CMMC Certification Process
What prompted CMMC?
U.S. Defense Industrial Base (DIB) contractors are under constant cybersecurity threat, and improperly implemented or missing cybersecurity controls are allowing unauthorized disclosure of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Most of the security requirements in CMMC have been required of DIB contractors since 2017. Previously, contractors had been tasked with a self-assessment to confirm that all cybersecurity measures were in place and functional. Requiring a third-party assessment is a step forward in securing the federal government's sensitive unclassified data: an external attestation that each contractor is properly securing its environment before it handles FCI / CUI.
In the words of the OUSD(A&S): “Security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward.”
Who must attain CMMC certification?
CMMC is being incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS), and by 2025 all suppliers will need a certification in order to bid on contracts. Contractors can achieve a CMMC level for their entire enterprise network or for a particular segment or enclave, depending on where the protected information is handled and stored. The CMMC-AB estimates that the certification process will take at least six months.
How does a firm attain CMMC certification?
Prior to a formal assessment, an Organization Seeking Certification (OSC) will likely work with a managed service provider, a Registered Professional (RP), or another consultant to ensure it is ready. Once ready to proceed, the OSC chooses a Certified 3rd Party Assessor Organization (C3PAO) from the list of accredited C3PAOs on the CMMC Accreditation Body (CMMC-AB) marketplace website. The selected C3PAO assigns an assessment team and coordinates with the OSC. After the assessment is complete, the lead Certified Assessor (CA) makes a certification recommendation to the CMMC-AB and provides supporting documentation. After official review, the CMMC-AB makes a final decision and issues a level-specific certification when and where warranted. All CMMC certifications are valid for three (3) years.
Why is it necessary to prepare now for CMMC certification?
Companies within the DIB must not only prepare for CMMC certification but also set a specific plan to attain it. Being proactive is imperative, because requests for proposals and contract solicitations will mandate that a firm has attained the required certification level. The Department of Defense has specified its plan for future solicitations that carry CMMC requirements. A company within the DIB that fails to act, is not proactive in attaining certification, or lacks the required certification for a solicitation, RFP, or contract renewal could be excluded from the pool of qualified bidders for that contract.
Who must attain CMMC certification through assessment, and at which level?
The DoD will specify the required CMMC level in Requests for Information (RFIs), Requests for Proposals (RFPs), and contract solicitations. If a contract has a CMMC requirement, the DIB contractor and its subcontractors must attain CMMC certification. The level of certification required depends on the RFP language and on the nature of the information exchanged between the prime contractor and each subcontractor. A prime contractor may therefore be required to hold a higher certification level than some or all of its subcontractors.
Who does not have to attain CMMC certification?
By 2025, all DoD suppliers must be CMMC certified. There is also some speculation that other federal agencies will adopt CMMC requirements in the future.
Where can I find a chart for the full journey to “certified organization”?
The CMMC-AB maintains an excellent site; its OSC Journey page is highly recommended.