The Defense Industrial Base comprises of businesses and organizations of all shapes and sizes. Because each company in the Defense Industrial Base processes government contract information, they will all need to pass at least a CMMC Level 1 evaluation. They will need to pass a CMMC Cybersecurity Level Assessment depending on the sensitivity of the information they handle. As the promise of CMMC evaluations becomes more tangible, a few firms are considering not just passing their exams, but also becoming assessors.
CMMC Third Party Assessment Organization is also known as C3PAO. The CMMC Accreditation Body (CMMC-AB), the sole body entrusted by the DoD with certifying, licensing, and administering the CMMC ecosystem, has given C3PAOs its approval.
After completing their Defense Industrial Base Cybersecurity Examination Center (DIBCAC) CMMC Level 3 assessment, the first C3PAO organization, Redspi, was authorized by the CMMC-AB on June 9th. There were 156 additional groups seeking for approval at the time. On June 15th, another renowned provider of national security solutions, Kratos, was recognized as a second CMMC C3PAO. Many people were afraid that there wouldn’t be enough C3PAOs certified to undertake CMMC assessments quickly enough to fulfil the Department of Defense’s requirement that all firms in the DIB be examined within the next few years.
Phase One: Candidacy
The first step is to become a CMMC C3PAO Candidate. There are four conditions that must be met in order for the CMMC-AB to evaluate your firm as a candidate. To begin, the business must go to the CMMC-AB website and complete the application procedure. Signing a C3PAO License Agreement is the first step in the application procedure, followed by presenting proof of insurance, which encompasses general liability, discrepancies, and cybercrime breach policies, for which minimum coverage levels have yet to be set. Then there’s a $1,000 non-refundable enrollment charge and a $2,000 activation cost to pay. Once you have completed these steps, you will become C3PAO Candidate.
Phase Two: Approval
The next step is to become a CMMC C3PAO that has been approved. To do so, your firm must first undertake an Organizational Background Check by providing the CMMC-AB with general details, including a DUNS number, from Dun & Bradstreet. Your firm must also have a working relationship with at least one person who has been trained to assist organizations in preparing for CMMC evaluations. This person must be a Registered Practitioner, Certified Professional, CMMC consulting professional, Provisional Assessor, or Certified Assessor with a CMMC-related registration or certification. Your firm has a 30-day grace period in which to establish such a relationship.
Phase Three: Authorization
The last step is to become a C3PAO Authorized by CMMC. During this stage, your firm must demonstrate to the CMMC-AB that it has the resources and manpower in place to maintain C3PAO Authorization and conduct evaluations During 27 months of the date your firm initially qualified to become a C3PAO, your company will also need to be ISO 17020 certified.