2024 is shaping up to be the year of preparing for NIST SP 800-171 and CMMC. There’s no question CMMC is coming, and if you’re a defense contractor or subcontractor that handles controlled unclassified information (CUI), you’ll need to begin scheduling third-party assessments to achieve CMMC certification.
CMMC Third-Party Assessment Organizations (C3PAOs) are the only organizations that may issue a CMMC certificate. They employ CMMC Certified Assessors (CCAs) and CMMC Certified Professionals (CCPs) who are trained and tested on properly assessing an organization’s compliance with NIST SP 800-171. C3PAOs are accredited by the Cyber-AB, an autonomous organization that is not part of the Department of Defense and is specifically responsible for accrediting third-party assessors. The Cyber-AB website (CyberAB.org) hosts a marketplace listing all accredited organizations.
Picking a high-quality C3PAO
Selecting a single C3PAO may seem daunting. Here are some considerations when selecting your C3PAO:
- How long has the organization been around? – CMMC is new, but organizations conducting cybersecurity assessments have been around for a while.
- Does the C3PAO offer any other certifications? – Combining a CMMC assessment and ISO 27001/27701 certification can bring additional opportunities internationally.
- Is the C3PAO accredited by other accreditation bodies, e.g. ANAB or IATF? – While not required for CMMC, additional accreditations demonstrate greater overall competency in conducting assessments and a broader understanding of standards.
- Does the C3PAO offer consulting services? – An organization that provides consulting or preparation work for CMMC to a company may not also conduct that company’s assessment; it’s a conflict of interest.
- Does the C3PAO have adequate CCAs and CCPs? – Headcount isn’t critical, but assessor availability may become an issue if you need the assessment sooner rather than later.
Make sure they’re accredited
Only Cyber-AB approved C3PAOs are allowed to issue CMMC certificates – confirm your assessor is a valid C3PAO in good standing on the Cyber-AB marketplace before signing anything.
ISO auditing experience is a plus
It’s difficult to look for a C3PAO with experience specific to CMMC because, technically, no one yet has actual experience certifying companies for CMMC compliance. However, if a company is an ANAB- or IATF-accredited certification body, you can have confidence that it knows how to assess an organization and that it has training and safeguards in place for professional conduct.
No mixing of remediation and assessing
If you see a company offering remediation and/or consultation as part of its assessment process, be cautious and ask questions about separation of functions. For a given organization, CMMC assessment and consulting may not be combined: a company can provide either assessment or consulting/remediation services to that organization, but not both.
Closing comments
As with any partnership, it’s a good idea to talk with a few organizations before selecting a C3PAO. In addition to technical acumen, it’s important to choose a C3PAO that can work well with your organization, and specifically with the people they’ll be working with day to day. Take your time with the selection; it’s an important choice with significant ramifications for your company.
Explore the January/February 2024 Issue