Selecting a C3PAO for your organization

You need to begin the process of scheduling third-party assessments to achieve CMMC certification


2024 is sure to be the year of preparing for NIST/CMMC. There’s no question CMMC is coming, and if you’re a defense contractor or a sub-contractor who handles controlled unclassified information, you’ll need to begin the process of scheduling third-party assessments to achieve CMMC certification.

CMMC Third-Party Assessment Organizations (C3PAOs) are the only organizations that may issue a CMMC certificate. They employ CMMC Certified Assessors (CCAs) and CMMC Certified Professionals (CCPs) who are trained and tested on properly assessing an organization’s compliance with NIST SP 800-171. C3PAOs are accredited by the Cyber-AB, which is not part of the Department of Defense. The Cyber-AB is an autonomous organization specifically responsible for accrediting third-party assessors, and its website (CyberAB.org) has a marketplace listing all accredited organizations.

Picking a high-quality C3PAO

Selecting a single C3PAO may seem daunting. Here are some considerations when selecting your C3PAO:

  • How long has the organization been around? – CMMC is new, but organizations conducting cybersecurity assessments have been around for a while.
  • Does the C3PAO offer any other certifications? – Combining a CMMC assessment with ISO 27001/27701 certification can bring additional opportunities internationally.
  • Is the C3PAO accredited by other accreditation boards, e.g. ANAB or IATF? – While not critical to CMMC, additional accreditations demonstrate greater overall competency in conducting assessments and a broader understanding of standards.
  • Does the C3PAO offer consulting services? – An organization that provides consulting or preparation work for CMMC may not also conduct the assessment; it’s a conflict of interest.
  • Does the C3PAO have adequate CCAs and CCPs? – Volume isn’t critical, but availability of assessors may become an issue if you need the assessment sooner rather than later.

Make sure they’re accredited

Only Cyber-AB accredited C3PAOs are allowed to issue CMMC certificates – confirm your assessor is a valid C3PAO in good standing in the Cyber-AB marketplace.

ISO auditing experience is a plus

It’s difficult to look for a C3PAO with relevant experience specific to NIST/CMMC because, technically, no one has actual experience certifying companies for CMMC compliance. However, if a company is an ANAB or IATF accredited certification body, you can have confidence that it knows how to assess an organization and that it has training and safeguards in place for professional conduct.

No mixing of remediation and assessing

If you see a company offering remediation and/or consultation as part of its assessment process, be cautious and ask questions about separation of functions. CMMC assessments and consulting may not be combined: a company can provide either assessment services or consulting/remediation services for an organization, but not both.

Closing comments

As with any partnership, it’s a good idea to talk with a few organizations before selecting a C3PAO. In addition to technical acumen, it’s important to choose a C3PAO that can work well with your organization, and specifically, the people in your organization with whom they’ll be working. Take your time with the selection. It’s an important choice that can have significant ramifications for your company.

About the author: Robert McVay is a senior consultant for information security services in Smithers Quality Assessments Division. https://www.smithers.com

January/February 2024