Needling Worldwide

Audit and compliance awareness – the C3PAO in CMMC Certification

Updated: Jun 19

The Cybersecurity Maturity Model Certification (CMMC) program is aligned with the Department of Defense (DoD) information security requirements and is designed to enforce the protection of sensitive unclassified information that the department shares with its contractors and their subcontractors. The program gives the DoD increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and to systems that process Controlled Unclassified Information (CUI).

To reach those goals, the CMMC program relies on the C3PAO (CMMC Third-Party Assessment Organization). A C3PAO is an organization that has passed an intensive series of requirements and has been acknowledged by the CMMC Accreditation Body (the Cyber AB) as objective and competent to perform CMMC assessments.

So, as a company seeking CMMC certification, you may wonder how to find an authorized C3PAO assessor.

A company can find a C3PAO through the Cyber AB, which maintains a marketplace of authorized assessors meant to serve the entire Defense Industrial Base (DIB). The DoD's DIB cybersecurity program focuses on protecting intellectual property and safeguarding DoD information that resides on, or transits through, the unclassified contractor networks used to do business with the department.

Steps to consider when visiting the marketplace:

  1. Engage a C3PAO only when you are confident that your organization can meet the demands laid out in your existing contracts, or the requirements of the CMMC level you are seeking. While CMMC does not fully take effect until 2025, it makes sense to engage with a C3PAO well before then, since compliance with the underlying requirements is already specified for businesses seeking DoD contracts. However, hold off on engaging a C3PAO until you have accurately assessed your security architecture and implemented your security controls against NIST SP 800-171; an assessment you are not ready for wastes both scarce assessor time and your own.

  2. An assessment organization that wants to become a C3PAO must go through the following process:

    1. A representative of the organization submits an application on the Cyber AB website. Applicants are then screened in multiple steps, and the Cyber AB produces a risk assessment of each applicant that analyzes and scores up to 15 different factors.

    2. The applicant must receive an overall risk score of moderate or better from the Cyber AB to move to the next step in the process.

    3. Applicants scoring higher than moderate risk are referred to Cyber AB leadership for further review.

    4. A Foreign Ownership, Control, or Influence (FOCI) analysis is conducted to evaluate the risk of foreign influence. The applicant submits both the FOCI form included in the application and a completed SF-328 form.

    5. As part of the FOCI review, the applicant's senior management is interviewed, and the U.S. citizenship of the company's owners must be confirmed.

    6. If the applicant is part of an Employee Stock Ownership Plan (ESOP) that involves a global partnership, or is a global company headquartered in the U.S., an enhanced FOCI analysis is performed.

    7. If all of the analysis is favorable, the applicant becomes a C3PAO candidate. Once the Cyber AB confirms the candidate, the candidate organization must itself undergo a CMMC Level 2 assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

    8. A candidate that achieves CMMC Level 2 in that assessment is authorized as a C3PAO and may conduct assessments. Note that only authorized C3PAOs can conduct CMMC assessments for certification; an organization that has not completed this process cannot certify you, however experienced it may be.

So, for any company that wants CMMC certification but is still debating whether to wait until 2025, here are a few reasons not to wait, and instead to seek out an authorized C3PAO and obtain certification well in advance:

  • There are more organizations seeking certification than there are C3PAO assessors, which is creating a major bottleneck. If you wait until the DoD's phased rollout starts, you will face an inevitable backlog that puts your intended certification date in serious jeopardy.

  • There are even fewer assessors with hands-on NIST SP 800-171 experience, the standard on which the CMMC Level 2 assessment is based, available to help an organization prepare.

  • The average time needed to implement NIST SP 800-171 is 12 to 18 months for a company of 50 to 500 employees starting from an average compliance posture.

  • If you want to stay competitive when certifications become available in Q1 2025, expect the process itself to take 12 to 18 months, and that is only if everything goes well and the company already meets all of the required security controls.

The bottom line: if you want to do business with the DoD and need CMMC certification at the required level, your competitors will be choosing the earliest possible moment to become compliant. Doing the same is essential to keeping a competitive edge when bidding for new contracts.
