
Why you need a CMMC C3PAO


Published: October 8, 2020, by Karen Walsh

As a subcontractor, you probably already know a little about the Cybersecurity Maturity Model Certification (CMMC) program. However, with so little information available, understanding how CMMC will impact your organization might feel like swimming upstream through mud. Although all organizations that bid on Department of Defense (DoD) contracts will need to be CMMC compliant by 2025, understanding how the new requirement impacts you now is likely top of mind. If you want to keep your contracts with primes, you need to engage in a third-party certification with a CMMC Certified Third-Party Assessment Organization (C3PAO).


What does CMMC mean for subcontractors?


CMMC sets out a maturity model rather than a prescriptive set of security controls. Moreover, unlike many regulatory requirements and industry standards, CMMC lacks a risk assessment requirement. For subcontractors, this means that no matter how much DoD information you handle or how many other compliance standards you meet, CMMC is in a category by itself.

Types of Data

CMMC covers two different types of information – Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). 


FCI covers information managed as part of contract activities that is not intended to be shared publicly, such as emails, documents, or chat messages.


CUI is non-public personal or sensitive data that would also be covered under other regulatory requirements, such as non-public personal information (NPI), financial information, IT security data, documentation from law enforcement agencies, or patents.

5 CMMC Levels

The five CMMC levels are based on the type of data a subcontractor manages. Each level requires additional controls depending on whether the business manages FCI only or also needs to protect CUI. Although CMMC sets out five levels, most small and mid-sized subcontractors are expected to fall into Levels 1-3.


  • Level 1: Performing best practices for basic cyber hygiene, but often on an "ad hoc" basis
  • Level 2: Documenting processes for consistency as intermediate cyber hygiene
  • Level 3: Managing processes for good cyber hygiene programs


Levels 4 and 5 focus on creating robust enterprise cybersecurity programs, requiring benchmarking, measuring, and standardizing cybersecurity efforts. 

What is CMMC-AB?

The CMMC Accreditation Body (AB) is the governing body that establishes and oversees the community of assessors by providing training and certifications for third-party assessors. 


The CMMC-AB website offers resources including information for:

  • Organizations looking to become certified C3PAOs
  • Individuals looking to become Certified Assessors (CAs)
  • Organizations looking to become non-certified Registered Provider Organizations (RPOs)
  • Individuals looking to become non-certified advisory Registered Practitioners (RPs)
  • Publishers of educational courses and content 


In short, the CMMC-AB is the entity in charge of all third-party assessors and other vendors looking to work in the CMMC compliance field.

What is a C3PAO?

A C3PAO is an authorized third-party assessor organization certified by the CMMC-AB to contract with organizations seeking certifications, hire and train certified assessors, schedule assessments, and/or manage assessments. All team members must have the appropriate, active NAC, DHS Suitability, or DoD Accepted Clearance prior to engaging in an assessment. 


In order to be certified as a C3PAO, an organization must:

  • Sign the license agreement
  • Verify insurance
  • Pay an application fee
  • Pay a C3PAO activation fee
  • Undergo an Organizational Background Check
  • Maintain an association with at least one RP, CP, or CA
  • Provide a commercial background check for all ML-1 assessment team members
  • Be owned 100% by U.S. citizens


Additionally, the CMMC-AB requires C3PAOs performing Maturity Level 2 or above assessments to achieve CMMC Level 3 certification themselves prior to being accredited.

What is the difference between C3PAOs, Certified Professionals (CPs), and Certified Assessors (CAs)?


C3PAOs are the organizations certified to perform the assessments. For example, an audit firm would be the C3PAO, as opposed to its individual auditors. Meanwhile, CPs and CAs are the members of the C3PAO working on or conducting the assessment.

Certified Professional (CP)

CPs are professionals who can participate as part of an assessment team but are not authorized to complete the assessment. The CMMC-AB notes that becoming a CP is a valuable credential for employees who need the training to understand CMMC requirements for a DoD supplier. In short, CPs are the CMMC equivalent of paralegals; they have many of the same skills and know all the rules, but they cannot be the final arbiter.

Certified Assessor (CA)

CAs are credentialed to conduct CMMC assessments and supervise CPs. According to the CMMC-AB website, CAs must also prove "maturity," based on the number of assessments they have completed, to be fully authorized. CAs are split into CA-1, CA-3, and CA-5, each named for the highest CMMC Maturity Level they are authorized to assess.

How do I get CMMC certified?

CMMC certification is required for any organization, prime contractor or subcontractor, that manages FCI or CUI in order to bid on DoD contracts. In short, if your organization sits anywhere in the Defense Industrial Base (DIB) supply stream, you need to meet some level of CMMC certification.


The first step to certification is determining your CMMC Maturity Level. From there, you can use the CMMC-AB marketplace to find a C3PAO that will manage your assessment. Your assessment will not be considered valid unless you use a C3PAO. 


Once you choose a C3PAO from the marketplace, you can expect the organization to schedule an assessment with a CA. After the assessment is complete, the CMMC-AB reviews it with its Quality Auditors, then sends back any findings. You will have up to 90 days to resolve the findings with your C3PAO.


Once you resolve the findings, you send the assessment back to the CMMC-AB, where the Quality Auditors re-review it prior to issuing your CMMC Maturity Level Certificate.

CMMCplus: Easing the Burden of CMMC Certification

Although the CMMC-AB has a marketplace, CMMCplus recognizes that subcontractors have different compliance needs than their primes. CMMCplus streamlines the certification process with an easy-to-use platform that uses everyday language to help businesses determine the appropriate Maturity Level, set controls, and engage in gap assessments to streamline compliance. 


We also work with a marketplace of CMMC-AB certified C3PAOs who focus specifically on subcontractor compliance, tailored to the data that you manage as part of your contract. 


For more information about how CMMCplus can help your organization identify the appropriate CMMC maturity level and manage the certification process, contact us today. 