CMMC-AB C3PAO: How to choose the right one?


Currently, only four companies are officially approved by the Cybersecurity Maturity Model Certification Accreditation Body CMMC-AB C3PAOs (authorized), and just under 200 organizations are currently listed as C3PAO Candidates pending a CMMC Maturity Level 3 Assessment.

As CMMC has become an inevitable requirement for all companies in the Defense Industrial Base (DIB), it spikes the demand for CMMC audits and requires a clear understanding of what an authorized C3PAO does, what it takes to become one, and how to set the right expectations in the application process of becoming an approved CMMC assessor. In this blog post, we will tap into the nuances of the C3PAO nature, approval process, share first-hand candidate experience, and determine the best practices on how to pick a CMMC-AB C3PAO.

The Memorandum of Understanding (MOU), signed by the CMMC-AB in March 2020, explicitly states that the U.S. Department of Defense (DoD) will only work with organizations certified by a C3PAO or assessor accredited by the CMMC-AB. Every DIB organization should obtain a minimum of CMMC Level 1, out of the available five maturity levels corresponding to the sensitivity of their Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) to conduct their contractual obligations with the DoD.

What is the CMMC-AB C3PAO?

C3PAO is an abbreviation for CMMC Third-Party Assessor Organization. Simply put, it’s a certified third-party CMMC auditor authorized by the CMMC-AB to perform assessments of the cybersecurity environment and maturity level of organizations engaged or want to engage in any contractual commitments with the DoD. To become a CMMC-AB C3PAO, companies must also undergo a CMMC-AB certification process, including assessing their ability to adhere to the standard at the maturity level it intends to access.

Before CMMC’s enactment, organizations operating within the DIB were required to comply with the security regulations stipulated in NIST 800-171. Complying with NIST 800-171 was easy since it was a self-certification process that required organizations to prove through external or internal assessments that they were compliant with the various cybersecurity standards and controls described in the framework.

However, due to increasing threats and security concerns, the DoD determined that self-certification is insufficient. Also, the DoD decided that the periodic compliance reassessments did little to foster the required data protection and cybersecurity maturity needed to secure CUI.

As a result, the emerging CMMC uses a different approach to audit, assess, and certify a company to achieve the appropriate cybersecurity maturity level. Specifically, organizations must work with an accredited CMMC-AB C3PAO to demonstrate compliance with an applicable CMMC level before being certified. A C3PAO is an assessor authorized to audit organizations applying for CMMC certification to verify and validate that its implemented cybersecurity controls work as required and provide adequate security for highly sensitive data. Essentially, the C3PAO would provide a pass or fail with recorded deficiencies for the DIB supplier, and report results to the CMMC-AB.

Top Reasons Why the DoD is Developing the Model

Defense contractors and subcontractors often question why the DoD decided to mandate C3PAOs to audit and certify organizations as CMMC compliant. One of the top reasons is the pressing need to increase accountability among organizations seeking to meet the cybersecurity requirements in the Defense Federal Acquisition Regulation Supplement (DFARS).

According to Katie Arrington, who served as the chief information security officer (CISO) in the Office of the Under Secretary for Acquisition and Sustainment, “CMMC has, and will remain a priority for the Department, and will safeguard our enterprise against cyber theft losses that cost our nation $100 billion annually, and $600 billion worldwide, equating to 1% of global GDP.”

In addition, the DoD mandates the CMMC-AB C3PAO certification body and CMMC accreditation body, which mirrors the global ISO management models for certifying implemented requirements. In particular, the CMMC accreditation body mirrors ISO 17011, and CMMC-AB C3PAO certification body mirrors ISO 17021. The underlying reason for choosing the model is that it has proven to enhance organizational security management and posture for more than 30 years.

The DoD settled on the ISO 17021 model for C3PAOs to provide a fair and level playing field for all organizations competing to win lucrative DoD contracts. For instance, smaller organizations bidding on contracts may self-certify to comply with the cybersecurity maturity levels but have yet to conform to the requirements. In contrast, established organizations may have complied with all requirements. Therefore, CMMC will determine that only organizations that have sufficiently met the requirements compete for the DoD contracts by developing the model.

Arrington states that “we need to make sure our industry partners are prepared to take on the work, and our third-party auditors will ensure that they are implementing the practices that we need in place to secure that national defense and our industrial base.”

Why C3PAOs are Critical to CMMC 

The CMMC compliance program is largely based on NIST SP 800-171, a self-attestation regulation that requires organizations to conduct self-assessments and self-report the outcomes. As a result, some companies may report inaccurate cybersecurity performance against the defined data security controls. Furthermore, some companies may self-report the essential and accurate compliance requirements but fail to maintain the vital ongoing monitoring to sustain a healthy cybersecurity program. Compliance is a continuous process and responsibility required to protect confidential information from current or emerging threats.

With the introduction of the CMMC-AB C3PAO, only the accredited third-party CMMC assessors can establish whether a company meets the various security requirements in the five cybersecurity levels and demonstrates DoD audit readiness. After performing satisfactory assessments, the C3PAO sends the results to the CMMC-AB as proof and for verification purposes where if everything is in order, the organization can be certified.

Best Practices to Consider when Choosing a C3PAO

When choosing and vetting a third-party assessor, the first thing to consider is determining if the company is listed as a CMMC C3PAO in the CMMC-AB marketplace. Only the CMMC accreditation body can license an organization to perform the C3PAO role. Also, see if the company has displayed its official accreditation logo in its services, website, or materials when researching suitable C3PAO to perform the CMMC audit process. More importantly, an authorized C3PAO should demonstrate vast knowledge and background concerning DFARS 252.204-7012 and NIST SP 800-171, upon which CMMC is based, and other necessary data protection mandates.

Other than verifying whether the C3PAO is fully accredited, the following considerations are invaluable in selecting the most competent third-party assessor:

  • The number of completed CMMC assessments: This speaks directly to the C3PAO’s competence in auditing and certifying an organization. An approved C3PAO ultimately benefits a company by completing the security assessments within a short period to fast-track the certification process. However, it is essential to note that C3PAOs may complete very few assessments this year but more in subsequent years.
  • Has the C3PAO worked with other companies in the same industry? Companies in different industries are exposed to different threats and typically require different data protection requirements. The additional expertise can assist in resolving the security problems relative to a specific industry and ensure that they aren’t misunderstood or overlooked. Also, organizations that store information in the cloud or on-premise data centers may require C3PAOs experienced in auditing similar Organizations Seeking Certifications (OSCs).
  • The expected delivery time: The faster an organization becomes certified as complying with the CMMC requirements, the faster it gets to bid and win new and retain existing DoD contracts. So, determining the delivery time is crucial to rapid but effective assessment and certification processes. Some of the factors to consider are the projected auditing schedule and the C3PAO’s backlog.
  • Request to see some credentials: An organization’s upper management may require seeing and verifying the credentials of staff members performing the security assessments. When requesting the assessors’ credentials, qualified, accredited C3PAO team members should at least provide Department of Homeland Security (DHS) Suitability, active National Agency Check (NAC), or other types of DoD clearances. In addition, just like experts in other fields, C3PAO assessors with additional credentials, such as Microsoft Certified Professionals and Certified Information Systems Security Professional (CISSP), may be an added advantage.

When deciding on the C3PAO to perform a CMMC security assessment, companies should be wary of companies claiming to provide the assessment services even before the CMMC-AB has fully rolled out the certification procedure. Most of the bogus assessors prey on the companies’ urge to get early certifications to bid on DoD contracts. Also, these “assessors” may attempt to lure vulnerable companies with better pricing while promising unrealistic deadlines. A little research of the company on the CMMC-AB marketplace can help determine if it is legit and will help to avoid being a victim of fraud or provide access to confidential information systems to uncredentialed staff.

About Ignyte Assurance Platform 

The Ignyte Assurance Platform is software purposely built to assist companies in CMMC audit readiness. The technology has been in operation for several years and is trusted by numerous organizations. Using the platform permits companies to effectively manage their DFARS and CMMC compliance requirements and mitigate identified risks.

In addition, the Ignyte Assurance Platform is an end-to-end technological solution designed to meet specific CMMC needs and requirements. Therefore, the platform goes beyond the typical checklist of required cybersecurity maturity requirements. More importantly, the platform is C3PAO and assessor friendly, easy to implement, cost-effective, and preferred for most contractors and subcontractors. As a result, Ignyte Assurance remains one of the leading and proven companies that assist organizations in scaling the rough CMMC certification journey.

Stay up to date with everything Ignyte