CMMC Level 3 will be required for some prime contractors and will involve assessment by the DoD Industrial Base Cybersecurity Assessment Center (DIBCAC) after first passing a Level 2 Assessment from a C3PAO. Most DoD contractors will need to have a CMMC Level 2 Assessment performed by a third party. This can be a complex process. Fortunately, there are organizations and individuals with the expertise to help you through it.
Foremost is The Cyber Accreditation Body (The Cyber AB), the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) Ecosystem and the sole authorized non-governmental partner of the U.S. Department of Defense in implementing and overseeing the CMMC conformance regime. They authorize the assessment and consulting organizations that will help you on your journey, as well as the individuals who work for them. The Cyber AB Marketplace can help you find authorized providers of the services you need.
One service all Organizations Seeking Certification (OSCs) will require is that of a CMMC Third Party Assessment Organization (C3PAO). C3PAOs are the only organizations authorized by The Cyber AB to perform CMMC Level 2 Assessments. You will need to engage one once you are ready to be certified.
The requirements to become a C3PAO include passing the same DoD cybersecurity assessment required of defense contractors, plus a review of Foreign Ownership and Control (FOCI), organizational background check, proof of insurance, and eventual certification in ISO 17020 Conformity Assessment. The individuals working for C3PAOs must also be certified by The Cyber AB.
Certified CMMC Assessors (CCAs) can perform CMMC Level 2 Assessments, and their certification process includes background checks, training, and practical experience.
Certified CMMC Professionals (CCPs) can perform CMMC Level 1 Assessments and can also assist on Level 2 Assessments by assessing the Level 1 practices on those assessments, which helps them gain the experience toward becoming a CCA.
When looking for a C3PAO, you should verify they are legitimate. They should be listed in The Cyber AB Marketplace and should display The Cyber AB accreditation logo on their website. Then find out about their experience. Ask them how many Joint Surveillance Voluntary Assessments (JSVAs) they have conducted. JSVAs are CMMC Assessments conducted jointly with DIBCAC which will eventually translate to CMMC Level 2 per the 32 CFR rule after it goes into effect in December. Ask them what environment they used to pass their DIBCAC Assessment. Ask for references from other companies in your industry to ensure they understand your needs. Review the credentials of their CCAs and CCPs.