CMMC C3PAO FAQs
The entire US defense supply chain now knows that a Cybersecurity Maturity Model Certification (CMMC) v2.0 third-party security assessment or self-assessment is in their future. This third-party assessment process, along with many other components of the CMMC 2.0 rollout, pivots around one thing: the CMMC-AB’s Certified Third-Party Assessor Organization (C3PAOs) that will be authorized to manage and perform the assessment process and the security assessments themselves.
What are C3PAOs and what do you need to know about them? Check out these FAQs:
A C3PAO is a service provider organization that the CMMC Accreditation Body (CMMC-AB) has accredited and authorized to conduct CMMC assessments and submits findings and certify that Organizations Seeking Certification (OSCs) comply with the CMMC 2.0 maturity level (1 through 3) to perform in a given Aerospace & Defense (A&D) contract.
The Certified CMMC Assessors (CCAs), that will lead the assessment teams, and Certified CMMC Professionals (CCPs) that will be authorized to participate in assessment teams tasked to conduct CMMC assessment services must each be aligned (as a 1099 contractor or employee) with a C3PAO.
If your organization needs to achieve CMMC 2.0 certification via a third-party assessment, you will contract with a C3PAO to manage your assessment process. The CMMC Marketplace will be “the authorized training, credentialing and accreditation ecosystem” for researching potential C3PAOs, as only the CMMC-AB can license C3PAOs.
Back in June 2020, the CMMC-AB opened registration for organizations wishing to become C3PAOs. However, as of November 2021, there are only five officially accredited C3PAOs, per the CMMC-AB Marketplace. Additionally, as part of CMMC 2.0 the CMMC-AB itself, along with all C3PAOs and the to-be-created CMMC Assessors and Instructors Certification Organization (CAICO), must all achieve compliance with the ISO 17011 “conformity assessment” standard before any more C3PAOs can be accredited.
According to the Office of the Under Secretary of Defense for Acquisition and Sustainment’s CMMC FAQ page, “The CMMC assessment costs will depend upon several factors to include the CMMC level, the complexity of the DIB company’s network, and other market forces.” As a baseline, former CMMC point person Katie Arrington originally estimated that the cost for a CMMC Level 1 certification audit would be in the $3,000 to $5,000 range. In initial proposals from some of the first C3PAOs to be accredited regarding CMMC v1, we saw $50,000 to $90,000 proposals dependent upon the size of the organization, number of locations, and number of System Security Plans. CMMC 2.0 Level 2 certification audit costs will hopefully be lower than those estimates due to: 1) fewer controls to certify; 2) elimination of the confusing “maturity processes”; and 3) reduced emphasis on procedural documentation.
Another cost factor could be “supply and demand” for available auditors. Thus, getting ready for CMMC 2.0 certification sooner rather than later could help you save money.
Keep in mind also that C3PAOs will need to recoup their costs, which per CMMC-AB guidelines will include expenses to certify their own security postures to at least CMMC 2.0 Level 2, plus achieving ISO 17021 certification, plus paying various CMMC-AB fees and also paying their Certified Assessors, who can be hourly contractors or employees with benefits. In short, before conducting a single audit, each C3PAO will likely have invested $20,000 to $150,000 or more.
Once C3PAOs are accredited and CMMC 2.0 is finalized, you’ll be able to schedule an assessment with your chosen C3PAO via the CMMC-AB portal (when available), which is slated to be part of the CMMC Marketplace.
Becoming a C3PAO means your business is certified to employ Certified CMMC Assessors (CCAs) to perform CMMC assessments and Certified CMMC Practitioners (CCPs) to be part of an assessment team, led by a CCA. The first hurdle is your business must be 100% US Citizen owned. Some other requirements include purchasing appropriate insurances (including Cyber Liability Insurance), undergoing an organizational background check, having an active DUNS, CAGE, and SAM.gov account, passing individual background checks leading to the issuance of a U.S. Secret security clearance, “maintaining an association” with at least one RP, CCP, PA or CCA, signing the C3PAO license agreement and paying the activation fees ($3,000 for the first year).
In addition, potential C3PAOs will need to prove compliance with CMMC 2.0 Level 2 or above, to validate their ability to safeguard Controlled Unclassified Information (CUI) and perform audits at the appropriate CMMC Level. C3PAOs must also achieve ISO 17011 certification before they can be accredited.
Prior to scheduling a formal assessment with a C3PAO, OSCs need to prepare for their assessments. The major steps include documentation and institutionalization of the CMMC 2.0 practices. For those handling CUI, policies must be up to date, processes must enforce the policy, procedures must be performed at the frequency stated within the policy and/or processes, and objective evidence must be collected in advance for an adequate period to validate that your organization meets the required CMMC 2.0 level.
Are you looking to get a head start on CMMC 2.0 compliance by performing a “gap analysis” to identify where you stand today and prioritize next steps? As one of the first Registered Provider Organizations (RPOs), Pivot Point Security offers a full range of CMMC compliance services, led by appropriately trained and certified experts. Contact us here to find out how we can help.