CMMC C3PAO FAQs

The Defense Industrial Base (DIB) and the entire Defense Supply Chain (DSC) know that a Cybersecurity Maturity Model Certification (CMMC) security assessment is in their future. This assessment process, along with all the other components of the colossal CMMC rollout, pivots around one thing: the CMMC-AB’s Certified Third-Party Assessor Organizations (C3PAOs), which will be authorized to manage the assessment process and perform the security assessments themselves.

What are C3PAOs and what do you need to know about them? Check out these FAQs:

What is a C3PAO?

A C3PAO is a service provider organization that the CMMC Accreditation Body (CMMC-AB) has accredited and authorized to conduct CMMC assessments and to submit findings and recommendations to the CMMC-AB in order to certify that Organizations Seeking Certification (OSCs) comply with the CMMC maturity level (1 through 5) needed to perform on a given A&D contract.

The Certified Assessors who lead the assessment team, and the Certified Professionals who will be authorized to participate in an assessment team tasked with conducting CMMC assessment services, must each be aligned (as a 1099 contractor or employee) with a C3PAO.

What’s the process and timeline for your company to hire a C3PAO?

If your organization needs to achieve CMMC certification, you will contract with a C3PAO to manage your assessment process. The CMMC Marketplace will be “the authorized training, credentialing and accreditation ecosystem” for researching potential C3PAOs, as only the CMMC-AB can license C3PAOs.

Back in June 2020, the CMMC-AB opened up registration for organizations wishing to become C3PAOs. However, not all the pieces are in place yet to complete the process, so currently there are no officially authorized C3PAOs. According to the CMMC-AB’s “Assessment Ecosystem Timeline,” commercial assessments should be available by early 2021.

What are C3PAOs likely to charge for assessments?

According to the Office of the Under Secretary of Defense for Acquisition and Sustainment’s CMMC FAQ page, “The CMMC assessment costs will depend upon several factors to include the CMMC level, the complexity of the DIB company’s network, and other market forces.” As a baseline, CMMC point person Katie Arrington estimates the cost for a CMMC Level 1 certification audit will be in the $3,000 to $5,000 range.

Costs will be higher depending on your environment’s scope and complexity, your CMMC level and “supply and demand” for available auditors. Thus, getting ready for CMMC certification sooner rather than later could help you save money.

Keep in mind also that C3PAOs will need to recoup their costs, which per CMMC-AB guidelines will include expenses to certify their own security postures to at least CMMC Level 3, plus achieve ISO 17021 certification, plus pay various CMMC-AB fees and also pay their Certified Assessors, who can be hourly contractors or employees with benefits.

In short, before conducting a single audit, each C3PAO will likely have invested $20,000 to $150,000 or more.

How do you schedule your CMMC assessment?

Once the CMMC-AB begins authorizing C3PAOs, you’ll be able to schedule an assessment with your chosen C3PAO via the CMMC-AB portal (when available), which will be part of the CMMC Marketplace.

Can your business become a C3PAO?

Becoming a C3PAO means your business is certified to employ Certified Assessors (CAs) to perform CMMC assessments and Certified Professionals (CPs) to be part of an assessment team led by a CA. The first hurdle is that your business must be 100% US Citizen owned. Other requirements include purchasing appropriate insurance (including Cyber Liability Insurance), undergoing an organizational background check, having an active DUNS, CAGE, and SAM.gov account, passing individuals’ background checks leading to the issuance of a U.S. Secret security clearance, having at least one CA lined up at all times, signing the C3PAO license agreement, and paying the activation fees ($3,000 for the first year).

In addition, potential C3PAOs will need to prove compliance with CMMC Level 3 or above, validating their ability to safeguard Controlled Unclassified Information (CUI) and perform audits at the appropriate CMMC Level.

How do you prepare for a CMMC assessment?

Prior to scheduling a formal assessment with a C3PAO, OSCs need to prepare for their assessments. The major steps include documentation and institutionalization of the CMMC practices. Policies must be up to date, processes must enforce the policy, procedures must be performed at the frequency stated within the policy and/or processes, and objective evidence must be collected, validating that your organization meets the expected cyber hygiene for the required CMMC Level.

Are you looking to get a head start on CMMC compliance by performing a “gap analysis” to identify where you stand today and prioritize next steps? Pivot Point Security offers a full range of CMMC compliance services, led by CMMC-AB RP-trained individuals (pending finalization of the CMMC-AB process in order to officially say we have Certified RPs and we are among the first RPOs). Continue to monitor the CMMC-AB Marketplace and look for Pivot Point Security. For now, contact us to find out how we can help.