CMMC Marketplace FAQs

The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) is responsible for managing the CMMC training and certification framework on behalf of the US Department of Defense (DoD). The CMMC-AB has identified a number of Licensed Training Providers (LTP), also they have begun developing the CMMC Body of Knowledge (BOK), approving, certifying, licensing and/or training various entities that will deliver essential services to support the overall CMMC ecosystem.

To connect with CMMC-AB approved service providers, the CMMC-AB has created the CMMC Marketplace (which is undergoing a facelift as of 06Nov20).  The Marketplace will be its “authorized training, credentialing and accreditation ecosystem” website. Having gone through a “rigorous approval process” that includes background checks, agreeing to a code of ethics and paying various fees, these service providers will be “safe bets” for the hundreds of thousands of businesses in the US Defense Industrial Base (DIB) that will need to achieve CMMC certification within the next five years.

What is the CMMC Marketplace all about? Check out these FAQs:

What can I find on the CMMC Marketplace right now?

Currently, as of November 6, 2020, the site is “unavailable”, the only businesses listed on the CMMC Marketplace are some “approved Licensed Partner Publishers (LPPs) and Licensed Training Providers (LTP). Links for other classes of service providers and practitioners are not yet live yet (our Consultants are RP trained so we will know because our name will be up there).

While the CMMC opened up registration for various entities back in June 2020, the CMMC Marketplace has been slow to unfold. A major reason is that some key ecosystem pieces (e.g., auditor training, security clearance requirements, background check process) are still falling into place.

According to the CMMC-AB’s “Assessment Ecosystem Timeline,” we should see a lot more activity on the CMMC Marketplace by the time commercial assessments are available in Q1 2021. Meanwhile, independent entities like ComplyUp are looking to fill the gap by creating independent “marketplaces” of currently non-approved organizations that advertise CMMC-related services.

What classes of service provider will eventually be listed on the CMMC Marketplace?

The CMMC Marketplace will shortly be a clearinghouse for connecting Organizations Seeking Certification (OSCs) and others with these CMMC ecosystem service providers:

  • CMMC 3rd Party Assessment Organizations (C3PAOs), which will manage and perform CMMC certification assessments
  • Licensed Partner Publishers (LPPs), which will create and sell education programs and content to universities, online training providers and individuals
  • Registered Provider Organizations (RPOs), which are authorized to provide CMMC consulting and support to help DoD suppliers prepare for assessment
  • Certified Assessors (CAs), Certified Professionals (CPs) and Registered Practitioners (RPs), which are the individuals approved to assess, consult with and/or support CMMC assessments

What is the process for hiring a CMMC-AB approved service provider?

The easiest approach will be to simply visit the CMMC Marketplace, find the type of practitioner or organization you need to connect with, and research approved providers individually from there.

Once the CMMC-AB begins authorizing C3PAOs and other practitioners, per the RP training, the OSC must register with the CMMC-AB as such, then indicate the need for a CMMC level and desired or required timing. The OSC can go to the CMMC-AB Marketplace to validate but can engage with assessors however they choose. You’ll be able to interact with your chosen service provider via the CMMC-AB portal, which will soon be part of the CMMC Marketplace but is not “live” as of this writing.

Factors to consider when researching service providers might be whether an entity is located close by to help cut potential travel costs, how much experience the entity has with the service you need, whether they specialize in that service or it is a “sideline,” whether they offer a full spectrum of related services, whether their service offerings are fixed or flexible, their service cost structure, do they understand your organization’s market, products, services, and so on.

If you are seeking services right now and don’t want to wait for the CMMC-AB to approve service providers, there are many companies—including Pivot Point Security—offering CMMC-related services on the open market.

Contact us today to speak with a CMMC expert about your unique situation and how we can best help you prepare for your CMMC assessment.