By Payam Pourkhomami, President & CEO of OSIbeyond
Those familiar with the Cybersecurity Maturity Model Certification, especially its updated 2.0 version, know that its most significant shift from earlier Department of Defense cybersecurity efforts lies in the introduction of a tiered certification process. Unlike past standards, such as NIST SP 800-171, CMMC 2.0 mandates both self- and third-party assessments whose rigor depends on the sensitivity of data a contractor handles.
The tiered assessment requirements have motivated the creation of a complex accreditation ecosystem involving multiple entities, each with its own role and responsibilities. In this article, we demystify this ecosystem and offer practical guidance on how contractors can best prepare for a CMMC 2.0 assessment.
The CMMC Accreditation Body
At the heart of the CMMC 2.0 accreditation ecosystem is the CMMC Accreditation Body, now known as the Cyber AB, an independent nonprofit organization that serves as the sole authorized non-governmental partner of the DOD in implementing and overseeing the CMMC conformance regime.
To ensure the organization independence, the Cyber AB does not receive any funding from the DOD or other governmental taxpayer resources. Instead, it operates on a “no cost” contract with the DoD and generates revenue primarily from application and renewal fees collected from participants within the CMMC ecosystem.
The Cyber AB is run by a board of directors, whose current members include Paul Michaels, president and founder of Monoc Securities LLC; Mathew Newfield, senior vice president and chief security and infrastructure officer of Unisys; and Debbie Taylor Moore, senior partner and VP of global cybersecurity within IBM Consulting.
The primary role of the Cyber AB is to authorize and accredit CMMC Third-Party Assessment Organizations, or C3PAOs, that conduct CMMC assessments of companies within the defense industrial base.
In addition to accrediting C3PAOs, the Cyber AB is currently responsible for managing the professional certification and training aspects of the CMMC ecosystem. However, this responsibility will soon transition to a separate legal entity known as the Cybersecurity Assessor and Instructor Certification Organization, or CAICO.
Third-Party Assessment Organizations
Not to be confused with a certain golden droid from Star Wars, C3PAOs serve as the bridge between Organizations Seeking Certification — a.k.a. OSCs — and CMMC Level 2 and Level 3 certifications, as they are the only organizations authorized by the CMMC-AB to conduct and manage CMMC assessments.
C3PAO teams consist of certified professionals, specifically Certified CMMC Professionals, or CCPs, and Certified CMMC Assessors, or CCAs. CCPs are individuals who have demonstrated their understanding of the CMMC framework and are responsible for guiding OSCs through the assessment process. CCAs, on the other hand, lead the assessment teams and are responsible for conducting and managing the formal assessments of OSCs. Authorized C3PAOs are listed in the Cyber AB Marketplace, a platform designed to connect those who are looking to achieve CMMC certifications with accredited assessment organizations.
Currently, there are 50 C3PAOs listed in the CMMC-AB Marketplace. The number may seem relatively small, considering that C3PAOs can also provide consulting services to companies seeking certification. However, it is important to note that C3PAOs are not the only entities providing consulting services because there are also Registered Practitioner Organizations, or RPOs.
Registered Practitioner Organizations
In contrast to C3PAOs, RPOs are consulting companies that help contractors prepare for CMMC assessments but are not authorized to conduct formal third-party assessments.
There are two key roles within RPOs. The first one is the role of Registered Practitioners, or RPs, who are individuals with knowledge of CMMC standards, and their job is to offer advice and recommendations to help contractors achieve compliance.
The second key role within RPOs is the Advanced Registered Practitioner, a.k.a. RPA. RPAs are experienced cybersecurity professionals who have implemented a minimum of 50-plus cybersecurity framework controls that directly correlate to the 110 CMMC Level 2 Practices.
To find a suitable RPO, contractors can visit the Cyber AB marketplace. However, they can also prepare for a CMMC 2.0 assessment independently without involving an RPO or C3PAO. In the next coliumn, we will discuss the steps contractors can take to increase their chance of successfully passing a CMMC 2.0 assessment, regardless of whether they decide to work with a service provider or self-prepare.
Conclusion
Understanding the CMMC 2.0 accreditation ecosystem and the roles of its key players—such as the Cyber AB, C3PAOs, and RPOs—has become vital for contractors seeking to work with the Department of Defense. Once you are no longer lost in the sea of acronyms, you can choose the right approach for your organization regardless of whether that involves partnering with an RPO like OSIbeyond or doing it alone.
For full access to OSIbeyond’s DoD Contractor’s Guide to CMMC 2.0 Compliance click here.
