Hello, Guest!

GovCon Expert Payam Pourkhomami Explains the Intricacies of CMMC 2.0 Third-Party Assessments

By Payam Pourkhomami, President & CEO of OSIbeyond

In a previous article in our CMMC series, we explored the key differences between the Cybersecurity Maturity Model Certification and past Department of Defense cybersecurity initiatives, namely the NIST SP 800-171. One of the most significant changes is the introduction of mandatory third-party assessments for achieving CMMC compliance.

This article takes a closer look at the specifics of CMMC 2.0 third-party assessments, covering what contractors can expect during the process, from the initial review to the final certification decision. We’ll also explore the critical considerations regarding external service providers, such as managed service providers, or MSPs, managed security services providers, a.ka. MSSPs and cloud service providers, or CSPs.

Anyone working in government contracting with cyber capabilities should attend Potomac Officers Club’s 2024 Cyber Summit. This June 6 event will gather top cyber officials from the Departments of Defense and Homeland Security, the U.S. intelligence community and beyond for a day of informative keynote speeches, productive panel sessions and plentiful networking opportunities. Tickets are going fast — make sure your company is represented!

Introduction to CMMC 2.0 third-party assessments

CMMC 2.0 third-party assessments are performed by CMMC Third-Party Assessment Organizations, or C3PAOs, the only organizations authorized by the CMMC Accreditation Body — known as Cyber AB — to conduct and manage CMMC assessments.

For CMMC Level 1, contractors can meet the requirements through self-assessments. This level is primarily about safeguarding federal contract information, or FCI, and does not involve handling controlled unclassified information, a.k.a. CUI.

Moving on to CMMC Level 2, C3PAOs are responsible for assessing contractors who handle CUI. The purpose of this assessment is to ensure that these contractors adhere to the 110 security requirements specified in NIST SP 800-171 Revision 2.

To comply with CMMC Level 3, contractors must first obtain a Level 2 certification, implement all 24 security controls from NIST SP 800-172, and, finally, pass a Level 3 assessment conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center.

The CMMC 2.0 third-party assessments are evidence-based and take place on-site at the contractor’s facility. The successful completion of an assessment results in a CMMC 2.0 certification, which signifies that the contractor has demonstrably achieved a certain level of cybersecurity posture.

What does a CMMC 2.0 third-party assessment involve?

Let’s unpack the key stages of a CMMC 2.0 third-party assessment to clearly explain what contractors can expect during the process.

1. Review of the current security program

The first stage of a CMMC 2.0 third-party assessment process involves a thorough review of the contractor’s current security program. The C3PAO will initiate contact with the person responsible for the organization’s cybersecurity, who may be a dedicated chief information security officer, a network administrator, or another designated individual. The primary objective of this stage is for the C3PAO to gain a detailed understanding of the contractor’s cybersecurity environment and determine its readiness for the assessment.

During this review, the C3PAO will focus on identifying the types of FCI and CUI data stored and transmitted by the organization, as well as the methods used for handling this data. This process will include a complete examination of the system security plan — dubbed SSP — and supporting documentation to verify that the contractor is prepared for the assessment.

The SSP outlines the security controls implemented to protect sensitive information and describes how these controls are managed and maintained. Such controls may include the implementation of access control measures, incident response plans, encryption techniques, regular vulnerability assessments, continuous monitoring and more. Additionally, the SSP may detail security awareness training programs, configuration management processes and disaster recovery strategies.

2. Assessment of vendor ecosystem

In today’s interconnected IT landscape, the security posture of a DOD contractor is intricately linked to the cybersecurity practices of its external service providers. A critical vulnerability within the vendor ecosystem can create a significant entry point for cyber threats and potentially compromise sensitive data.

The importance of assessing the vendor ecosystem is highlighted by incidents such as the data breach at Bank of America’s service provider Infosys McCamish Systems in late 2023, which compromised the personal data of over 57,000 customers. To mitigate such risks, the C3PAO verifies that any MSPs and MSSPs involved with the organization hold a valid CMMC 2.0 certification, while CSPs are required to have FedRAMP authorization and be listed on the FedRAMP Marketplace.

The C3PAO will also require shared responsibility matrices from these providers to define which requirements are being met with their help. This process ensures that contractors and their service providers are jointly accountable for maintaining the necessary security controls to protect sensitive information.

3. Verification of implementation of controls

Once the C3PAO has a thorough understanding of the contractor’s security program and vendor ecosystem, the next step is to verify the implementation of the required security controls.

During this stage, the C3PAO will perform an in-depth analysis of individual controls. The assessor may ask the person responsible for the organization’s cybersecurity to explain a certain process or demonstrate how a specific control works. The level of detail required for this verification will depend on the CMMC 2.0 level being assessed, with Level 3 verifications always requiring written documentation in the form of policies, procedures or configuration data.

It’s important to note that this verification process may involve any staff member or job function mentioned in a policy or procedure, including HR, operations and individual end users. All staff must be able to demonstrate familiarity with policies, procedures, and training material that includes them. The goal here is to check that security controls are not only implemented but also effectively integrated into the organization’s day-to-day operations.

4. Issuing of an official assessment report

After completing the verification of controls, the C3PAO prepares an official assessment report, summarizing its findings and providing a comprehensive evaluation of the contractor’s cybersecurity posture.

Before submitting the report to the Cyber AB, the C3PAO will conduct its own internal quality assurance to check for accuracy and completeness. The organization being assessed, also referred to as organization seeking assessment, or OSC, doesn’t need to worry about suffering damage to its reputation even if it fails the assessment, as the C3PAO keeps specific findings confidential.

If the report indicates that the organization has fulfilled the requirements for the desired CMMC 2.0 level, the Cyber AB grants the certification directly to the contractor. With the certification, the contractor can demonstrate that they have achieved the required level of cybersecurity posture for the target CMMC 2.0 level.

While the CMMC 2.0 certification is valid for three years, contractors must remain vigilant, as cybersecurity is an evolving field and passing a single assessment doesn’t mean that the certified contractor can stop focusing on CMMC and its requirements. The DOD intends for CMMC to be an evolving certification and compliance process that will likely introduce new controls to the various levels in response to emerging threats.

How can external service providers make or break a contractor’s CMMC 2.0 compliance?

Most contractors rely on external service providers for their expertise and solutions. This includes various MSPs, MSSPs and CSPs that store or process data for a company, such as Microsoft, Google or Dropbox.

While these providers offer valuable support and solutions, they can also pose risks to a contractor’s CMMC 2.0 compliance.

MSPs and MSSPs

MSPs and MSSPs are external IT resources that many smaller contractors leverage to supplement their internal IT staff. These service providers may be responsible for user account management, device setup, security functions and more. The CMMC 2.0 rules mandate that these service providers be third-party certified to the same CMMC 2.0 level as the contractor, even if they do not directly handle CUI data.

Since MSPs and MSSPs without a substantial percentage of defense industrial base business may find it impractical to build a compliant information system and undergo the certification process, contractors must effectively bet the future of their contracts and business on their service providers obtaining CMMC 2.0 certification in a timely manner.

Obviously, that’s far from ideal, so contractors should take the following steps to avoid non-compliance caused by an MSP or MSSP:

  • Partnership with compliant providers: Contractors should seek out MSPs and MSSPs that already have CMMC 2.0 certification or have clearly demonstrated their commitment to achieving it.
  • Engage in ongoing dialogue: Contractors should consistently communicate with their MSPs and MSSPs regarding CMMC 2.0 compliance. A service provider that’s unwilling or unable to engage in these conversations may not be the best partner for ensuring compliance.
  • Contractual agreements: Contractors should make sure that their service level agreements, or SLAs, with MSPs and MSSPs include clauses related to CMMC 2.0 compliance. The clauses can include penalties for non-compliance or deadlines for achieving certification.


When a DOD contractor signs up for a cloud service like Microsoft 365, Google Workspace, or Dropbox, they are entrusting the CSP with the storage and processing of their data. This relationship introduces potential risks, as any vulnerabilities in the CSP’s systems could compromise the contractor’s sensitive data.

That’s why CSPs must hold FedRAMP Moderate authorization and be listed in the FedRAMP marketplace. Alternatively, CSPs that don’t hold FedRAMP authorization can provide evidence of equivalency to demonstrate they meet comparable security standards. This option, however, is rarely used in practice.

We should also point out that more and more products and services are adding cloud components that might not immediately be recognized as such. This includes Internet of Things devices that often rely on cloud-based management and reporting, vulnerability management products like those provided by Rapid7 or remote desktop software that stores configurations and settings on cloud servers for easy access.

In all these cases, the same requirements apply as with more traditional CSPs, meaning DOD contractors must ensure that these less obvious cloud service providers also hold FedRAMP Moderate authorization or provide evidence of equivalency to meet comparable security standards.


CMMC 2.0 ushers in a new era of cybersecurity compliance for DOD contractors with the introduction of the third-party assessment process as a comprehensive evaluation of a contractor’s cybersecurity posture. By understanding the intricacies of CMMC 2.0 third-party assessments, and considering the impact of their external service providers on their compliance, contractors can better prepare themselves for the assessment process and meet the necessary requirements.

Video of the Day