How Does the CMMC Accreditation Body Qualify Assessors?

Although there have been several delays since the Cybersecurity Maturity Model Certification was first announced, 101 experienced professionals have now been chosen to become future CMMC auditors. Most have now completed their training, thus providing valuable insights that will influence the training of registered provider organizations (RPOs).

The main difference between CMMC and the DFARS 252.204-7012 clause that preceded it is that the former requires a third-party assessment. In other words, you can only be awarded a certification after an approved CMMC auditor has evaluated your company’s security maturity. While there’s still plenty of time before the October 2025 deadline, starting now is a good idea.

What is the CMMC Accreditation Body?

The CMMC Accreditation Body, or CMMC-AB, has been authorized by the US Department of Defense to be the sole authority governing the implementation of CMMC audits and training. As such, no organization can become a CMMC auditor or RPO without first going through the CMMC-AB. The body does not endorse or promote any organization that is not included in its marketplace of pre-approved partners.

How does the CMMC-AB choose CMMC auditors?

One of the main responsibilities of the CMMC-AB is overseeing the training of certified CMMC assessors, which will formally start in summer 2021. As of July, 101 experienced professionals have been selected under the Provisional Assessor Program (PAP), and most of them have already completed their training under it. As the name suggests, the PAP is a temporary program that bridges the gap until the formal training of CMMC auditors begins.

Once a candidate has become a CMMC certified assessor, they will be able to register as a CMMC third-party assessor organization (C3PAO), which gives them the authority to carry out full CMMC audits on behalf of the CMMC-AB and the Department of Defense. To become a C3PAO, all candidates must complete an application form before undergoing extensive screening and an individual risk assessment.

When applicants are assessed, they are assigned a risk score based on up to 15 factors. The risk score must be medium or better for the applicant to be allowed into the next step of the process. If an applicant's risk scores higher than medium, they will be referred to the CMMC-AB leadership for additional review and verification.

Given the highly sensitive nature of defense-related information, there are several other tests that applicants must go through. The CMMC-AB also requires a Foreign Ownership, Control, or Influence (FOCI) test to determine the risk of foreign influences on their decision-making capabilities. The FOCI test applies to any individual working for a global public company, even if it is headquartered in the US.

Once a potential CMMC auditor has passed these tests, they will be able to partake in formal training. Once complete, the assessor’s organization will be able to register as a C3PAO. At the time of writing, only two organizations have so far become authorized C3PAOs, with a further 168 pending a CMMC Level 3 assessment before they can be formally authorized.

What is the difference between a C3PAO and an RPO?

A C3PAO is the only entity that has been authorized to conduct a formal CMMC audit, so you cannot earn a certification without engaging with one. On the other hand, there are hundreds of registered provider organizations (RPOs) already available via the CMMC-AB marketplace. An RPO is an organization that has been endorsed to provide advice on CMMC compliance. Charles IT is one such example!

Over the longer term, most organizations making up the Defense Industrial Base will engage with both an RPO and a C3PAO. However, it makes sense to start by partnering with an RPO, since doing so will help you prepare your business for earning a formal certification once the auditing begins. Although the October 1, 2025, deadline might seem a long way off, achieving CMMC compliance is no trivial task, especially if you are aiming for level four or five. This is why it is important to start now so that you are ready to bid on high-value defense contracts as soon as CMMC compliance becomes mandatory.

Charles IT helps organizations prepare for CMMC audits with the optimal blend of cutting-edge technology and expert guidance. Call us today to book your first cybersecurity assessment!
