CMMC marketplace: Understanding C3PAOs, RPOs, LTPs and more
The Cybersecurity Maturity Model Certification (CMMC) program uses five successive levels, each representing an increasingly mature security posture. Since September 2020, several Department of Defense (DoD) requests for information (RFIs) have included some level of CMMC compliance as a requirement. This phased inclusion of CMMC in DoD tenders will continue over the next few years until 2026, when all of the more than 300,000 DoD vendors that make up the U.S. Defense Industrial Base (DIB) will be required to comply with one of the CMMC levels.
Any DIB vendor wishing to contract with the DoD must use a certified external entity to help in the assessment and certification process to meet a CMMC level of compliance. These organizations are accredited by the CMMC Accreditation Body (CMMC-AB) and listed on a “CMMC Marketplace.” This marketplace provides a searchable database of accredited service providers that a DoD contractor can pick from when going through CMMC compliance.
Who is the CMMC Accreditation Body (CMMC-AB)?
The CMMC-AB is a not-for-profit organization established to oversee the CMMC certification process. This includes accrediting the entities that take organizations seeking certification (OSCs) through CMMC certification. The CMMC-AB is the only authorized accreditation and certification partner of the DoD in its CMMC program; as such, every CMMC certification partner is fully accredited by the CMMC-AB and listed by it in the marketplace.
What is the CMMC Marketplace?
The CMMC requires an ecosystem of partners responsible for ensuring that the CMMC framework and the path to certification work together smoothly at a given CMMC level. This ecosystem covers every entity involved in the CMMC relationship between an Organization Seeking CMMC Certification (OSC) within the defense supply chain and the government agency. To serve this relationship, the CMMC-AB has created the CMMC Marketplace to connect OSCs with organizations that can take them through the certification process for the required CMMC level.
The CMMC Marketplace hosts the following seven entities:
- Registered provider organization (RPO): its role is to prepare OSCs for certification. An RPO acts as a consultant but is not certified to carry out CMMC assessments.
- CMMC 3rd party assessment organization (C3PAO): its role is to provide CMMC certification assessments to OSCs.
- C3PAO candidate – pending CMMC ML3 assessment: a pending status means that the company must first pass its own ML3 assessment before being fully accredited to carry out CMMC certification assessments.
- CMMC provisional assessor (PA): this role is authorized to conduct assessments during the provisional period. PAs typically work alongside a C3PAO.
- CMMC registered practitioner (RP): this role provides advice, consulting and recommendations to a client and works with an RPO.
- Licensed partner publisher (LPP): this role creates approved CMMC training materials.
- Licensed training provider (LTP): this role trains Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs) using LPP material.
The marketplace lists all the CMMC-accredited entities available to an Organization Seeking Certification (OSC). The listing is driven by a search facility, with searchable terms including name, description, city, state and type of accredited entity. Using this search can help identify the CMMC certification partners most applicable to an OSC. Entities that make it into the CMMC Marketplace, such as an RPO, will already have been through a stringent series of checks and accreditation and will have paid annual fees. The CMMC-AB essentially provides a filtering system on behalf of the vendors in the U.S. Defense Industrial Base (DIB) and the U.S. government, so that the certification of an OSC runs smoothly and effectively. Only entities with the right level of skills, staffing and stability will be accredited to the level needed to become part of the CMMC Marketplace.
The search function on the CMMC Marketplace is currently poor; expect it to be overhauled as more certification partners are listed.
Connecting with a CMMC Marketplace service provider
Once a DIB contractor has chosen its certification partner from the CMMC Marketplace, it can interact with that vendor in any way it pleases. The CMMC-AB also provides a CMMC-AB Portal, a user-group forum that allows discussion between groups and entities.
Things to consider when using the CMMC Marketplace
The CMMC Marketplace provides a searchable database for researching the CMMC ecosystem partners that can help your organization achieve CMMC certification. At the time of writing, the marketplace was operational, but the search facility needed optimization; you can expect an update soon. When searching for the best partner for your CMMC certification requirements, certain elements may tip the balance toward a specific service:
- Are they local? The CMMC compliance process is collaborative, and a nearby partner makes on-site visits easier if they are needed and reduces travel costs.
- Does the CMMC partner specialize in delivering services around CMMC certification?
- What is the cost structure of the service offering?
- Do they understand your specific service or product offering?
- Does the CMMC Marketplace service provider have experience with other government security frameworks?
A marketplace for future security
A recent Samsung survey found that 64% of federal government I.T. and cybersecurity professionals see endpoint security breach prevention as a priority. This makes contractor compliance with the stringent security requirements of the CMMC framework vitally important. The same picture appears in the DHS Homeland Threat Assessment 2020 report, which shows that government entities, including the DoD and its OSC ecosystem, continue to fight cybersecurity battles. The CMMC-AB is the only entity that accredits potential CMMC service partners and then lists those certified service providers under one umbrella, the CMMC Marketplace. This takes the legwork out of finding the right provider. By choosing a service provider that is a good fit for your organization, you greatly improve the chance of a successful CMMC compliance certification.
Sources
- Samsung, Closing the Gaps in Federal Endpoint Security
- DHS, Homeland Threat Assessment 2020 report
- Infosec, CMMC Ebook
- Infosec, CMMC page