How to become a CMMC Certified Third-Party Assessor Organization (C3PAO)
The SolarWinds cyberattack demonstrated how critical it is to secure the vendor supply chain. The SolarWind attack happened because attackers could add malicious code to SolarWind Orion software updates, a software tool used by several government departments, including the Department of Defense (DoD). To mitigate vendor-focused cyberattacks that affect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), the DoD has created the Cybersecurity Maturity Model Certification (CMMC) framework. This program engages a CMMC ecosystem of organizations able to advise on, and implement, the program on behalf of a vendor (Organizations Seeking Certification (OSCs)). One of these ecosystem partners is a Certified Third-Party Assessor Organization or (C3PAO).
What is a C3PAO?
A Certified Third-Party Assessor Organization (C3PAO) is part of the CMMC ecosystem. A C3PAO acts as a service provider to Organizations Seeking CMMC Certification (OSCs at one of the five levels of the CMMC framework. A C3PAO employs, either as an employee or as a contractor, Certified Assessors (CAs) and Certified Professionals (CPs) who can demonstrate by an appropriate certification that they can carry out CMMC assessments. This personnel are highly skilled and authorized and have the necessary skills to lead an assessment team to conduct CMMC assessment services.
How do I become a C3PAO?
To achieve the status of a C3PAO, a company must be accredited by the CMMC Accreditation Body (CMMC-AB). Accreditation is a process that requires several prerequisites to ensure success, including trained staff and demonstrable secure IT systems and cloud services (as appropriate).
Prerequisites for C3PAO accreditation:
- A 3PAO must have completed a CMMC Level 3 assessment themselves.
- Any use of third-party cloud services by a C3PAO must be checked to ensure that those services meet the requirements of FedRAMP. If any gaps between FedRAMP and CMMC requirements exist, they must be closed.
- The assessment team members of a C3PAO must have active NAC, DHS Suitability or Other DoD Accepted Clearance status
- A C3PAO organization must have ISO 9001, ISO 27001, CMMI Maturity Level 2 or 3.
- A C3PAO must have minimum coverage insurance that includes general liability with CMMC Accreditation Body as the named insured. This insurance must cover “Errors and Omissions” and “Cybersecurity Breaches.”
- A C3PAO will be subject to an organizational background check via Dun & Bradstreet and must have a DUNS number.
- Currently, a C3PAO must be a 100% U.S. citizen-owned business (the DoD is considering foreign-owned companies for future contracts).
Note: ISO 17020 Certification is required to become a C3PAO; however, the CMMC-AB offers a grace period of 27 months, from the date of registration, to achieve certification.
Watch out for: In addition, the CMMC-AB is currently developing CMMC C3PAO ML-3 certification.
Once the prerequisites are in place, a prospective C3PAO must undergo a formal process to achieve accreditation. This process includes signing a license agreement and paying fees. On successful accreditation, a C3PAO will be listed in the CMMC marketplace for OSCs. Certification is renewed annually. CMMC accredited C3PAO fees cover initial application ($1,000), pre-assessment (starting at $300) and activation ($2,000). An annual maintenance fee of $2,000 is also required.
How can a CMMC Third-Party Assessor Organization (C3PAO) stand out from the crowd?
Being a C3PAO requires a commitment to internal security measures and processes and the financial costs of being certified. However, only a C3PAO can carry out a Certified CMMC Assessment of an OSC. The DoD estimates the costs of a CMMC assessment to be around $3,000 for a level one CMMC certification.
Even at level one, the certification process requires a deep knowledge of security regarding the process, people and technologies needed to meet the CMMC levels. A C3PAO is accredited to supply this level of security know-how on behalf of an OSC. The skilled professionals employed to carry out the CMMC assessment are:
Certified Professional (CP)
A CP is a security professional with the experience and certifications required to help conduct the assessment. A CP, however, does not make the final certification decision. Instead, they work to support the CA.
Certified Assessor (CA)
CAs conduct the CMMC assessment and supervise CPs. There are three levels of CA: CA-1, CA-3 and CA-5, which reflect the highest CMMC Maturity Level that they are authorized to assess.
To stand out from the crowd as a C3PAO, your organization should be able to demonstrate:
- You employ at least one CP and CA who is fully certified and accredited to work at your chosen offering.
- Your organization has experience working with the DoD and security frameworks, such as the CMMC, e.g., the NIST Cybersecurity Framework and ISO 27001.
- That you use a collaborative approach to work closely with the client during the CMMC assessment process.
An organization may wish to focus on certain levels of the CMMC or offer the full assessment to CMMC level 5.
As all companies bidding on DoD contracts are required to meet a CMMC level, offering a cost-effective service to an SMB is one way to differentiate your C3PAO offering.
Can an SMB become a C3PAO?
If your organization already works with the U.S. government, has staff internally with the required skills and can be certified as a C3PAO. If so, investment in the C3PAO program may be worth exploring as more U.S. DoD bids come down the line with a requirement to meet the CMMC program. An SMB C3PAO could benefit from this need by tailoring an offering to specific levels of the CMMC program to optimize their personnel time and financial costs.
If your organization can afford the time, personnel focus and financial costs of the C3PAO process, there is no reason why a small organization should not become a C3PAO.
Achieving the status of C3PAO is not a simple one but will be worthwhile as all DoD contracts will, by 2026, expect an OSC to have CMMC certification to bid.
DoD sees CMMC as new way to monitor supply chain, spot shell companies, Federal News Network
CMMC eBook, Infosec