
What’s a C3PAO? Hint – Not a “Star Wars” Character!

Posted by: Kevin Hancock November 05, 2024 CMMC

The Defense Industrial Base (DIB) serves as the supplier community for the U.S. Department of Defense (DoD).  Any company in the DIB should have the Cybersecurity Maturity Model Certification (CMMC) on its radar. CMMC certification, which only a CMMC Third Party Assessment Organization (C3PAO) can provide, will soon be a contractual requirement for many organizations handling sensitive information on behalf of the Department of Defense. 

What Is CMMC Compliance?

CMMC compliance represents a security framework designed to protect sensitive but unclassified data from theft that places U.S. national security at risk.  Examples of this data include Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  All indicators point to CMMC 2.0 compliance becoming a contractual requirement as soon as first quarter 2025.

The DoD created CMMC because existing cybersecurity contractual requirements to protect data like CUI have proven ineffective. Those requirements apply to all DoD prime contractors and their subcontractor supply chains that store, process, transmit or otherwise handle CUI. These organizations must fully address the 110 security controls defined in the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171).

The current mandate allows entities to self-assess and self-attest their compliance with NIST SP 800-171.  Those that do not meet all 110 controls can submit a Plan of Action and Milestones (POA&M) to get there.

Unfortunately, the current system simply does not work.  CUI continues to be compromised at an alarming rate.  POA&Ms do not get fully executed.  And businesses believe they possess stronger cybersecurity maturity than reality dictates.  Audits conducted by the DoD have consistently demonstrated contractors have overestimated their NIST SP 800-171 compliance postures.  Thus, the need for CMMC certification.

What Makes CMMC Different?

CMMC 2.0 consists of three Maturity Levels (ML).  ML1 applies to all members of the DIB and focuses on keeping FCI safe.  Upwards of 80,000 companies will be subject to ML2, which trains its sights on CUI protection.  ML2 demands full compliance with NIST SP 800-171.  Only a small fraction of the DIB (likely less than one percent) will fall under ML3 and additional security requirements above and beyond NIST SP 800-171.

Yes, ML2 sounds a lot like the current underperforming regime.  However, it differs in two important ways.

The first involves POA&Ms.  They won’t be allowed for every NIST SP 800-171 control as they are today.  They must be closed within 180 days.  And only organizations close to full CMMC 2.0 compliance will even be given the POA&M option.

The second relates to who performs the NIST SP 800-171 assessment and attests to the result.  Almost all companies that handle CUI will no longer be able to self-assess and self-attest compliance.  Instead, they will need to rely on an independent party to determine CMMC compliance and eligibility for a CMMC ML2 accreditation. 

What is CMMC Certification? Enter C3PAO

Businesses seeking CMMC ML2 accreditation will not be able to engage just any auditor to conduct the NIST SP 800-171/CMMC assessment. Instead, they will have to work with an authorized CMMC Third Party Assessment Organization (C3PAO) on their CMMC assessment.

C3PAOs receive their authorizations from The CMMC Accreditation Body (The Cyber AB).  The DoD contracted with The Cyber AB, a non-profit, to oversee the CMMC ecosystem that consists of C3PAOs, training organizations, individual CMMC assessors, and others.

C3PAOs must complete a rigorous process to achieve authorization from The Cyber AB.  The process includes risk analyses and background checks that if favorable allow the company to become a candidate C3PAO.  Candidates subsequently must pass a CMMC ML2 assessment executed by the DoD to achieve authorized status.

Authorized C3PAOs and their teams of CMMC-certified professionals and assessors possess a deep understanding of the 110 NIST SP 800-171 controls.  They bring an accurate and unbiased eye to determine a DIB firm’s cybersecurity maturity, compliance with the controls, qualification for POA&M, and ultimately CMMC ML2 accreditation. Once CMMC certification becomes mandatory for businesses subject to ML2 and ML3, they will be required to undergo a triennial CMMC assessment by a C3PAO.

The DoD believes the C3PAOs’ independent assessments that serve as a gateway to accreditation will improve the cybersecurity posture and compliance of the entire DIB. As a result, FCI and CUI will be harder to compromise and U.S. national security will be strengthened. Organizations

Don’t Wait for 2025

Although CMMC requirements likely will not appear in DoD contracts before 2025, members of the DIB needing ML2 accreditation must get moving now. Preparing to pass a C3PAO’s thorough evaluation against all 110 NIST SP 800-171 controls takes far longer than a self-assessment, perhaps as much as 12-18 months.

In addition, The Cyber AB’s CMMC ecosystem currently comprises fewer than 60 authorized CMMC C3PAOs.  With as many as 80,000 DIB companies seeking CMMC ML2 accreditation, a backlog to engage a C3PAO looks to be a distinct possibility.

May the force be with you.

To understand how Exostar’s CMMC Ready Suite can help you get through the CMMC 2.0 compliance maze, visit our page and set up a free demo and a time to talk to one of our specialists.