By Kathryn Daily, CISSP, CAP, RDRP
Despite the current pandemic, the CMMC AB (Cybersecurity Maturity Model Certification Accreditation Body) is moving right along. They have now announced the requirements to become a Certified Professional (CP), Certified Assessor (CA), Certified Third Party Assessment Organization (C3PAO), or Registered Practitioner.
The C3PAO will contract with OSCs (Organizations Seeking Certification) via the CMMC-AB Marketplace, which is due to be released at some point this summer. They will schedule assessments, hire and train certified assessors, and manage the overall assessment. In order to be a C3PAO, the organization must sign the C3PAO license agreement and provide verification of insurance (minimum coverage amounts are TBD). Insurance must include a General Liability policy with the CMMC Accreditation Body as a Named Insured, an Errors and Omissions policy, and a Cybersecurity Breach policy. They will also need to pay the application fee and a C3PAO activation fee (good for 1 year). C3PAOs will be subject to an organizational background check through Dun & Bradstreet and must have a DUNS number.
C3PAOs are required to maintain an association with at least one Registered Professional (RP), Certified Professional (CP), or Certified Assessor (CA). There is a 30-day grace period for this requirement. Lastly, the C3PAO is required to provide a commercial background check for all ML-1 assessment team members and be a 100% U.S. Citizen Owned Business. Foreign ownership considerations are currently under exploration for all C3PAOs. If performing assessments at Maturity Level 2 (ML-2) and above, the C3PAO itself must be certified at ML-3 or above. If you're hosting your CUI (Controlled Unclassified Information) in the cloud, be sure that you are using a FedRAMP High baseline or an IL 4 service provider. If you aren't, you will have to ensure the Cloud Service Provider (CSP) is compliant with the CMMC requirements.
Certified Assessors and Certified Professionals have their own set of requirements. CPs and CA-1s only need to be a U.S. Person (i.e. granted U.S. citizenship or a green card, as opposed to being born or naturalized). If they participate as a team member on an ML-2 assessment, U.S. Citizenship is required. CA-3 and above require U.S. Citizenship. To become a CP, one needs a college degree, 2+ years in cyber or another IT field, CMMC-AB approval of the submitted application, completion of the CMMC-AB Certified Professional class from an LPT (Licensed Training Provider), and the ability to pass a commercial background check.
There is a training program and exam for each level of Certified Assessor that must be taken and passed in order to assess at that level. The levels themselves are cumulative; to wit, in order to be a CA-5, you'll need to pass every exam from CA-1 through CA-5. CA-1 and CA-2 require one to pass a commercial background check, but CA-3 and higher require a National Agency Check (NAC). A clearance is also required, and the DoD is providing a mechanism for the CMMC-AB to sponsor clearances for CAs who work for a C3PAO that doesn't have a contract with the Government that requires a clearance. More information on that should be released in the near future.